Windows Analysis Report
sublime.text.v4152-patch.exe

Overview

General Information

Sample Name:sublime.text.v4152-patch.exe
Analysis ID:1290344
MD5:15f0f046c5a23f898a4162724a16be09
SHA1:106888897e37c6b5fbb26fb7ed1ad2d264aa2e9e
SHA256:5ee68867759bd9dd852bd874db2716721d9d6671586533c8b62f820b18e690c5
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Generic Patcher
Found stalling execution ending in API Sleep call
PE file has nameless sections
PE file has a writeable .text section
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to modify clipboard data
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Yara signature match
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evaded block containing many API calls
Dropped file seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sublime.text.v4152-patch.exe | CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen | Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe | Florian Roth |
  • 0xccf59:$s0: <description>Patch</description>
  • 0x804:$s2: \dup2patcher.dll
  • 0x815:$s3: load_patcher

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\dup2patcher.dll | JoeSecurity_GenericPatcher | Yara detected Generic Patcher | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.886505239.0000000000830000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericPatcher | Yara detected Generic Patcher | Joe Security |
Process Memory Space: sublime.text.v4152-patch.exe PID: 5480 | JoeSecurity_GenericPatcher | Yara detected Generic Patcher | Joe Security |

Source | Rule | Description | Author | Strings
0.2.sublime.text.v4152-patch.exe.830000.2.raw.unpack | JoeSecurity_GenericPatcher | Yara detected Generic Patcher | Joe Security |
0.2.sublime.text.v4152-patch.exe.830000.2.unpack | JoeSecurity_GenericPatcher | Yara detected Generic Patcher | Joe Security |
0.2.sublime.text.v4152-patch.exe.6c660000.4.unpack | JoeSecurity_GenericPatcher | Yara detected Generic Patcher | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: sublime.text.v4152-patch.exe | ReversingLabs: Detection: 56%
Source: sublime.text.v4152-patch.exe | Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll | Joe Sandbox ML: detected
Source: sublime.text.v4152-patch.exe | Joe Sandbox ML: detected
Source: sublime.text.v4152-patch.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sublime.text.v4152-patch.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C666CE0 FindFirstFileA,FindClose, 0_2_6C666CE0
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, dup2patcher.dll.0.dr | String found in binary or memory: http://diablo2oo2.cjb.netP76y
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886647795.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, dup2patcher.dll.0.dr | String found in binary or memory: https://www.sublimetext.com/
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, dup2patcher.dll.0.dr | String found in binary or memory: https://www.sublimetext.com/AholicknightAugust
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.sublimetext.com/_n
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://www.sublimetext.com/ttps://www.sublimetext.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C6671E0 lstrlenA,OpenClipboard,GlobalAlloc,GlobalLock,lstrcpyA,EmptyClipboard,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_6C6671E0
Source: sublime.text.v4152-patch.exe, 00000000.00000002.886647795.000000000099A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: sublime.text.v4152-patch.exe, type: SAMPLE | Matched rule: Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe Author: Florian Roth
Source: bassmod.dll.0.dr | Static PE information: section name:
Source: dup2patcher.dll.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: sublime.text.v4152-patch.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sublime.text.v4152-patch.exe, type: SAMPLE | Matched rule: CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe, score = e32f5de730e324fb386f97b6da9ba500cf3a4f8d, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_100028F0 0_2_100028F0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_10001B00 0_2_10001B00
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_10010534 0_2_10010534
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_10009B49 0_2_10009B49
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_10001790 0_2_10001790
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_1000ADA0 0_2_1000ADA0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_100031D8 0_2_100031D8
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C669762 0_2_6C669762
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C669FA0 0_2_6C669FA0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C6677A9 0_2_6C6677A9
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\bassmod.dll 8AD9E47693E292F381DA42DDC13724A3063040E51C26F4CA8E1F8E2F1DDD547F
Source: sublime.text.v4152-patch.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bassmod.dll.0.dr | Static PE information: Section: ZLIB complexity 1.0005039687539372
Source: sublime.text.v4152-patch.exe | ReversingLabs: Detection: 56%
Source: sublime.text.v4152-patch.exe | Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_001A1037 GetModuleHandleA,FindResourceA,SizeofResource,LoadResource,VirtualAlloc,RtlMoveMemory,GetTempPathA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,DeleteFileA, 0_2_001A1037
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | File created: C:\Users\user\AppData\Local\Temp\dup2patcher.dll
Source: classification engine | Classification label: mal88.spyw.evad.winEXE@1/2@0/0
Source: sublime.text.v4152-patch.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: bassmod.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xc8f0
Source: dup2patcher.dll.0.dr | Static PE information: real checksum: 0x19917 should be: 0xd1cb2
Source: sublime.text.v4152-patch.exe | Static PE information: real checksum: 0xecdd should be: 0xd5919
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_1000E989 push FF3F95A1h; ret 0_2_1000E9B9
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_1000CBA0 push eax; ret 0_2_1000CBCE
Source: initial sample | Static PE information: section name: entropy: 7.982708398519935
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | File created: C:\Users\user\AppData\Local\Temp\bassmod.dll

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Stalling execution: Execution stalls by calling Sleep | graph_0-10857
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Window / User API: threadDelayed 2468
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe TID: 6636 | Thread sleep time: -74040s >= -30000s
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Thread sleep count: Count: 2468 delay: -30
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Evaded block: after key decision | graph_0-10834
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Evaded block: after key decision | graph_0-11027
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C6668D3 rdtsc 0_2_6C6668D3
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C664616 GetSystemInfo,CreateFileA,GetFileSize,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle, 0_2_6C664616
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C666CE0 FindFirstFileA,FindClose, 0_2_6C666CE0
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C6667F8 push dword ptr fs:[00000030h] 0_2_6C6667F8
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_6C6667DE push dword ptr fs:[00000030h] 0_2_6C6667DE
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_001A1037 GetModuleHandleA,FindResourceA,SizeofResource,LoadResource,VirtualAlloc,RtlMoveMemory,GetTempPathA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,DeleteFileA, 0_2_001A1037

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: 0.2.sublime.text.v4152-patch.exe.830000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sublime.text.v4152-patch.exe.830000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sublime.text.v4152-patch.exe.6c660000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.886505239.0000000000830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sublime.text.v4152-patch.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, type: DROPPED
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_10001000 cpuid 0_2_10001000
Source: C:\Users\user\Desktop\sublime.text.v4152-patch.exe | Code function: 0_2_1000CB31 BASSMOD_GetVersion, 0_2_1000CB31

Tactic | Techniques
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution | 2 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence | Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation | Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion | 2 Virtualization/Sandbox Evasion; 3 Software Packing; 2 Obfuscated Files or Information; Binary Padding; Software Packing
Credential Access | 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery | 1 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection | 1 Input Capture; 1 Archive Collected Data; 11 Clipboard Data; Input Capture; Keylogging
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control | 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact | Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

Source | Detection | Scanner | Label
sublime.text.v4152-patch.exe | 57% | ReversingLabs | Win32.Hacktool.Generic
sublime.text.v4152-patch.exe | 62% | Virustotal |
sublime.text.v4152-patch.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\dup2patcher.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bassmod.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\bassmod.dll | 1% | Virustotal |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://diablo2oo2.cjb.netP76y | 0% | Avira URL Cloud | safe

No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.sublimetext.com/ttps://www.sublimetext.com/ | sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://www.sublimetext.com/AholicknightAugust | sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, dup2patcher.dll.0.dr | false | | high
https://www.sublimetext.com/_n | sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://www.sublimetext.com/ | sublime.text.v4152-patch.exe, 00000000.00000002.886492885.00000000006FC000.00000004.00000010.00020000.00000000.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886647795.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, dup2patcher.dll.0.dr | false | | high
http://diablo2oo2.cjb.netP76y | sublime.text.v4152-patch.exe, 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp, sublime.text.v4152-patch.exe, 00000000.00000002.886505239.0000000000867000.00000004.00001000.00020000.00000000.sdmp, dup2patcher.dll.0.dr | false | Avira URL Cloud: safe | unknown

No contacted IP infos

                      Joe Sandbox Version:38.0.0 Beryl
                      Analysis ID:1290344
                      Start date and time:2023-08-12 05:26:27 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 8m 41s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:17
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample file name:sublime.text.v4152-patch.exe
                      Detection:MAL
                      Classification:mal88.spyw.evad.winEXE@1/2@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 33.3% (good quality ratio 31.8%)
                      • Quality average: 81.2%
                      • Quality standard deviation: 27.2%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 37
                      • Number of non-executed functions: 64
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, arc.msn.com
                      • Not all processes were analyzed, report is missing behavior information
                      No simulations
                      No context
                      No context
                      No context
                      No context
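
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\bassmod.dll | Counter-Strike 2 client.dll patcher.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | XF-Sublime-KG.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | XF-Cerbero-KG.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | Source.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | kkk.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | manycam.7.6.0.38-MPT.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | SecuriteInfo.com.Adware.Bho.4103.10020.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | nitro.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | IcTy2OaX9w.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | Patch.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | (32-Bit) 4K Video Downloader v4.12.0.3570 Patch.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | accd.5.0.x-patch.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | accd.5.0.x-patch.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | Patch-iMazing.2.x.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\bassmod.dll | taxvxw5BSp.exe | malicious |
C:\Users\user\AppData\Local\Temp\bassmod.dll | sandboxie.memory.leak.x86-x64-patch.exe | malicious |
C:\Users\user\AppData\Local\Temp\bassmod.dll | Patch-WinNc.8.x.exe | malicious |
C:\Users\user\AppData\Local\Temp\bassmod.dll | Patch-WinNc.8.x.exe | malicious |
C:\Users\user\AppData\Local\Temp\bassmod.dll | testing.exe | malicious |
C:\Users\user\AppData\Local\Temp\bassmod.dll | test.exe | malicious |
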
                                                              Process:C:\Users\user\Desktop\sublime.text.v4152-patch.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):34308
                                                              Entropy (8bit):7.892542080413996
                                                              Encrypted:false
                                                              SSDEEP:768:qQmS5iUgi5czW+DlrQOS1DeDdjgNtbX4O6DHix84H0:qQz5Tgof+DdpS1+djctLSHiZ0
                                                              MD5:E4EC57E8508C5C4040383EBE6D367928
                                                              SHA1:B22BCCE36D9FDEAE8AB7A7ECC0B01C8176648D06
                                                              SHA-256:8AD9E47693E292F381DA42DDC13724A3063040E51C26F4CA8E1F8E2F1DDD547F
                                                              SHA-512:77D5CF66CAF06E192E668FAE2B2594E60A498E8E0CCEF5B09B9710721A4CDB0C852D00C446FD32C5B5C85E739DE2E73CB1F1F6044879FE7D237341BBB6F27822
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              • Antivirus: Virustotal, Detection: 1%
                                                              Joe Sandbox View:
                                                              • Filename: Counter-Strike 2 client.dll patcher.exe, Detection: malicious
                                                              • Filename: XF-Sublime-KG.exe, Detection: malicious
                                                              • Filename: XF-Cerbero-KG.exe, Detection: malicious
                                                              • Filename: Source.exe, Detection: malicious
                                                              • Filename: kkk.exe, Detection: malicious
                                                              • Filename: manycam.7.6.0.38-MPT.exe, Detection: malicious
                                                              • Filename: SecuriteInfo.com.Adware.Bho.4103.10020.exe, Detection: malicious
                                                              • Filename: nitro.exe, Detection: malicious
                                                              • Filename: IcTy2OaX9w.exe, Detection: malicious
                                                              • Filename: Patch.exe, Detection: malicious
                                                              • Filename: (32-Bit) 4K Video Downloader v4.12.0.3570 Patch.exe, Detection: malicious
                                                              • Filename: accd.5.0.x-patch.exe, Detection: malicious
                                                              • Filename: accd.5.0.x-patch.exe, Detection: malicious
                                                              • Filename: Patch-iMazing.2.x.exe, Detection: malicious
                                                              • Filename: taxvxw5BSp.exe, Detection: malicious
                                                              • Filename: sandboxie.memory.leak.x86-x64-patch.exe, Detection: malicious
                                                              • Filename: Patch-WinNc.8.x.exe, Detection: malicious
                                                              • Filename: Patch-WinNc.8.x.exe, Detection: malicious
                                                              • Filename: testing.exe, Detection: malicious
                                                              • Filename: test.exe, Detection: malicious
                                                              Reputation:moderate, very likely benign file
                                                              Process:C:\Users\user\Desktop\sublime.text.v4152-patch.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):808960
                                                              Entropy (8bit):5.828626402420864
                                                              Encrypted:false
                                                              SSDEEP:12288:Wc2ldltF9jWPTePnnXSwJ0sX3cw5eD1+6QNZgYTgIQH:TmnXSwJ0s8PI6WgVI
                                                              MD5:5B7F89778E8F916541AE3030F2330638
                                                              SHA1:AA07437488CF42D38B75BE4D144DCFF6DCF51BE8
                                                              SHA-256:3E56B33860EE05F5A51AE21693BE5E12349D65516A5A1E00EB3154ABD940BC65
                                                              SHA-512:B7BB28A648CA9C0B62B8A1E6006FC1A119760053FB42919EB1EEF698FCFE84024EE598E6DC33BF757F1E0EA489EE38B2D56B0628B029050F79D773FDE6E1C03F
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_GenericPatcher, Description: Yara detected Generic Patcher, Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, Author: Joe Security
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Reputation:low
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bd............! ....n#......u....................u......u......u......u.....Rich............................PE..L......P...........!................. ....................................................@.........................p.......P........0..........................H.......................................................D............................text...J........................... ....rdata..............................@..@.data....W..........................@....rsrc........0......................@....reloc..Z............N..............@..B................................................................................................................................................................................................................................................................................................................
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.998608383385908
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:sublime.text.v4152-patch.exe
                                                              File size:840'704 bytes
                                                              MD5:15f0f046c5a23f898a4162724a16be09
                                                              SHA1:106888897e37c6b5fbb26fb7ed1ad2d264aa2e9e
                                                              SHA256:5ee68867759bd9dd852bd874db2716721d9d6671586533c8b62f820b18e690c5
                                                              SHA512:1df7f5bb90caf04d2df864ea1e4a6a1decf471957a8bf0214b346fc9e621b241d0c6204568209c34a6798a36a0147037b5a202a94b5afe019e729f600b373695
                                                              SSDEEP:24576:qAXm+fFb4LUYEVjfFkkG9K/N088z6tsAHMU48Obds6:qAXmkb4LUvV7C9K10F6Hs2Ob
                                                              TLSH:6C0533A045E02712F3BAC87D4FD4B6FE907D0B991D3BCC9632DA65A3D926F4C240931A
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.m.-...-...-.......,...B.......-...<...B...,...B...,...B...,...Rich-...........PE..L......P............................+......
                                                              Icon Hash:629c8e879e07e21d
                                                              Entrypoint:0x40102b
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x50D4CDC2 [Fri Dec 21 20:59:46 2012 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:5
                                                              OS Version Minor:0
                                                              File Version Major:5
                                                              File Version Minor:0
                                                              Subsystem Version Major:5
                                                              Subsystem Version Minor:0
                                                              Import Hash:dc73a9bd8de0fd640549c85ac4089b87
                                                              Instruction
                                                              call 00007F3EEC52E8CCh
                                                              push 00000000h
                                                              call 00007F3EEC52E9CAh
                                                              push ebp
                                                              mov ebp, esp
                                                              add esp, FFFFFBF4h
                                                              push esi
                                                              push edi
                                                              push ebx
                                                              push 00000000h
                                                              call 00007F3EEC52E9C9h
                                                              mov dword ptr [00403030h], eax
                                                              mov dword ptr [ebp-08h], 00000000h
                                                              push 0000000Ah
                                                              push 00403000h
                                                              push 00000000h
                                                              call 00007F3EEC52E9A3h
                                                              or eax, eax
                                                              je 00007F3EEC52E8E3h
                                                              mov dword ptr [ebp-04h], eax
                                                              push dword ptr [ebp-04h]
                                                              push 00000000h
                                                              call 00007F3EEC52E9C2h
                                                              mov dword ptr [ebp-0Ch], eax
                                                              push dword ptr [ebp-04h]
                                                              push 00000000h
                                                              call 00007F3EEC52E9A9h
                                                              or eax, eax
                                                              je 00007F3EEC52E8C5h
                                                              mov dword ptr [ebp-08h], eax
                                                              cmp dword ptr [ebp-08h], 00000000h
                                                              je 00007F3EEC52E8F4h
                                                              push 00000004h
                                                              push 00001000h
                                                              push dword ptr [ebp-0Ch]
                                                              push 00000000h
                                                              call 00007F3EEC52E99Dh
                                                              mov edi, eax
                                                              push dword ptr [ebp-0Ch]
                                                              push dword ptr [ebp-08h]
                                                              push edi
                                                              call 00007F3EEC52E983h
                                                              mov dword ptr [ebp-08h], edi
                                                              push DEADBEEFh
                                                              push dword ptr [ebp-0Ch]
                                                              push dword ptr [ebp-08h]
                                                              call 00007F3EEC52E804h
                                                              cmp dword ptr [ebp-08h], 00000000h
                                                              je 00007F3EEC52E8F6h
                                                              lea eax, dword ptr [ebp-0000040Ch]
                                                              push eax
                                                              push 00000400h
                                                              call 00007F3EEC52E947h
                                                              push 00403004h
                                                              lea eax, dword ptr [ebp-0000040Ch]
                                                              push eax
                                                              call 00007F3EEC52E95Ah
                                                              push dword ptr [ebp-0Ch]
                                                              push dword ptr [ebp-08h]
                                                              lea eax, dword ptr [ebp+0000FBF4h]
                                                              Programming Language:
                                                              • [IMP] VS2010 build 30319
                                                              • [ASM] VS2010 build 30319
                                                              • [RES] VS2010 build 30319
                                                              • [LNK] VS2010 build 30319
                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2050 | 0x28 | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xcc7e0 | .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd1000 | 0x34 | .reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x48 | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                              .text | 0x1000 | 0x1f6 | 0x200 | False | 0.70703125 | data | 5.064079900511637 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rdata | 0x2000 | 0x1d8 | 0x200 | False | 0.55859375 | tar archive (old), type 'P' \300 , seconds \372 , linkname !, comment: duleHandleA | 4.270638734332521 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .data | 0x3000 | 0x34 | 0x200 | False | 0.078125 | data | 0.5689880404256953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .rsrc | 0x4000 | 0xcc7e0 | 0xcc800 | False | 0.9700321859718827 | data | 7.999743265140669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc | 0xd1000 | 0x52 | 0x200 | False | 0.123046875 | data | 0.7360464330211749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                              RT_ICON | 0x4138 | 0x6b0d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9986133917168399
                                                              RT_RCDATA | 0xac48 | 0xc5800 | data | | | 0.9697240901898734
                                                              RT_GROUP_ICON | 0xd0448 | 0x14 | data | | | 1.05
                                                              RT_MANIFEST | 0xd045c | 0x382 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.45657015590200445
                                                              DLL | Import
                                                              kernel32.dll | DeleteFileA, ExitProcess, FindResourceA, FreeLibrary, GetModuleHandleA, GetProcAddress, GetTempPathA, LoadLibraryA, LoadResource, RtlMoveMemory, SizeofResource, VirtualAlloc, lstrcatA, CloseHandle, CreateFileA, FlushFileBuffers, WriteFile
                                                              No network behavior found


                                                              Target ID:0
                                                              Start time:05:27:17
                                                              Start date:12/08/2023
                                                              Path:C:\Users\user\Desktop\sublime.text.v4152-patch.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\sublime.text.v4152-patch.exe
                                                              Imagebase:0x1a0000
                                                              File size:840'704 bytes
                                                              MD5 hash:15F0F046C5A23F898A4162724A16BE09
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_GenericPatcher, Description: Yara detected Generic Patcher, Source: 00000000.00000002.886505239.0000000000830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:false

                                                                Execution Graph

                                                                Execution Coverage:6.7%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:6.9%
                                                                Total number of Nodes:1798
                                                                Total number of Limit Nodes:27
1000a7a8 9866->9867 9923 1000a06d 9867->9923 9869 1000a7b6 9879 1000a927 9869->9879 9928 1000a2b3 9869->9928 9873 1000a8a2 9874 1000a8aa malloc 9873->9874 9873->9879 9875 1000a91f 9874->9875 9878 1000a8c8 9874->9878 9876 10008be0 ??3@YAXPAX 9875->9876 9876->9879 9878->9875 9942 1000aa3d 9878->9942 9879->9842 9881 10009b71 9880->9881 9882 1000a06d malloc 9881->9882 9883 10009b7f 9882->9883 9887 10009c94 9883->9887 9888 1000a035 9883->9888 9947 1000a153 9883->9947 9885 1000a0db malloc 9889 10009d47 9885->9889 9886 1000a153 4 API calls 9886->9888 9887->9885 9887->9888 9888->9842 9889->9886 9889->9888 9891 1000ab14 9890->9891 9892 1000a06d malloc 9891->9892 9893 1000ab1f 9892->9893 9894 1000a0db malloc 9893->9894 9897 1000ac87 9893->9897 9895 1000abb4 9894->9895 9896 1000a2b3 3 API calls 9895->9896 9895->9897 9896->9897 9897->9842 9899 1000bbb6 9898->9899 9900 1000a06d malloc 9899->9900 9904 1000bbef 9900->9904 9901 1000a2b3 3 API calls 9902 1000bdc6 9901->9902 9903 1000a0db malloc 9902->9903 9905 1000bdd5 9902->9905 9903->9905 9904->9901 9904->9905 9905->9842 9907 1000addf 9906->9907 9908 1000a06d malloc 9907->9908 9915 1000aded 9908->9915 9909 1000b80d 9909->9842 9910 1000b023 9912 1000a2b3 3 API calls 9910->9912 9911 1000b034 _ftol 9911->9910 9913 1000b059 9912->9913 9913->9909 9914 1000a0db malloc 9913->9914 9921 1000b068 9914->9921 9915->9909 9915->9910 9915->9911 9916 1000b5ca malloc 9922 1000b55d 9916->9922 9917 1000b43e _ftol 9917->9921 9918 1000b79f 9918->9909 9953 1000b819 9918->9953 9919 10008be0 ??3@YAXPAX 9919->9922 9921->9909 9921->9917 9921->9922 9922->9916 9922->9918 9922->9919 9925 1000a074 9923->9925 9924 1000a0b2 9924->9869 9925->9924 9946 1000a0b6 malloc 9925->9946 9927 1000a09b 9927->9869 9929 1000a2c7 malloc 9928->9929 9930 1000a2bd 9928->9930 9931 1000a2e4 malloc 9929->9931 9932 1000a34b 9929->9932 9930->9929 9931->9932 9933 1000a2f7 9931->9933 9932->9879 9936 1000a0db 9932->9936 9934 10009274 malloc 9933->9934 9935 1000a302 9934->9935 9935->9932 
9937 10009274 malloc 9936->9937 9938 1000a0ec 9937->9938 9939 1000a0f8 9938->9939 9940 10009274 malloc 9938->9940 9939->9873 9941 1000a142 9940->9941 9941->9873 9943 1000aa4d 9942->9943 9944 1000aa87 _ftol 9943->9944 9945 1000aaab 9943->9945 9944->9945 9945->9878 9946->9927 9948 1000a2b3 3 API calls 9947->9948 9949 1000a16d 9948->9949 9950 1000a17e 9949->9950 9951 10009274 malloc 9949->9951 9952 10008be0 ??3@YAXPAX 9949->9952 9950->9887 9951->9949 9952->9949 9954 1000b829 9953->9954 9957 1000b855 9954->9957 9959 1000b8b4 9954->9959 9956 1000b8af 9956->9909 9957->9956 9958 1000b8b4 strtol 9957->9958 9958->9957 9960 1000b8b9 9959->9960 9961 1000b8bd strtol 9959->9961 9960->9954 9961->9954 9962->9810 9963->9812 9965 100070a9 9964->9965 9965->9822 9967 10007115 _ftol 9966->9967 9968 1000712d 9967->9968 9968->9967 9969 1000715c 9968->9969 9969->9831 9970 6c662dd0 9971 6c662dea GetDlgItem GetDlgItem 9970->9971 9972 6c663298 9970->9972 10115 6c662ad8 LoadCursorA 9971->10115 9975 6c6632b6 9972->9975 9976 6c663372 9972->9976 10010 6c66329f 9972->10010 9979 6c6632c9 9975->9979 10032 6c6632bf 9975->10032 9977 6c663377 9976->9977 9978 6c6633af 9976->9978 9982 6c663386 TrackPopupMenu 9977->9982 9977->10010 9983 6c6633c8 GetDlgCtrlID 9978->9983 9995 6c663556 9978->9995 9980 6c663320 9979->9980 9981 6c6632cf 9979->9981 9988 6c663326 9980->9988 9989 6c663330 9980->9989 9985 6c6632dc DialogBoxParamA 9981->9985 9981->10010 9982->10010 9990 6c6633d6 SendMessageA 9983->9990 9991 6c6633ec 9983->9991 9984 6c661460 3 API calls 10002 6c663604 9984->10002 10003 6c6632fb 9985->10003 9985->10010 9986 6c662e6e lstrcpyA CreateFontIndirectA SendMessageA 9987 6c662eab LoadIconA SendMessageA 9986->9987 10118 6c661460 9987->10118 10201 6c6662cd 9988->10201 9996 6c663336 9989->9996 9997 6c663340 9989->9997 10057 6c663543 9990->10057 9998 6c6633f9 GetDlgCtrlID 9991->9998 9991->10057 9992 6c662e47 9992->9986 9992->9987 9999 6c663584 9995->9999 10000 6c66355d 9995->10000 10233 6c663d1a 9996->10233 
10009 6c663353 ShowWindow ShowWindow 9997->10009 9997->10010 10007 6c663407 9998->10007 10008 6c663419 SetTextColor 9998->10008 10016 6c6635a0 9999->10016 10017 6c663589 9999->10017 10013 6c663566 CreateSolidBrush 10000->10013 10014 6c663573 10000->10014 10001 6c66362e 10253 6c6620bd 10001->10253 10002->10001 10026 6c66361b 10002->10026 10015 6c663308 MessageBoxA 10003->10015 10004 6c662ed9 10019 6c662f68 CheckDlgButton 10004->10019 10029 6c662ef6 SetWindowTextA 10004->10029 10005 6c66332b 10005->10010 10007->10008 10024 6c663464 10007->10024 10011 6c663446 SetBkColor CreateSolidBrush 10008->10011 10012 6c663430 SetBkMode GetStockObject 10008->10012 10009->10010 10011->10057 10012->10057 10013->10014 10015->10010 10021 6c6635a7 10016->10021 10022 6c6635cd 10016->10022 10242 6c663c60 10017->10242 10124 6c662afb GetDlgItem GetWindowRect GetDlgItem GetWindowRect IntersectRect 10019->10124 10021->10010 10028 6c6635b1 SendMessageA 10021->10028 10031 6c6635d4 10022->10031 10022->10032 10035 6c6634b5 10024->10035 10036 6c66346a SetTextColor 10024->10036 10248 6c663b6f GetModuleHandleA GetProcAddress 10026->10248 10028->10010 10122 6c662a53 10029->10122 10031->10010 10034 6c6635e1 ShowWindow 10031->10034 10032->9984 10032->10010 10034->10010 10042 6c663500 SetTextColor 10035->10042 10043 6c6634bb SetTextColor 10035->10043 10040 6c663497 SetBkColor CreateSolidBrush 10036->10040 10041 6c663481 SetBkMode GetStockObject 10036->10041 10040->10057 10041->10057 10050 6c663517 SetBkMode GetStockObject 10042->10050 10051 6c66352a SetBkColor CreateSolidBrush 10042->10051 10048 6c6634e5 SetBkColor CreateSolidBrush 10043->10048 10049 6c6634d2 SetBkMode GetStockObject 10043->10049 10044 6c662f97 10052 6c662fa0 ShowWindow 10044->10052 10053 6c662fad 10044->10053 10047 6c662a53 10055 6c662f16 SetDlgItemTextA 10047->10055 10048->10057 10049->10057 10050->10057 10051->10057 10052->10053 10056 6c661460 3 API calls 10053->10056 10059 6c662a53 10055->10059 10058 6c662fbc 10056->10058 10060 
6c662fd2 10058->10060 10125 6c662a7d 10058->10125 10061 6c662f27 SetDlgItemTextA 10059->10061 10140 6c665afe 10060->10140 10064 6c662a53 10061->10064 10066 6c662f3d SetDlgItemTextA 10064->10066 10069 6c662a53 10066->10069 10068 6c661460 3 API calls 10072 6c662fe6 10068->10072 10071 6c662f4e SetDlgItemTextA 10069->10071 10074 6c662a53 10071->10074 10073 6c663081 GetDlgItem SetWindowLongA 10072->10073 10078 6c66305a 10072->10078 10075 6c6630b3 GetDlgItem SetWindowLongA 10073->10075 10076 6c6630cf 10073->10076 10077 6c662f5f SetDlgItemTextA 10074->10077 10075->10076 10079 6c6630f4 10076->10079 10080 6c6630d8 GetDlgItem SetWindowLongA 10076->10080 10077->10019 10198 6c663c34 GetDlgItem SendMessageA 10078->10198 10148 6c6616e0 LoadBitmapA 10079->10148 10080->10079 10083 6c663067 10199 6c663c34 GetDlgItem SendMessageA 10083->10199 10086 6c6616e0 30 API calls 10088 6c663137 10086->10088 10087 6c663074 10200 6c663c34 GetDlgItem SendMessageA 10087->10200 10090 6c6616e0 30 API calls 10088->10090 10091 6c663156 10090->10091 10092 6c661460 3 API calls 10091->10092 10093 6c663165 10092->10093 10094 6c66316f 10093->10094 10159 6c662294 10093->10159 10096 6c662ad8 2 API calls 10094->10096 10097 6c66317a 6 API calls 10096->10097 10098 6c66320f 10097->10098 10099 6c6631eb SetClassLongA GetDlgItem SetClassLongA 10097->10099 10100 6c661460 3 API calls 10098->10100 10099->10098 10101 6c663225 10100->10101 10102 6c663256 10101->10102 10103 6c663229 10101->10103 10104 6c661460 3 API calls 10102->10104 10105 6c663230 SetTimer 10103->10105 10106 6c663249 10103->10106 10107 6c663265 10104->10107 10105->10106 10162 6c662244 CreateThread CloseHandle 10106->10162 10109 6c663254 10107->10109 10163 6c663ae0 10107->10163 10167 6c666089 GetTempPathA GetCurrentDirectoryA SetCurrentDirectoryA 10109->10167 10112 6c663277 10177 6c6638cc GetDlgItem 10112->10177 10116 6c662af7 LoadStringA 10115->10116 10117 6c662aec SetClassLongA 10115->10117 10116->9992 10117->10116 10119 6c661470 10118->10119 10121 
6c66147d 10119->10121 10265 6c66149b 10119->10265 10121->10004 10123 6c662a6a SetDlgItemTextA 10122->10123 10123->10047 10124->10044 10126 6c661460 3 API calls 10125->10126 10127 6c662a97 10126->10127 10128 6c662acd 10127->10128 10129 6c662a9b GetTempPathA lstrcatA 10127->10129 10128->10060 10131 6c661fe3 GetTempPathA lstrcatA LoadLibraryA 10128->10131 10269 6c666d4c CreateFileA 10129->10269 10132 6c6620b2 10131->10132 10133 6c662029 10131->10133 10132->10060 10134 6c662076 BASSMOD_Init 10133->10134 10135 6c66203a GetProcAddress 10133->10135 10134->10132 10137 6c66208a BASSMOD_MusicFree BASSMOD_MusicLoad 10134->10137 10136 6c66205a FreeLibrary 10135->10136 10139 6c66204a 10135->10139 10136->10132 10137->10132 10138 6c6620ab BASSMOD_MusicPlay 10137->10138 10138->10132 10139->10133 10141 6c66149b 3 API calls 10140->10141 10142 6c665b0f 10141->10142 10143 6c665b17 GetTempPathA lstrcatA 10142->10143 10144 6c662fd7 10142->10144 10145 6c666d4c 4 API calls 10143->10145 10144->10068 10146 6c665b48 LoadLibraryA 10145->10146 10146->10144 10147 6c665b56 GetProcAddress GetProcAddress GetProcAddress 10146->10147 10147->10144 10149 6c66189f 10148->10149 10150 6c6616fd LoadBitmapA 10148->10150 10149->10086 10151 6c661710 LoadBitmapA 10150->10151 10152 6c66170d 10150->10152 10153 6c661723 GetDlgItem 10151->10153 10154 6c661720 10151->10154 10152->10151 10153->10149 10155 6c661739 GetWindowRect GetWindowRect 10153->10155 10154->10153 10272 6c6618b0 GetWindowLongA GetWindowLongA 10155->10272 10158 6c66178e 11 API calls 10158->10149 10160 6c66229f ExtCreateRegion SetWindowRgn 10159->10160 10161 6c6622bb 10159->10161 10160->10161 10161->10094 10162->10109 10285 6c663b43 10162->10285 10164 6c663af5 10163->10164 10165 6c663aea 10163->10165 10164->10109 10290 6c663af9 GetModuleHandleA GetProcAddress 10165->10290 10173 6c6660d4 10167->10173 10168 6c66149b 3 API calls 10168->10173 10169 6c6661ab SetCurrentDirectoryA 10169->10112 10172 6c66149b 3 API calls 10172->10173 10173->10168 
10173->10169 10174 6c666d4c 4 API calls 10173->10174 10175 6c666162 LoadLibraryA 10173->10175 10293 6c662200 10173->10293 10174->10173 10175->10173 10176 6c666172 10175->10176 10176->10173 10178 6c6638ed ShowWindow 10177->10178 10179 6c66327c SetFocus 10177->10179 10180 6c663912 10178->10180 10180->10179 10181 6c663923 GetWindowRect GetWindowRect 10180->10181 10182 6c6618b0 12 API calls 10181->10182 10183 6c66397a 10182->10183 10184 6c661460 3 API calls 10183->10184 10185 6c663989 10184->10185 10186 6c661460 3 API calls 10185->10186 10187 6c6639a2 RtlZeroMemory lstrcpyA 10186->10187 10189 6c661460 3 API calls 10187->10189 10190 6c6639f9 10189->10190 10191 6c663a7b CreateFontIndirectA 10190->10191 10192 6c663a1a GetTempPathA lstrcatA lstrcatA 10190->10192 10297 6c661b8b CreateThread CloseHandle 10191->10297 10298 6c663a8f 10192->10298 10196 6c663a71 lstrcpyA 10196->10191 10197 6c663a6d 10197->10191 10198->10083 10199->10087 10200->10073 10202 6c6662df ShowWindow ShowWindow 10201->10202 10203 6c6662f9 SendMessageA LoadStringA 10201->10203 10202->10203 10314 6c6622c0 10203->10314 10206 6c6622c0 5 API calls 10223 6c666338 10206->10223 10207 6c66149b 3 API calls 10207->10223 10208 6c666520 LoadStringA 10209 6c6622c0 5 API calls 10208->10209 10211 6c666541 10209->10211 10600 6c666577 LoadBitmapA 10211->10600 10217 6c6664ab LoadStringA 10221 6c6622c0 5 API calls 10217->10221 10220 6c6664de LoadStringA 10222 6c6622c0 5 API calls 10220->10222 10221->10223 10222->10223 10223->10207 10223->10208 10223->10217 10223->10220 10225 6c6663b9 LoadStringA 10223->10225 10227 6c6622c0 SendMessageA SendMessageA SendMessageA GetStdHandle WriteFile 10223->10227 10230 6c666435 10223->10230 10321 6c664338 10223->10321 10365 6c664791 10223->10365 10398 6c665b9c 10223->10398 10473 6c665516 LoadStringA 10223->10473 10493 6c66498e LoadStringA 10223->10493 10535 6c664ee6 LoadStringA 10223->10535 10576 6c665266 LoadStringA 10223->10576 10592 6c6614e6 10223->10592 10596 6c66625c 10223->10596 10226 
6c6622c0 5 API calls 10225->10226 10226->10223 10227->10223 10231 6c6622c0 5 API calls 10230->10231 10232 6c66643f 10231->10232 10232->10208 10234 6c663d24 SendMessageA 10233->10234 10235 6c663d9c 10233->10235 10234->10235 10236 6c663d3d VirtualAlloc 10234->10236 10235->10005 10240 6c663d79 10236->10240 10237 6c663d85 10791 6c6671e0 10237->10791 10238 6c663d59 SendMessageA lstrcatA 10238->10240 10240->10237 10240->10238 10243 6c663c70 CreateSolidBrush SelectObject RoundRect 10242->10243 10246 6c663594 10242->10246 10244 6c663cb5 GetDlgItemTextA SetBkMode SetTextColor DrawTextA 10243->10244 10245 6c663ca8 OffsetRect 10243->10245 10244->10246 10247 6c663d00 OffsetRect 10244->10247 10245->10244 10247->10246 10249 6c663b95 GetWindowLongA SetWindowLongA 10248->10249 10250 6c663c16 10248->10250 10251 6c663bc1 10249->10251 10250->10001 10251->10250 10252 6c663bff Sleep UpdateWindow 10251->10252 10252->10251 10254 6c6620de DeleteFileA 10253->10254 10255 6c6620c8 BASSMOD_Free FreeLibrary 10253->10255 10256 6c663ac2 10254->10256 10255->10254 10257 6c663642 FreeLibrary DeleteFileA 10256->10257 10258 6c663acb RemoveFontResourceA DeleteFileA 10256->10258 10259 6c6661bc GetTempPathA 10257->10259 10258->10257 10260 6c666251 10259->10260 10261 6c66365c EndDialog 10260->10261 10262 6c6661e0 FreeLibrary 10260->10262 10261->10010 10263 6c662200 lstrcatA 10262->10263 10264 6c6661fa lstrcpyA lstrcatA lstrcatA lstrcatA DeleteFileA 10263->10264 10264->10260 10266 6c6614a9 FindResourceA 10265->10266 10267 6c6614bc SizeofResource LoadResource 10266->10267 10268 6c6614ba 10266->10268 10267->10268 10268->10119 10270 6c666d77 WriteFile FlushFileBuffers CloseHandle 10269->10270 10271 6c666d71 10269->10271 10270->10128 10271->10128 10273 6c661901 10272->10273 10274 6c6618d9 10272->10274 10275 6c661920 10273->10275 10276 6c661909 GetSystemMetrics GetSystemMetrics 10273->10276 10274->10273 10277 6c6618ed GetSystemMetrics 10274->10277 10278 6c6618f8 GetSystemMetrics 10274->10278 10279 6c66193d 
10275->10279 10280 6c661928 GetSystemMetrics GetSystemMetrics 10275->10280 10276->10279 10277->10273 10278->10273 10281 6c661945 GetSystemMetrics GetSystemMetrics 10279->10281 10282 6c66195a 10279->10282 10280->10279 10281->10282 10283 6c661772 ShowWindow 10282->10283 10284 6c661962 GetSystemMetrics GetSystemMetrics 10282->10284 10283->10158 10284->10283 10286 6c661460 3 API calls 10285->10286 10287 6c663b52 10286->10287 10288 6c663b6e 10287->10288 10289 6c663b6f 6 API calls 10287->10289 10289->10288 10291 6c663b16 GetWindowLongA SetWindowLongA 10290->10291 10292 6c663b3e 10290->10292 10291->10292 10292->10164 10295 6c662214 10293->10295 10294 6c66223a lstrcpyA lstrcatA lstrcatA lstrcatA 10294->10172 10295->10294 10296 6c662223 lstrcatA 10295->10296 10296->10295 10297->10179 10303 6c661bcc 10297->10303 10299 6c666d4c 4 API calls 10298->10299 10300 6c663aa0 10299->10300 10301 6c663aa4 lstrcpyA AddFontResourceA 10300->10301 10302 6c663a65 10300->10302 10301->10302 10302->10196 10302->10197 10304 6c661bdf Sleep lstrlenA GetDC GetDC CreateCompatibleDC 10303->10304 10306 6c661c1d SendMessageA 10304->10306 10307 6c661c2a SelectObject GetTextExtentPointA 10304->10307 10306->10307 10308 6c661de1 10307->10308 10309 6c661c4e 14 API calls 10307->10309 10313 6c661d49 10309->10313 10310 6c661dd5 Sleep 10310->10313 10311 6c661d53 BitBlt TextOutA 10311->10313 10312 6c661d93 BitBlt 10312->10313 10313->10310 10313->10311 10313->10312 10315 6c6622ce SendMessageA SendMessageA SendMessageA 10314->10315 10316 6c6622fc 10314->10316 10315->10316 10603 6c666d14 GetStdHandle 10316->10603 10318 6c662306 10319 6c666d14 2 API calls 10318->10319 10320 6c66230e 10319->10320 10320->10206 10322 6c66435d LoadStringA 10321->10322 10323 6c664358 10321->10323 10325 6c6622c0 5 API calls 10322->10325 10608 6c6640cf GetModuleHandleA GetProcAddress 10323->10608 10326 6c66437e 10325->10326 10612 6c662463 ExpandEnvironmentStringsA ExpandEnvironmentStringsA 10326->10612 10329 6c664397 10333 6c6645a2 
LoadStringA 10329->10333 10334 6c6645d0 LoadStringA 10329->10334 10330 6c6643a7 10335 6c6643af LoadStringA 10330->10335 10336 6c6643db LoadStringA 10330->10336 10331 6c6643fe LoadStringA 10332 6c6622c0 5 API calls 10331->10332 10337 6c6643fc 10332->10337 10338 6c6645ec 10333->10338 10334->10338 10339 6c6622c0 5 API calls 10335->10339 10340 6c6622c0 5 API calls 10336->10340 10341 6c664425 10337->10341 10342 6c66448a LoadStringA 10337->10342 10343 6c6622c0 5 API calls 10338->10343 10339->10329 10340->10337 10348 6c664467 LoadStringA 10341->10348 10349 6c66443b LoadStringA 10341->10349 10345 6c6622c0 5 API calls 10342->10345 10344 6c6645f2 10343->10344 10671 6c6628d8 10344->10671 10347 6c664488 10345->10347 10351 6c6644b4 10347->10351 10360 6c664532 10347->10360 10354 6c6622c0 5 API calls 10348->10354 10353 6c6622c0 5 API calls 10349->10353 10660 6c6665ae 10351->10660 10353->10329 10354->10347 10355 6c66460b 10355->10223 10356 6c6644d1 10358 6c6644d5 LoadStringA 10356->10358 10359 6c664508 LoadStringA 10356->10359 10361 6c6622c0 5 API calls 10358->10361 10362 6c6622c0 5 API calls 10359->10362 10360->10329 10363 6c664568 LoadStringA 10360->10363 10361->10329 10362->10329 10364 6c6622c0 5 API calls 10363->10364 10364->10329 10366 6c6647b6 LoadStringA 10365->10366 10367 6c6647b1 10365->10367 10369 6c6622c0 5 API calls 10366->10369 10368 6c6640cf 7 API calls 10367->10368 10368->10366 10370 6c6647d7 10369->10370 10371 6c662463 51 API calls 10370->10371 10372 6c6647ec 10371->10372 10373 6c6647f0 10372->10373 10374 6c66481c 10372->10374 10376 6c6628d8 22 API calls 10373->10376 10375 6c664829 10374->10375 10384 6c6648aa 10374->10384 10377 6c6665ae 9 API calls 10375->10377 10378 6c6647fb 10376->10378 10379 6c664846 10377->10379 10722 6c664616 GetSystemInfo CreateFileA 10378->10722 10381 6c66487d LoadStringA 10379->10381 10382 6c66484a LoadStringA 10379->10382 10386 6c6622c0 5 API calls 10381->10386 10385 6c6622c0 5 API calls 10382->10385 10383 6c664803 10390 6c664953 
LoadStringA 10383->10390 10391 6c664931 LoadStringA 10383->10391 10387 6c6648e9 LoadStringA 10384->10387 10388 6c66486b 10384->10388 10385->10388 10386->10388 10389 6c6622c0 5 API calls 10387->10389 10392 6c6628d8 22 API calls 10388->10392 10389->10384 10393 6c66496f 10390->10393 10391->10393 10392->10383 10394 6c6622c0 5 API calls 10393->10394 10395 6c664975 10394->10395 10396 6c664983 10395->10396 10397 6c6640fa 7 API calls 10395->10397 10396->10223 10397->10396 10399 6c665bc0 ExpandEnvironmentStringsA ExpandEnvironmentStringsA 10398->10399 10400 6c665bbb 10398->10400 10402 6c665bf8 10399->10402 10401 6c6640cf 7 API calls 10400->10401 10401->10399 10403 6c665c1b 10402->10403 10407 6c666ea0 lstrlenA 10402->10407 10404 6c665c76 LoadStringA 10403->10404 10405 6c665c27 GetModuleFileNameA 10403->10405 10406 6c6622c0 5 API calls 10404->10406 10408 6c665c46 10405->10408 10409 6c665c97 10406->10409 10410 6c665c07 lstrcpyA 10407->10410 10412 6c665c5c lstrcatA lstrcpyA 10408->10412 10413 6c665c4b lstrcatA 10408->10413 10411 6c6622c0 5 API calls 10409->10411 10410->10403 10414 6c665c9d 10411->10414 10412->10404 10413->10412 10415 6c665cf8 GetFileAttributesA 10414->10415 10416 6c665cb4 lstrcpyA 10414->10416 10417 6c665cec 10414->10417 10420 6c665d9b 10415->10420 10421 6c665d0b 10415->10421 10423 6c665ccd 10416->10423 10417->10415 10418 6c665dbe 10417->10418 10428 6c66603c SetEnvironmentVariableA lstrcpyA 10418->10428 10433 6c662368 10 API calls 10418->10433 10419 6c665df4 10427 6c666d4c 4 API calls 10419->10427 10420->10419 10424 6c665dcf lstrcpyA 10420->10424 10422 6c665d14 10421->10422 10425 6c665d1f LoadStringA MessageBoxA 10421->10425 10426 6c665d4b 10421->10426 10432 6c662313 5 API calls 10422->10432 10429 6c666ea0 lstrlenA 10423->10429 10430 6c665de8 10424->10430 10425->10426 10426->10422 10436 6c665d9d LoadStringA 10426->10436 10431 6c665e04 10427->10431 10435 6c66226a 10428->10435 10434 6c665cd3 10429->10434 10735 6c667170 10430->10735 10437 6c665e3d 10431->10437 
10438 6c665e08 GetFileAttributesA 10431->10438 10439 6c665d6f SetFileAttributesA LoadStringA 10432->10439 10433->10428 10733 6c667100 lstrcpyA GetSaveFileNameA 10434->10733 10441 6c666060 SetEnvironmentVariableA 10435->10441 10447 6c6622c0 5 API calls 10436->10447 10448 6c665e44 SetFileAttributesA 10437->10448 10449 6c665e71 10437->10449 10438->10418 10443 6c665e17 LoadStringA 10438->10443 10444 6c6622c0 5 API calls 10439->10444 10445 6c66607f 10441->10445 10446 6c66607a 10441->10446 10453 6c6622c0 5 API calls 10443->10453 10444->10420 10445->10223 10454 6c6640fa 7 API calls 10446->10454 10447->10418 10448->10449 10450 6c665e50 LoadStringA 10448->10450 10451 6c666006 LoadStringA 10449->10451 10452 6c665e7e LoadStringA 10449->10452 10455 6c6622c0 5 API calls 10450->10455 10457 6c6622c0 5 API calls 10451->10457 10456 6c6622c0 5 API calls 10452->10456 10453->10418 10454->10445 10455->10449 10458 6c665e9f 10456->10458 10457->10418 10459 6c665ea5 lstrcpyA 10458->10459 10460 6c665eca 10458->10460 10461 6c66226a 10459->10461 10462 6c665ed6 ExpandEnvironmentStringsA 10460->10462 10463 6c665ed2 10460->10463 10464 6c665ebe SetCurrentDirectoryA 10461->10464 10462->10463 10465 6c665fc4 ShellExecuteA 10463->10465 10466 6c665efb RtlZeroMemory RtlZeroMemory lstrcpyA 10463->10466 10464->10460 10467 6c665fd6 10465->10467 10468 6c665f63 lstrcatA lstrcatA lstrcatA CreateProcessA WaitForSingleObject 10466->10468 10469 6c665f2e GetCurrentDirectoryA lstrcatA lstrcatA 10466->10469 10467->10451 10470 6c665fdf LoadStringA 10467->10470 10468->10467 10469->10468 10471 6c6622c0 5 API calls 10470->10471 10472 6c666000 DeleteFileA 10471->10472 10472->10451 10474 6c6622c0 5 API calls 10473->10474 10475 6c665547 GetTempPathA lstrcatA 10474->10475 10476 6c665575 10475->10476 10477 6c66557a VirtualAlloc 10475->10477 10478 6c6640cf 7 API calls 10476->10478 10740 6c6657a2 10477->10740 10478->10477 10480 6c6655ac 10481 6c6655f5 10480->10481 10482 6c6655bb VirtualAlloc 10480->10482 10484 6c666d4c 4 API 
calls 10481->10484 10747 6c6656f6 VirtualAlloc ExpandEnvironmentStringsA 10482->10747 10485 6c665609 10484->10485 10486 6c665611 6 API calls 10485->10486 10487 6c66569c VirtualFree 10485->10487 10486->10487 10488 6c6656d1 DeleteFileA 10487->10488 10489 6c6656bb VirtualFree 10487->10489 10490 6c6656e6 10488->10490 10491 6c6656eb 10488->10491 10489->10488 10492 6c6640fa 7 API calls 10490->10492 10491->10223 10492->10491 10494 6c6622c0 5 API calls 10493->10494 10495 6c6649c9 10494->10495 10496 6c6649e3 10495->10496 10497 6c6640cf 7 API calls 10495->10497 10498 6c662463 51 API calls 10496->10498 10497->10496 10499 6c6649f4 10498->10499 10500 6c6649f8 10499->10500 10503 6c664a1b VirtualAlloc VirtualAlloc 10499->10503 10501 6c664ea5 LoadStringA 10500->10501 10502 6c664e83 LoadStringA 10500->10502 10504 6c664ec1 10501->10504 10502->10504 10505 6c664a55 WideCharToMultiByte LoadStringA 10503->10505 10506 6c664aa2 RtlMoveMemory 10503->10506 10508 6c6622c0 5 API calls 10504->10508 10507 6c6622c0 5 API calls 10505->10507 10531 6c664a99 10506->10531 10507->10531 10509 6c664ec7 10508->10509 10511 6c664edb 10509->10511 10513 6c6640fa 7 API calls 10509->10513 10510 6c664d74 10512 6c6628d8 22 API calls 10510->10512 10511->10223 10514 6c664d7e SetFileAttributesA 10512->10514 10513->10511 10518 6c664d9e MultiByteToWideChar lstrlenW 10514->10518 10522 6c664ddf 10514->10522 10515 6c664af3 RtlZeroMemory 10517 6c664b11 ExpandEnvironmentStringsA 10515->10517 10515->10531 10517->10531 10518->10522 10519 6c664b41 ExpandEnvironmentStringsA 10519->10531 10523 6c666d4c 4 API calls 10522->10523 10524 6c664dff 10523->10524 10525 6c664e03 10524->10525 10526 6c664e5d VirtualFree VirtualFree 10524->10526 10527 6c664e12 CreateFileA 10524->10527 10525->10526 10526->10500 10527->10526 10529 6c664e38 SetFileTime CloseHandle 10527->10529 10529->10526 10530 6c664c31 DialogBoxParamA 10530->10531 10531->10510 10531->10515 10531->10519 10531->10530 10532 6c664c9c RtlMoveMemory 10531->10532 10533 6c664cb9 
RtlMoveMemory RtlMoveMemory 10531->10533 10534 6c664ce3 RtlMoveMemory RtlMoveMemory 10531->10534 10753 6c663e20 10531->10753 10759 6c663da0 RtlZeroMemory 10531->10759 10532->10531 10533->10531 10534->10531 10536 6c6622c0 5 API calls 10535->10536 10537 6c664f10 10536->10537 10538 6c664f4b 10537->10538 10539 6c6640cf 7 API calls 10537->10539 10540 6c662463 51 API calls 10538->10540 10539->10538 10541 6c664f5b 10540->10541 10542 6c664f5f 10541->10542 10543 6c664f77 LoadStringA 10541->10543 10544 6c664f98 10541->10544 10761 6c6629c2 10542->10761 10545 6c6622c0 5 API calls 10543->10545 10548 6c664fd5 LoadStringA 10544->10548 10549 6c664fb2 LoadStringA 10544->10549 10554 6c664fd3 10544->10554 10545->10544 10553 6c6622c0 5 API calls 10548->10553 10552 6c6622c0 5 API calls 10549->10552 10550 6c66520e 10555 6c66524f 10550->10555 10561 6c6640fa 7 API calls 10550->10561 10551 6c6651cc CreateFileA 10556 6c665217 LoadStringA 10551->10556 10557 6c6651ed LoadStringA 10551->10557 10552->10554 10553->10554 10559 6c665045 LoadStringA 10554->10559 10560 6c665022 LoadStringA 10554->10560 10572 6c665043 10554->10572 10555->10223 10558 6c6622c0 5 API calls 10556->10558 10562 6c6622c0 5 API calls 10557->10562 10563 6c665238 CloseHandle 10558->10563 10566 6c6622c0 5 API calls 10559->10566 10565 6c6622c0 5 API calls 10560->10565 10561->10555 10562->10550 10563->10550 10564 6c6650ec 10564->10542 10567 6c665170 LoadStringA 10564->10567 10568 6c66519a LoadStringA 10564->10568 10565->10572 10566->10572 10569 6c6622c0 5 API calls 10567->10569 10570 6c6622c0 5 API calls 10568->10570 10569->10542 10570->10542 10571 6c6650ee LoadStringA 10573 6c6622c0 5 API calls 10571->10573 10572->10564 10572->10571 10574 6c6650cb LoadStringA 10572->10574 10573->10564 10575 6c6622c0 5 API calls 10574->10575 10575->10564 10577 6c6622c0 5 API calls 10576->10577 10578 6c665293 lstrcpyA lstrcatA lstrcatA 10577->10578 10579 6c6622c0 5 API calls 10578->10579 10580 6c6652ce lstrcpyA 10579->10580 10581 6c6652d9 

                                                                Control-flow Graph

                                                                C-Code - Quality: 91%
                                                                			E001A1037() {
                                                                				struct HRSRC__* _v8;
                                                                				void* _v12;
                                                                				long _v16;
                                                                				char _v1040;
                                                                				struct HRSRC__* _t24;
                                                                				struct HINSTANCE__* _t26;
                                                                				struct HINSTANCE__* _t27;
                                                                				intOrPtr* _t29;
                                                                				void* _t40;
                                                                				void* _t44;
                                                                				struct HINSTANCE__* _t45;
                                                                				void* _t46;
                                                                
                                                                				 *0x1a3030 = GetModuleHandleA(0);
                                                                				_v12 = 0;
                                                                				_t24 = FindResourceA(0, 0x1a3000, 0xa);
                                                                				if(_t24 != 0) {
                                                                					_v8 = _t24;
                                                                					_v16 = SizeofResource(0, _v8);
                                                                					_t44 = LoadResource(0, _v8);
                                                                					if(_t44 != 0) {
                                                                						_v12 = _t44;
                                                                					}
                                                                				}
                                                                				if(_v12 != 0) {
                                                                					_t40 = VirtualAlloc(0, _v16, 0x1000, 4); // executed
                                                                					_t46 = _t40;
                                                                					RtlMoveMemory(_t46, _v12, _v16);
                                                                					_v12 = _t46;
                                                                					E001A1000(_t40, _v12, _v16, 0xdeadbeef);
                                                                				}
                                                                				if(_v12 != 0) {
                                                                					GetTempPathA(0x400,  &_v1040);
                                                                					lstrcatA( &_v1040, 0x1a3004);
                                                                					E001A1184( &_v1040, _v12, _v16); // executed
                                                                				}
                                                                				_t26 = LoadLibraryA( &_v1040); // executed
                                                                				_t27 = _t26;
                                                                				if(_t27 == 0) {
                                                                					return _t27;
                                                                				} else {
                                                                					_t45 = _t27;
                                                                					_t29 = GetProcAddress(_t45, 0x1a3015);
                                                                					if(_t29 != 0) {
                                                                						 *_t29();
                                                                					}
                                                                					FreeLibrary(_t45);
                                                                					return DeleteFileA( &_v1040);
                                                                				}
                                                                			}
















                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,001A1030), ref: 001A1045
                                                                • FindResourceA.KERNEL32(00000000,001A3000,0000000A), ref: 001A105F
                                                                • SizeofResource.KERNEL32(00000000,?,00000000,?,?,?,?,001A1030), ref: 001A1070
                                                                • LoadResource.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,001A1030), ref: 001A107D
                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,?,?,?,001A1030), ref: 001A109B
                                                                • RtlMoveMemory.KERNEL32(00000000,00000000,?,00000000,?,00001000,00000004,00000000,?,?,?,?,001A1030), ref: 001A10A9
                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,?,?,?,?,001A1030), ref: 001A10D3
                                                                • lstrcatA.KERNEL32(?,001A3004,00000400,?,00000000,?,?,?,?,001A1030), ref: 001A10E4
                                                                • LoadLibraryA.KERNEL32(?,00000000,?,?,?,?,001A1030), ref: 001A1102
                                                                • GetProcAddress.KERNEL32(00000000,001A3015), ref: 001A1113
                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,001A1030), ref: 001A111F
                                                                • DeleteFileA.KERNEL32(?,00000000,?,00000000,?,?,?,?,001A1030), ref: 001A112B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886349851.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                                • Associated: 00000000.00000002.886340181.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.886354971.00000000001A2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.886360847.00000000001A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a0000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Resource$LibraryLoad$AddressAllocDeleteFileFindFreeHandleMemoryModuleMovePathProcSizeofTempVirtuallstrcat
                                                                • String ID:
                                                                • API String ID: 528216020-0
                                                                • Opcode ID: e6ae1c4f3659cbc7d5c9115780725f24306a8ae83c4151add1a62c65f76a21cb
                                                                • Instruction ID: 9bb1f59a9fbdc48b2a3f668adf9b2d97f6227db4d83df83e2867f1c30e2cd88d
                                                                • Opcode Fuzzy Hash: e6ae1c4f3659cbc7d5c9115780725f24306a8ae83c4151add1a62c65f76a21cb
                                                                • Instruction Fuzzy Hash: 3D215EBDE40208BADF21ABF08C86FADBBB9AF16750F104491F314B6191DB714B85DB24
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                [Control-flow graph of the function at 6c662dd0; legend: Executed / Not Executed]
                                                                C-Code - Quality: 98%
                                                                			E6C662DD0(struct HWND__* _a4, int _a8, int _a12, signed int _a16) {
                                                                				int _t55;
                                                                				int _t56;
                                                                				int _t58;
                                                                				void* _t66;
                                                                				intOrPtr _t81;
                                                                				int _t101;
                                                                				int _t106;
                                                                				char _t113;
                                                                				intOrPtr _t117;
                                                                				int _t118;
                                                                				char _t120;
                                                                				void* _t122;
                                                                				void* _t125;
                                                                				intOrPtr _t128;
                                                                				void* _t131;
                                                                				struct HMENU__* _t134;
                                                                				void* _t141;
                                                                				intOrPtr _t143;
                                                                				intOrPtr _t150;
                                                                				void* _t166;
                                                                				CHAR* _t176;
                                                                				intOrPtr _t187;
                                                                				long _t191;
                                                                				void* _t192;
                                                                				void* _t196;
                                                                				intOrPtr _t197;
                                                                				struct HWND__* _t198;
                                                                				intOrPtr _t199;
                                                                				struct HMENU__* _t200;
                                                                				void* _t201;
                                                                				void* _t202;
                                                                
                                                                				_t55 = _a8;
                                                                				if(_t55 != 0x110) {
                                                                					__eflags = _t55 - 0x113;
                                                                					if(_t55 != 0x113) {
                                                                						__eflags = _t55 - 0x111;
                                                                						if(_t55 != 0x111) {
                                                                							__eflags = _t55 - 0x7b;
                                                                							if(_t55 != 0x7b) {
                                                                								__eflags = _t55 - 0x138;
                                                                								if(_t55 == 0x138) {
                                                                									L62:
                                                                									_t56 = GetDlgCtrlID(_a16);
                                                                									__eflags = _t56 - 0x67;
                                                                									if(_t56 != 0x67) {
                                                                										__eflags =  *0x6c66e537 - 1;
                                                                										if( *0x6c66e537 != 1) {
                                                                											return 0;
                                                                										}
                                                                										_t58 = GetDlgCtrlID(_a16);
                                                                										__eflags = _t58 - 0x65;
                                                                										if(_t58 == 0x65) {
                                                                											L69:
                                                                											SetTextColor(_a12,  *0x6c66e940);
                                                                											__eflags =  *0x6c66e93c - 0xffffffff;
                                                                											if( *0x6c66e93c != 0xffffffff) {
                                                                												SetBkColor(_a12,  *0x6c66e93c);
                                                                												return CreateSolidBrush( *0x6c66e93c);
                                                                											}
                                                                											SetBkMode(_a12, 1);
                                                                											return GetStockObject(5);
                                                                										}
                                                                										__eflags = _t58 - 0x66;
                                                                										if(_t58 == 0x66) {
                                                                											goto L69;
                                                                										}
                                                                										__eflags = _t58 - 0x68;
                                                                										if(_t58 == 0x68) {
                                                                											goto L69;
                                                                										}
                                                                										__eflags = _t58 - 0x69;
                                                                										if(_t58 != 0x69) {
                                                                											__eflags = _t58 - 0x6a;
                                                                											if(_t58 != 0x6a) {
                                                                												__eflags = _t58 - 0x6f;
                                                                												if(_t58 != 0x6f) {
                                                                													SetTextColor(_a12,  *0x6c66e940);
                                                                													__eflags =  *0x6c66e93c - 0xffffffff;
                                                                													if( *0x6c66e93c != 0xffffffff) {
                                                                														SetBkColor(_a12,  *0x6c66e938);
                                                                														_t66 = CreateSolidBrush( *0x6c66e938);
                                                                													} else {
                                                                														SetBkMode(_a12, 1);
                                                                														_t66 = GetStockObject(5);
                                                                													}
                                                                													return _t66;
                                                                												}
                                                                												SetTextColor(_a12,  *0x6c66e948);
                                                                												__eflags =  *0x6c66e94c - 0xffffffff;
                                                                												if( *0x6c66e94c != 0xffffffff) {
                                                                													SetBkColor(_a12,  *0x6c66e944);
                                                                													return CreateSolidBrush( *0x6c66e944);
                                                                												}
                                                                												SetBkMode(_a12, 1);
                                                                												return GetStockObject(5);
                                                                											}
                                                                											SetTextColor(_a12,  *0x6c66e950);
                                                                											__eflags =  *0x6c66e94c - 0xffffffff;
                                                                											if( *0x6c66e94c != 0xffffffff) {
                                                                												SetBkColor(_a12,  *0x6c66e94c);
                                                                												return CreateSolidBrush( *0x6c66e94c);
                                                                											}
                                                                											SetBkMode(_a12, 1);
                                                                											return GetStockObject(5);
                                                                										}
                                                                										goto L69;
                                                                									}
                                                                									return SendMessageA(_a16, _a8, _a12, _a16);
                                                                								}
                                                                								__eflags = _t55 - 0x133;
                                                                								if(_t55 == 0x133) {
                                                                									goto L62;
                                                                								}
                                                                								__eflags = _t55 - 0x134;
                                                                								if(_t55 == 0x134) {
                                                                									goto L62;
                                                                								}
                                                                								__eflags = _t55 - 0x136;
                                                                								if(_t55 == 0x136) {
                                                                									__eflags =  *0x6c66e537 - 1;
                                                                									if( *0x6c66e537 != 1) {
                                                                										return 0;
                                                                									}
                                                                									return CreateSolidBrush( *0x6c66e938);
                                                                								}
                                                                								__eflags = _t55 - 0x2b;
                                                                								if(_t55 != 0x2b) {
                                                                									__eflags = _t55 - 0x200;
                                                                									if(_t55 != 0x200) {
                                                                										__eflags = _t55 - 0x205;
                                                                										if(_t55 != 0x205) {
                                                                											__eflags = _t55 - 0x10;
                                                                											if(_t55 != 0x10) {
                                                                												return 0;
                                                                											} else {
                                                                												goto L100;
                                                                											}
                                                                										} else {
                                                                											__eflags =  *0x6c66d90c - 1;
                                                                											if( *0x6c66d90c == 1) {
                                                                												ShowWindow(_a4, 6);
                                                                											}
                                                                											goto L105;
                                                                										}
                                                                									} else {
                                                                										__eflags = _a12 - 1;
                                                                										if(_a12 == 1) {
                                                                											SendMessageA( *0x6c66d8a6, 0x112, 0xf012, 0);
                                                                										}
                                                                										goto L105;
                                                                									}
                                                                								} else {
                                                                									return E6C663C60(_a4, _a16);
                                                                								}
                                                                							} else {
                                                                								__eflags = _a12 -  *0x6c66d8be; // 0x403ce
                                                                								if(__eflags == 0) {
                                                                									TrackPopupMenu( *0x6c66d903, 0, _a16 & 0x0000ffff, _a16 >> 0x10, 0, _a4, 0);
                                                                								}
                                                                								goto L105;
                                                                							}
                                                                						} else {
                                                                							_t101 = _a12;
                                                                							__eflags = _t101 - 0x6e;
                                                                							if(_t101 != 0x6e) {
                                                                								__eflags = _t101 - 0x6d;
                                                                								if(_t101 != 0x6d) {
                                                                									__eflags = _t101 - 0x6c;
                                                                									if(_t101 != 0x6c) {
                                                                										__eflags = _t101 - 0xc9;
                                                                										if(_t101 != 0xc9) {
                                                                											__eflags = _t101 - 0xca;
                                                                											if(_t101 == 0xca) {
                                                                												__eflags =  *0x6c66d902 - 1;
                                                                												if( *0x6c66d902 == 1) {
                                                                													ShowWindow( *0x6c66d8be, 0);
                                                                													ShowWindow( *0x6c66d8c2, 5);
                                                                												}
                                                                											}
                                                                										} else {
                                                                											E6C663D1A();
                                                                										}
                                                                									} else {
                                                                										E6C6662CD(_t192, _t196);
                                                                									}
                                                                								} else {
                                                                									__eflags =  *0x6c66d8aa;
                                                                									if( *0x6c66d8aa != 0) {
                                                                										_t106 = DialogBoxParamA( *0x6c66d8a2, 2,  *0x6c66d8a6, E6C663690, 0);
                                                                										__eflags = _t106 - 0xffffffff;
                                                                										if(_t106 == 0xffffffff) {
                                                                											MessageBoxA( *0x6c66d8a6, E6C662A53( *0x6c66d8aa, 8), "About", 0x40);
                                                                										}
                                                                									}
                                                                								}
                                                                							} else {
                                                                								L100:
                                                                								_t81 = E6C661460( *0x6c66d8a2, 0x12, 1);
                                                                								__eflags = _t81;
                                                                								if(_t81 != 0) {
                                                                									_t187 = _t81;
                                                                									E6C661BB2(0x6c66f15f);
                                                                									__eflags =  *((intOrPtr*)(_t187 + 5));
                                                                									if( *((intOrPtr*)(_t187 + 5)) != 0) {
                                                                										E6C663B6F( *0x6c66d8a6,  *((intOrPtr*)(_t187 + 5)),  *((intOrPtr*)(_t187 + 9)), 1);
                                                                									}
                                                                								}
                                                                								E6C6620BD();
                                                                								DeleteFileA(0x6c66e111);
                                                                								E6C663AC2();
                                                                								FreeLibrary( *0x6c672239);
                                                                								DeleteFileA(0x6c67223d);
                                                                								E6C6661BC();
                                                                								EndDialog( *0x6c66d8a6, 0);
                                                                							}
                                                                							goto L105;
                                                                						}
                                                                					} else {
                                                                						 *0x6c66d90c = 1;
                                                                						L105:
                                                                						return 1;
                                                                					}
                                                                				} else {
                                                                					_push(_a4);
                                                                					_pop( *0x6c66d8a6);
                                                                					 *0x6c66d8be = GetDlgItem( *0x6c66d8a6, 0x6f);
                                                                					 *0x6c66d8c2 = GetDlgItem( *0x6c66d8a6, 0x6a);
                                                                					E6C662AD8( *0x6c66d8be);
                                                                					LoadStringA( *0x6c66d8a2, 0xb, 0x6c67463d, 0x400);
                                                                					_t113 =  *0x6c67463d;
                                                                					_t197 =  *0x6C67463E;
                                                                					if(_t113 < 0x20 || _t113 > 0x7f || _t197 < 0x20 || _t197 > 0x7f) {
                                                                						 *0x6c66d90b = 1;
                                                                					} else {
                                                                						 *0x6c66d90b = 0;
                                                                					}
                                                                					if( *0x6c66d90b == 0) {
                                                                						lstrcpyA("Courier New", "Courier New");
                                                                						0x6c66d8c6->lfHeight = 0xe;
                                                                						 *0x6c66d8d6 = 0x190;
                                                                						SendMessageA( *0x6c66d8be, 0x30, CreateFontIndirectA(0x6c66d8c6), 1);
                                                                					}
                                                                					SendMessageA( *0x6c66d8a6, 0x80, 1, LoadIconA(0, 0x1f4)); // executed
                                                                					_t117 = E6C661460( *0x6c66d8a2, 1, 1);
                                                                					if(_t117 != 0) {
                                                                						 *0x6c66d8aa = _t117;
                                                                						_t199 = _t117;
                                                                						_t198 =  *0x6c66d8a6; // 0x30206
                                                                						SetWindowTextA(_t198, E6C662A53(_t199, 1)); // executed
                                                                						SetDlgItemTextA(_t198, 0x65, E6C662A53(_t199, 2)); // executed
                                                                						SetDlgItemTextA(_t198, 0x66, E6C662A53(_t199, 3)); // executed
                                                                						_t176 = E6C662A53(_t199, 4);
                                                                						 *0x6c66d8b6 = _t176;
                                                                						SetDlgItemTextA(_t198, 0x67, _t176); // executed
                                                                						SetDlgItemTextA(_t198, 0x68, E6C662A53(_t199, 5)); // executed
                                                                						SetDlgItemTextA(_t198, 0x6a, E6C662A53(_t199, 7)); // executed
                                                                						SetDlgItemTextA(_t198, 0x69, E6C662A53(_t199, 6)); // executed
                                                                					}
                                                                					if(( *(_t199 + 1) & 0x00000002) == 0) {
                                                                						_t118 = 1;
                                                                					} else {
                                                                						_t118 = 0;
                                                                					}
                                                                					CheckDlgButton( *0x6c66d8a6, 0x6b, _t118);
                                                                					_t120 = E6C662AFB(_a4, 0x6a, 0x6f);
                                                                					 *0x6c66d902 = _t120;
                                                                					if(_t120 == 1) {
                                                                						ShowWindow( *0x6c66d8be, 0); // executed
                                                                					}
                                                                					_t122 = E6C661460( *0x6c66d8a2, 2, 1);
                                                                					if(_t122 != 0) {
                                                                						_t202 = _t122; // executed
                                                                						_t166 = E6C662A7D(); // executed
                                                                						if(_t166 != 0) {
                                                                							E6C661FE3(_t202 + 1); // executed
                                                                						}
                                                                					}
                                                                					E6C665AFE();
                                                                					_t125 = E6C661460( *0x6c66d8a2, 0xa, 1);
                                                                					if(_t125 != 0) {
                                                                						_t201 = _t125;
                                                                						 *0x6c66e537 = 1;
                                                                						 *0x6c66e938 =  *((intOrPtr*)(_t201 + 1));
                                                                						 *0x6c66e93c =  *((intOrPtr*)(_t201 + 5));
                                                                						 *0x6c66e940 =  *((intOrPtr*)(_t201 + 9));
                                                                						 *0x6c66e944 =  *((intOrPtr*)(_t201 + 0xd));
                                                                						 *0x6c66e948 =  *((intOrPtr*)(_t201 + 0x11));
                                                                						 *0x6c66e94c =  *((intOrPtr*)(_t201 + 0x15));
                                                                						 *0x6c66e950 =  *((intOrPtr*)(_t201 + 0x19));
                                                                						 *0x6c66e954 =  *((intOrPtr*)(_t201 + 0x1d));
                                                                						 *0x6c66e958 =  *((intOrPtr*)(_t201 + 0x21));
                                                                						if( *0x6c66e954 != 0xffffffff &&  *0x6c66e958 != 0xffffffff) {
                                                                							E6C663C34( *0x6c66d8a6, 0x6c);
                                                                							E6C663C34( *0x6c66d8a6, 0x6d);
                                                                							E6C663C34( *0x6c66d8a6, 0x6e);
                                                                						}
                                                                					}
                                                                					 *0x6c66d8ae = GetDlgItem( *0x6c66d8a6, 0x67);
                                                                					 *0x6c66d8ba = SetWindowLongA( *0x6c66d8ae, 0xfffffffc,  &M6C662B40);
                                                                					if( *0x6c66e94c == 0xffffffff) {
                                                                						 *0x6c66e52f = SetWindowLongA(GetDlgItem(_a4, 0x6a), 0xfffffffc, 0x6c662cf0);
                                                                					}
                                                                					if( *0x6c66e944 == 0xffffffff) {
                                                                						 *0x6c66e533 = SetWindowLongA(GetDlgItem(_a4, 0x6f), 0xfffffffc, 0x6c662cf0);
                                                                					}
                                                                					_t128 = E6C6616E0( *0x6c66d8a2, _a4, "BTN_PATCH_UP", "BTN_PATCH_DOWN", "BTN_PATCH_OVER", 0x6c); // executed
                                                                					 *0x6c66d907 = _t128;
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_ABOUT_UP", "BTN_ABOUT_DOWN", "BTN_ABOUT_OVER", 0x6d); // executed
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_EXIT_UP", "BTN_EXIT_DOWN", "BTN_EXIT_OVER", "true"); // executed
                                                                					_t131 = E6C661460( *0x6c66d8a2, 0xf, "true");
                                                                					_t132 = _t131;
                                                                					if(_t131 != 0) {
                                                                						E6C662294(_t132); // executed
                                                                					}
                                                                					E6C662AD8( *0x6c66d8a6);
                                                                					_t134 = CreatePopupMenu();
                                                                					 *0x6c66d903 = _t134;
                                                                					_t200 = _t134;
                                                                					LoadStringA( *0x6c66d8a2, 0xe, 0x6c674a3d, 0x400);
                                                                					AppendMenuA(_t200, 0, 0xc9, 0x6c674a3d);
                                                                					LoadStringA( *0x6c66d8a2, 0xf, 0x6c674e3d, 0x400);
                                                                					AppendMenuA(_t200, 0, 0xca, 0x6c674e3d);
                                                                					_t191 = LoadCursorA( *0x6c66d8a2, 2);
                                                                					if(_t191 != 0) {
                                                                						SetClassLongA( *0x6c66d8ae, 0xfffffff4, _t191);
                                                                						SetClassLongA(GetDlgItem( *0x6c66d8a6, 0x6c), 0xfffffff4, _t191);
                                                                					}
                                                                					 *0x6c66d90c = 1;
                                                                					_t141 = E6C661460( *0x6c66d8a2, 0x12, 1);
                                                                					if(_t141 == 0) {
                                                                						_t143 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                						__eflags = _t143;
                                                                						if(_t143 != 0) {
                                                                							E6C663AE0(_a4, _t143); // executed
                                                                						}
                                                                					} else {
                                                                						_t150 =  *((intOrPtr*)(_t141 + 1));
                                                                						if(_t150 != 0) {
                                                                							SetTimer(_a4, 0, _t150 + 0x3e8, 0); // executed
                                                                							 *0x6c66d90c = 0;
                                                                						}
                                                                						E6C662244(E6C663B43); // executed
                                                                					}
                                                                					E6C666089(); // executed
                                                                					E6C6638CC(); // executed
                                                                					SetFocus( *0x6c66d8a6);
                                                                					return 1;
                                                                				}
                                                                				goto L106;
                                                                			}

                                                                APIs
                                                                • GetDlgItem.USER32 ref: 6C662DFB
                                                                • GetDlgItem.USER32 ref: 6C662E0D
                                                                  • Part of subcall function 6C662AD8: LoadCursorA.USER32(00000001), ref: 6C662AE3
                                                                  • Part of subcall function 6C662AD8: SetClassLongA.USER32(?,000000F4,00000000), ref: 6C662AF2
                                                                • LoadStringA.USER32(0000000B,6C67463D,00000400,0000006F), ref: 6C662E34
                                                                • lstrcpyA.KERNEL32(Courier New,Courier New,0000000B,6C67463D,00000400,0000006F,?), ref: 6C662E78
                                                                • CreateFontIndirectA.GDI32(6C66D8C6), ref: 6C662E96
                                                                • SendMessageA.USER32(00000030,00000000,00000001,6C66D8C6), ref: 6C662EA6
                                                                • LoadIconA.USER32(00000000,000001F4), ref: 6C662EB2
                                                                • SendMessageA.USER32(00000080,00000001,00000000,0000000B), ref: 6C662EC5
                                                                • SetWindowTextA.USER32(00030206,00000000), ref: 6C662EF8
                                                                • SetDlgItemTextA.USER32(00030206,00000065,00000000), ref: 6C662F09
                                                                • SetDlgItemTextA.USER32(00030206,00000066,00000000), ref: 6C662F1A
                                                                • SetDlgItemTextA.USER32(00030206,00000067,00000000), ref: 6C662F30
                                                                • SetDlgItemTextA.USER32(00030206,00000068,00000000), ref: 6C662F41
                                                                • SetDlgItemTextA.USER32(00030206,0000006A,00000000), ref: 6C662F52
                                                                • SetDlgItemTextA.USER32(00030206,00000069,00000000), ref: 6C662F63
                                                                • CheckDlgButton.USER32(0000006B,00000001,00000001), ref: 6C662F86
                                                                • ShowWindow.USER32(00000000,00000001,00000080,00000001,00000000,0000000B,6C67463D,00000400,0000006F,?), ref: 6C662FA8
                                                                • GetDlgItem.USER32 ref: 6C663089
                                                                • SetWindowLongA.USER32 ref: 6C6630A0
                                                                • GetDlgItem.USER32 ref: 6C6630B8
                                                                • SetWindowLongA.USER32 ref: 6C6630C5
                                                                • GetDlgItem.USER32 ref: 6C6630DD
                                                                • SetWindowLongA.USER32 ref: 6C6630EA
                                                                • CreatePopupMenu.USER32 ref: 6C66317A
                                                                • LoadStringA.USER32(0000000E,6C674A3D,00000400,00000001), ref: 6C663198
                                                                • AppendMenuA.USER32(00000000,00000000,000000C9,6C674A3D), ref: 6C6631AA
                                                                • LoadStringA.USER32(0000000F,6C674E3D,00000400,0000000E), ref: 6C6631C1
                                                                • AppendMenuA.USER32(00000000,00000000,000000CA,6C674E3D), ref: 6C6631D3
                                                                • LoadCursorA.USER32(00000002,00000000), ref: 6C6631E0
                                                                • SetClassLongA.USER32(000000F4,00000000,00000002), ref: 6C6631F4
                                                                • GetDlgItem.USER32 ref: 6C663201
                                                                • SetClassLongA.USER32(00000000,000000F4,00000000), ref: 6C66320A
                                                                • SetTimer.USER32 ref: 6C66323D
                                                                • SetFocus.USER32(0000000B,00000001,00000012,00000001,00000002,00000000,00000000,000000CA,6C674E3D,0000000F,6C674E3D,00000400,0000000E,6C674A3D,00000400,00000001), ref: 6C663282
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Item$Text$LoadLong$Window$ClassMenuString$AppendCreateCursorMessageSend$ButtonCheckFocusFontIconIndirectPopupShowTimerlstrcpy
                                                                • String ID: =Fgl$About$BTN_ABOUT_DOWN$BTN_ABOUT_OVER$BTN_ABOUT_UP$BTN_EXIT_DOWN$BTN_EXIT_OVER$BTN_EXIT_UP$BTN_PATCH_DOWN$BTN_PATCH_OVER$BTN_PATCH_UP$Courier New$Courier New
                                                                • API String ID: 131015904-1089521236
                                                                • Opcode ID: 5f4c86564df528a90ee6a6a2aada044a30e1400e60b72f8c74e27c16cecb3192
                                                                • Instruction ID: 37f47880f84d77b60687483d5f90b07945c4b8d9a52de2edd7599d8b2a048eda
                                                                • Opcode Fuzzy Hash: 5f4c86564df528a90ee6a6a2aada044a30e1400e60b72f8c74e27c16cecb3192
                                                                • Instruction Fuzzy Hash: 0112B430245640BAEF216F27DC85FE93A76EB0371CF144635F211A6EE0C7B288599A5F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                C-Code - Quality: 98%
                                                                			E6C662DC9(struct HWND__* _a4, int _a8, int _a12, signed int _a16) {
                                                                				int _t55;
                                                                				int _t56;
                                                                				long _t57;
                                                                				int _t58;
                                                                				intOrPtr _t73;
                                                                				struct HBRUSH__* _t87;
                                                                				int _t92;
                                                                				int _t97;
                                                                				char _t104;
                                                                				intOrPtr _t108;
                                                                				int _t109;
                                                                				char _t111;
                                                                				void* _t113;
                                                                				void* _t116;
                                                                				intOrPtr _t119;
                                                                				void* _t122;
                                                                				struct HMENU__* _t125;
                                                                				void* _t132;
                                                                				intOrPtr _t134;
                                                                				intOrPtr _t141;
                                                                				void* _t157;
                                                                				CHAR* _t167;
                                                                				intOrPtr _t182;
                                                                				long _t188;
                                                                				void* _t190;
                                                                				void* _t194;
                                                                				intOrPtr _t195;
                                                                				struct HWND__* _t203;
                                                                				intOrPtr _t204;
                                                                				struct HMENU__* _t210;
                                                                				void* _t212;
                                                                				void* _t213;
                                                                
                                                                				_push(_t204);
                                                                				_t55 = _a8;
                                                                				if(_t55 != 0x110) {
                                                                					__eflags = _t55 - 0x113;
                                                                					if(_t55 != 0x113) {
                                                                						__eflags = _t55 - 0x111;
                                                                						if(_t55 != 0x111) {
                                                                							__eflags = _t55 - 0x7b;
                                                                							if(_t55 != 0x7b) {
                                                                								__eflags = _t55 - 0x138;
                                                                								if(_t55 == 0x138) {
                                                                									L63:
                                                                									_t56 = GetDlgCtrlID(_a16);
                                                                									__eflags = _t56 - 0x67;
                                                                									if(_t56 != 0x67) {
                                                                										__eflags =  *0x6c66e537 - 1;
                                                                										if( *0x6c66e537 != 1) {
                                                                											_t57 = 0;
                                                                										} else {
                                                                											_t58 = GetDlgCtrlID(_a16);
                                                                											__eflags = _t58 - 0x65;
                                                                											if(_t58 == 0x65) {
                                                                												L70:
                                                                												SetTextColor(_a12,  *0x6c66e940);
                                                                												__eflags =  *0x6c66e93c - 0xffffffff;
                                                                												if( *0x6c66e93c != 0xffffffff) {
                                                                													SetBkColor(_a12,  *0x6c66e93c);
                                                                													_t57 = CreateSolidBrush( *0x6c66e93c);
                                                                												} else {
                                                                													SetBkMode(_a12, 1);
                                                                													_t57 = GetStockObject(5);
                                                                												}
                                                                											} else {
                                                                												__eflags = _t58 - 0x66;
                                                                												if(_t58 == 0x66) {
                                                                													goto L70;
                                                                												} else {
                                                                													__eflags = _t58 - 0x68;
                                                                													if(_t58 == 0x68) {
                                                                														goto L70;
                                                                													} else {
                                                                														__eflags = _t58 - 0x69;
                                                                														if(_t58 != 0x69) {
                                                                															__eflags = _t58 - 0x6a;
                                                                															if(_t58 != 0x6a) {
                                                                																__eflags = _t58 - 0x6f;
                                                                																if(_t58 != 0x6f) {
                                                                																	SetTextColor(_a12,  *0x6c66e940);
                                                                																	__eflags =  *0x6c66e93c - 0xffffffff;
                                                                																	if( *0x6c66e93c != 0xffffffff) {
                                                                																		SetBkColor(_a12,  *0x6c66e938);
                                                                																		_t57 = CreateSolidBrush( *0x6c66e938);
                                                                																	} else {
                                                                																		SetBkMode(_a12, 1);
                                                                																		_t57 = GetStockObject(5);
                                                                																	}
                                                                																} else {
                                                                																	SetTextColor(_a12,  *0x6c66e948);
                                                                																	__eflags =  *0x6c66e94c - 0xffffffff;
                                                                																	if( *0x6c66e94c != 0xffffffff) {
                                                                																		SetBkColor(_a12,  *0x6c66e944);
                                                                																		_t57 = CreateSolidBrush( *0x6c66e944);
                                                                																	} else {
                                                                																		SetBkMode(_a12, 1);
                                                                																		_t57 = GetStockObject(5);
                                                                																	}
                                                                																}
                                                                															} else {
                                                                																SetTextColor(_a12,  *0x6c66e950);
                                                                																__eflags =  *0x6c66e94c - 0xffffffff;
                                                                																if( *0x6c66e94c != 0xffffffff) {
                                                                																	SetBkColor(_a12,  *0x6c66e94c);
                                                                																	_t57 = CreateSolidBrush( *0x6c66e94c);
                                                                																} else {
                                                                																	SetBkMode(_a12, 1);
                                                                																	_t57 = GetStockObject(5);
                                                                																}
                                                                															}
                                                                														} else {
                                                                															goto L70;
                                                                														}
                                                                													}
                                                                												}
                                                                											}
                                                                										}
                                                                									} else {
                                                                										_t57 = SendMessageA(_a16, _a8, _a12, _a16);
                                                                									}
                                                                									return _t57;
                                                                								} else {
                                                                									__eflags = _t55 - 0x133;
                                                                									if(_t55 == 0x133) {
                                                                										goto L63;
                                                                									} else {
                                                                										__eflags = _t55 - 0x134;
                                                                										if(_t55 != 0x134) {
                                                                											__eflags = _t55 - 0x136;
                                                                											if(_t55 != 0x136) {
                                                                												__eflags = _t55 - 0x2b;
                                                                												if(_t55 != 0x2b) {
                                                                													__eflags = _t55 - 0x200;
                                                                													if(_t55 != 0x200) {
                                                                														__eflags = _t55 - 0x205;
                                                                														if(_t55 != 0x205) {
                                                                															__eflags = _t55 - 0x10;
                                                                															if(_t55 != 0x10) {
                                                                																return 0;
                                                                															} else {
                                                                																goto L101;
                                                                															}
                                                                														} else {
                                                                															__eflags =  *0x6c66d90c - 1;
                                                                															if( *0x6c66d90c == 1) {
                                                                																ShowWindow(_a4, 6);
                                                                															}
                                                                															goto L106;
                                                                														}
                                                                													} else {
                                                                														__eflags = _a12 - 1;
                                                                														if(_a12 == 1) {
                                                                															SendMessageA( *0x6c66d8a6, 0x112, 0xf012, 0);
                                                                														}
                                                                														goto L106;
                                                                													}
                                                                												} else {
                                                                													return E6C663C60(_a4, _a16);
                                                                												}
                                                                											} else {
                                                                												__eflags =  *0x6c66e537 - 1;
                                                                												if( *0x6c66e537 != 1) {
                                                                													_t87 = 0;
                                                                												} else {
                                                                													_t87 = CreateSolidBrush( *0x6c66e938);
                                                                												}
                                                                												return _t87;
                                                                											}
                                                                										} else {
                                                                											goto L63;
                                                                										}
                                                                									}
                                                                								}
                                                                							} else {
                                                                								__eflags = _a12 -  *0x6c66d8be; // 0x403ce
                                                                								if(__eflags == 0) {
                                                                									TrackPopupMenu( *0x6c66d903, 0, _a16 & 0x0000ffff, _a16 >> 0x10, 0, _a4, 0);
                                                                								}
                                                                								goto L106;
                                                                							}
                                                                						} else {
                                                                							_t92 = _a12;
                                                                							__eflags = _t92 - 0x6e;
                                                                							if(_t92 != 0x6e) {
                                                                								__eflags = _t92 - 0x6d;
                                                                								if(_t92 != 0x6d) {
                                                                									__eflags = _t92 - 0x6c;
                                                                									if(_t92 != 0x6c) {
                                                                										__eflags = _t92 - 0xc9;
                                                                										if(_t92 != 0xc9) {
                                                                											__eflags = _t92 - 0xca;
                                                                											if(_t92 == 0xca) {
                                                                												__eflags =  *0x6c66d902 - 1;
                                                                												if( *0x6c66d902 == 1) {
                                                                													ShowWindow( *0x6c66d8be, 0);
                                                                													ShowWindow( *0x6c66d8c2, 5);
                                                                												}
                                                                											}
                                                                										} else {
                                                                											E6C663D1A();
                                                                										}
                                                                									} else {
                                                                										E6C6662CD(_t190, _t194);
                                                                									}
                                                                								} else {
                                                                									__eflags =  *0x6c66d8aa;
                                                                									if( *0x6c66d8aa != 0) {
                                                                										_t97 = DialogBoxParamA( *0x6c66d8a2, 2,  *0x6c66d8a6, E6C663690, 0);
                                                                										__eflags = _t97 - 0xffffffff;
                                                                										if(_t97 == 0xffffffff) {
                                                                											MessageBoxA( *0x6c66d8a6, E6C662A53( *0x6c66d8aa, 8), "About", 0x40);
                                                                										}
                                                                									}
                                                                								}
                                                                							} else {
                                                                								L101:
                                                                								_t73 = E6C661460( *0x6c66d8a2, 0x12, 1);
                                                                								__eflags = _t73;
                                                                								if(_t73 != 0) {
                                                                									_t182 = _t73;
                                                                									E6C661BB2(0x6c66f15f);
                                                                									__eflags =  *((intOrPtr*)(_t182 + 5));
                                                                									if( *((intOrPtr*)(_t182 + 5)) != 0) {
                                                                										E6C663B6F( *0x6c66d8a6,  *((intOrPtr*)(_t182 + 5)),  *((intOrPtr*)(_t182 + 9)), 1);
                                                                									}
                                                                								}
                                                                								E6C6620BD();
                                                                								DeleteFileA(0x6c66e111);
                                                                								E6C663AC2();
                                                                								FreeLibrary( *0x6c672239);
                                                                								DeleteFileA(0x6c67223d);
                                                                								E6C6661BC();
                                                                								EndDialog( *0x6c66d8a6, 0);
                                                                							}
                                                                							goto L106;
                                                                						}
                                                                					} else {
                                                                						 *0x6c66d90c = 1;
                                                                						L106:
                                                                						return 1;
                                                                					}
                                                                				} else {
                                                                					_push(_a4);
                                                                					_pop( *0x6c66d8a6);
                                                                					 *0x6c66d8be = GetDlgItem( *0x6c66d8a6, 0x6f);
                                                                					 *0x6c66d8c2 = GetDlgItem( *0x6c66d8a6, 0x6a);
                                                                					E6C662AD8( *0x6c66d8be);
                                                                					LoadStringA( *0x6c66d8a2, 0xb, 0x6c67463d, 0x400);
                                                                					_t104 =  *0x6c67463d;
                                                                					_t195 =  *0x6C67463E;
                                                                					if(_t104 < 0x20 || _t104 > 0x7f || _t195 < 0x20 || _t195 > 0x7f) {
                                                                						 *0x6c66d90b = 1;
                                                                					} else {
                                                                						 *0x6c66d90b = 0;
                                                                					}
                                                                					if( *0x6c66d90b == 0) {
                                                                						lstrcpyA("Courier New", "Courier New");
                                                                						0x6c66d8c6->lfHeight = 0xe;
                                                                						 *0x6c66d8d6 = 0x190;
                                                                						SendMessageA( *0x6c66d8be, 0x30, CreateFontIndirectA(0x6c66d8c6), 1);
                                                                					}
                                                                					SendMessageA( *0x6c66d8a6, 0x80, 1, LoadIconA(0, 0x1f4)); // executed
                                                                					_t108 = E6C661460( *0x6c66d8a2, 1, 1);
                                                                					if(_t108 != 0) {
                                                                						 *0x6c66d8aa = _t108;
                                                                						_t204 = _t108;
                                                                						_t203 =  *0x6c66d8a6; // 0x30206
                                                                						SetWindowTextA(_t203, E6C662A53(_t204, 1)); // executed
                                                                						SetDlgItemTextA(_t203, 0x65, E6C662A53(_t204, 2)); // executed
                                                                						SetDlgItemTextA(_t203, 0x66, E6C662A53(_t204, 3)); // executed
                                                                						_t167 = E6C662A53(_t204, 4);
                                                                						 *0x6c66d8b6 = _t167;
                                                                						SetDlgItemTextA(_t203, 0x67, _t167); // executed
                                                                						SetDlgItemTextA(_t203, 0x68, E6C662A53(_t204, 5)); // executed
                                                                						SetDlgItemTextA(_t203, 0x6a, E6C662A53(_t204, 7)); // executed
                                                                						SetDlgItemTextA(_t203, 0x69, E6C662A53(_t204, 6)); // executed
                                                                					}
                                                                					if(( *(_t204 + 1) & 0x00000002) == 0) {
                                                                						_t109 = 1;
                                                                					} else {
                                                                						_t109 = 0;
                                                                					}
                                                                					CheckDlgButton( *0x6c66d8a6, 0x6b, _t109);
                                                                					_t111 = E6C662AFB(_a4, 0x6a, 0x6f);
                                                                					 *0x6c66d902 = _t111;
                                                                					if(_t111 == 1) {
                                                                						ShowWindow( *0x6c66d8be, 0); // executed
                                                                					}
                                                                					_t113 = E6C661460( *0x6c66d8a2, 2, 1);
                                                                					if(_t113 != 0) {
                                                                						_t213 = _t113; // executed
                                                                						_t157 = E6C662A7D(); // executed
                                                                						if(_t157 != 0) {
                                                                							E6C661FE3(_t213 + 1); // executed
                                                                						}
                                                                					}
                                                                					E6C665AFE();
                                                                					_t116 = E6C661460( *0x6c66d8a2, 0xa, 1);
                                                                					if(_t116 != 0) {
                                                                						_t212 = _t116;
                                                                						 *0x6c66e537 = 1;
                                                                						 *0x6c66e938 =  *((intOrPtr*)(_t212 + 1));
                                                                						 *0x6c66e93c =  *((intOrPtr*)(_t212 + 5));
                                                                						 *0x6c66e940 =  *((intOrPtr*)(_t212 + 9));
                                                                						 *0x6c66e944 =  *((intOrPtr*)(_t212 + 0xd));
                                                                						 *0x6c66e948 =  *((intOrPtr*)(_t212 + 0x11));
                                                                						 *0x6c66e94c =  *((intOrPtr*)(_t212 + 0x15));
                                                                						 *0x6c66e950 =  *((intOrPtr*)(_t212 + 0x19));
                                                                						 *0x6c66e954 =  *((intOrPtr*)(_t212 + 0x1d));
                                                                						 *0x6c66e958 =  *((intOrPtr*)(_t212 + 0x21));
                                                                						if( *0x6c66e954 != 0xffffffff &&  *0x6c66e958 != 0xffffffff) {
                                                                							E6C663C34( *0x6c66d8a6, 0x6c);
                                                                							E6C663C34( *0x6c66d8a6, 0x6d);
                                                                							E6C663C34( *0x6c66d8a6, 0x6e);
                                                                						}
                                                                					}
                                                                					 *0x6c66d8ae = GetDlgItem( *0x6c66d8a6, 0x67);
                                                                					 *0x6c66d8ba = SetWindowLongA( *0x6c66d8ae, 0xfffffffc,  &M6C662B40);
                                                                					if( *0x6c66e94c == 0xffffffff) {
                                                                						 *0x6c66e52f = SetWindowLongA(GetDlgItem(_a4, 0x6a), 0xfffffffc, 0x6c662cf0);
                                                                					}
                                                                					if( *0x6c66e944 == 0xffffffff) {
                                                                						 *0x6c66e533 = SetWindowLongA(GetDlgItem(_a4, 0x6f), 0xfffffffc, 0x6c662cf0);
                                                                					}
                                                                					_t119 = E6C6616E0( *0x6c66d8a2, _a4, "BTN_PATCH_UP", "BTN_PATCH_DOWN", "BTN_PATCH_OVER", 0x6c); // executed
                                                                					 *0x6c66d907 = _t119;
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_ABOUT_UP", "BTN_ABOUT_DOWN", "BTN_ABOUT_OVER", 0x6d); // executed
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_EXIT_UP", "BTN_EXIT_DOWN", "BTN_EXIT_OVER", "true"); // executed
                                                                					_t122 = E6C661460( *0x6c66d8a2, 0xf, "true");
                                                                					_t123 = _t122;
                                                                					if(_t122 != 0) {
                                                                						E6C662294(_t123); // executed
                                                                					}
                                                                					E6C662AD8( *0x6c66d8a6);
                                                                					_t125 = CreatePopupMenu();
                                                                					 *0x6c66d903 = _t125;
                                                                					_t210 = _t125;
                                                                					LoadStringA( *0x6c66d8a2, 0xe, 0x6c674a3d, 0x400);
                                                                					AppendMenuA(_t210, 0, 0xc9, 0x6c674a3d);
                                                                					LoadStringA( *0x6c66d8a2, 0xf, 0x6c674e3d, 0x400);
                                                                					AppendMenuA(_t210, 0, 0xca, 0x6c674e3d);
                                                                					_t188 = LoadCursorA( *0x6c66d8a2, 2);
                                                                					if(_t188 != 0) {
                                                                						SetClassLongA( *0x6c66d8ae, 0xfffffff4, _t188);
                                                                						SetClassLongA(GetDlgItem( *0x6c66d8a6, 0x6c), 0xfffffff4, _t188);
                                                                					}
                                                                					 *0x6c66d90c = 1;
                                                                					_t132 = E6C661460( *0x6c66d8a2, 0x12, 1);
                                                                					if(_t132 == 0) {
                                                                						_t134 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                						__eflags = _t134;
                                                                						if(_t134 != 0) {
                                                                							E6C663AE0(_a4, _t134); // executed
                                                                						}
                                                                					} else {
                                                                						_t141 =  *((intOrPtr*)(_t132 + 1));
                                                                						if(_t141 != 0) {
                                                                							SetTimer(_a4, 0, _t141 + 0x3e8, 0); // executed
                                                                							 *0x6c66d90c = 0;
                                                                						}
                                                                						E6C662244(E6C663B43); // executed
                                                                					}
                                                                					E6C666089(); // executed
                                                                					E6C6638CC(); // executed
                                                                					SetFocus( *0x6c66d8a6);
                                                                					return 1;
                                                                				}
                                                                			}



































                                                                0x6c662f27
                                                                0x6c662f30
                                                                0x6c662f41
                                                                0x6c662f52
                                                                0x6c662f63
                                                                0x6c662f63
                                                                0x6c662f6f
                                                                0x6c662f78
                                                                0x6c662f71
                                                                0x6c662f71
                                                                0x6c662f71
                                                                0x6c662f86
                                                                0x6c662f92
                                                                0x6c662f97
                                                                0x6c662f9e
                                                                0x6c662fa8
                                                                0x6c662fa8
                                                                0x6c662fbc
                                                                0x6c662fbe
                                                                0x6c662fc0
                                                                0x6c662fc2
                                                                0x6c662fc9
                                                                0x6c662fcd
                                                                0x6c662fcd
                                                                0x6c662fc9
                                                                0x6c662fd2
                                                                0x6c662fe6
                                                                0x6c662fe8
                                                                0x6c662fee
                                                                0x6c662ff0
                                                                0x6c662ffa
                                                                0x6c663003
                                                                0x6c66300c
                                                                0x6c663015
                                                                0x6c66301e
                                                                0x6c663027
                                                                0x6c663030
                                                                0x6c663039
                                                                0x6c663042
                                                                0x6c66304f
                                                                0x6c663062
                                                                0x6c66306f
                                                                0x6c66307c
                                                                0x6c66307c
                                                                0x6c66304f
                                                                0x6c66308e
                                                                0x6c6630a5
                                                                0x6c6630b1
                                                                0x6c6630ca
                                                                0x6c6630ca
                                                                0x6c6630d6
                                                                0x6c6630ef
                                                                0x6c6630ef
                                                                0x6c66310e
                                                                0x6c663113
                                                                0x6c663132
                                                                0x6c663151
                                                                0x6c663160
                                                                0x6c663165
                                                                0x6c663167
                                                                0x6c66316a
                                                                0x6c66316a
                                                                0x6c663175
                                                                0x6c66317a
                                                                0x6c66317f
                                                                0x6c663184
                                                                0x6c663198
                                                                0x6c6631aa
                                                                0x6c6631c1
                                                                0x6c6631d3
                                                                0x6c6631e7
                                                                0x6c6631e9
                                                                0x6c6631f4
                                                                0x6c66320a
                                                                0x6c66320a
                                                                0x6c66320f
                                                                0x6c663225
                                                                0x6c663227
                                                                0x6c663265
                                                                0x6c663265
                                                                0x6c663267
                                                                0x6c66326d
                                                                0x6c66326d
                                                                0x6c663229
                                                                0x6c66322c
                                                                0x6c66322e
                                                                0x6c66323d
                                                                0x6c663242
                                                                0x6c663242
                                                                0x6c66324f
                                                                0x6c66324f
                                                                0x6c663272
                                                                0x6c663277
                                                                0x6c663282
                                                                0x6c663290
                                                                0x6c663290

                                                                APIs
                                                                • GetDlgItem.USER32 ref: 6C662DFB
                                                                • GetDlgItem.USER32 ref: 6C662E0D
                                                                  • Part of subcall function 6C662AD8: LoadCursorA.USER32(00000001), ref: 6C662AE3
                                                                  • Part of subcall function 6C662AD8: SetClassLongA.USER32(?,000000F4,00000000), ref: 6C662AF2
                                                                • LoadStringA.USER32(0000000B,6C67463D,00000400,0000006F), ref: 6C662E34
                                                                • lstrcpyA.KERNEL32(Courier New,Courier New,0000000B,6C67463D,00000400,0000006F,?), ref: 6C662E78
                                                                • CreateFontIndirectA.GDI32(6C66D8C6), ref: 6C662E96
                                                                • SendMessageA.USER32(00000030,00000000,00000001,6C66D8C6), ref: 6C662EA6
                                                                • LoadIconA.USER32(00000000,000001F4), ref: 6C662EB2
                                                                • SendMessageA.USER32(00000080,00000001,00000000,0000000B), ref: 6C662EC5
                                                                • SetWindowTextA.USER32(00030206,00000000), ref: 6C662EF8
                                                                • SetDlgItemTextA.USER32(00030206,00000065,00000000), ref: 6C662F09
                                                                • SetDlgItemTextA.USER32(00030206,00000066,00000000), ref: 6C662F1A
                                                                • SetDlgItemTextA.USER32(00030206,00000067,00000000), ref: 6C662F30
                                                                • SetDlgItemTextA.USER32(00030206,00000068,00000000), ref: 6C662F41
                                                                • SetDlgItemTextA.USER32(00030206,0000006A,00000000), ref: 6C662F52
                                                                • SetDlgItemTextA.USER32(00030206,00000069,00000000), ref: 6C662F63
                                                                • CheckDlgButton.USER32(0000006B,00000001,00000001), ref: 6C662F86
                                                                • ShowWindow.USER32(00000000,00000001,00000080,00000001,00000000,0000000B,6C67463D,00000400,0000006F,?), ref: 6C662FA8
                                                                • GetDlgItem.USER32 ref: 6C663089
                                                                • SetWindowLongA.USER32 ref: 6C6630A0
                                                                • GetDlgItem.USER32 ref: 6C6630B8
                                                                • SetWindowLongA.USER32 ref: 6C6630C5
                                                                • GetDlgItem.USER32 ref: 6C6630DD
                                                                • SetWindowLongA.USER32 ref: 6C6630EA
                                                                • CreatePopupMenu.USER32 ref: 6C66317A
                                                                • LoadStringA.USER32(0000000E,6C674A3D,00000400,00000001), ref: 6C663198
                                                                • AppendMenuA.USER32(00000000,00000000,000000C9,6C674A3D), ref: 6C6631AA
                                                                • LoadStringA.USER32(0000000F,6C674E3D,00000400,0000000E), ref: 6C6631C1
                                                                • AppendMenuA.USER32(00000000,00000000,000000CA,6C674E3D), ref: 6C6631D3
                                                                • LoadCursorA.USER32(00000002,00000000), ref: 6C6631E0
                                                                • SetClassLongA.USER32(000000F4,00000000,00000002), ref: 6C6631F4
                                                                • GetDlgItem.USER32 ref: 6C663201
                                                                • SetClassLongA.USER32(00000000,000000F4,00000000), ref: 6C66320A
                                                                • SetTimer.USER32 ref: 6C66323D
                                                                • SetFocus.USER32(0000000B,00000001,00000012,00000001,00000002,00000000,00000000,000000CA,6C674E3D,0000000F,6C674E3D,00000400,0000000E,6C674A3D,00000400,00000001), ref: 6C663282
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Item$Text$LoadLong$Window$ClassMenuString$AppendCreateCursorMessageSend$ButtonCheckFocusFontIconIndirectPopupShowTimerlstrcpy
                                                                • String ID: =Fgl$BTN_ABOUT_DOWN$BTN_ABOUT_OVER$BTN_ABOUT_UP$BTN_EXIT_DOWN$BTN_EXIT_OVER$BTN_EXIT_UP$BTN_PATCH_DOWN$BTN_PATCH_OVER$BTN_PATCH_UP$Courier New$Courier New
                                                                • API String ID: 131015904-1268177917
                                                                • Opcode ID: 6f766936a9f24306667fdbb52bb1d67dbca685044f38fafc3b910b9af192256e
                                                                • Instruction ID: 472ba7a2fb5db673e7d5e5b1af1df8d256e0f8d6dbedd11a14c2217029ee7f69
                                                                • Opcode Fuzzy Hash: 6f766936a9f24306667fdbb52bb1d67dbca685044f38fafc3b910b9af192256e
                                                                • Instruction Fuzzy Hash: E1B18630385600BEEF216B27DC8AFA93B769B0375CF244518F251B5EE0C7B684199A5F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 78%
                                                                			E6C661BCC(struct HWND__** _a4) {
                                                                				struct HDC__* _v8;
                                                                				struct HDC__* _v12;
                                                                				struct HDC__* _v16;
                                                                				int _v20;
                                                                				int _v24;
                                                                				intOrPtr _v28;
                                                                				intOrPtr _v32;
                                                                				struct tagBITMAPINFO _v76;
                                                                				void* _v80;
                                                                				void* _v84;
                                                                				struct tagSIZE _v92;
                                                                				struct HWND__* _t70;
                                                                				long _t71;
                                                                				struct HDC__* _t73;
                                                                				void* _t77;
                                                                				int _t80;
                                                                				signed int _t104;
                                                                				int _t107;
                                                                				BITMAPINFO* _t108;
                                                                				intOrPtr* _t110;
                                                                				struct HWND__** _t111;
                                                                
                                                                				_t111 = _a4;
                                                                				_t70 = _t111[7];
                                                                				if(_t70 >= 0x1f4) {
                                                                					_t71 = _t70 + 0x96;
                                                                				} else {
                                                                					_t71 = 0x1f4;
                                                                				}
                                                                				Sleep(_t71); // executed
                                                                				_v24 = lstrlenA(_t111[1]);
                                                                				_t73 = GetDC( *_t111); // executed
                                                                				_v8 = _t73;
                                                                				_v16 = CreateCompatibleDC(GetDC(0));
                                                                				_t77 = _t111[5];
                                                                				if(_t77 == 0) {
                                                                					_t77 = SendMessageA( *_t111, 0x31, 0, 0);
                                                                				}
                                                                				SelectObject(_v16, _t77);
                                                                				_t80 = GetTextExtentPointA(_v16, _t111[1], _v24,  &_v92);
                                                                				if(_t80 != 1) {
                                                                					return _t80;
                                                                				}
                                                                				_push(_v92.cy);
                                                                				_pop( *_t14);
                                                                				 *_t16 = _v92.cx;
                                                                				SelectObject(_v16, CreateCompatibleBitmap(_v8, _t111[4], _v20));
                                                                				_t108 =  &_v76;
                                                                				_push(0x2c);
                                                                				_push(_t108);
                                                                				L6C666B70();
                                                                				_t108->bmiHeader = 0x28;
                                                                				_push(_t111[4]);
                                                                				_pop( *_t23);
                                                                				_push(_v20);
                                                                				_pop( *_t25);
                                                                				_t108->bmiHeader.biPlanes = 1;
                                                                				_t108->bmiHeader.biBitCount = 0x20;
                                                                				_t108->bmiHeader.biCompression = 0;
                                                                				SelectObject(_v16, CreateDIBSection(_v16, _t108, 0,  &_v84, 0, 0));
                                                                				_v12 = CreateCompatibleDC(GetDC(0));
                                                                				SelectObject(_v12, CreateDIBSection(_v12,  &_v76, 0,  &_v80, 0, 0));
                                                                				BitBlt(_v12, 0, 0, _t111[4], _v20, _v8, _t111[2], _t111[3], 0xcc0020);
                                                                				SetBkMode(_v16, 1);
                                                                				SetTextColor(_v16, _t111[6]);
                                                                				_t110 = GetProcAddress(GetModuleHandleA("user32.dll"), "SetLayeredWindowAttributes");
                                                                				_v32 = 0 - _v28 - 8;
                                                                				_t107 = _t111[4] + 4;
                                                                				L7:
                                                                				if(_t111[8] == 0) {
                                                                					BitBlt(_v16, 0, 0, _t111[4], _v20, _v12, 0, 0, 0xcc0020);
                                                                					TextOutA(_v16, _t107, 0, _t111[1], _v24);
                                                                					E6C661DF0(_v84, _v80, _v20, _t111[4]);
                                                                					BitBlt(_v8, _t111[2], _t111[3], _t111[4], _v20, _v16, 0, 0, 0xcc0020);
                                                                					_t107 = _t107 - 1;
                                                                					if(_t107 == _v32) {
                                                                						_t107 = _t111[4];
                                                                					}
                                                                					_t110 = _t110;
                                                                					if(_t110 != 0) {
                                                                						_t104 = _t111[7] & 0x000000ff;
                                                                						if(_t104 != 0 && _t104 != 0xff) {
                                                                							 *_t110( *_t111, 0, _t104, 2);
                                                                						}
                                                                					}
                                                                				}
                                                                				Sleep(0x1e); // executed
                                                                				goto L7;
                                                                			}

                                                                APIs
                                                                • Sleep.KERNEL32(?), ref: 6C661BEC
                                                                • lstrlenA.KERNEL32(?,?), ref: 6C661BF4
                                                                • GetDC.USER32 ref: 6C661BFE
                                                                • GetDC.USER32 ref: 6C661C08
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 6C661C0E
                                                                • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 6C661C25
                                                                • SelectObject.GDI32(?,?), ref: 6C661C2E
                                                                • GetTextExtentPointA.GDI32(?,?,?,?), ref: 6C661C40
                                                                • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 6C661C63
                                                                • SelectObject.GDI32(?,00000000), ref: 6C661C6C
                                                                • RtlZeroMemory.KERNEL32(?,0000002C,?,00000000,?,?,00000000,?,?,?), ref: 6C661C77
                                                                • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6C661CAF
                                                                • SelectObject.GDI32(?,00000000), ref: 6C661CB8
                                                                • GetDC.USER32 ref: 6C661CBF
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 6C661CC5
                                                                • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6C661CDE
                                                                • SelectObject.GDI32(?,00000000), ref: 6C661CE7
                                                                • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00CC0020), ref: 6C661D07
                                                                • SetBkMode.GDI32(?,00000001), ref: 6C661D11
                                                                • SetTextColor.GDI32(?,00000000), ref: 6C661D1C
                                                                • GetModuleHandleA.KERNEL32(user32.dll,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 6C661D26
                                                                • GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 6C661D31
                                                                • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 6C661D6C
                                                                • TextOutA.GDI32(?,-00000004,00000000,?,?), ref: 6C661D7D
                                                                • BitBlt.GDI32(?,?,?,00000000,00000000,?,00000000,00000000,00CC0020), ref: 6C661DAE
                                                                • Sleep.KERNEL32(0000001E,00000000,SetLayeredWindowAttributes,user32.dll,?,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 6C661DD7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Create$ObjectSelect$CompatibleText$SectionSleep$AddressBitmapColorExtentHandleMemoryMessageModeModulePointProcSendZerolstrlen
                                                                • String ID: SetLayeredWindowAttributes$user32.dll
                                                                • API String ID: 17561160-3673630139
                                                                • Opcode ID: b7fc8bd95201137db0da330d3f37ebf14114b31eae816701ce6f8a6175a77f7c
                                                                • Instruction ID: 90c4e6662197bd63dd0f1c844560c22c933a91d5fba1d76cc9620744cb9d8143
                                                                • Opcode Fuzzy Hash: b7fc8bd95201137db0da330d3f37ebf14114b31eae816701ce6f8a6175a77f7c
                                                                • Instruction Fuzzy Hash: 42513631940609FBDF218FA2DD01FEEBBB6FF05708F104914B251B5DA0C772A9249B4A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 97%
                                                                			E6C664126(void* __ecx, void* __edx) {
                                                                				CHAR* _t4;
                                                                				CHAR* _t14;
                                                                				int _t20;
                                                                				void* _t44;
                                                                				void* _t45;
                                                                
                                                                				_t45 = __edx;
                                                                				_t44 = __ecx;
                                                                				0x6c672199->dwOSVersionInfoSize = 0x94;
                                                                				GetVersionExA(0x6c672199);
                                                                				_t4 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "AttachConsole");
                                                                				if(_t4 != 0) {
                                                                					_push(0xffffffff); // executed
                                                                					_t4 = GetCommandLineA(); // executed
                                                                				}
                                                                				L6C666B0A();
                                                                				_t46 = _t4;
                                                                				E6C666D14("\r\n"); // executed
                                                                				if(E6C667040(_t4, "help", 0) == 0) {
                                                                					E6C666D14(" /help                 : show help menu"); // executed
                                                                					E6C666D14("\r\n"); // executed
                                                                					 *0x6c66e95c = E6C667040(_t46, "silent", 0);
                                                                					 *0x6c66e95d = E6C667040(_t46, "backup", 0);
                                                                					 *0x6c66e95e = E6C667040(_t46, "overwrite", 0);
                                                                					if(E6C667040(_t46, "startupworkdir", 0x6c66d911) != 1) {
                                                                						_t14 = 0;
                                                                					} else {
                                                                						_t46 = 0x6c66e95f;
                                                                						ExpandEnvironmentStringsA(0x6c66d911, 0x6c66e95f, 0x400);
                                                                						_t14 = 0x6c66e95f;
                                                                					}
                                                                					E6C6670B0(_t14);
                                                                					if(E6C667040(_t46, "setvar", 0x6c66d911) == 1) {
                                                                						ExpandEnvironmentStringsA(0x6c66d911, 0x6c66ed5f, 0x400);
                                                                						SetEnvironmentVariableA("dup2_cmd_var", 0x6c66ed5f);
                                                                					}
                                                                					if( *0x6c66e95c != 0) {
                                                                						E6C665AFE();
                                                                						E6C666089();
                                                                						return E6C6662CD(_t44, _t45);
                                                                					}
                                                                					_t20 = DialogBoxParamA( *0x6c66d8a2, 1, 0, E6C662DD0, 0); // executed
                                                                					return _t20;
                                                                				}
                                                                				E6C666D14("--------------------------------------------------------------------");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" diablo2oo2\'s universal patcher - console help");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" /help                 : this help menu");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" /silent               : no window gui, no input");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" /overwrite            : overwrite existing files");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14("                         during file attachment export");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" /backup               : make backup of every file which is patched");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" /startupworkdir <dir> : set working directory for the patcher");
                                                                				E6C666D14("\r\n");
                                                                				E6C666D14(" /setvar <content>     : set content of %dup2_cmd_var%");
                                                                				E6C666D14("\r\n");
                                                                				return E6C666D14("\r\n");
                                                                			}









                                                                APIs
                                                                • GetVersionExA.KERNEL32(6C672199,?,?,?,6C66210E), ref: 6C664138
                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,6C672199,?,?,?,6C66210E), ref: 6C664142
                                                                • GetProcAddress.KERNEL32(00000000,AttachConsole), ref: 6C66414D
                                                                • GetCommandLineA.KERNEL32(000000FF,00000000,AttachConsole,kernel32.dll,6C672199,?,?,?,6C66210E), ref: 6C664158
                                                                Strings
                                                                • /startupworkdir <dir> : set working directory for the patcher, xrefs: 6C664216
                                                                • overwrite, xrefs: 6C664288
                                                                • help, xrefs: 6C66416D
                                                                • /help : this help menu, xrefs: 6C6641B2
                                                                • diablo2oo2's universal patcher - console help, xrefs: 6C664194
                                                                • AttachConsole, xrefs: 6C664147
                                                                • /help : show help menu, xrefs: 6C66424E
                                                                • /overwrite : overwrite existing files, xrefs: 6C6641DA
                                                                • silent, xrefs: 6C664264
                                                                • during file attachment export, xrefs: 6C6641EE
                                                                • /silent : no window gui, no input, xrefs: 6C6641C6
                                                                • dup2_cmd_var, xrefs: 6C6642FA
                                                                • kernel32.dll, xrefs: 6C66413D
                                                                • --------------------------------------------------------------------, xrefs: 6C664180
                                                                • setvar, xrefs: 6C6642D2
                                                                • _fl, xrefs: 6C6642AC
                                                                • backup, xrefs: 6C664276
                                                                • /backup : make backup of every file which is patched, xrefs: 6C664202
                                                                • /setvar <content> : set content of %dup2_cmd_var%, xrefs: 6C66422A
                                                                • startupworkdir, xrefs: 6C66429D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: AddressCommandHandleLineModuleProcVersion
                                                                • String ID: during file attachment export$ /backup : make backup of every file which is patched$ /help : show help menu$ /help : this help menu$ /overwrite : overwrite existing files$ /setvar <content> : set content of %dup2_cmd_var%$ /silent : no window gui, no input$ /startupworkdir <dir> : set working directory for the patcher$ diablo2oo2's universal patcher - console help$--------------------------------------------------------------------$AttachConsole$_fl$backup$dup2_cmd_var$help$kernel32.dll$overwrite$setvar$silent$startupworkdir
                                                                • API String ID: 919412983-2572928243
                                                                • Opcode ID: d44e0760bee6b9e945c99f29e201a9d42fee760706cc9f7a37fe00d9f1bd0474
                                                                • Instruction ID: e8fb14ced1a231aef6f66ce31a94986d912be9303d9c874998c9775afe310d28
                                                                • Opcode Fuzzy Hash: d44e0760bee6b9e945c99f29e201a9d42fee760706cc9f7a37fe00d9f1bd0474
                                                                • Instruction Fuzzy Hash: 6E3102A054919270D91027B7FC02FDD96984FA321CF300D10F255F9E868BA4A9094EFF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 97%
                                                                			E6C662B3E(struct HWND__* _a4, int _a8, struct HDC__* _a12, long _a16) {
                                                                				struct tagRECT _v20;
                                                                				struct tagPOINT _v28;
                                                                				int _t21;
                                                                				long _t22;
                                                                				struct HWND__* _t27;
                                                                				struct HWND__* _t28;
                                                                				int _t35;
                                                                				struct HWND__* _t37;
                                                                				struct HWND__* _t41;
                                                                				long _t45;
                                                                				long _t52;
                                                                
                                                                				_t21 = _a8;
                                                                				if(_t21 == 0x138) {
                                                                					if( *0x6c66d8b2 != 0) {
                                                                						__eflags =  *0x6c66e537 - 1;
                                                                						if( *0x6c66e537 != 1) {
                                                                							_t45 = 0xff0000;
                                                                						} else {
                                                                							_t45 =  *0x6c66e940;
                                                                						}
                                                                						SetTextColor(_a12, _t45);
                                                                					} else {
                                                                						if( *0x6c66e537 != 1) {
                                                                							_t52 = 0;
                                                                						} else {
                                                                							_t52 =  *0x6c66e940;
                                                                						}
                                                                						SetTextColor(_a12, _t52);
                                                                					}
                                                                					SetBkMode(_a12, 1);
                                                                					if( *0x6c66e537 != 1) {
                                                                						return CreateSolidBrush(GetSysColor(4));
                                                                					} else {
                                                                						if( *0x6c66e93c == 0xffffffff) {
                                                                							return GetStockObject(5);
                                                                						}
                                                                						return CreateSolidBrush( *0x6c66e93c);
                                                                					}
                                                                				}
                                                                				__eflags = _t21 - 0x200;
                                                                				if(_t21 != 0x200) {
                                                                					__eflags = _t21 - 0x202;
                                                                					if(_t21 != 0x202) {
                                                                						goto L28;
                                                                					} else {
                                                                						__eflags = _a4 -  *0x6c66d8ae; // 0x30208
                                                                						if(__eflags != 0) {
                                                                							goto L28;
                                                                						} else {
                                                                							ShellExecuteA(0, "open",  *0x6c66d8b6, 0, 0, 3);
                                                                							 *0x6c66d8b2 = 0;
                                                                							__eflags = 0;
                                                                							return 0;
                                                                						}
                                                                					}
                                                                				} else {
                                                                					__eflags = _a4 -  *0x6c66d8ae; // 0x30208
                                                                					if(__eflags != 0) {
                                                                						L28:
                                                                						_t22 = CallWindowProcA( *0x6c66d8ba, _a4, _a8, _a12, _a16); // executed
                                                                						return _t22;
                                                                					} else {
                                                                						_t27 = GetParent(_a4);
                                                                						_t28 = GetActiveWindow();
                                                                						__eflags = _t28 - _t27;
                                                                						if(_t28 == _t27) {
                                                                							GetCursorPos( &_v28);
                                                                							GetWindowRect(_a4,  &_v20);
                                                                							_push(_v28.y);
                                                                							_t35 = PtInRect( &_v20, _v28);
                                                                							__eflags = _t35;
                                                                							if(_t35 == 0) {
                                                                								_t37 = GetCapture();
                                                                								__eflags = _t37;
                                                                								if(_t37 != 0) {
                                                                									ReleaseCapture();
                                                                									 *0x6c66d8b2 = 0;
                                                                									InvalidateRect(_a4, 0, 0);
                                                                								}
                                                                							} else {
                                                                								_t41 = GetCapture();
                                                                								__eflags = _t41;
                                                                								if(_t41 == 0) {
                                                                									SetCapture(_a4);
                                                                									 *0x6c66d8b2 = 1;
                                                                									InvalidateRect(_a4, 0, 0);
                                                                								}
                                                                							}
                                                                						}
                                                                						__eflags = 0;
                                                                						return 0;
                                                                					}
                                                                				}
                                                                				goto L29;
                                                                			}















                                                                APIs
                                                                • SetTextColor.GDI32(?,?), ref: 6C662B77
                                                                • SetTextColor.GDI32(?,00FF0000), ref: 6C662B97
                                                                • SetBkMode.GDI32(?,00000001), ref: 6C662BA1
                                                                • CreateSolidBrush.GDI32(?), ref: 6C662BBE
                                                                • GetStockObject.GDI32(00000005), ref: 6C662BC7
                                                                • GetSysColor.USER32(00000004), ref: 6C662BD0
                                                                • CreateSolidBrush.GDI32(00000000), ref: 6C662BD6
                                                                • GetParent.USER32(?), ref: 6C662C02
                                                                • GetActiveWindow.USER32 ref: 6C662C09
                                                                • GetCursorPos.USER32(?), ref: 6C662C16
                                                                • GetWindowRect.USER32(?,?), ref: 6C662C22
                                                                • PtInRect.USER32 ref: 6C662C31
                                                                • GetCapture.USER32 ref: 6C662C3A
                                                                • SetCapture.USER32(?,?,?,?,?,?,?), ref: 6C662C46
                                                                • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?,?,?,?), ref: 6C662C5C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: ColorRect$BrushCaptureCreateSolidTextWindow$ActiveCursorInvalidateModeObjectParentStock
                                                                • String ID: open
                                                                • API String ID: 1204622265-2758837156
                                                                • Opcode ID: 8362cd18bc8f4fc496e15455051c551fa8e7251aaf727bd5666f254b90747a9a
                                                                • Instruction ID: 053b38d31602a8da41b0c8987a0593311296cd46a9fe25d7ad2db2aab9ee030b
                                                                • Opcode Fuzzy Hash: 8362cd18bc8f4fc496e15455051c551fa8e7251aaf727bd5666f254b90747a9a
                                                                • Instruction Fuzzy Hash: 44417930648206AAEF119F67DC89F993BB5EB0231CF244911F501E9EE0D7B5C898975F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 100%
                                                                			E6C6616E0(struct HINSTANCE__* _a4, struct HWND__* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, struct HMENU__* _a24) {
                                                                				struct HWND__* _v8;
                                                                				long _v12;
                                                                				long _v16;
                                                                				long _v20;
                                                                				int _v24;
                                                                				int _v28;
                                                                				char _v44;
                                                                				char _v60;
                                                                				char _v108;
                                                                				struct HWND__* _t50;
                                                                				long _t52;
                                                                				long _t54;
                                                                				struct HWND__* _t67;
                                                                				struct HWND__* _t71;
                                                                				struct HINSTANCE__* _t79;
                                                                				struct tagRECT* _t80;
                                                                				struct HINSTANCE__* _t81;
                                                                				struct HWND__* _t82;
                                                                				struct tagRECT* _t85;
                                                                				struct HWND__* _t86;
                                                                				WNDCLASSEXA* _t87;
                                                                
                                                                				_t79 = _a4;
                                                                				_t50 = LoadBitmapA(_t79, _a12);
                                                                				if(_t50 != 0) {
                                                                					_v12 = _t50;
                                                                					_t52 = LoadBitmapA(_t79, _a16);
                                                                					if(_t52 == 0) {
                                                                						_t52 = _v12;
                                                                					}
                                                                					_v16 = _t52;
                                                                					_t54 = LoadBitmapA(_t79, _a20);
                                                                					if(_t54 == 0) {
                                                                						_t54 = _v12;
                                                                					}
                                                                					_v20 = _t54;
                                                                					_t50 = GetDlgItem(_a8, _a24);
                                                                					if(_t50 != 0) {
                                                                						_t86 = _t50;
                                                                						_t80 =  &_v60;
                                                                						GetWindowRect(_t86, _t80);
                                                                						_t85 =  &_v44;
                                                                						GetWindowRect(_a8, _t85);
                                                                						_v24 = _t80->left - _t85->left;
                                                                						_v28 = _t80->top - _t85->top;
                                                                						E6C6618B0(_a8,  &_v24,  &_v28);
                                                                						_t81 = _t79;
                                                                						ShowWindow(_t86, 0); // executed
                                                                						_t87 =  &_v108;
                                                                						_t87->cbSize = 0x30;
                                                                						_t87->style = 0x2000;
                                                                						 *((intOrPtr*)(_t87 + 8)) =  &M6C661980;
                                                                						_t87->cbClsExtra = 0;
                                                                						_t87->cbWndExtra = 0x14;
                                                                						_t87->hInstance = _t81;
                                                                						_t87->hbrBackground = 0x10;
                                                                						_t87->lpszMenuName = 0;
                                                                						_t87->lpszClassName = "Bmp_Button_Class";
                                                                						_t87->hIcon = 0;
                                                                						_t87->hCursor = LoadCursorA(0, 0x7f00);
                                                                						_t87->hIconSm = 0;
                                                                						RegisterClassExA(_t87);
                                                                						_t67 = CreateWindowExA(0x20, "Bmp_Button_Class", 0, 0x50000000, _v24, _v28, 0, 0, _a8, _a24, _t81, 0); // executed
                                                                						_t82 = _t67;
                                                                						SetWindowLongA(_t82, 0, _v12);
                                                                						SetWindowLongA(_t82, 4, _v16);
                                                                						SetWindowLongA(_t82, 8, _v20);
                                                                						_t71 = CreateWindowExA(0, "STATIC", 0, 0x5000000e, 0, 0, 0, 0, _t82, _a24, _a4, 0); // executed
                                                                						_v8 = _t71;
                                                                						SendMessageA(_t71, 0x172, 0, _v12); // executed
                                                                						GetWindowRect(_v8, _t85);
                                                                						SetWindowLongA(_t82, 0xc, _v8);
                                                                						SetWindowPos(_t82, 0, 0, 0, _t85->right - _t85->left, _t85->bottom - _t85->top, 2);
                                                                						return _t82;
                                                                					}
                                                                				}
                                                                				return _t50;
                                                                			}

                                                                APIs
                                                                • LoadBitmapA.USER32 ref: 6C6616F0
                                                                • LoadBitmapA.USER32 ref: 6C661704
                                                                • LoadBitmapA.USER32 ref: 6C661717
                                                                • GetDlgItem.USER32 ref: 6C66172C
                                                                • GetWindowRect.USER32(00000000,?), ref: 6C661741
                                                                • GetWindowRect.USER32(?,?), ref: 6C66174D
                                                                • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C661776
                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 6C6617D9
                                                                • RegisterClassExA.USER32(?), ref: 6C6617E9
                                                                • CreateWindowExA.USER32 ref: 6C66180F
                                                                • SetWindowLongA.USER32 ref: 6C66181C
                                                                • SetWindowLongA.USER32 ref: 6C661827
                                                                • SetWindowLongA.USER32 ref: 6C661832
                                                                • CreateWindowExA.USER32 ref: 6C661856
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$Load$BitmapLong$CreateRect$ClassCursorItemRegisterShow
                                                                • String ID: Bmp_Button_Class$STATIC
                                                                • API String ID: 3511724289-4004187156
                                                                • Opcode ID: 56287d4e12649a2507be67fc378d7c236b69aae0a6a94ae93d524476a6e459e2
                                                                • Instruction ID: 94bbe5c4228429756034f96a61106f21b458dd5fc5af661d7453ac065c7c256d
                                                                • Opcode Fuzzy Hash: 56287d4e12649a2507be67fc378d7c236b69aae0a6a94ae93d524476a6e459e2
                                                                • Instruction Fuzzy Hash: 3F514D71680309BFEB118FA2DC41FDEBBB9EF05708F108515F605AAA90D7B1E9148B9D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 97%
                                                                			E6C66197E(struct HWND__* _a4, int _a8, int _a12, signed int _a16) {
                                                                				struct tagRECT _v20;
                                                                				char _v28;
                                                                				int _t38;
                                                                				long _t39;
                                                                				long _t40;
                                                                				void* _t50;
                                                                				struct HWND__* _t52;
                                                                				void* _t62;
                                                                				long _t64;
                                                                				long _t67;
                                                                				long _t71;
                                                                				signed int _t76;
                                                                				void* _t82;
                                                                				void* _t84;
                                                                				signed int _t85;
                                                                				signed int* _t86;
                                                                				intOrPtr* _t87;
                                                                				struct tagRECT* _t88;
                                                                
                                                                				_t38 = _a8;
                                                                				if(_t38 != 0x201) {
                                                                					if(_t38 != 0x200) {
                                                                						if(_t38 != 0x202) {
                                                                							goto L22;
                                                                						} else {
                                                                							if( *0x6c66d888 != 0) {
                                                                								 *0x6c66d888 = 0;
                                                                								 *0x6c66d889 = 0;
                                                                								_t40 = GetWindowLongA(_a4, 0);
                                                                								SendMessageA(GetWindowLongA(_a4, 0xc), 0x172, 0, _t40);
                                                                								_t85 = _a16;
                                                                								asm("rol eax, 0x10");
                                                                								_t76 = _a16;
                                                                								GetWindowRect(_a4,  &_v20);
                                                                								_t87 =  &_v20;
                                                                								_t50 =  *((intOrPtr*)(_t87 + 8)) -  *_t87;
                                                                								_t82 =  *((intOrPtr*)(_t87 + 0xc)) -  *((intOrPtr*)(_t87 + 4));
                                                                								if(_t85 > 0 && _t76 > 0 && _t85 < _t50 && _t76 < _t82) {
                                                                									_t52 = GetParent(_a4);
                                                                									SendMessageA(_t52, 0x111, GetDlgCtrlID(_a4), _a4);
                                                                								}
                                                                								ReleaseCapture();
                                                                								goto L22;
                                                                							} else {
                                                                								return _t38;
                                                                							}
                                                                						}
                                                                					} else {
                                                                						_t88 =  &_v20;
                                                                						_t86 =  &_v28;
                                                                						GetWindowRect(_a4, _t88);
                                                                						 *_t86 = _a16 & 0x0000ffff;
                                                                						_t86[1] = (_a16 & 0xffff0000) >> 0x10;
                                                                						_t62 = _t88->right - _t88->left;
                                                                						_t84 = _t88->bottom - _t88->top;
                                                                						if( *_t86 < 0 || _t86[1] < 0 ||  *_t86 > _t62 || _t86[1] > _t84) {
                                                                							if( *0x6c66d888 != 0) {
                                                                								goto L9;
                                                                							} else {
                                                                								_t67 = GetWindowLongA(_a4, 0);
                                                                								SendMessageA(GetWindowLongA(_a4, 0xc), 0x172, 0, _t67); // executed
                                                                								ReleaseCapture();
                                                                								 *0x6c66d889 = 0;
                                                                								 *0x6c66d888 = 0;
                                                                								goto L22;
                                                                							}
                                                                						} else {
                                                                							L9:
                                                                							if( *0x6c66d888 != 0 ||  *0x6c66d889 != 0) {
                                                                								return _t62;
                                                                							} else {
                                                                								SetCapture(_a4);
                                                                								_t64 = GetWindowLongA(_a4, 8);
                                                                								SendMessageA(GetWindowLongA(_a4, 0xc), 0x172, 0, _t64); // executed
                                                                								 *0x6c66d889 = 1;
                                                                								 *0x6c66d888 = 0;
                                                                								goto L22;
                                                                							}
                                                                						}
                                                                					}
                                                                				} else {
                                                                					_t71 = GetWindowLongA(_a4, 4);
                                                                					SendMessageA(GetWindowLongA(_a4, 0xc), 0x172, 0, _t71);
                                                                					SetCapture(_a4);
                                                                					 *0x6c66d888 = 1;
                                                                					 *0x6c66d889 = 0;
                                                                					L22:
                                                                					_t39 = DefWindowProcA(_a4, _a8, _a12, _a16); // executed
                                                                					return _t39;
                                                                				}
                                                                			}






















                                                                APIs
                                                                • GetWindowLongA.USER32 ref: 6C661998
                                                                • GetWindowLongA.USER32 ref: 6C6619A4
                                                                • SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 6C6619B2
                                                                • SetCapture.USER32(?,00000000,00000172,00000000,00000000,?,0000000C,?,00000004), ref: 6C6619BA
                                                                • GetWindowRect.USER32(?,?), ref: 6C6619E7
                                                                • GetWindowLongA.USER32 ref: 6C661A31
                                                                • GetWindowLongA.USER32 ref: 6C661A3D
                                                                • SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 6C661A4B
                                                                • ReleaseCapture.USER32(00000000,00000172,00000000,00000000,?,0000000C,?,00000000,?,?), ref: 6C661A50
                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 6C661B7F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$Long$CaptureMessageSend$ProcRectRelease
                                                                • String ID:
                                                                • API String ID: 2818777917-0
                                                                • Opcode ID: 1b2bff54bf57d1531f30a103632dc981ce7a7b9e15deb8caacb36d70f7f48a46
                                                                • Instruction ID: f32ad157e87763232c07579f374dd1cb4a3977e9ad7db77a596999fa76b59210
                                                                • Opcode Fuzzy Hash: 1b2bff54bf57d1531f30a103632dc981ce7a7b9e15deb8caacb36d70f7f48a46
                                                                • Instruction Fuzzy Hash: A251C131640248BFEF119F67DC84B9E3FA6EB02348F148115F504AAEA1D3B1D895979F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 95%
                                                                			E6C6638CC() {
                                                                				char _v1028;
                                                                				struct HWND__* _v1032;
                                                                				char _v1048;
                                                                				char _v1064;
                                                                				char _v1124;
                                                                				intOrPtr* __ebx;
                                                                				intOrPtr* __esi;
                                                                				struct HWND__* _t43;
                                                                				intOrPtr _t58;
                                                                				void* _t60;
                                                                				char _t61;
                                                                				void* _t65;
                                                                				void* _t67;
                                                                				struct tagRECT* _t78;
                                                                				LOGFONTA* _t79;
                                                                				CHAR* _t85;
                                                                				struct tagRECT* _t86;
                                                                				void* _t87;
                                                                
                                                                				_t43 = GetDlgItem( *0x6c66d8a6, 0x70);
                                                                				if(_t43 == 0) {
                                                                					L16:
                                                                					return _t43;
                                                                				}
                                                                				_v1032 = _t43;
                                                                				ShowWindow(_v1032, 0); // executed
                                                                				 *0x6C66F163 = E6C662A53( *0x6c66d8aa, 9);
                                                                				_t43 = E6C666C90(_t45);
                                                                				if(_t43 == 0) {
                                                                					goto L16;
                                                                				}
                                                                				 *__esi =  *0x6c66d8a6;
                                                                				_t78 =  &_v1048;
                                                                				GetWindowRect(_v1032, _t78);
                                                                				_t86 =  &_v1064;
                                                                				GetWindowRect( *0x6c66d8a6, _t86);
                                                                				 *0x6C66F167 = _t78->left - _t86->left;
                                                                				 *0x6C66F16F = _t78->right - _t78->left;
                                                                				 *0x6C66F16B = _t78->top - _t86->top;
                                                                				E6C6618B0( *0x6c66d8a6, 0x6c66f167, 0x6c66f16b);
                                                                				_t58 = E6C661460( *0x6c66d8a2, 0x12, 1);
                                                                				if(_t58 != 0) {
                                                                					_t58 =  *((intOrPtr*)(_t58 + 1));
                                                                				}
                                                                				 *0x6C66F17C = _t58;
                                                                				_t60 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                				if(_t60 == 0) {
                                                                					if( *((intOrPtr*)(0x6c66f17c)) == 0) {
                                                                						_t61 = 0xff;
                                                                					} else {
                                                                						_t61 = 0xfe;
                                                                					}
                                                                				} else {
                                                                					_t61 =  *((intOrPtr*)(_t60 + 1));
                                                                				}
                                                                				 *0x6C66F17B = _t61;
                                                                				_t79 =  &_v1124;
                                                                				_push(0x3c);
                                                                				_push(_t79);
                                                                				L6C666B70();
                                                                				_t79->lfHeight = 7;
                                                                				_t79->lfCharSet = 1;
                                                                				_t79->lfQuality = 4;
                                                                				lstrcpyA( &(_t79->lfFaceName), "MS SANS SERIF");
                                                                				_t65 = E6C661460( *0x6c66d8a2, 0x13, 1);
                                                                				if(_t65 != 0) {
                                                                					_t87 = _t65;
                                                                					 *_t25 =  *((intOrPtr*)(_t87 + 0x11));
                                                                					 *__ebx =  *((intOrPtr*)(_t87 + 5));
                                                                					if(( *(_t87 + 9) & 0x00000001) != 0) {
                                                                						_t79->lfWeight = 0x2bc;
                                                                					}
                                                                					GetTempPathA(0x400,  &_v1028);
                                                                					_t32 = _t87 + 0x15; // 0x15
                                                                					lstrcatA( &_v1028, _t32);
                                                                					_t34 = _t87 + 0x95; // 0x95
                                                                					lstrcatA( &_v1028, _t34);
                                                                					_t36 = _t87 + 0x9b; // 0x9b
                                                                					E6C663A8F(_t36,  *((intOrPtr*)(_t87 + 0xd)),  &_v1028);
                                                                					_t39 = _t87 + 0x15; // 0x15
                                                                					_t85 = _t39;
                                                                					if( *_t85 != 0) {
                                                                						lstrcpyA( &(_t79->lfFaceName), _t85);
                                                                					} else {
                                                                						_t79 = 0;
                                                                					}
                                                                				}
                                                                				 *((intOrPtr*)(0x6c66f173)) = CreateFontIndirectA(_t79);
                                                                				_t67 = E6C661B8B(0x6c66f15f); // executed
                                                                				return _t67;
                                                                			}






















                                                                APIs
                                                                • GetDlgItem.USER32 ref: 6C6638E0
                                                                • ShowWindow.USER32(?,00000000,00000070,00000000,?,00000000,?,6C66327C,0000000B,00000001,00000012,00000001,00000002,00000000,00000000,000000CA), ref: 6C6638FB
                                                                • GetWindowRect.USER32(?,?), ref: 6C663938
                                                                • GetWindowRect.USER32(?,?), ref: 6C66394A
                                                                  • Part of subcall function 6C6618B0: GetWindowLongA.USER32 ref: 6C6618BE
                                                                  • Part of subcall function 6C6618B0: GetWindowLongA.USER32 ref: 6C6618CA
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C6618EF
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C66190B
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C661914
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C661947
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C661950
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C661964
                                                                  • Part of subcall function 6C6618B0: GetSystemMetrics.USER32 ref: 6C66196D
                                                                • RtlZeroMemory.KERNEL32(?,0000003C,0000000B,00000001,00000012,00000001,00000008,0000000C,?,?,?,00000000,00000070,00000000,?,00000000), ref: 6C6639C9
                                                                • lstrcpyA.KERNEL32(?,MS SANS SERIF,?,0000003C,0000000B,00000001,00000012,00000001,00000008,0000000C,?,?,?,00000000,00000070,00000000), ref: 6C6639E5
                                                                • GetTempPathA.KERNEL32(00000400,?,?,00000013,00000001,?,MS SANS SERIF,?,0000003C,0000000B,00000001,00000012,00000001,00000008,0000000C,?), ref: 6C663A26
                                                                • lstrcatA.KERNEL32(?,00000015,00000400,?,?,00000013,00000001,?,MS SANS SERIF,?,0000003C,0000000B,00000001,00000012,00000001,00000008), ref: 6C663A36
                                                                • lstrcatA.KERNEL32(?,00000095,?,00000015,00000400,?,?,00000013,00000001,?,MS SANS SERIF,?,0000003C,0000000B,00000001,00000012), ref: 6C663A49
                                                                • lstrcpyA.KERNEL32(?,00000015,0000009B,?,?,?,00000095,?,00000015,00000400,?,?,00000013,00000001,?,MS SANS SERIF), ref: 6C663A76
                                                                • CreateFontIndirectA.GDI32(?), ref: 6C663A7C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MetricsSystem$Window$LongRectlstrcatlstrcpy$CreateFontIndirectItemMemoryPathShowTempZero
                                                                • String ID: MS SANS SERIF
                                                                • API String ID: 1718168783-2292534163
                                                                • Opcode ID: a2e11da919b2b5824bd536e64108d0cf4a8a878c46400b61967b7ad428e10420
                                                                • Instruction ID: 6a30f32758f10178d9f9685a248b228658a4052db4b5df7de143a038500632bb
                                                                • Opcode Fuzzy Hash: a2e11da919b2b5824bd536e64108d0cf4a8a878c46400b61967b7ad428e10420
                                                                • Instruction Fuzzy Hash: 085181B0500605EFDB20DF26CC84FA67BB9FF02348F048568A2159BE95D774E958CB9E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 92%
                                                                			_entry_() {
                                                                				struct HRSRC__* _v8;
                                                                				void* _v12;
                                                                				long _v16;
                                                                				char _v1040;
                                                                				struct HRSRC__* _t24;
                                                                				int _t26;
                                                                				int _t27;
                                                                				intOrPtr* _t29;
                                                                				void* _t39;
                                                                				void* _t43;
                                                                				struct HINSTANCE__* _t46;
                                                                				void* _t49;
                                                                
                                                                				L1(); // executed
                                                                				ExitProcess(0);
                                                                				 *0x1a3030 = GetModuleHandleA(0);
                                                                				_v12 = 0;
                                                                				_t24 = FindResourceA(0, 0x1a3000, 0xa);
                                                                				if(_t24 != 0) {
                                                                					_v8 = _t24;
                                                                					_v16 = SizeofResource(0, _v8);
                                                                					_t43 = LoadResource(0, _v8);
                                                                					if(_t43 != 0) {
                                                                						_v12 = _t43;
                                                                					}
                                                                				}
                                                                				if(_v12 != 0) {
                                                                					_t39 = VirtualAlloc(0, _v16, 0x1000, 4); // executed
                                                                					_t49 = _t39;
                                                                					RtlMoveMemory(_t49, _v12, _v16);
                                                                					_v12 = _t49;
                                                                					E001A1000(_t39, _v12, _v16, 0xdeadbeef);
                                                                				}
                                                                				if(_v12 != 0) {
                                                                					GetTempPathA(0x400,  &_v1040);
                                                                					lstrcatA( &_v1040, 0x1a3004);
                                                                					E001A1184( &_v1040, _v12, _v16); // executed
                                                                				}
                                                                				_t26 = LoadLibraryA( &_v1040); // executed
                                                                				_t27 = _t26;
                                                                				if(_t27 != 0) {
                                                                					_t46 = _t27;
                                                                					_t29 = GetProcAddress(_t46, 0x1a3015);
                                                                					if(_t29 != 0) {
                                                                						 *_t29();
                                                                					}
                                                                					FreeLibrary(_t46);
                                                                					_t27 = DeleteFileA( &_v1040);
                                                                				}
                                                                				return _t27;
                                                                			}
















                                                                APIs
                                                                  • Part of subcall function 001A1037: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,001A1030), ref: 001A1045
                                                                  • Part of subcall function 001A1037: FindResourceA.KERNEL32(00000000,001A3000,0000000A), ref: 001A105F
                                                                  • Part of subcall function 001A1037: SizeofResource.KERNEL32(00000000,?,00000000,?,?,?,?,001A1030), ref: 001A1070
                                                                  • Part of subcall function 001A1037: LoadResource.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,001A1030), ref: 001A107D
                                                                  • Part of subcall function 001A1037: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,?,?,?,001A1030), ref: 001A109B
                                                                  • Part of subcall function 001A1037: RtlMoveMemory.KERNEL32(00000000,00000000,?,00000000,?,00001000,00000004,00000000,?,?,?,?,001A1030), ref: 001A10A9
                                                                  • Part of subcall function 001A1037: GetTempPathA.KERNEL32(00000400,?,00000000,?,?,?,?,001A1030), ref: 001A10D3
                                                                  • Part of subcall function 001A1037: lstrcatA.KERNEL32(?,001A3004,00000400,?,00000000,?,?,?,?,001A1030), ref: 001A10E4
                                                                  • Part of subcall function 001A1037: LoadLibraryA.KERNEL32(?,00000000,?,?,?,?,001A1030), ref: 001A1102
                                                                  • Part of subcall function 001A1037: GetProcAddress.KERNEL32(00000000,001A3015), ref: 001A1113
                                                                  • Part of subcall function 001A1037: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,001A1030), ref: 001A111F
                                                                  • Part of subcall function 001A1037: DeleteFileA.KERNEL32(?,00000000,?,00000000,?,?,?,?,001A1030), ref: 001A112B
                                                                • ExitProcess.KERNEL32(00000000), ref: 001A1032
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886349851.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                                • Associated: 00000000.00000002.886340181.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.886354971.00000000001A2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.886360847.00000000001A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a0000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Resource$LibraryLoad$AddressAllocDeleteExitFileFindFreeHandleMemoryModuleMovePathProcProcessSizeofTempVirtuallstrcat
                                                                • String ID:
                                                                • API String ID: 1211033256-0
                                                                • Opcode ID: de2b3800112b918020ddfeb1e27f7ee613ca589ce65d144c91ea6cc006be225b
                                                                • Instruction ID: 41138b2ecb88604a1dd52a2b5cb022140d257565eca1b57ab69ef43706c3f39c
                                                                • Opcode Fuzzy Hash: de2b3800112b918020ddfeb1e27f7ee613ca589ce65d144c91ea6cc006be225b
                                                                • Instruction Fuzzy Hash: 5221607DE40208BADF21ABF08C86FADBB79AB16750F004091B314B6192DB714A85DB24
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C666089() {
                                                                				char _v1028;
                                                                				char _v3076;
                                                                				char _v5124;
                                                                				char _v5188;
                                                                				struct HINSTANCE__* _t52;
                                                                				intOrPtr* _t53;
                                                                				int _t55;
                                                                				void* _t56;
                                                                				void* _t59;
                                                                				char* _t60;
                                                                				char* _t61;
                                                                
                                                                				GetTempPathA(0x400,  &_v3076);
                                                                				GetCurrentDirectoryA(0x400,  &_v1028);
                                                                				SetCurrentDirectoryA( &_v3076); // executed
                                                                				_t59 = 0x6c67263d;
                                                                				_t56 = 0;
                                                                				L5:
                                                                				_t56 = _t56 + 1;
                                                                				_t60 = E6C66149B( *0x6c66d8a2, _t56);
                                                                				_t61 = _t60;
                                                                				if(_t61 != 0) {
                                                                					if( *_t61 == 0x18) {
                                                                						_t5 = _t61 + 1; // 0x1
                                                                						E6C662200(_t5,  &_v5188, 0x10);
                                                                						lstrcpyA( &_v5124,  &_v3076);
                                                                						lstrcatA( &_v5124, 0x6c66d7eb);
                                                                						lstrcatA( &_v5124,  &_v5188);
                                                                						lstrcatA( &_v5124, ".dll");
                                                                						if(E6C666D4C( &_v5124, E6C66149B( *0x6c66d8a2,  &_v5188),  *0x6c66d880) != 0) {
                                                                							_t52 = LoadLibraryA( &_v5124);
                                                                							if(_t52 != 0) {
                                                                								 *((intOrPtr*)(_t59 + 4)) = _t52;
                                                                								_t17 = _t61 + 1; // 0x1
                                                                								_t53 = _t17;
                                                                								 *__edx =  *_t53;
                                                                								 *_t19 =  *((intOrPtr*)(_t53 + 4));
                                                                								 *_t21 =  *((intOrPtr*)(_t53 + 8));
                                                                								 *_t23 =  *((intOrPtr*)(_t53 + 0xc));
                                                                								_t59 = _t59 + 0x18;
                                                                							}
                                                                						}
                                                                					}
                                                                					goto L5;
                                                                				}
                                                                				_t55 = SetCurrentDirectoryA( &_v1028); // executed
                                                                				return _t55;
                                                                			}















                                                                APIs
                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,?,00000000,?,6C663277,0000000B,00000001,00000012,00000001,00000002,00000000,00000000,000000CA,6C674E3D), ref: 6C6660A1
                                                                • GetCurrentDirectoryA.KERNEL32(00000400,?,00000400,?,00000000,?,00000000,?,6C663277,0000000B,00000001,00000012,00000001,00000002,00000000,00000000), ref: 6C6660B2
                                                                • lstrcpyA.KERNEL32(?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000,?,00000000,?,6C663277), ref: 6C6660FD
                                                                • lstrcatA.KERNEL32(?,6C66D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000,?,00000000), ref: 6C66610E
                                                                • lstrcatA.KERNEL32(?,?,?,6C66D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000), ref: 6C666121
                                                                • lstrcatA.KERNEL32(?,.dll,?,?,?,6C66D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400), ref: 6C666132
                                                                • LoadLibraryA.KERNEL32(?,?,00000000,?,?,.dll,?,?,?,6C66D7EB,?,?,00000001,?,00000010,00000001), ref: 6C666169
                                                                • SetCurrentDirectoryA.KERNEL32(?,00000400,?,00000400,?,00000000,?,00000000,?,6C663277,0000000B,00000001,00000012,00000001,00000002,00000000), ref: 6C6660BE
                                                                  • Part of subcall function 6C66149B: FindResourceA.KERNEL32(?,6C661479,0000000A), ref: 6C6614B1
                                                                • SetCurrentDirectoryA.KERNEL32(?,00000002,?,?,?,?,?,00000000,?,?,.dll,?,?,?,6C66D7EB,?), ref: 6C6661B2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CurrentDirectorylstrcat$FindLibraryLoadPathResourceTemplstrcpy
                                                                • String ID: .dll$=&gl
                                                                • API String ID: 4090242041-2948811159
                                                                • Opcode ID: bad50727148af06213cb3d6194c64d85a7f5db52347878faf19b449220236787
                                                                • Instruction ID: ed68a5027e25aa5b5a3e3b6ce39c5ed3a2af84f900977b954196fc2591c09335
                                                                • Opcode Fuzzy Hash: bad50727148af06213cb3d6194c64d85a7f5db52347878faf19b449220236787
                                                                • Instruction Fuzzy Hash: 72314376800118EADB11DBA7DC84EEEF7BCBB09358F144995E305D7910E730DA588B6E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 33%
                                                                			E6C661FE3(intOrPtr* _a4) {
                                                                				char _v1028;
                                                                				struct HINSTANCE__* _t10;
                                                                				struct HINSTANCE__* _t11;
                                                                				_Unknown_base(*)()* _t14;
                                                                				intOrPtr* _t18;
                                                                				void* _t20;
                                                                				intOrPtr* _t22;
                                                                				void* _t24;
                                                                				CHAR* _t25;
                                                                
                                                                				GetTempPathA(0x400,  &_v1028);
                                                                				lstrcatA( &_v1028, "\\bassmod.dll");
                                                                				_t24 = 0;
                                                                				_t10 = LoadLibraryA( &_v1028); // executed
                                                                				_t11 = _t10;
                                                                				if(_t11 == 0) {
                                                                					L12:
                                                                					return _t24;
                                                                				} else {
                                                                					 *0x6c66d89e = _t11;
                                                                					_t25 = "BASSMOD_Init";
                                                                					_t22 = 0x6c66d88a;
                                                                					while( *_t25 != 0) {
                                                                						_t14 = GetProcAddress( *0x6c66d89e, _t25);
                                                                						if(_t14 == 0) {
                                                                							FreeLibrary( *0x6c66d89e);
                                                                							 *0x6c66d89e = 0;
                                                                							goto L12;
                                                                						}
                                                                						 *_t22 = _t14;
                                                                						_t22 = _t22 + 4;
                                                                						while( *_t25 != 0) {
                                                                							_t25 =  &(_t25[1]);
                                                                						}
                                                                						_t25 =  &(_t25[1]);
                                                                					}
                                                                					_push(0);
                                                                					_push(0xac44);
                                                                					_push(0xffffffff);
                                                                					if( *0x6c66d88a() == 1) {
                                                                						 *0x6c66d88e();
                                                                						_t18 = _a4;
                                                                						_t20 =  *0x6c66d892(1, _t18 + 4, 0,  *_t18, 6); // executed
                                                                						if(_t20 == 1) {
                                                                							 *0x6c66d896();
                                                                							_t24 = _t24 + 1;
                                                                						}
                                                                					}
                                                                					goto L12;
                                                                				}
                                                                			}













                                                                APIs
                                                                • GetTempPathA.KERNEL32(00000400,?), ref: 6C661FFD
                                                                • lstrcatA.KERNEL32(?,\bassmod.dll,00000400,?), ref: 6C66200E
                                                                • LoadLibraryA.KERNEL32(?,?,\bassmod.dll,00000400,?), ref: 6C66201C
                                                                • GetProcAddress.KERNEL32(BASSMOD_Init,?), ref: 6C662041
                                                                • BASSMOD_Init.BASSMOD(000000FF,0000AC44,00000000,BASSMOD_Init,?,?,\bassmod.dll,00000400,?), ref: 6C66207F
                                                                • BASSMOD_MusicFree.BASSMOD ref: 6C66208A
                                                                • BASSMOD_MusicLoad.BASSMOD(00000001,?,00000000,?,00000006), ref: 6C6620A0
                                                                • BASSMOD_MusicPlay.BASSMOD(?,00000006), ref: 6C6620AB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Music$Load$AddressFreeInitLibraryPathPlayProcTemplstrcat
                                                                • String ID: BASSMOD_Init$\bassmod.dll
                                                                • API String ID: 447368786-384773266
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                C-Code - Quality: 100%
                                                                			E6C66424C(long __ecx, void* __edx) {
                                                                				CHAR* _t5;
                                                                				int _t10;
                                                                				long _t15;
                                                                				void* _t16;
                                                                
                                                                				_t16 = __edx;
                                                                				_t15 = __ecx;
                                                                				 *0x6c66e95c = E6C667040(0x6c66e95f, "silent", 0);
                                                                				 *0x6c66e95d = E6C667040(0x6c66e95f, "backup", 0);
                                                                				 *0x6c66e95e = E6C667040(0x6c66e95f, "overwrite", 0);
                                                                				if(E6C667040(0x6c66e95f, "startupworkdir", 0x6c66d911) != 1) {
                                                                					_t5 = 0;
                                                                				} else {
                                                                					ExpandEnvironmentStringsA(0x6c66d911, 0x6c66e95f, 0x400);
                                                                					_t5 = 0x6c66e95f;
                                                                				}
                                                                				E6C6670B0(_t5);
                                                                				if(E6C667040(0x6c66e95f, "setvar", 0x6c66d911) == 1) {
                                                                					ExpandEnvironmentStringsA(0x6c66d911, 0x6c66ed5f, 0x400);
                                                                					SetEnvironmentVariableA("dup2_cmd_var", 0x6c66ed5f);
                                                                				}
                                                                				if( *0x6c66e95c != 0) {
                                                                					E6C665AFE();
                                                                					E6C666089();
                                                                					_t10 = E6C6662CD(_t15, _t16);
                                                                				} else {
                                                                					_t10 = DialogBoxParamA( *0x6c66d8a2, 1, 0, E6C662DD0, 0); // executed
                                                                				}
                                                                				return _t10;
                                                                			}








                                                                APIs
                                                                  • Part of subcall function 6C667040: lstrlenA.KERNEL32(?), ref: 6C667052
                                                                  • Part of subcall function 6C667040: CompareStringA.KERNEL32(00000000,00000001,?,00000000,?,00000000,?), ref: 6C66706C
                                                                • ExpandEnvironmentStringsA.KERNEL32(6C66D911,6C66E95F,00000400,6C66D668, /help : show help menu,6C66D413,00000000,AttachConsole,kernel32.dll,6C672199,?,?,?,6C66210E), ref: 6C6642BC
                                                                • ExpandEnvironmentStringsA.KERNEL32(6C66D911,6C66ED5F,00000400,6C66D668, /help : show help menu,6C66D413,00000000,AttachConsole,kernel32.dll,6C672199,?,?,?,6C66210E), ref: 6C6642F0
                                                                • SetEnvironmentVariableA.KERNEL32(dup2_cmd_var,6C66ED5F,6C66D911,6C66ED5F,00000400,6C66D668, /help : show help menu,6C66D413,00000000,AttachConsole,kernel32.dll,6C672199,?,?,?,6C66210E), ref: 6C6642FF
                                                                • DialogBoxParamA.USER32(00000001,00000000,Function_00002DD0,00000000,6C66D668), ref: 6C66431E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Environment$ExpandStrings$CompareDialogParamStringVariablelstrlen
                                                                • String ID: _fl$backup$dup2_cmd_var$overwrite$setvar$silent$startupworkdir
                                                                • API String ID: 3077006360-1995928894
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 643 6c663b6f-6c663b8f GetModuleHandleA GetProcAddress 644 6c663b95-6c663bbf GetWindowLongA SetWindowLongA 643->644 645 6c663c2d-6c663c31 643->645 646 6c663bc4-6c663bcb 644->646 647 6c663bc1 644->647 648 6c663c16-6c663c1a 646->648 649 6c663bcd-6c663bdc 646->649 647->646 650 6c663c21 648->650 651 6c663c1c-6c663c1f 648->651 652 6c663be2 649->652 653 6c663bde-6c663be0 649->653 654 6c663c23-6c663c28 650->654 651->654 655 6c663be5 652->655 653->655 654->645 656 6c663c10-6c663c14 655->656 656->648 657 6c663be7-6c663bf5 656->657 659 6c663bf7-6c663bfa 657->659 660 6c663bfc 657->660 661 6c663bff-6c663c0d Sleep UpdateWindow 659->661 660->661 661->656
                                                                C-Code - Quality: 68%
                                                                			E6C663B6F(struct HWND__* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                				signed int _v8;
                                                                				intOrPtr* _t28;
                                                                				signed int _t29;
                                                                				signed int _t32;
                                                                				signed int _t33;
                                                                				signed int _t34;
                                                                				signed int _t40;
                                                                				intOrPtr* _t48;
                                                                				long _t49;
                                                                
                                                                				_t28 = GetProcAddress(GetModuleHandleA("user32.dll"), "SetLayeredWindowAttributes");
                                                                				if(_t28 != 0) {
                                                                					_t48 = _t28;
                                                                					_t29 = GetWindowLongA(_a4, 0xffffffec); // executed
                                                                					SetWindowLongA(_a4, 0xffffffec, _t29 | 0x00080000);
                                                                					_t32 = _a12;
                                                                					_t33 = _t32 / 4;
                                                                					if(_t32 % 4 != 0) {
                                                                						_t33 = _t33 + 1;
                                                                					}
                                                                					_v8 = _t33;
                                                                					if(_a8 == 0) {
                                                                						L13:
                                                                						if(_a16 != 0) {
                                                                							_t34 = 0;
                                                                						} else {
                                                                							_t34 = _a12;
                                                                						}
                                                                						return  *_t48(_a4, 0, _t34, 2);
                                                                					} else {
                                                                						_t49 = _a8 / _t33;
                                                                						if(_a16 != 0) {
                                                                							_t40 = _a12;
                                                                						} else {
                                                                							_t40 = 0;
                                                                						}
                                                                						while(_v8 != 0) {
                                                                							 *_t48(_a4, 0, _t40, 2);
                                                                							if(_a16 != 0) {
                                                                								_t40 = _t40 - 4;
                                                                							} else {
                                                                								_t40 = _t40 + 4;
                                                                							}
                                                                							Sleep(_t49); // executed
                                                                							UpdateWindow(_a4);
                                                                							_v8 = _v8 - 1;
                                                                						}
                                                                						goto L13;
                                                                					}
                                                                				}
                                                                				return _t28;
                                                                			}













                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(user32.dll), ref: 6C663B7D
                                                                • GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 6C663B88
                                                                • GetWindowLongA.USER32 ref: 6C663B9C
                                                                • SetWindowLongA.USER32 ref: 6C663BAC
                                                                • Sleep.KERNEL32(00000000), ref: 6C663C00
                                                                • UpdateWindow.USER32(?), ref: 6C663C08
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$Long$AddressHandleModuleProcSleepUpdate
                                                                • String ID: SetLayeredWindowAttributes$user32.dll
                                                                • API String ID: 3069254162-3673630139
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 662 1000160e-1000163d Sleep GetCurrentThread SetThreadPriority timeGetTime 663 10001775-1000177b 662->663 664 10001781-10001785 663->664 665 10001642-10001648 663->665 666 10001757-10001759 665->666 667 1000164e-10001654 665->667 669 1000175f-10001768 timeGetTime 666->669 667->666 668 1000165a-10001660 667->668 670 10001662-10001668 668->670 671 10001685-10001690 call 100011c0 668->671 672 1000176a 669->672 673 1000176d-10001773 Sleep 669->673 670->671 674 1000166a-10001675 call 10008abb 670->674 679 10001692-10001695 671->679 680 100016fe-10001748 call 10001790 671->680 672->673 673->663 674->669 682 1000167b call 10001171 674->682 681 1000169a-1000169d 679->681 691 1000174e-10001755 call 100011cc 680->691 683 100016f0-100016fa 681->683 684 1000169f-100016ac call 10008a6f 681->684 688 10001680 682->688 683->681 687 100016fc 683->687 697 100016b1-100016ea 684->697 687->691 688->669 691->669 697->683
                                                                C-Code - Quality: 57%
                                                                			E1000160E(void* __ecx, signed long long __fp0) {
                                                                				long _v8;
                                                                				intOrPtr _v12;
                                                                				intOrPtr _v16;
                                                                				char _v20;
                                                                				char _v28;
                                                                				intOrPtr _v32;
                                                                				signed int _v36;
                                                                				intOrPtr _v40;
                                                                				signed int _v44;
                                                                				long _t30;
                                                                				signed int _t38;
                                                                				signed int _t46;
                                                                				intOrPtr _t49;
                                                                				intOrPtr* _t50;
                                                                				signed char* _t51;
                                                                				long _t54;
                                                                				void* _t62;
                                                                				signed long long _t63;
                                                                
                                                                				_t63 = __fp0;
                                                                				Sleep(1); // executed
                                                                				SetThreadPriority(GetCurrentThread(), 0xf); // executed
                                                                				_t30 = timeGetTime();
                                                                				_v8 = _t30;
                                                                				_t49 = 0;
                                                                				while(1) {
                                                                					_t62 =  *0x10010ae8 - _t49; // 0x394
                                                                					if(_t62 == 0) {
                                                                						break;
                                                                					}
                                                                					__eflags =  *0x10010ac0 - _t49; // 0x1
                                                                					if(__eflags == 0) {
                                                                						L15:
                                                                						asm("fldz");
                                                                						 *0x10010ab4 = _t63;
                                                                						L16:
                                                                						_t30 = timeGetTime();
                                                                						_v8 = _v8 + 0x64;
                                                                						__eflags = _v8 - _t30;
                                                                						if(_v8 < _t30) {
                                                                							_v8 = _t30;
                                                                						}
                                                                						_t54 = _v8 - _t30;
                                                                						__eflags = _t54;
                                                                						Sleep(_t54);
                                                                						continue;
                                                                					}
                                                                					__eflags =  *0x1000e0b8 - _t49; // 0x0
                                                                					if(__eflags != 0) {
                                                                						goto L15;
                                                                					}
                                                                					__eflags =  *0x1000e6e0 - _t49; // 0x0
                                                                					if(__eflags == 0) {
                                                                						L7:
                                                                						E100011C0();
                                                                						__eflags =  *0x10010abc - _t49; // 0x0
                                                                						if(__eflags != 0) {
                                                                							_t50 =  *0x1000d018; // 0x1001204d
                                                                							 *_t50( &_v28);
                                                                							E10001790(0, 0, _t63);
                                                                							 *_t50( &_v20);
                                                                							_t38 = _v20 - _v28;
                                                                							__eflags = _t38;
                                                                							asm("sbb ecx, [ebp-0x14]");
                                                                							_v44 = _t38;
                                                                							_v40 = _v16;
                                                                							asm("fild qword [ebp-0x28]");
                                                                							asm("faddp st1, st0");
                                                                							_t63 =  *0x10010ab4 *  *0x1000d10c *  *0x1000d110;
                                                                							 *0x10010ab4 = _t63;
                                                                							L14:
                                                                							E100011CC();
                                                                							_t49 = 0;
                                                                							goto L16;
                                                                						}
                                                                						_v12 = _t49;
                                                                						_t51 = 0x1000f558;
                                                                						do {
                                                                							__eflags =  *_t51 & 0x00000001;
                                                                							if(__eflags != 0) {
                                                                								 *0x1000d018( &_v28);
                                                                								E10008A6F(_v12, __eflags);
                                                                								 *0x1000d018( &_v20);
                                                                								_t46 = _v20 - _v28;
                                                                								__eflags = _t46;
                                                                								asm("sbb ecx, [ebp-0x14]");
                                                                								_v36 = _t46;
                                                                								_v32 = _v16;
                                                                								asm("fild qword [ebp-0x20]");
                                                                								asm("faddp st1, st0");
                                                                								_t63 =  *0x10010ab4 *  *0x1000d114 *  *0x1000d110;
                                                                								 *0x10010ab4 = _t63;
                                                                							}
                                                                							_v12 = _v12 + 1;
                                                                							_t51 =  &(_t51[0x20]);
                                                                							__eflags = _v12 - 6;
                                                                						} while (_v12 < 6);
                                                                						goto L14;
                                                                					}
                                                                					__eflags =  *0x1000e294 - _t49; // 0x220
                                                                					if(__eflags != 0) {
                                                                						goto L7;
                                                                					}
                                                                					__eflags = E10008ABB() -  *0x1000e280; // 0x296c240
                                                                					if(__eflags >= 0) {
                                                                						E10001171(_t63);
                                                                					}
                                                                					goto L16;
                                                                				}
                                                                				return _t30;
                                                                			}





















                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: SleepThreadTimetime$CurrentPriority
                                                                • String ID: d
                                                                • API String ID: 4044642871-2564639436
                                                                • Opcode ID: 9b8bc4cb04425e1355469ebb4d50463fedf59d8416cfcd1ecce477f13313c92f
                                                                • Instruction ID: 27f673620ebd892123a62c403dc1fe6da9819cdde3708e8b2608e4368368447f
                                                                • Opcode Fuzzy Hash: 9b8bc4cb04425e1355469ebb4d50463fedf59d8416cfcd1ecce477f13313c92f
                                                                • Instruction Fuzzy Hash: F3417C75E00359DFFB50EFA4CDC55EDBBB4FB08384F02442AE205A2568DB709984CB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 84%
                                                                			E10008AFC() {
                                                                				void* _t16;
                                                                				long _t23;
                                                                				long _t27;
                                                                				intOrPtr* _t30;
                                                                				long _t33;
                                                                
                                                                				Sleep(1); // executed
                                                                				SetThreadPriority(GetCurrentThread(), 2); // executed
                                                                				timeBeginPeriod(1);
                                                                				if( *0x10010aec == 0) {
                                                                					L13:
                                                                					return timeEndPeriod(1);
                                                                				} else {
                                                                					do {
                                                                						_t33 = 0x32;
                                                                						_t27 = _t33;
                                                                						_t30 = 0x1000e2b4;
                                                                						do {
                                                                							if( *(_t30 - 0xc) != 0) {
                                                                								_t16 = E10008ABB();
                                                                								_t2 = _t30 - 8; // 0x0
                                                                								_t23 =  *_t2 - _t16;
                                                                								if(_t23 <= 0) {
                                                                									_t7 = _t30 + 4; // 0x0
                                                                									_t8 = _t30 - 4; // 0x0
                                                                									_t9 = _t30 - 0xc; // 0x0
                                                                									 *_t30( *_t9,  *_t8,  *_t7);
                                                                									 *(_t30 - 0xc) =  *(_t30 - 0xc) & 0x00000000;
                                                                								} else {
                                                                									if( *0x10010abc == 0) {
                                                                										_t23 = _t23 * 0x3e8 /  *0x1000fe4c;
                                                                									}
                                                                									if(_t23 < _t27) {
                                                                										_t27 = _t23;
                                                                									}
                                                                								}
                                                                							}
                                                                							_t30 = _t30 + 0x14;
                                                                							_t33 = _t33 - 1;
                                                                						} while (_t33 != 0);
                                                                						Sleep(_t27); // executed
                                                                					} while ( *0x10010aec != 0);
                                                                					goto L13;
                                                                				}
                                                                			}








                                                                APIs
                                                                • Sleep.KERNELBASE(00000001), ref: 10008B05
                                                                • GetCurrentThread.KERNEL32 ref: 10008B09
                                                                • SetThreadPriority.KERNELBASE(00000000), ref: 10008B10
                                                                • timeBeginPeriod.WINMM(00000001), ref: 10008B18
                                                                • Sleep.KERNELBASE(00000032), ref: 10008B81
                                                                • timeEndPeriod.WINMM(00000001), ref: 10008B91
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: PeriodSleepThreadtime$BeginCurrentPriority
                                                                • String ID:
                                                                • API String ID: 296673637-0
                                                                • Opcode ID: 28e05d8b62839f86524fbb552466dfc47fc7540cda5b9103db7c29909c11db9c
                                                                • Instruction ID: 6b1e1b1cb432262348c661a92b301f190c4456ae4d28417c99a66424a5976680
                                                                • Opcode Fuzzy Hash: 28e05d8b62839f86524fbb552466dfc47fc7540cda5b9103db7c29909c11db9c
                                                                • Instruction Fuzzy Hash: 7911E572600324DFF711EB55CC88B2DB7A5FB447D2F01801DF18581199CBB58941CF21
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 73%
                                                                			E1000149B(int __ecx) {
                                                                				struct tWAVEFORMATEX _v24;
                                                                				void* _t13;
                                                                				signed short _t14;
                                                                				signed short _t17;
                                                                				int _t21;
                                                                				unsigned int _t22;
                                                                				signed int _t23;
                                                                				signed int _t24;
                                                                				void* _t27;
                                                                				long _t30;
                                                                				signed int _t38;
                                                                				signed int _t40;
                                                                				signed int _t41;
                                                                				signed char _t42;
                                                                				signed int _t44;
                                                                				void* _t50;
                                                                				void* _t52;
                                                                				void* _t53;
                                                                				signed short _t56;
                                                                				struct wavehdr_tag* _t62;
                                                                				void* _t63;
                                                                
                                                                				_t13 =  *0x1000d098(); // executed
                                                                				if(__ecx < _t13) {
                                                                					_t40 =  *0x1000f33c; // 0x2
                                                                					_t14 =  *0x1000f320; // 0x2
                                                                					_v24.nChannels = _t14;
                                                                					_t41 =  *0x1000fe54; // 0xac44
                                                                					_t56 = _t40 << 3;
                                                                					_v24.wBitsPerSample = _t56;
                                                                					_t17 = (_t14 & 0x0000ffff) * (_t56 & 0x0000ffff) >> 3;
                                                                					_v24.nBlockAlign = _t17;
                                                                					_v24.nAvgBytesPerSec = (_t17 & 0x0000ffff) * _t41;
                                                                					_v24.wFormatTag = 1;
                                                                					_v24.nSamplesPerSec = _t41;
                                                                					_v24.cbSize = 0;
                                                                					_t21 = waveOutOpen(0x10010ae4, __ecx,  &_v24, 0, 0, 0); // executed
                                                                					if(_t21 == 0) {
                                                                						_t22 =  *0x1000fe54; // 0xac44
                                                                						_t42 =  *0x1000e6ec; // 0x2
                                                                						_t23 = _t22 >> 3;
                                                                						 *0x1000e0b0 = _t23;
                                                                						_t24 = _t23 << _t42;
                                                                						 *0x1000f304 = _t24;
                                                                						_t27 = malloc(_t24 + _t24 * 2 << 1); // executed
                                                                						 *0x1000fa24 = _t27;
                                                                						if(_t27 != 0) {
                                                                							_t38 = 0;
                                                                							_t62 = 0x1000f548;
                                                                							do {
                                                                								_t44 = 8;
                                                                								memset(_t62, 0, _t44 << 2);
                                                                								_t63 = _t63 + 0xc;
                                                                								_t30 =  *0x1000f304; // 0x5620
                                                                								_t62->lpData =  *0x1000fa24 + _t30 * _t38;
                                                                								_t62->dwBufferLength = _t30;
                                                                								waveOutPrepareHeader( *0x10010ae4, _t62, 0x20);
                                                                								_t62 = _t62 + 0x20;
                                                                								_t38 = _t38 + 1;
                                                                							} while (_t62 < 0x1000f608);
                                                                							return 1;
                                                                						}
                                                                						 *0x10010aa4 = 1;
                                                                						waveOutClose( *0x10010ae4);
                                                                						 *0x10010ae4 = 0;
                                                                						L14:
                                                                						return 0;
                                                                					}
                                                                					_t50 = _t21 - 4;
                                                                					if(_t50 == 0) {
                                                                						L9:
                                                                						_push(3);
                                                                						L10:
                                                                						_pop(_t21);
                                                                						L11:
                                                                						 *0x10010aa4 = _t21;
                                                                						goto L14;
                                                                					}
                                                                					_t52 = _t50;
                                                                					if(_t52 == 0) {
                                                                						goto L9;
                                                                					}
                                                                					_t53 = _t52 - 1;
                                                                					if(_t53 == 0) {
                                                                						_t21 = 1;
                                                                						goto L11;
                                                                					}
                                                                					if(_t53 != 0x19) {
                                                                						goto L11;
                                                                					}
                                                                					_push(6);
                                                                					goto L10;
                                                                				}
                                                                				 *0x10010aa4 = 0x17;
                                                                				goto L14;
                                                                			}
























                                                                0x00000000
                                                                0x00000000
                                                                0x10001528
                                                                0x10001529
                                                                0x10001534
                                                                0x00000000
                                                                0x10001534
                                                                0x1000152e
                                                                0x00000000
                                                                0x00000000
                                                                0x10001530
                                                                0x00000000
                                                                0x10001530
                                                                0x100014b0
                                                                0x00000000

                                                                APIs
                                                                • waveOutOpen.WINMM(10010AE4,?,?,00000000,00000000,00000000), ref: 10001513
                                                                • waveOutPrepareHeader.WINMM(1000F548,00000020,?,00000000,00000000,00000000), ref: 100015BC
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: wave$HeaderOpenPrepare
                                                                • String ID:
                                                                • API String ID: 2298584912-0
                                                                • Opcode ID: 81542737e670e7dc5db06991c4641dd8abd5842531dbdcd7f75159c086aaa008
                                                                • Instruction ID: c8598c2832c8a5b4df7a156f3dde593b79036ae7f540ab3d3b922c964f81d035
                                                                • Opcode Fuzzy Hash: 81542737e670e7dc5db06991c4641dd8abd5842531dbdcd7f75159c086aaa008
                                                                • Instruction Fuzzy Hash: 4831D231604624DBF314DF68DD946AA7BE9EB883C1B40402EF546DB6A8DB708A01DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E001A1184(CHAR* _a4, void* _a8, long _a12) {
                                                                				void* _v8;
                                                                				long _v12;
                                                                				void* _t10;
                                                                
                                                                				_t10 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0); // executed
                                                                				if(_t10 != 0xffffffff) {
                                                                					_v8 = _t10;
                                                                					WriteFile(_v8, _a8, _a12,  &_v12, 0); // executed
                                                                					FlushFileBuffers(_v8);
                                                                					CloseHandle(_v8); // executed
                                                                					return _v12;
                                                                				} else {
                                                                					return 0;
                                                                				}
                                                                			}







                                                                APIs
                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001A119F
                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001A11C1
                                                                • FlushFileBuffers.KERNEL32(?,?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001A11C9
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001A11D1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886349851.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                                                                • Associated: 00000000.00000002.886340181.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.886354971.00000000001A2000.00000002.00000001.01000000.00000003.sdmp
                                                                • Associated: 00000000.00000002.886360847.00000000001A4000.00000002.00000001.01000000.00000003.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a0000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$BuffersCloseCreateFlushHandleWrite
                                                                • String ID:
                                                                • API String ID: 4137531733-0
                                                                • Opcode ID: 9e4eea78fea8035dff0c9a245fbff7687304ebd2cbbbc0792616a57573c032c8
                                                                • Instruction ID: 63cabd358ce318882210d073985c602843cafb8da7d4801424e224373313b7e6
                                                                • Opcode Fuzzy Hash: 9e4eea78fea8035dff0c9a245fbff7687304ebd2cbbbc0792616a57573c032c8
                                                                • Instruction Fuzzy Hash: 2FF0AC75A40209FAEF21ABB4DC03F9D7B65AB61724F204251B720B90E1DB71AF20A758
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C666D4C(CHAR* _a4, void* _a8, long _a12) {
                                                                				void* _v8;
                                                                				long _v12;
                                                                				void* _t10;
                                                                
                                                                				_t10 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0); // executed
                                                                				if(_t10 != 0xffffffff) {
                                                                					_v8 = _t10;
                                                                					WriteFile(_v8, _a8, _a12,  &_v12, 0); // executed
                                                                					FlushFileBuffers(_v8);
                                                                					CloseHandle(_v8); // executed
                                                                					return _v12;
                                                                				} else {
                                                                					return 0;
                                                                				}
                                                                			}







                                                                APIs
                                                                • CreateFileA.KERNEL32(00000008,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6C666D67
                                                                • WriteFile.KERNEL32(00000001,6C66E111,00000400,00000008,00000000,00000008,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6C666D89
                                                                • FlushFileBuffers.KERNEL32(00000001,00000001,6C66E111,00000400,00000008,00000000,00000008,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6C666D91
                                                                • CloseHandle.KERNEL32(00000001,00000001,00000001,6C66E111,00000400,00000008,00000000,00000008,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6C666D99
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$BuffersCloseCreateFlushHandleWrite
                                                                • String ID:
                                                                • API String ID: 4137531733-0
                                                                • Opcode ID: 062fc18334da10bf4cb8f25f91e6f01b827c87f4e906555039cbe201ef0cd06c
                                                                • Instruction ID: 4695b6e0100f1d96b965cc60c597f78ed02678f395fe276882ad198ffbb61de7
                                                                • Opcode Fuzzy Hash: 062fc18334da10bf4cb8f25f91e6f01b827c87f4e906555039cbe201ef0cd06c
                                                                • Instruction Fuzzy Hash: 3DF0FE31540118FADF118B61DC02FCD7A75AB01718F208250B620F55E0D771AA24A74D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 79%
                                                                			E6C662A7D() {
                                                                				signed char _v5;
                                                                				void* _t7;
                                                                
                                                                				asm("pushad");
                                                                				_v5 = 0;
                                                                				_t7 = E6C661460( *0x6c66d8a2, 8, 1);
                                                                				if(_t7 != 0) {
                                                                					_t14 = _t7;
                                                                					GetTempPathA(0x400, 0x6c66e111);
                                                                					lstrcatA(0x6c66e111, "\\bassmod.dll");
                                                                					_t3 = _t14 + 5; // 0x5
                                                                					E6C666D4C(0x6c66e111, _t3,  *((intOrPtr*)(_t7 + 1))); // executed
                                                                					_v5 = 1;
                                                                				}
                                                                				asm("popad");
                                                                				return _v5 & 0x000000ff;
                                                                			}






                                                                APIs
                                                                • GetTempPathA.KERNEL32(00000400,6C66E111,00000008,00000001), ref: 6C662AA7
                                                                • lstrcatA.KERNEL32(6C66E111,\bassmod.dll,00000400,6C66E111,00000008,00000001), ref: 6C662AB6
                                                                  • Part of subcall function 6C666D4C: CreateFileA.KERNEL32(00000008,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6C666D67
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CreateFilePathTemplstrcat
                                                                • String ID: \bassmod.dll
                                                                • API String ID: 3703170275-1657146168
                                                                • Opcode ID: 8527398597d652c5b30372101f29ba31e10365b8db71434186247bd37542070d
                                                                • Instruction ID: d76264f0cf0f2e6374d203df2ecd00b41814a9aaf3e628ff4876e14fb62c9e1d
                                                                • Opcode Fuzzy Hash: 8527398597d652c5b30372101f29ba31e10365b8db71434186247bd37542070d
                                                                • Instruction Fuzzy Hash: 15F0E53024824979DB2193A39C42FE9FA984B2231CF1049A4B551E6EC1DAE1EA0D56AF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID: ADPCM$N.T.
                                                                • API String ID: 2803490479-4258761676
                                                                • Opcode ID: 16cf8233041827d915f01c0868c1dde59fa91bde06781640817550930a3d729b
                                                                • Instruction ID: 1220e54d365aa5a2bec4931655444f9967ee9239e901a96aef1f16103ee39984
                                                                • Opcode Fuzzy Hash: 16cf8233041827d915f01c0868c1dde59fa91bde06781640817550930a3d729b
                                                                • Instruction Fuzzy Hash: 9191D371E002159FEB04CF24C98179DB7F1FF46390F2586AAD815EB28AD770EA81CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Iexpmalloc
                                                                • String ID:
                                                                • API String ID: 316122613-0
                                                                • Opcode ID: 6d7fb711e62ef91ffd493bce0f87ff7fe7c63c25baca19c2d72b77238d76c822
                                                                • Instruction ID: 7b11736edb3678d659b03bd20ba21effc707f343fc726c4b93f60782785575ac
                                                                • Opcode Fuzzy Hash: 6d7fb711e62ef91ffd493bce0f87ff7fe7c63c25baca19c2d72b77238d76c822
                                                                • Instruction Fuzzy Hash: E4217CB2604364CBF304CF29DCD16A8B3E4FB483E5B40862EE541C3AA9D770D6459F41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 10009A0A: malloc.MSVCRT ref: 10009A25
                                                                • malloc.MSVCRT ref: 10009316
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID: dddd
                                                                • API String ID: 2803490479-2442188630
                                                                • Opcode ID: 2bf8ccf2c7dbadd81ad4d7936f9bfcc8005175e3bcd4b4867ea7012c42feff38
                                                                • Instruction ID: d435e6e7e5084bcf4800b6c4bfd62bf2b2ff0d7af92c7b1b9b3a0ffe42b8bef7
                                                                • Opcode Fuzzy Hash: 2bf8ccf2c7dbadd81ad4d7936f9bfcc8005175e3bcd4b4867ea7012c42feff38
                                                                • Instruction Fuzzy Hash: 1011C130704B508BF728DB69C45976EB2D6EF847C0F08842DE497876DACF74EA018B45
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C666D14(void* _a4) {
                                                                				void* _v8;
                                                                				long _v12;
                                                                				long _v16;
                                                                
                                                                				_v8 = GetStdHandle(0xfffffff5);
                                                                				_v16 = E6C666DB0(_a4);
                                                                				WriteFile(_v8, _a4, _v16,  &_v12, 0); // executed
                                                                				return _v12;
                                                                			}







                                                                APIs
                                                                • GetStdHandle.KERNEL32(000000F5), ref: 6C666D1C
                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,?,000000F5), ref: 6C666D3E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: FileHandleWrite
                                                                • String ID:
                                                                • API String ID: 3320372497-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: _beginthread
                                                                • String ID:
                                                                • API String ID: 2793500346-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 58%
                                                                			E6C662294(intOrPtr _a4) {
                                                                				int _t4;
                                                                				intOrPtr _t8;
                                                                
                                                                				asm("pushad");
                                                                				_t8 = _a4;
                                                                				if(_t8 != 0) {
                                                                					_t4 = SetWindowRgn( *0x6c66d8a6, ExtCreateRegion(0,  *(_t8 + 1), _t8 + 0x15), 1); // executed
                                                                				}
                                                                				asm("popad");
                                                                				return _t4;
                                                                			}





                                                                APIs
                                                                • ExtCreateRegion.GDI32(00000000,?,?), ref: 6C6622A8
                                                                • SetWindowRgn.USER32(00000000,00000001), ref: 6C6622B6
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CreateRegionWindow
                                                                • String ID:
                                                                • API String ID: 44738954-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 50%
                                                                			E6C662244(_Unknown_base(*)()* _a4) {
                                                                				long _v8;
                                                                				void* _t4;
                                                                				int _t5;
                                                                
                                                                				asm("pushad");
                                                                				_t4 = CreateThread(0, 0, _a4, 0, 0,  &_v8); // executed
                                                                				_t5 = CloseHandle(_t4); // executed
                                                                				asm("popad");
                                                                				return _t5;
                                                                			}






                                                                APIs
                                                                • CreateThread.KERNEL32 ref: 6C66225A
                                                                • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 6C662260
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateHandleThread
                                                                • String ID:
                                                                • API String ID: 3032276028-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C661B8B(void* _a4) {
                                                                				long _v8;
                                                                				void* _t4;
                                                                				int _t5;
                                                                
                                                                				_t4 = CreateThread(0, 0, E6C661BCC, _a4, 0,  &_v8); // executed
                                                                				_t5 = CloseHandle(_t4); // executed
                                                                				return _t5;
                                                                			}






                                                                APIs
                                                                • CreateThread.KERNEL32 ref: 6C661BA3
                                                                • CloseHandle.KERNEL32(00000000,00000000,00000000,Function_00001BCC,?,00000000,?), ref: 6C661BA9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateHandleThread
                                                                • String ID:
                                                                • API String ID: 3032276028-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E10008A6F(signed int __ecx, void* __eflags) {
                                                                				void* _t4;
                                                                				int _t5;
                                                                				signed int _t10;
                                                                				intOrPtr _t12;
                                                                				signed int _t13;
                                                                				signed int _t14;
                                                                				unsigned int _t19;
                                                                				void* _t20;
                                                                				void* _t24;
                                                                				struct wavehdr_tag* _t29;
                                                                				void* _t37;
                                                                
                                                                				_t19 =  *0x1000f304; // 0x5620
                                                                				_t10 = __ecx << 5;
                                                                				_t1 = _t10 + 0x1000f548; // 0x1000f548
                                                                				_t29 = _t1;
                                                                				_t4 = E10001790(_t29->lpData, _t19, _t37);
                                                                				_t12 =  *0x1000f304; // 0x5620
                                                                				_t20 = _t4;
                                                                				if(_t20 < _t12) {
                                                                					_t13 = _t12 - _t20;
                                                                					_t24 =  &(_t29->lpData[_t20]);
                                                                					_t14 = _t13 >> 2;
                                                                					memset(_t24 + _t14, memset(_t24, 0, _t14 << 2), (_t13 & 0x00000003) << 0);
                                                                				}
                                                                				_t5 = waveOutWrite( *0x10010ae4, _t29, 0x20); // executed
                                                                				return _t5;
                                                                			}














                                                                APIs
                                                                  • Part of subcall function 10001790: timeGetTime.WINMM(00000001,1000F548), ref: 100017C0
                                                                • waveOutWrite.WINMM(1000F548,00000020,00000000,1000C4F7,?,00000000,1000C4BE), ref: 10008AB3
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: TimeWritetimewave
                                                                • String ID:
                                                                • API String ID: 4094630031-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • lstrcpyA.KERNEL32(?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000,?,00000000,?,6C663277), ref: 6C6660FD
                                                                • lstrcatA.KERNEL32(?,6C66D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000,?,00000000), ref: 6C66610E
                                                                • lstrcatA.KERNEL32(?,?,?,6C66D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400,?,00000000), ref: 6C666121
                                                                • lstrcatA.KERNEL32(?,.dll,?,?,?,6C66D7EB,?,?,00000001,?,00000010,00000001,?,00000400,?,00000400), ref: 6C666132
                                                                • LoadLibraryA.KERNEL32(?,?,00000000,?,?,.dll,?,?,?,6C66D7EB,?,?,00000001,?,00000010,00000001), ref: 6C666169
                                                                • SetCurrentDirectoryA.KERNEL32(?,00000002,?,?,?,?,?,00000000,?,?,.dll,?,?,?,6C66D7EB,?), ref: 6C6661B2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: lstrcat$CurrentDirectoryLibraryLoadlstrcpy
                                                                • String ID:
                                                                • API String ID: 4016003455-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 6C661B7F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: ProcWindow
                                                                • String ID:
                                                                • API String ID: 181713994-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: 812e4d494d0f83acb5f1cee0b3223686164d318f70b9c6cfa88811e91494b16b
                                                                • Instruction ID: fe35ce65def57a662639e6214f1034abab95068cd074d62c65248d5cac03b148
                                                                • Opcode Fuzzy Hash: 812e4d494d0f83acb5f1cee0b3223686164d318f70b9c6cfa88811e91494b16b
                                                                • Instruction Fuzzy Hash: 9CC00237100049BBCF024F86EE44CD93F62AB5A358B108805FA1654960C372C570BB1E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID:
                                                                • API String ID: 2803490479-0
                                                                • Opcode ID: c357385078383431c8e503c4568dd92c4f4628b14f9a43b4273516da74911566
                                                                • Instruction ID: 181d54a6ef79742d923bf8e2a4ce53abfafbb0a5bd40b01c490642605998be84
                                                                • Opcode Fuzzy Hash: c357385078383431c8e503c4568dd92c4f4628b14f9a43b4273516da74911566
                                                                • Instruction Fuzzy Hash: F1315730608F119BE725CF79CCD1A6E73E0EF443A5F204A29D852C3289C776E9069700
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 10009274: malloc.MSVCRT ref: 10009278
                                                                • malloc.MSVCRT ref: 10009A25
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID:
                                                                • API String ID: 2803490479-0
                                                                • Opcode ID: 327b832d6b45f2ef1ed1189eb1975576db4a6e6270622a179acee84bc5593cb8
                                                                • Instruction ID: 438105d2687a4e24b951186259946faf85d03dd67fae5f282eae31cc8780c2df
                                                                • Opcode Fuzzy Hash: 327b832d6b45f2ef1ed1189eb1975576db4a6e6270622a179acee84bc5593cb8
                                                                • Instruction Fuzzy Hash: D031F2307007018AF700EBB4D99565F32A0EF823E4F164269E4028B1EAEFB0E941C3E7
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID:
                                                                • API String ID: 2803490479-0
                                                                • Opcode ID: df2326eae5bec8cd7d26d8e2b412344cec7056fb19aa87a975da1748e67337b2
                                                                • Instruction ID: d40c1adeb822737a7229334bb4065bd4977e3234c3c85ccaef5cf787528b26a9
                                                                • Opcode Fuzzy Hash: df2326eae5bec8cd7d26d8e2b412344cec7056fb19aa87a975da1748e67337b2
                                                                • Instruction Fuzzy Hash: 28D0A93A3015342B6B4CD11EEC246BAA2CB9FC962030A803FE106C3358DEA0CC1201A0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID:
                                                                • API String ID: 2803490479-0
                                                                • Opcode ID: 8ec0dfc047e7588edeefcbee3a0ca862ca22f0ea22344ddfa367c68e10dcf096
                                                                • Instruction ID: 84a0b9de50f5687018b715be834414938be9258c5d47dd87aba66bea2c881a3d
                                                                • Opcode Fuzzy Hash: 8ec0dfc047e7588edeefcbee3a0ca862ca22f0ea22344ddfa367c68e10dcf096
                                                                • Instruction Fuzzy Hash: 3DD012733010281B9B1C55696CD59BF97CFF6CD162358413FFA06C3244CE558C159260
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 47%
                                                                			E6C664616(intOrPtr* _a4) {
                                                                				signed int _v8;
                                                                				struct _SECURITY_ATTRIBUTES* _v12;
                                                                				struct _SYSTEM_INFO _v48;
                                                                				void* _v52;
                                                                				void* _v56;
                                                                				void* _v60;
                                                                				long _v64;
                                                                				long _v68;
                                                                				long _v72;
                                                                				long _v76;
                                                                				long _v80;
                                                                				intOrPtr _v88;
                                                                				intOrPtr _v92;
                                                                				intOrPtr _v96;
                                                                				void* _t65;
                                                                				void* _t70;
                                                                				void* _t75;
                                                                				signed int _t82;
                                                                				intOrPtr _t85;
                                                                				intOrPtr _t86;
                                                                				signed int _t88;
                                                                				signed int _t93;
                                                                				void* _t95;
                                                                				intOrPtr* _t99;
                                                                				signed int* _t100;
                                                                
                                                                				_v8 = 0;
                                                                				GetSystemInfo( &_v48);
                                                                				_t85 = _v48.dwAllocationGranularity;
                                                                				_v88 = _t85;
                                                                				_t86 = _t85 + _t85;
                                                                				_v92 = _t86;
                                                                				_v96 = _t86 + _v48.dwAllocationGranularity;
                                                                				_t99 = _a4;
                                                                				_t65 = CreateFileA(0x6c66d911, 0xc0000000, 2, 0, 3, 0x82, 0);
                                                                				if(_t65 != 0xffffffff) {
                                                                					_v52 = _t65;
                                                                					_v64 = GetFileSize(_v52,  &_v68);
                                                                					_t70 = CreateFileMappingA(_v52, 0, 4, 0, 0, 0);
                                                                					if(_t70 != 0) {
                                                                						_v56 = _t70;
                                                                						E6C6622C0("trying large file patchmode");
                                                                						do {
                                                                							_v72 = 0;
                                                                							_v76 = 0;
                                                                							_t100 =  *((intOrPtr*)(_t99 + 0x16)) + _t99;
                                                                							_push(_v96);
                                                                							_pop( *_t20);
                                                                							_v12 = 0;
                                                                							while(1) {
                                                                								_t75 = MapViewOfFile(_v56, 2, _v76, _v72, _v80);
                                                                								if(_t75 == 0) {
                                                                									break;
                                                                								}
                                                                								_v60 = _t75;
                                                                								_t88 =  *_t100;
                                                                								_t93 = _t100[1];
                                                                								if(_t93 != 0xffffffff) {
                                                                									_t93 = _t93 - _v12;
                                                                								}
                                                                								_push(_t93);
                                                                								if(_v80 == 0) {
                                                                									_t95 = _v64 - _v72;
                                                                								} else {
                                                                									_t95 = _v92 + _t88 - 1;
                                                                								}
                                                                								_push(_t95);
                                                                								_push(_t88);
                                                                								_push(_t100 + 8 + _t88 * 2 + _t88);
                                                                								_push(_t100 + 8 + _t88 * 2);
                                                                								_push( &(_t100[2]) + _t88);
                                                                								_push( &(_t100[2]));
                                                                								_push(_v60);
                                                                								_t82 = E6C666740();
                                                                								_v12 = _v12 + _t82;
                                                                								_v8 = _v8 | _t82;
                                                                								UnmapViewOfFile(_v60);
                                                                								if(_v80 != 0) {
                                                                									_v72 = _v72 + _v92;
                                                                									asm("adc [ebp-0x48], edx");
                                                                									if(_v76 == _v68 && _v72 + _v80 >= _v64) {
                                                                										_v80 = 0;
                                                                									}
                                                                									continue;
                                                                								} else {
                                                                									goto L11;
                                                                								}
                                                                								goto L18;
                                                                							}
                                                                							break;
                                                                							L11:
                                                                							_t99 = _t100 + 8 +  *_t100 * 4;
                                                                						} while ( *_t99 != 0);
                                                                						L18:
                                                                						CloseHandle(_v56);
                                                                					}
                                                                					CloseHandle(_v52);
                                                                				}
                                                                				return _v8;
                                                                			}





























                                                                APIs
                                                                • GetSystemInfo.KERNEL32(?,00000001,?,?), ref: 6C66462A
                                                                • CreateFileA.KERNEL32(6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000,?,00000001,?,?), ref: 6C66465A
                                                                • GetFileSize.KERNEL32(?,?,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000,?,00000001,?,?), ref: 6C664672
                                                                • CreateFileMappingA.KERNEL32 ref: 6C664687
                                                                • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,?,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6C664780
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • MapViewOfFile.KERNEL32(?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6C66D911,C0000000), ref: 6C6646D0
                                                                • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000002,?,?,?,?,?), ref: 6C664728
                                                                • CloseHandle.KERNEL32(?,?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6C66D911), ref: 6C664778
                                                                Strings
                                                                • trying large file patchmode, xrefs: 6C664697
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$MessageSend$CloseCreateHandleView$InfoMappingSizeSystemUnmap
                                                                • String ID: trying large file patchmode
                                                                • API String ID: 3390188210-199533899
                                                                • Opcode ID: 75b81bab4bcea9c0854f2256422029c5d6fe7de4f201ece21cc6cad8cdf1626b
                                                                • Instruction ID: e4e970106d80d5fcd8e72ab5dbd9eeece7450019b9607e51df667b78d0108b52
                                                                • Opcode Fuzzy Hash: 75b81bab4bcea9c0854f2256422029c5d6fe7de4f201ece21cc6cad8cdf1626b
                                                                • Instruction Fuzzy Hash: 3D412671D00208EFDF11CF96DC90BEDBBB6EF41318F208129E111A6A90D7B0A955CF5A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 90%
                                                                			E6C6671E0(CHAR* _a4) {
                                                                				signed char _v5;
                                                                				int _t6;
                                                                				void* _t9;
                                                                				void* _t12;
                                                                				int _t17;
                                                                				void* _t19;
                                                                				void* _t20;
                                                                				CHAR* _t22;
                                                                
                                                                				asm("pushad");
                                                                				_v5 = 0;
                                                                				_t22 = _a4;
                                                                				if(_t22 == 0) {
                                                                					L8:
                                                                					asm("popad");
                                                                					return _v5 & 0x000000ff;
                                                                				}
                                                                				_t6 = lstrlenA(_t22);
                                                                				if(_t6 == 0) {
                                                                					goto L8;
                                                                				}
                                                                				_t17 = _t6;
                                                                				if(OpenClipboard(0) != 1) {
                                                                					goto L8;
                                                                				}
                                                                				_t9 = GlobalAlloc(0x2042, _t17 + 2);
                                                                				if(_t9 != 0) {
                                                                					_t19 = _t9;
                                                                					_t12 = GlobalLock(_t19);
                                                                					if(_t12 != 0) {
                                                                						_t20 = _t12;
                                                                						lstrcpyA(_t20, _t22);
                                                                						if(EmptyClipboard() == 1) {
                                                                							GlobalUnlock(_t20);
                                                                							SetClipboardData(1, _t19);
                                                                						}
                                                                					}
                                                                				}
                                                                				CloseClipboard();
                                                                				goto L8;
                                                                			}












                                                                APIs
                                                                • lstrlenA.KERNEL32(?), ref: 6C6671F3
                                                                • OpenClipboard.USER32(00000000), ref: 6C667200
                                                                • GlobalAlloc.KERNEL32(00002042,00000000,?), ref: 6C667213
                                                                • GlobalLock.KERNEL32 ref: 6C66721F
                                                                • lstrcpyA.KERNEL32(00000000,?,00000000,00002042,00000000,?), ref: 6C66722C
                                                                • EmptyClipboard.USER32(00000000,?,00000000,00002042,00000000,?), ref: 6C667231
                                                                • GlobalUnlock.KERNEL32(00000000,00000000,?,00000000,00002042,00000000,?), ref: 6C66723C
                                                                • SetClipboardData.USER32 ref: 6C667244
                                                                • CloseClipboard.USER32(00002042,00000000,?), ref: 6C667249
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlocklstrcpylstrlen
                                                                • String ID:
                                                                • API String ID: 3593921032-0
                                                                • Opcode ID: e0ae8ff1f76d97a44267d8c6efe8f35e0107f6a22844dbe5c4e64f9a06f44af1
                                                                • Instruction ID: 0128d48a477317bd611ce81a1046465c3c35eb46ea708b897e7e10d5c17a99ff
                                                                • Opcode Fuzzy Hash: e0ae8ff1f76d97a44267d8c6efe8f35e0107f6a22844dbe5c4e64f9a06f44af1
                                                                • Instruction Fuzzy Hash: 15F02420A1923525E60162F35C81BBE295C4B0376CF200150F840EAFC7EF95D91851BF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: _ftol$malloc
                                                                • String ID: 4$@
                                                                • API String ID: 1531896713-1528247400
                                                                • Opcode ID: 33ce1efdfabe79b68992e9e8917b31bfe53a4fdc63d456d2683879312e6f0a23
                                                                • Instruction ID: 2bd6d3a6621f1fcb62dc56ee6fea1d5d90282659d4c903a6b5cd0090bb41f5c9
                                                                • Opcode Fuzzy Hash: 33ce1efdfabe79b68992e9e8917b31bfe53a4fdc63d456d2683879312e6f0a23
                                                                • Instruction Fuzzy Hash: B1623830A04B9A8FEB21CF64C4507EDBBF0FF06380F1446A9D89697686D734AA85CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DisableThreadLibraryCalls.KERNEL32(?), ref: 10001014
                                                                • QueryPerformanceFrequency.KERNEL32(?), ref: 10001044
                                                                • RtlInitializeCriticalSection.NTDLL(1000F324), ref: 10001066
                                                                • BASSMOD_Free.BASSMOD ref: 1000106E
                                                                • RtlDeleteCriticalSection.NTDLL(1000F324), ref: 10001078
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$CallsDeleteDisableFreeFrequencyInitializeLibraryPerformanceQueryThread
                                                                • String ID:
                                                                • API String ID: 3976701699-0
                                                                • Opcode ID: e21d60c6b0cc6315314d4d75a7dfcf352752025a452740a832d0a27c415ec9c5
                                                                • Instruction ID: 4d959fd10b64a8b70ed6085801d867471c968ef27c87a14eebda340be764368d
                                                                • Opcode Fuzzy Hash: e21d60c6b0cc6315314d4d75a7dfcf352752025a452740a832d0a27c415ec9c5
                                                                • Instruction Fuzzy Hash: 0801AD76614149FFF744EBA8CC88B8D3BA5FB043D1F108455F289D2558C6B0AA918A24
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C666CE0(CHAR* _a4) {
                                                                				struct _WIN32_FIND_DATAA _v322;
                                                                				void* _t5;
                                                                
                                                                				_t5 = FindFirstFileA(_a4,  &_v322);
                                                                				if(_t5 != 0xffffffff) {
                                                                					FindClose(_t5);
                                                                					return _v322.nFileSizeLow;
                                                                				}
                                                                				return 0xffffffff;
                                                                			}






                                                                APIs
                                                                • FindFirstFileA.KERNEL32(?,?), ref: 6C666CF3
                                                                • FindClose.KERNEL32(00000000,?,?), ref: 6C666D05
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Find$CloseFileFirst
                                                                • String ID:
                                                                • API String ID: 2295610775-0
                                                                • Opcode ID: 979f0add1b60af9980b8b1f71a2e6074693626d1f880305a576188f58626c3e1
                                                                • Instruction ID: 6dd7ca8e42e2f9477fa1548cdfcbe923b4055eb575e819d51c53823c0022a883
                                                                • Opcode Fuzzy Hash: 979f0add1b60af9980b8b1f71a2e6074693626d1f880305a576188f58626c3e1
                                                                • Instruction Fuzzy Hash: 3FD05E7040011956CA20967AEC42CCD72AC5B12338F100351B634D6AD1DB70DA908AAE
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: FastTracker v 2.00 $x
                                                                • API String ID: 0-3687214501
                                                                • Opcode ID: 60f7f0d239a6afe2fef7d80d8b0ceb29e9691d20155b6aaee9200d6b9ff23c37
                                                                • Instruction ID: 36c34ba1ef2acc4888e8347ab46dba18dcafd8c1c730cacbf4adb65d5d434434
                                                                • Opcode Fuzzy Hash: 60f7f0d239a6afe2fef7d80d8b0ceb29e9691d20155b6aaee9200d6b9ff23c37
                                                                • Instruction Fuzzy Hash: 4AF1BF71D04299CBEF15CF64C8946EEBBF0EF45380F1541EAD849AB28AD7709A85CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: `'hl
                                                                • API String ID: 0-3460347046
                                                                • Opcode ID: 1602d2a092e26b29f562ffb92e95f5b3f426e53a98ef231f275eefd4b8e41ff0
                                                                • Instruction ID: deec18876782e5da96addfa5963dbbf0d4a949db70e9c7fbb20dbe50e263da14
                                                                • Opcode Fuzzy Hash: 1602d2a092e26b29f562ffb92e95f5b3f426e53a98ef231f275eefd4b8e41ff0
                                                                • Instruction Fuzzy Hash: B702407398560B4BEB1CCD26CCC1AD57393B7D42A871BD27C9829C7644EE7CE64B8640
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 99%
                                                                			E10001790(intOrPtr __ecx, unsigned int __edx, void* __fp0) {
                                                                				void* __ebp;
                                                                				signed int _t75;
                                                                				unsigned int _t77;
                                                                				signed int _t80;
                                                                				signed int _t84;
                                                                				signed int _t86;
                                                                				intOrPtr _t91;
                                                                				intOrPtr _t92;
                                                                				intOrPtr _t99;
                                                                				intOrPtr _t102;
                                                                				void* _t103;
                                                                				void* _t104;
                                                                				signed char _t109;
                                                                				signed char _t110;
                                                                				signed int _t111;
                                                                				signed char _t116;
                                                                				intOrPtr _t123;
                                                                				intOrPtr _t125;
                                                                				void* _t126;
                                                                				intOrPtr _t128;
                                                                				void* _t129;
                                                                				intOrPtr _t131;
                                                                				signed char _t134;
                                                                				intOrPtr _t135;
                                                                				intOrPtr _t137;
                                                                				intOrPtr _t147;
                                                                				intOrPtr _t148;
                                                                				void* _t149;
                                                                				intOrPtr _t152;
                                                                				signed int _t156;
                                                                				signed int _t158;
                                                                				void* _t159;
                                                                				void* _t160;
                                                                				void* _t161;
                                                                				intOrPtr _t163;
                                                                				signed int _t164;
                                                                				void* _t165;
                                                                				intOrPtr _t166;
                                                                				void* _t167;
                                                                				void* _t168;
                                                                				intOrPtr _t169;
                                                                				void* _t170;
                                                                				intOrPtr _t171;
                                                                				signed int _t172;
                                                                				void* _t173;
                                                                				intOrPtr _t178;
                                                                				signed int _t179;
                                                                				void* _t181;
                                                                				signed int _t182;
                                                                				intOrPtr _t206;
                                                                
                                                                				_t219 = __fp0;
                                                                				_t75 =  *0x1000e6b8; // 0x0
                                                                				_t156 = 0;
                                                                				_t163 = __ecx;
                                                                				 *(_t173 + 0x14) = __edx;
                                                                				 *((intOrPtr*)(_t173 + 0x10)) = __ecx;
                                                                				 *(_t173 + 0x18) = 0;
                                                                				if((_t75 & 0x00020000) != 0) {
                                                                					E10001B00(0, _t170, __fp0);
                                                                				}
                                                                				if(_t163 != 0) {
                                                                					_t109 =  *0x1000e6ec; // 0x2
                                                                					_t77 =  *(_t173 + 0x14) >> _t109;
                                                                				} else {
                                                                					_t77 = timeGetTime() + 0xc8;
                                                                				}
                                                                				 *(_t173 + 0x14) = _t77;
                                                                				if(_t77 <= 0) {
                                                                					L61:
                                                                					_t110 =  *0x1000e6ec; // 0x2
                                                                					return _t156 << _t110;
                                                                				} else {
                                                                					goto L8;
                                                                					L9:
                                                                					_t179 =  *0x1000e294; // 0x220
                                                                					if(_t179 == 0) {
                                                                						goto L61;
                                                                					}
                                                                					L10:
                                                                					if(_t163 != 0) {
                                                                						L12:
                                                                						_t182 =  *0x1000e294; // 0x220
                                                                						if(_t182 != 0) {
                                                                							L50:
                                                                							if( *((intOrPtr*)(_t173 + 0x10)) == 0) {
                                                                								L60:
                                                                								_t156 =  *(_t173 + 0x18);
                                                                								_t77 =  *(_t173 + 0x14);
                                                                								if(_t156 < _t77) {
                                                                									_t163 =  *((intOrPtr*)(_t173 + 0x10));
                                                                									L8:
                                                                									_t178 =  *0x1000e6e0; // 0x0
                                                                									if(_t178 == 0) {
                                                                										goto L10;
                                                                									}
                                                                									goto L9;
                                                                								}
                                                                								goto L61;
                                                                							}
                                                                							_t80 =  *0x1000e294; // 0x220
                                                                							_t158 =  *(_t173 + 0x14) -  *(_t173 + 0x18);
                                                                							if(_t80 < _t158) {
                                                                								_t158 = _t80;
                                                                							}
                                                                							_t172 =  *0x1000f61c; // 0xac8
                                                                							if( *0x1000f320 == 2) {
                                                                								_t116 =  *0x1000e6f0; // 0x2
                                                                								_t172 = _t172 >> 1;
                                                                								if((_t116 & 0x00000006) != 0) {
                                                                									_t172 = _t172 >> 1;
                                                                								}
                                                                							}
                                                                							 *0x1000e294 = _t80 - _t158;
                                                                							 *(_t173 + 0x18) =  *(_t173 + 0x18) + _t158;
                                                                							while(_t158 != 0) {
                                                                								_t164 = _t158;
                                                                								if(_t158 >= _t172) {
                                                                									_t164 = _t172;
                                                                								}
                                                                								E10006980( *((intOrPtr*)(_t173 + 0x10)), _t164);
                                                                								_t134 =  *0x1000e6ec; // 0x2
                                                                								_t84 = _t164 << _t134;
                                                                								_t135 =  *0x1000e280; // 0x296c240
                                                                								_t158 = _t158 - _t164;
                                                                								 *((intOrPtr*)(_t173 + 0x10)) =  *((intOrPtr*)(_t173 + 0x10)) + _t84;
                                                                								 *0x1000e280 = _t135 + _t84;
                                                                							}
                                                                							goto L60;
                                                                						}
                                                                						if(( *0x1000e6f0 & 0x00000003) == 0) {
                                                                							L23:
                                                                							if(E10002355() != 0) {
                                                                								_t171 =  *0x10010adc; // 0x26d90f0
                                                                								L31:
                                                                								if( *((intOrPtr*)(_t173 + 0x10)) != 0) {
                                                                									_t86 =  *0x1000fe54; // 0xac44
                                                                									_t111 =  *0x1000e6c8; // 0x7d
                                                                									 *0x1000e294 = _t86 * 0x7d / _t111 * 0x32;
                                                                								} else {
                                                                									asm("cdq");
                                                                									 *0x1000e280 =  *0x1000e280 + 0x9c4 /  *0x1000e6c8;
                                                                								}
                                                                								_t159 = 0;
                                                                								_t165 = 0;
                                                                								do {
                                                                									if( *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x2dc)) + _t165 + 0x1b8)) != 0 &&  *((intOrPtr*)(_t173 + 0x10)) != 0) {
                                                                										E10006B20(_t219);
                                                                										_t171 =  *0x10010adc; // 0x26d90f0
                                                                									}
                                                                									_t159 = _t159 + 1;
                                                                									_t165 = _t165 + 0x208;
                                                                								} while (_t159 <  *((intOrPtr*)(_t171 + 4)));
                                                                								_t166 =  *((intOrPtr*)(_t171 + 0x2e0));
                                                                								if(_t166 == 0) {
                                                                									L47:
                                                                									_t206 =  *0x1000e6e0; // 0x0
                                                                									if(_t206 == 0) {
                                                                										_t91 =  *0x1000e694; // 0x6
                                                                										_t137 =  *0x1000e6c4; // 0x7
                                                                										_t92 = _t91 + 1;
                                                                										 *0x1000e694 = _t92;
                                                                										if(_t92 >= _t137) {
                                                                											E10001B00(0, _t171, _t219);
                                                                										}
                                                                									}
                                                                									goto L50;
                                                                								}
                                                                								_t160 = 0x40;
                                                                								do {
                                                                									if( *((intOrPtr*)(_t166 + 0x1b8)) != 0) {
                                                                										if( *((intOrPtr*)(_t166 + 0x1dc)) != 0) {
                                                                											if( *((intOrPtr*)(_t173 + 0x10)) != 0) {
                                                                												E10006B20(_t219);
                                                                											}
                                                                										} else {
                                                                											 *((char*)(_t166 + 0x1b8)) = 0;
                                                                										}
                                                                									}
                                                                									_t166 = _t166 + 0x208;
                                                                									_t160 = _t160 - 1;
                                                                								} while (_t160 != 0);
                                                                								goto L47;
                                                                							}
                                                                							_t161 = 0;
                                                                							_t167 = 0;
                                                                							do {
                                                                								_t147 =  *0x10010adc; // 0x26d90f0
                                                                								E100060F0( *((intOrPtr*)(_t147 + 0x2dc)) + _t167);
                                                                								_t99 =  *0x10010adc; // 0x26d90f0
                                                                								 *((char*)( *((intOrPtr*)(_t99 + 0x2dc)) + _t167 + 0x1b8)) = 0;
                                                                								_t148 =  *0x10010adc; // 0x26d90f0
                                                                								_t161 = _t161 + 1;
                                                                								_t167 = _t167 + 0x208;
                                                                							} while (_t161 <  *((intOrPtr*)(_t148 + 4)));
                                                                							_t171 = _t148;
                                                                							if( *((intOrPtr*)(_t171 + 0x2e0)) == 0) {
                                                                								goto L31;
                                                                							}
                                                                							_t168 = 0;
                                                                							do {
                                                                								E100060F0( *((intOrPtr*)(_t171 + 0x2e0)) + _t168);
                                                                								_t102 =  *0x10010adc; // 0x26d90f0
                                                                								 *((char*)( *((intOrPtr*)(_t102 + 0x2e0)) + _t168 + 0x1b8)) = 0;
                                                                								_t171 =  *0x10010adc; // 0x26d90f0
                                                                								_t168 = _t168 + 0x208;
                                                                							} while (_t168 < 0x8200);
                                                                							goto L31;
                                                                						} else {
                                                                							_t149 = 0;
                                                                							_t103 = 0;
                                                                							do {
                                                                								_t123 =  *0x10010adc; // 0x26d90f0
                                                                								 *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x2dc)) + _t103 + 0x1f4)) = 0;
                                                                								_t169 =  *0x10010adc; // 0x26d90f0
                                                                								_t125 =  *((intOrPtr*)(_t169 + 0x2dc));
                                                                								_t126 = _t125 + _t103;
                                                                								if( *((intOrPtr*)(_t125 + _t103 + 0x1b0)) == 0) {
                                                                									 *((intOrPtr*)(_t126 + 0x1f0)) = 0;
                                                                									_t131 =  *0x10010adc; // 0x26d90f0
                                                                									 *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x2dc)) + _t103 + 0x1ec)) = 0;
                                                                									_t169 =  *0x10010adc; // 0x26d90f0
                                                                								}
                                                                								_t149 = _t149 + 1;
                                                                								_t103 = _t103 + 0x208;
                                                                							} while (_t149 <  *((intOrPtr*)(_t169 + 4)));
                                                                							if( *((intOrPtr*)(_t169 + 0x2e0)) == 0) {
                                                                								goto L23;
                                                                							}
                                                                							_t104 = 0;
                                                                							do {
                                                                								 *((intOrPtr*)( *((intOrPtr*)(_t169 + 0x2e0)) + _t104 + 0x1f4)) = 0;
                                                                								_t169 =  *0x10010adc; // 0x26d90f0
                                                                								_t128 =  *((intOrPtr*)(_t169 + 0x2e0));
                                                                								_t129 = _t128 + _t104;
                                                                								if( *((intOrPtr*)(_t128 + _t104 + 0x1b0)) == 0) {
                                                                									 *((intOrPtr*)(_t129 + 0x1f0)) = 0;
                                                                									_t152 =  *0x10010adc; // 0x26d90f0
                                                                									 *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x2e0)) + _t104 + 0x1ec)) = 0;
                                                                									_t169 =  *0x10010adc; // 0x26d90f0
                                                                								}
                                                                								_t104 = _t104 + 0x208;
                                                                							} while (_t104 < 0x8200);
                                                                							goto L23;
                                                                						}
                                                                					}
                                                                					_t181 =  *0x1000e280 - _t77; // 0x296c240
                                                                					if(_t181 >= 0) {
                                                                						goto L61;
                                                                					}
                                                                					goto L12;
                                                                				}
                                                                			}

                                                                APIs
                                                                • timeGetTime.WINMM(00000001,1000F548), ref: 100017C0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Timetime
                                                                • String ID:
                                                                • API String ID: 17336451-0
                                                                • Opcode ID: d434eb954fd3ff1a2f2211dbff3417c29430e33bb0ad769ad76aa5bba723d774
                                                                • Instruction ID: 4c2150b3548b48f45b1de4931930676a011bc16931eec8f77d2f72173dc26091
                                                                • Opcode Fuzzy Hash: d434eb954fd3ff1a2f2211dbff3417c29430e33bb0ad769ad76aa5bba723d774
                                                                • Instruction Fuzzy Hash: 6A919E356003928FE754CF14C8D069AB3E2FB843C4F55453ED899A775ADB31AC46CB82
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fec2551c4478387ed5af9a074f291c40c461a559c729eefa82c5df026e857352
                                                                • Instruction ID: f1cfc39fc9974cdc7453af303d7a4415622de426611742c4cc56cefadc2ea9a9
                                                                • Opcode Fuzzy Hash: fec2551c4478387ed5af9a074f291c40c461a559c729eefa82c5df026e857352
                                                                • Instruction Fuzzy Hash: D722EA9513BFB919FBC3D4258694E33D1C4AF9D04FA044D394A11EA994AF3FA68F2138
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • Opcode ID: a983b09802c03cf36cc3327cdd50b04a4736810b6286998c19e80ef1ee3e10cb
                                                                • Instruction ID: 84245b841e7a7ee3ba3f6249996c61d3227379a2b85e56bc5c2689b045f7c59f
                                                                • Opcode Fuzzy Hash: a983b09802c03cf36cc3327cdd50b04a4736810b6286998c19e80ef1ee3e10cb
                                                                • Instruction Fuzzy Hash: 9D22D833796A1F0ADB689D6ACCC63B87293EBD2719F6DC3358404C6DC9E57E824E5110
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 96%
                                                                			E100028F0(signed int* __ecx) {
                                                                				signed int _v8;
                                                                				signed int _v12;
                                                                				signed int _v16;
                                                                				signed int _v20;
                                                                				signed int _v24;
                                                                				signed int _v28;
                                                                				signed int _v32;
                                                                				signed int _v36;
                                                                				intOrPtr _t248;
                                                                				intOrPtr _t249;
                                                                				signed char* _t250;
                                                                				intOrPtr _t251;
                                                                				signed char _t252;
                                                                				intOrPtr _t253;
                                                                				intOrPtr _t254;
                                                                				signed char _t255;
                                                                				signed char _t258;
                                                                				intOrPtr _t259;
                                                                				signed int _t260;
                                                                				signed int _t263;
                                                                				void* _t266;
                                                                				signed int _t270;
                                                                				signed int _t275;
                                                                				intOrPtr _t276;
                                                                				signed char _t277;
                                                                				intOrPtr _t285;
                                                                				intOrPtr _t289;
                                                                				signed int _t292;
                                                                				intOrPtr _t301;
                                                                				signed int _t303;
                                                                				intOrPtr _t304;
                                                                				signed int _t306;
                                                                				signed int _t308;
                                                                				intOrPtr _t309;
                                                                				signed char* _t310;
                                                                				void* _t312;
                                                                				void* _t315;
                                                                				intOrPtr _t317;
                                                                				void* _t318;
                                                                				intOrPtr _t320;
                                                                				intOrPtr _t323;
                                                                				intOrPtr _t324;
                                                                				void* _t326;
                                                                				void* _t327;
                                                                				intOrPtr _t328;
                                                                				signed int _t329;
                                                                				intOrPtr _t331;
                                                                				void* _t333;
                                                                				intOrPtr _t336;
                                                                				signed char _t337;
                                                                				intOrPtr _t339;
                                                                				signed int _t346;
                                                                				signed int _t348;
                                                                				signed int _t350;
                                                                				signed int _t354;
                                                                				intOrPtr _t355;
                                                                				signed int* _t362;
                                                                				signed int* _t368;
                                                                				signed int _t371;
                                                                				signed int _t376;
                                                                				signed int _t382;
                                                                				void* _t383;
                                                                				signed int _t386;
                                                                				void* _t387;
                                                                				void* _t389;
                                                                				signed int _t392;
                                                                				void* _t394;
                                                                				void* _t396;
                                                                				void* _t397;
                                                                				signed int _t398;
                                                                				signed int _t408;
                                                                				signed int _t409;
                                                                				signed int _t410;
                                                                				signed int _t413;
                                                                				signed int _t415;
                                                                				signed int _t419;
                                                                				signed int* _t422;
                                                                
                                                                				_v20 = _v20 | 0xffffffff;
                                                                				_t422 = __ecx;
                                                                				_t248 =  *((intOrPtr*)(__ecx + 0x74));
                                                                				_v8 = 0;
                                                                				_v16 = 0;
                                                                				_v24 = 0;
                                                                				_v12 = 0;
                                                                				_v28 = 0;
                                                                				_v32 = 0;
                                                                				 *((intOrPtr*)(__ecx + 0x7c)) = _t248;
                                                                				if(_t248 == 0) {
                                                                					L164:
                                                                					return _t248;
                                                                				} else {
                                                                					_t249 =  *0x10010adc; // 0x26d90f0
                                                                					if(( *(_t249 + 0x129) & 0x00000010) == 0) {
                                                                						 *((intOrPtr*)(__ecx + 0x124)) = 0;
                                                                					}
                                                                					while(1) {
                                                                						_t250 = _t422[0x1f];
                                                                						_t382 = _t422[0x1e];
                                                                						if(_t250 >= _t382) {
                                                                							_t408 = 0;
                                                                							_t354 = 0;
                                                                							__eflags = 0;
                                                                						} else {
                                                                							_t354 =  *_t250 & 0x000000ff;
                                                                							_t422[0x1f] =  &(_t250[1]);
                                                                							_t408 = 0;
                                                                						}
                                                                						L7:
                                                                						if(_t354 == _t408) {
                                                                							_t251 =  *0x10010adc; // 0x26d90f0
                                                                							_t252 =  *(_t251 + 0x128);
                                                                							__eflags = _t252 & 0x00000102;
                                                                							if((_t252 & 0x00000102) == 0) {
                                                                								_t346 = _v16;
                                                                								__eflags = _t346 - 0xfe;
                                                                								if(_t346 > 0xfe) {
                                                                									_t346 = 0;
                                                                									__eflags = 0;
                                                                									_v16 = 0;
                                                                								}
                                                                								__eflags = _t346 - _t408;
                                                                								if(_t346 == _t408) {
                                                                									L121:
                                                                									__eflags = _t422[0x16] - _t408;
                                                                									if(_t422[0x16] == _t408) {
                                                                										L131:
                                                                										__eflags = _t346 - _t408;
                                                                										if(_t346 != _t408) {
                                                                											__eflags = _v12 - _t408;
                                                                											if(_v12 == _t408) {
                                                                												_t200 = _t346 - 1; // 0x1000f547
                                                                												_t422[0x1c] = _t200;
                                                                												E100031D8(_t422, 1);
                                                                												_t386 = _v20;
                                                                												__eflags = _t386 - 0xffffffff;
                                                                												if(_t386 > 0xffffffff) {
                                                                													__eflags = _t422[0x1b] + _t422[0x1c];
                                                                													_t422[0x21] = _t386;
                                                                													_t270 = E10002FF2(_t422[0x1b] + _t422[0x1c], _t386);
                                                                													_t422[0x23] = _t270;
                                                                													_t422[0x37] = _t270;
                                                                												}
                                                                											}
                                                                										}
                                                                										L135:
                                                                										__eflags = _v8 - _t408;
                                                                										if(_v8 == _t408) {
                                                                											L155:
                                                                											_t253 =  *0x10010adc; // 0x26d90f0
                                                                											__eflags =  *(_t253 + 0x128) & 0x00000008;
                                                                											if(( *(_t253 + 0x128) & 0x00000008) == 0) {
                                                                												__eflags = _v12 - _t408;
                                                                												if(_v12 != _t408) {
                                                                													_t422[1] = _v36;
                                                                												}
                                                                											}
                                                                											__eflags = _v32 - _t408;
                                                                											if(_v32 != _t408) {
                                                                												__eflags = _t422[0x48];
                                                                												if(_t422[0x48] == 0) {
                                                                													_t254 =  *0x10010adc; // 0x26d90f0
                                                                													_t255 =  *(_t254 + 0x128);
                                                                													__eflags = _t255 & 0x00000180;
                                                                													if((_t255 & 0x00000180) == 0) {
                                                                														__eflags = _t255 & 0x00000008;
                                                                														if((_t255 & 0x00000008) != 0) {
                                                                															_t422[0x78] = _t422[0x49];
                                                                														}
                                                                													}
                                                                												}
                                                                											}
                                                                											L163:
                                                                											_t248 = 0;
                                                                											__eflags = 0;
                                                                											goto L164;
                                                                										}
                                                                										_t355 =  *0x10010adc; // 0x26d90f0
                                                                										_t258 =  *(_t355 + 0x128);
                                                                										__eflags = _t258 & 0x00000010;
                                                                										if((_t258 & 0x00000010) == 0) {
                                                                											L147:
                                                                											__eflags = _v24 - _t408;
                                                                											if(_v24 != _t408) {
                                                                												__eflags = _t258 & 0x00000008;
                                                                												if((_t258 & 0x00000008) != 0) {
                                                                													L152:
                                                                													_t259 =  *0x10010adc; // 0x26d90f0
                                                                													__eflags =  *(_t259 + 0x129) & 0x00000010;
                                                                													if(( *(_t259 + 0x129) & 0x00000010) != 0) {
                                                                														_t260 = _t422[2];
                                                                														__eflags = _t260 - _t408;
                                                                														if(_t260 != _t408) {
                                                                															_t422[0x47] =  *(_t260 + 0x14);
                                                                														}
                                                                													}
                                                                													goto L155;
                                                                												}
                                                                												_push(0x22);
                                                                												L151:
                                                                												_pop(_t383);
                                                                												E100031D8(_t422, _t383);
                                                                												goto L152;
                                                                											}
                                                                											L148:
                                                                											_push(2);
                                                                											goto L151;
                                                                										}
                                                                										__eflags = _t346 - _t408;
                                                                										if(_t346 != _t408) {
                                                                											goto L147;
                                                                										}
                                                                										__eflags = _t422[0x1c] - _t408;
                                                                										if(_t422[0x1c] == _t408) {
                                                                											goto L147;
                                                                										}
                                                                										__eflags = _t422[0x6e];
                                                                										if(_t422[0x6e] != 0) {
                                                                											goto L148;
                                                                										}
                                                                										_t263 = _t422[1];
                                                                										__eflags = _t263 - _t408;
                                                                										if(_t263 == _t408) {
                                                                											L146:
                                                                											_push(3);
                                                                											goto L151;
                                                                										}
                                                                										__eflags = _t263 -  *_t422;
                                                                										if(_t263 ==  *_t422) {
                                                                											goto L146;
                                                                										}
                                                                										_t266 = ( *(_t263 + 6) & 0x0000ffff) * 0x3c +  *((intOrPtr*)(_t355 + 0x130));
                                                                										__eflags =  *(_t266 + 0x1c) & 0x00000010;
                                                                										if(( *(_t266 + 0x1c) & 0x00000010) != 0) {
                                                                											L145:
                                                                											_t422[0x49] =  *(_t266 + 0x14);
                                                                											goto L146;
                                                                										}
                                                                										__eflags =  *((intOrPtr*)(_t266 + 0x10)) - _t408;
                                                                										if( *((intOrPtr*)(_t266 + 0x10)) == _t408) {
                                                                											goto L145;
                                                                										}
                                                                										_t422[0x49] = _t408;
                                                                										goto L146;
                                                                									}
                                                                									__eflags =  *0x1000e694 - _t408; // 0x6
                                                                									if(__eflags != 0) {
                                                                										L124:
                                                                										__eflags = _v24 - _t408;
                                                                										if(_v24 != _t408) {
                                                                											__eflags = _t422[5] - _t408;
                                                                											if(_t422[5] == _t408) {
                                                                												goto L135;
                                                                											}
                                                                											_push(2);
                                                                											L128:
                                                                											_pop(_t387);
                                                                											E100031D8(_t422, _t387);
                                                                											goto L135;
                                                                										}
                                                                										__eflags = _t346 - _t408;
                                                                										if(_t346 != _t408) {
                                                                											_t196 = _t346 - 1; // 0x1000f547
                                                                											_t422[0x1c] = _t196;
                                                                										}
                                                                										_push(4);
                                                                										goto L128;
                                                                									}
                                                                									__eflags =  *0x1000e6a0 - _t408; // 0x0
                                                                									if(__eflags == 0) {
                                                                										goto L131;
                                                                									}
                                                                									goto L124;
                                                                								} else {
                                                                									__eflags = _v12 - _t408;
                                                                									if(_v12 == _t408) {
                                                                										L106:
                                                                										__eflags = _t252 & 0x00000008;
                                                                										if((_t252 & 0x00000008) == 0) {
                                                                											L108:
                                                                											__eflags = _v12 - _t408;
                                                                											if(_v12 != _t408) {
                                                                												__eflags = _t422[2] - _t408;
                                                                												if(_t422[2] == _t408) {
                                                                													__eflags = _t422[0x1c] - _t408;
                                                                													if(_t422[0x1c] != _t408) {
                                                                														__eflags = _t252 & 0x00000010;
                                                                														if((_t252 & 0x00000010) != 0) {
                                                                															__eflags = 1;
                                                                															E100031D8(_t422, 1);
                                                                														}
                                                                													}
                                                                												}
                                                                												__eflags = _t422[1] -  *_t422;
                                                                												if(_t422[1] !=  *_t422) {
                                                                													_t276 =  *0x10010adc; // 0x26d90f0
                                                                													_t277 =  *(_t276 + 0x128);
                                                                													__eflags = _t277;
                                                                													if(_t277 < 0) {
                                                                														__eflags = _t277 & 0x00000008;
                                                                														if((_t277 & 0x00000008) != 0) {
                                                                															__eflags = _t277 & 0x00000010;
                                                                															if((_t277 & 0x00000010) == 0) {
                                                                																_t409 = _t422[0x23];
                                                                																E100060F0(_t422);
                                                                																_t422[0x6e] = _t422[0x6e] & 0x00000000;
                                                                																_t389 = 3;
                                                                																_t422[0x1c] = _v16 - 1;
                                                                																E100031D8(_t422, _t389);
                                                                																_t422[0x23] = _t409;
                                                                																_t422[0x37] = _t409;
                                                                																_t346 = _v16;
                                                                																_t422[0x24] = _t422[0x23];
                                                                																_t408 = 0;
                                                                																__eflags = 0;
                                                                															}
                                                                														}
                                                                													}
                                                                												}
                                                                												_t275 = E10002FF2(_t422[0x1b] + _t346 - 1, _t422[0x21]);
                                                                												__eflags = _t275 - _t422[0x23];
                                                                												_t362 =  &(_t422[0x24]);
                                                                												 *_t362 = _t275;
                                                                												if(_t275 == _t422[0x23]) {
                                                                													 *_t362 = _t408;
                                                                												}
                                                                												_t422[0x2d] = _t408;
                                                                											}
                                                                											goto L121;
                                                                										}
                                                                										_t422[0x24] = _t408;
                                                                										_v12 = _t408;
                                                                										goto L121;
                                                                									}
                                                                									__eflags =  *_t422 - _t408;
                                                                									if( *_t422 != _t408) {
                                                                										goto L108;
                                                                									}
                                                                									goto L106;
                                                                								}
                                                                							}
                                                                							__eflags = _v16 - _t408;
                                                                							if(_v16 != _t408) {
                                                                								L55:
                                                                								_t348 = _v16;
                                                                								__eflags = _t348;
                                                                								 *0x10010a5c = _t422[0x6e] & 0x000000ff;
                                                                								_t410 = _t348;
                                                                								if(_t348 == 0) {
                                                                									_t410 = _t422[0x1c] + 1;
                                                                									__eflags = _t410;
                                                                								}
                                                                								__eflags = _t410 - 0xfe;
                                                                								if(_t410 <= 0xfe) {
                                                                									_t285 =  *0x10010adc; // 0x26d90f0
                                                                									_t392 =  *(_t285 + 0x128);
                                                                									__eflags = _t392 & 0x00000002;
                                                                									if((_t392 & 0x00000002) == 0) {
                                                                										L68:
                                                                										__eflags = _v12;
                                                                										if(_v12 == 0) {
                                                                											L90:
                                                                											_t422[0x24] = _t422[0x24] & 0x00000000;
                                                                											__eflags = _t348;
                                                                											if(_t348 != 0) {
                                                                												E10003093(_t422);
                                                                												_t394 = 0x43;
                                                                												_t422[0x1c] = _t348 - 1;
                                                                												E100031D8(_t422, _t394);
                                                                												_t149 =  &(_t422[0x38]);
                                                                												 *_t149 = _t422[0x38] & 0x00000000;
                                                                												__eflags =  *_t149;
                                                                											}
                                                                											__eflags = _v8;
                                                                											if(_v8 == 0) {
                                                                												goto L163;
                                                                											} else {
                                                                												__eflags = _t422[0x6e];
                                                                												if(_t422[0x6e] == 0) {
                                                                													L99:
                                                                													E10003093(_t422);
                                                                													_push(3);
                                                                													goto L100;
                                                                												}
                                                                												__eflags =  *_t422 - _t422[1];
                                                                												if( *_t422 != _t422[1]) {
                                                                													goto L99;
                                                                												}
                                                                												_t289 =  *0x10010adc; // 0x26d90f0
                                                                												__eflags =  *(_t289 + 0x129) & 0x00000008;
                                                                												_t368 = _t422;
                                                                												if(( *(_t289 + 0x129) & 0x00000008) != 0) {
                                                                													_push(0x22);
                                                                												} else {
                                                                													_push(2);
                                                                												}
                                                                												_pop(_t393);
                                                                												goto L75;
                                                                											}
                                                                										}
                                                                										_t371 =  *_t422;
                                                                										__eflags = _t371;
                                                                										if(_t371 == 0) {
                                                                											goto L90;
                                                                										}
                                                                										__eflags = _t422[0x6e];
                                                                										if(_t422[0x6e] == 0) {
                                                                											goto L90;
                                                                										}
                                                                										__eflags = _t348;
                                                                										if(_t348 != 0) {
                                                                											_t292 = _t422[1];
                                                                											__eflags = _t371 - _t292;
                                                                											if(_t371 != _t292) {
                                                                												__eflags = _t392 & 0x00000402;
                                                                												_v32 = _t422[0x1c];
                                                                												if((_t392 & 0x00000402) == 0) {
                                                                													__eflags = _v8;
                                                                													if(_v8 != 0) {
                                                                														_t396 = 2;
                                                                														E100031D8(_t422, _t396);
                                                                													}
                                                                													_t422[0x24] = E10002FF2( *(_t422[1] + _t410 * 4) & 0x0000ffff, _t422[0x21]);
                                                                												} else {
                                                                													_t350 = _t422[0x23];
                                                                													E100060F0(_t422);
                                                                													_t422[0x6e] = _t422[0x6e] & 0x00000000;
                                                                													_t397 = 0x13;
                                                                													_t422[0x1c] = _t410 - 1;
                                                                													E100031D8(_t422, _t397);
                                                                													_t422[0x24] = _t422[0x23];
                                                                													_t422[0x23] = _t350;
                                                                													_t422[0x37] = _t350;
                                                                													_t301 =  *0x10010adc; // 0x26d90f0
                                                                													__eflags =  *(_t301 + 0x129) & 0x00000004;
                                                                													if(( *(_t301 + 0x129) & 0x00000004) == 0) {
                                                                														_t422[0x1c] = _v32;
                                                                													}
                                                                												}
                                                                											} else {
                                                                												__eflags = _t392 & 0x00000002;
                                                                												_t398 = _t422[0x21];
                                                                												_t108 = _t410 - 1; // 0x1000f547
                                                                												_t376 = _t108;
                                                                												if((_t392 & 0x00000002) == 0) {
                                                                													_t376 =  *(_t292 + _t410 * 4) & 0x0000ffff;
                                                                												}
                                                                												_t303 = E10002FF2(_t376, _t398);
                                                                												__eflags = _v8;
                                                                												_t422[0x24] = _t303;
                                                                												if(_v8 != 0) {
                                                                													_t422[0x1c] = _t410 - 1;
                                                                													_t304 =  *0x10010adc; // 0x26d90f0
                                                                													E100031D8(_t422, ( *(_t304 + 0x128) & 0x00000400 | 0x00000040) >> 5);
                                                                												}
                                                                											}
                                                                											__eflags = _t422[0x24] - _t422[0x23];
                                                                											if(_t422[0x24] == _t422[0x23]) {
                                                                												_t142 =  &(_t422[0x24]);
                                                                												 *_t142 = _t422[0x24] & 0x00000000;
                                                                												__eflags =  *_t142;
                                                                											}
                                                                											_t422[0x2d] = _t422[0x2d] & 0x00000000;
                                                                											goto L163;
                                                                										}
                                                                										__eflags = _v8 - _t348;
                                                                										if(_v8 == _t348) {
                                                                											goto L163;
                                                                										}
                                                                										_t393 = ( !_t392 & 0x00000400 | 0x00000040) >> 5;
                                                                										__eflags = ( !_t392 & 0x00000400 | 0x00000040) >> 5;
                                                                										goto L74;
                                                                									}
                                                                									_t306 = _t422[1];
                                                                									__eflags = _t306;
                                                                									if(_t306 == 0) {
                                                                										L67:
                                                                										_t248 = 1;
                                                                										goto L164;
                                                                									}
                                                                									__eflags =  *((short*)(_t306 + 2 + _t410 * 4)) - 0xffff;
                                                                									if( *((short*)(_t306 + 2 + _t410 * 4)) != 0xffff) {
                                                                										goto L68;
                                                                									}
                                                                									goto L67;
                                                                								} else {
                                                                									__eflags = _v12;
                                                                									if(_v12 == 0) {
                                                                										_t413 = _t410 - 1;
                                                                										__eflags = _t413;
                                                                										_t422[0x1c] = _t413;
                                                                									}
                                                                									__eflags = _v8;
                                                                									if(_v8 != 0) {
                                                                										__eflags = _v24 - 1;
                                                                										if(_v24 != 1) {
                                                                											goto L163;
                                                                										}
                                                                										_t308 =  *0x1000fe28; // 0x3c
                                                                										_t422[0x1c] = _t308;
                                                                										_t309 =  *0x10010adc; // 0x26d90f0
                                                                										__eflags =  *(_t309 + 0x129) & 0x00000008;
                                                                										if(( *(_t309 + 0x129) & 0x00000008) != 0) {
                                                                											goto L163;
                                                                										}
                                                                										_push(2);
                                                                										L100:
                                                                										_pop(_t393);
                                                                										L74:
                                                                										_t368 = _t422;
                                                                										L75:
                                                                										E100031D8(_t368, _t393);
                                                                									}
                                                                									goto L163;
                                                                								}
                                                                							}
                                                                							__eflags = _v8 - _t408;
                                                                							if(_v8 == _t408) {
                                                                								goto L163;
                                                                							}
                                                                							goto L55;
                                                                						}
                                                                						_t310 = _t422[0x1f];
                                                                						if(_t310 >= _t382) {
                                                                							_t415 = 0;
                                                                							__eflags = 0;
                                                                						} else {
                                                                							_t415 =  *_t310 & 0x000000ff;
                                                                							_t422[0x1f] =  &(_t310[1]);
                                                                						}
                                                                						_t312 = _t354 - 1;
                                                                						if(_t312 == 0) {
                                                                							__eflags = _t415 - 0xff;
                                                                							 *0x1000fe28 = _t422[0x1c];
                                                                							if(__eflags != 0) {
                                                                								__eflags = _t415 - 0xfe;
                                                                								if(_t415 == 0xfe) {
                                                                									_t422[0x41] = 1;
                                                                									_v24 = 2;
                                                                								}
                                                                							} else {
                                                                								E10003CA9(_t422, __eflags);
                                                                								_v24 = 1;
                                                                							}
                                                                							_v16 = _t415 + 1;
                                                                							continue;
                                                                						} else {
                                                                							_t315 = _t312 - 1;
                                                                							if(_t315 == 0) {
                                                                								_t422[0x49] = _t422[0x49] & 0x00000000;
                                                                								_t66 = _t415 + 1; // 0x1
                                                                								_v8 = _t66;
                                                                								_t317 =  *0x10010adc; // 0x26d90f0
                                                                								__eflags = _t415 -  *((intOrPtr*)(_t317 + 0x18));
                                                                								if(_t415 <  *((intOrPtr*)(_t317 + 0x18))) {
                                                                									_t422[1] = _t415 * 0x35c +  *((intOrPtr*)(_t317 + 0x12c));
                                                                								} else {
                                                                									_t422[1] = _t422[1] & 0x00000000;
                                                                								}
                                                                								continue;
                                                                								do {
                                                                									goto L7;
                                                                									L36:
                                                                									_t324 =  *0x10010adc; // 0x26d90f0
                                                                									__eflags =  *(_t324 + 0x128) & 0x00000100;
                                                                								} while (( *(_t324 + 0x128) & 0x00000100) == 0);
                                                                								L37:
                                                                								__eflags = _t422[0x6e];
                                                                								if(_t422[0x6e] != 0) {
                                                                									L39:
                                                                									_v12 = 1;
                                                                									L40:
                                                                									_t320 =  *0x10010adc; // 0x26d90f0
                                                                									__eflags =  *(_t320 + 0x128) & 0x00000008;
                                                                									if(( *(_t320 + 0x128) & 0x00000008) == 0) {
                                                                										__eflags = _v28;
                                                                										if(_v28 == 0) {
                                                                											_v36 = _t422[1];
                                                                											_t422[1] =  *_t422;
                                                                										}
                                                                									}
                                                                									_v28 = 1;
                                                                									continue;
                                                                								}
                                                                								_t323 =  *0x10010adc; // 0x26d90f0
                                                                								__eflags =  *(_t323 + 0x128) & 0x00000100;
                                                                								if(( *(_t323 + 0x128) & 0x00000100) != 0) {
                                                                									goto L40;
                                                                								}
                                                                								goto L39;
                                                                							}
                                                                							_t318 = _t315 - 4;
                                                                							if(_t318 == 0) {
                                                                								L33:
                                                                								__eflags = _t422[0x16];
                                                                								if(_t422[0x16] == 0) {
                                                                									goto L37;
                                                                								}
                                                                								__eflags =  *0x1000e694; // 0x6
                                                                								if(__eflags != 0) {
                                                                									goto L36;
                                                                								}
                                                                								__eflags =  *0x1000e6a0; // 0x0
                                                                								if(__eflags == 0) {
                                                                									goto L37;
                                                                								}
                                                                								goto L36;
                                                                							}
                                                                							_t326 = _t318;
                                                                							if(_t326 == 0) {
                                                                								goto L33;
                                                                							} else {
                                                                								_t327 = _t326 - 4;
                                                                								if(_t327 == 0) {
                                                                									__eflags = _t415;
                                                                									if(_t415 != 0) {
                                                                										_t331 =  *0x10010adc; // 0x26d90f0
                                                                										_t419 = _t415 << 8;
                                                                										__eflags =  *(_t331 + 0x128) & 0x00000100;
                                                                										if(( *(_t331 + 0x128) & 0x00000100) == 0) {
                                                                											_t422[0x42] = _t419;
                                                                										} else {
                                                                											_t422[0x42] = _t422[0x42] & 0x000f0000 | _t419;
                                                                										}
                                                                									}
                                                                									_t328 =  *0x10010adc; // 0x26d90f0
                                                                									__eflags =  *(_t328 + 0x129) & 0x00000010;
                                                                									_t329 = _t422[0x42];
                                                                									if(( *(_t328 + 0x129) & 0x00000010) == 0) {
                                                                										_t422[0x49] = _t329;
                                                                									} else {
                                                                										_t422[0x49] = _t422[0x49] + (_t329 << 1);
                                                                									}
                                                                									_v32 = 1;
                                                                								} else {
                                                                									_t333 = _t327 - 5;
                                                                									if(_t333 == 0) {
                                                                										__eflags = (_t415 & 0xfffffff0) - 0x50;
                                                                										if((_t415 & 0xfffffff0) == 0x50) {
                                                                											_t336 =  *0x10010adc; // 0x26d90f0
                                                                											_t337 =  *(_t336 + 0x128);
                                                                											__eflags = _t337 & 0x00000008;
                                                                											_v20 = (_t415 & 0x0000000f) << 4;
                                                                											if((_t337 & 0x00000008) != 0) {
                                                                												_v20 = _v20 ^ 0x00000080;
                                                                												__eflags = _t337;
                                                                												if(_t337 >= 0) {
                                                                													_v20 = _v20 + 0x80;
                                                                												}
                                                                											}
                                                                										}
                                                                									} else {
                                                                										if(_t333 == 0x1a) {
                                                                											_t339 =  *0x10010adc; // 0x26d90f0
                                                                											if(( *(_t339 + 0x128) & 0x00000002) != 0 && (_t415 & 0xfffffff0) == 0x50) {
                                                                												_v20 =  *(0x1000e014 + _t415 * 2) & 0x0000ffff;
                                                                											}
                                                                										}
                                                                									}
                                                                								}
                                                                								while(1) {
                                                                									_t250 = _t422[0x1f];
                                                                									_t382 = _t422[0x1e];
                                                                									if(_t250 >= _t382) {
                                                                										_t408 = 0;
                                                                										_t354 = 0;
                                                                										__eflags = 0;
                                                                									} else {
                                                                										_t354 =  *_t250 & 0x000000ff;
                                                                										_t422[0x1f] =  &(_t250[1]);
                                                                										_t408 = 0;
                                                                									}
                                                                									goto L7;
                                                                								}
                                                                							}
                                                                						}
                                                                					}
                                                                				}
                                                                			}

                                                                0x10002c34
                                                                0x10002c34
                                                                0x10002c36
                                                                0x10002c36
                                                                0x10002c36
                                                                0x00000000
                                                                0x10002ba0
                                                                0x10002b92
                                                                0x10002b68
                                                                0x10002b6b
                                                                0x00000000
                                                                0x00000000
                                                                0x00000000
                                                                0x10002b6b
                                                                0x1000295b
                                                                0x10002960
                                                                0x1000296b
                                                                0x1000296b
                                                                0x10002962
                                                                0x10002962
                                                                0x10002966
                                                                0x10002966
                                                                0x1000296f
                                                                0x10002970
                                                                0x10002b0c
                                                                0x10002b15
                                                                0x10002b1a
                                                                0x10002b2c
                                                                0x10002b32
                                                                0x10002b34
                                                                0x10002b3e
                                                                0x10002b3e
                                                                0x10002b1c
                                                                0x10002b1e
                                                                0x10002b23
                                                                0x10002b23
                                                                0x10002b46
                                                                0x00000000
                                                                0x10002976
                                                                0x10002976
                                                                0x10002977
                                                                0x10002ad8
                                                                0x10002adf
                                                                0x10002ae2
                                                                0x10002ae5
                                                                0x10002aea
                                                                0x10002aed
                                                                0x10002b04
                                                                0x10002aef
                                                                0x10002aef
                                                                0x10002aef
                                                                0x00000000
                                                                0x1000293a
                                                                0x00000000
                                                                0x10002a7f
                                                                0x10002a7f
                                                                0x10002a84
                                                                0x10002a84
                                                                0x10002a90
                                                                0x10002a90
                                                                0x10002a97
                                                                0x10002aa6
                                                                0x10002aa6
                                                                0x10002aad
                                                                0x10002aad
                                                                0x10002ab2
                                                                0x10002ab9
                                                                0x10002abb
                                                                0x10002abf
                                                                0x10002ac4
                                                                0x10002ac9
                                                                0x10002ac9
                                                                0x10002abf
                                                                0x10002acc
                                                                0x10002ad3
                                                                0x10002ad3
                                                                0x10002a99
                                                                0x10002a9e
                                                                0x10002aa4
                                                                0x00000000
                                                                0x00000000
                                                                0x00000000
                                                                0x10002aa4
                                                                0x1000297d
                                                                0x10002980
                                                                0x10002a68
                                                                0x10002a6a
                                                                0x10002a6d
                                                                0x00000000
                                                                0x00000000
                                                                0x10002a6f
                                                                0x10002a75
                                                                0x00000000
                                                                0x00000000
                                                                0x10002a77
                                                                0x10002a7d
                                                                0x00000000
                                                                0x00000000
                                                                0x00000000
                                                                0x10002a7d
                                                                0x10002987
                                                                0x10002988
                                                                0x00000000
                                                                0x1000298e
                                                                0x1000298e
                                                                0x10002991
                                                                0x10002a0a
                                                                0x10002a0c
                                                                0x10002a0e
                                                                0x10002a13
                                                                0x10002a16
                                                                0x10002a1c
                                                                0x10002a32
                                                                0x10002a1e
                                                                0x10002a2e
                                                                0x10002a2e
                                                                0x10002a1c
                                                                0x10002a38
                                                                0x10002a3d
                                                                0x10002a44
                                                                0x10002a4a
                                                                0x10002a56
                                                                0x10002a4c
                                                                0x10002a4e
                                                                0x10002a4e
                                                                0x10002a5c
                                                                0x10002993
                                                                0x10002993
                                                                0x10002996
                                                                0x100029ca
                                                                0x100029cd
                                                                0x100029d3
                                                                0x100029d8
                                                                0x100029e4
                                                                0x100029e6
                                                                0x100029e9
                                                                0x100029ef
                                                                0x100029f6
                                                                0x100029f8
                                                                0x100029fe
                                                                0x100029fe
                                                                0x100029f8
                                                                0x100029e9
                                                                0x10002998
                                                                0x1000299b
                                                                0x1000299d
                                                                0x100029a9
                                                                0x100029bd
                                                                0x100029bd
                                                                0x100029a9
                                                                0x1000299b
                                                                0x10002996
                                                                0x1000293a
                                                                0x1000293a
                                                                0x1000293d
                                                                0x10002942
                                                                0x1000294f
                                                                0x10002951
                                                                0x10002951
                                                                0x10002944
                                                                0x10002944
                                                                0x10002948
                                                                0x1000294b
                                                                0x1000294b
                                                                0x00000000
                                                                0x10002951
                                                                0x1000293a
                                                                0x10002988
                                                                0x10002970
                                                                0x1000293a

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 738f558e9f82530a6948be8b67764b27b723360f1fe12266ff84065f611c3275
                                                                • Instruction ID: d3d9fc7df76b8bcbdf3034690f2980825895f650e112ca37b5a2db1d29ef19d1
                                                                • Opcode Fuzzy Hash: 738f558e9f82530a6948be8b67764b27b723360f1fe12266ff84065f611c3275
                                                                • Instruction Fuzzy Hash: A3223A70A00B468FE762CF24C484BAAB7F1FF447C4F21856ED9D6976A9D770A981CB01
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 65%
                                                                			E100031D8(signed int* __ecx, signed char __edx) {
                                                                				signed int* _v8;
                                                                				signed int _v12;
                                                                				signed int _v16;
                                                                				signed int _v20;
                                                                				signed int* _t310;
                                                                				signed short _t311;
                                                                				signed int _t312;
                                                                				signed char _t313;
                                                                				signed int _t315;
                                                                				signed short _t318;
                                                                				signed short _t319;
                                                                				signed char _t320;
                                                                				signed int _t321;
                                                                				signed short _t328;
                                                                				signed short _t329;
                                                                				signed int _t334;
                                                                				signed int _t335;
                                                                				void* _t336;
                                                                				signed int _t338;
                                                                				signed short _t339;
                                                                				signed short _t340;
                                                                				signed short _t342;
                                                                				signed int* _t343;
                                                                				signed char* _t347;
                                                                				signed int _t352;
                                                                				signed int _t354;
                                                                				signed int _t360;
                                                                				signed int _t361;
                                                                				void* _t363;
                                                                				signed int _t367;
                                                                				signed int _t370;
                                                                				signed int _t371;
                                                                				signed short _t372;
                                                                				signed int _t373;
                                                                				signed int _t379;
                                                                				signed short _t381;
                                                                				signed short _t384;
                                                                				signed char _t385;
                                                                				signed int _t387;
                                                                				void* _t391;
                                                                				signed short _t394;
                                                                				signed short _t395;
                                                                				signed short _t396;
                                                                				signed short _t399;
                                                                				signed int _t404;
                                                                				signed int _t405;
                                                                				intOrPtr _t407;
                                                                				signed char _t413;
                                                                				signed int _t414;
                                                                				signed int* _t417;
                                                                				signed short _t420;
                                                                				signed int _t424;
                                                                				void* _t428;
                                                                				signed int _t431;
                                                                				signed int _t432;
                                                                				void* _t435;
                                                                				signed int _t437;
                                                                				signed short _t439;
                                                                				signed short _t442;
                                                                				signed int* _t443;
                                                                				signed int* _t447;
                                                                				signed int _t455;
                                                                				signed short _t457;
                                                                				signed int _t461;
                                                                				signed int* _t462;
                                                                				void* _t463;
                                                                
                                                                				_t385 = __edx;
                                                                				_t462 = __ecx;
                                                                				_t310 =  *((intOrPtr*)(__ecx));
                                                                				_t439 = 0;
                                                                				_t463 =  *0x10010a5c - _t439; // 0x0
                                                                				_t455 =  *(__ecx + 8);
                                                                				_v16 = __edx;
                                                                				_v8 = _t310;
                                                                				if(_t463 == 0) {
                                                                					L2:
                                                                					_v12 = _t439;
                                                                					L3:
                                                                					_t311 =  *0x10010adc; // 0x26d90f0
                                                                					if(( *(_t311 + 0x128) & 0x00000102) == 0) {
                                                                						__eflags = _t385 & 0x00000005;
                                                                						if((_t385 & 0x00000005) == 0) {
                                                                							L115:
                                                                							__eflags = _v16 & 0x00000002;
                                                                							if((_v16 & 0x00000002) == 0) {
                                                                								L150:
                                                                								return _t311;
                                                                							}
                                                                							__eflags = _t455;
                                                                							if(_t455 != 0) {
                                                                								_t312 =  *(_t455 + 0xc);
                                                                								__eflags = _t312 - 0xffffffff;
                                                                								if(_t312 > 0xffffffff) {
                                                                									_t462[0x17] = _t312;
                                                                								}
                                                                								_t399 =  *0x10010adc; // 0x26d90f0
                                                                								_t313 =  *(_t399 + 0x128);
                                                                								__eflags = _t313;
                                                                								if(_t313 >= 0) {
                                                                									L144:
                                                                									_t457 =  *(_t455 + 8);
                                                                									_t462[0x19] = _t457;
                                                                									_t462[0x22] = _t457;
                                                                									goto L145;
                                                                								} else {
                                                                									__eflags = _t313 & 0x00000008;
                                                                									if((_t313 & 0x00000008) == 0) {
                                                                										goto L144;
                                                                									}
                                                                									_t315 = _t462[1];
                                                                									__eflags = _t315;
                                                                									if(_t315 == 0) {
                                                                										goto L144;
                                                                									}
                                                                									_t318 =  *(( *(_t315 + 6) & 0x0000ffff) * 0x3c +  *((intOrPtr*)(_t399 + 0x130)) + 8);
                                                                									_t462[0x19] = _t318;
                                                                									_t462[0x22] = _t318;
                                                                									L145:
                                                                									__eflags = _v16 & 0x00000020;
                                                                									if((_v16 & 0x00000020) == 0) {
                                                                										E10003A47(_t462, _v8);
                                                                										__eflags = _v8;
                                                                										if(_v8 != 0) {
                                                                											_t304 =  &(_t462[0x48]);
                                                                											 *_t304 = _t462[0x48] | 0x00000006;
                                                                											__eflags =  *_t304;
                                                                										}
                                                                										_t462[0x3a] = 0;
                                                                										_t462[3] = 0x7ef4;
                                                                										_t462[0x20] = 1;
                                                                										_t462[0x2e] = 0;
                                                                									}
                                                                									L149:
                                                                									_t311 = E1000276C(_t462);
                                                                									goto L150;
                                                                								}
                                                                							}
                                                                							_t319 =  *0x10010adc; // 0x26d90f0
                                                                							_t320 =  *(_t319 + 0x128);
                                                                							__eflags = _t320;
                                                                							if(_t320 >= 0) {
                                                                								L119:
                                                                								_t462[0x17] = 0x80;
                                                                								L120:
                                                                								_t462[0x19] = 0;
                                                                								_t462[0x22] = 0;
                                                                								goto L145;
                                                                							}
                                                                							__eflags = _t320 & 0x00000008;
                                                                							if((_t320 & 0x00000008) != 0) {
                                                                								goto L120;
                                                                							}
                                                                							goto L119;
                                                                						}
                                                                						_t321 = _t462[1];
                                                                						_v20 = _v20 & 0x00000000;
                                                                						__eflags = _t385 & 0x00000008;
                                                                						 *_t462 = _t321;
                                                                						_v8 = _t321;
                                                                						_t311 =  *0x10010adc; // 0x26d90f0
                                                                						if((_t385 & 0x00000008) == 0) {
                                                                							L103:
                                                                							__eflags = _v8;
                                                                							if(_v8 == 0) {
                                                                								L121:
                                                                								_t462[2] = 0;
                                                                								_t455 = 0;
                                                                								__eflags = 0;
                                                                								L122:
                                                                								_t442 = 0;
                                                                								__eflags = _t455;
                                                                								if(_t455 == 0) {
                                                                									L114:
                                                                									_t462[0x3c] = _t442;
                                                                									_t462[6] = _t442;
                                                                									_t462[5] = _t442;
                                                                									_t462[0x41] = 1;
                                                                									goto L115;
                                                                								}
                                                                								__eflags = _v20;
                                                                								_t462[0x3a] = 0;
                                                                								if(_v20 != 0) {
                                                                									L136:
                                                                									_t443 = _v8;
                                                                									_t462[5] = 0;
                                                                									_t311 = 0;
                                                                									__eflags = _v16 & 0x00000004;
                                                                									_t462[6] = 0;
                                                                									if((_v16 & 0x00000004) != 0) {
                                                                										_t311 = E10003A47(_t462, _t443);
                                                                									}
                                                                									goto L115;
                                                                								}
                                                                								__eflags = _t462[0x49] -  *((intOrPtr*)(_t455 + 0x10));
                                                                								if(_t462[0x49] <  *((intOrPtr*)(_t455 + 0x10))) {
                                                                									L135:
                                                                									_t274 =  &(_t462[0x48]);
                                                                									 *_t274 = _t462[0x48] | 0x00000001;
                                                                									__eflags =  *_t274;
                                                                									goto L136;
                                                                								}
                                                                								_t328 =  *0x10010adc; // 0x26d90f0
                                                                								_t404 =  *(_t328 + 0x128);
                                                                								__eflags = _t404 & 0x00010000;
                                                                								if((_t404 & 0x00010000) != 0) {
                                                                									L132:
                                                                									__eflags =  *(_t455 + 0x1c) & 0x00000010;
                                                                									if(( *(_t455 + 0x1c) & 0x00000010) != 0) {
                                                                										L129:
                                                                										_t329 =  *(_t455 + 0x14);
                                                                										L134:
                                                                										_t462[0x49] = _t329;
                                                                										goto L135;
                                                                									}
                                                                									_t329 = 0;
                                                                									__eflags = 0;
                                                                									goto L134;
                                                                								}
                                                                								_t311 = 0x88;
                                                                								_t405 = _t404 & 0x00000088;
                                                                								__eflags = _t405 - 8;
                                                                								if(_t405 == 8) {
                                                                									goto L132;
                                                                								}
                                                                								__eflags = _t405 - 0x88;
                                                                								if(_t405 != 0x88) {
                                                                									L130:
                                                                									_t462[2] = _t442;
                                                                									_t462[0x3c] = _t442;
                                                                									L131:
                                                                									_t462[0x41] = 1;
                                                                									goto L150;
                                                                								}
                                                                								__eflags =  *(_t455 + 0x1c) & 0x00000010;
                                                                								if(( *(_t455 + 0x1c) & 0x00000010) == 0) {
                                                                									goto L130;
                                                                								}
                                                                								goto L129;
                                                                							}
                                                                							_t387 = _t462[0x1c];
                                                                							_t407 =  *((intOrPtr*)(_v8 + 6 + _t387 * 4));
                                                                							__eflags = _t407 - 0xffff;
                                                                							if(_t407 == 0xffff) {
                                                                								goto L121;
                                                                							}
                                                                							_t455 = 0 +  *((intOrPtr*)(_t311 + 0x130));
                                                                							__eflags =  *0x00000024;
                                                                							if( *0x00000024 == 0) {
                                                                								asm("sbb eax, eax");
                                                                								_t311 =  ~( *_v8 & 0x00000001) & _t455;
                                                                								_t455 = 0;
                                                                								_t462[2] = _t311;
                                                                								_t442 = 0;
                                                                								__eflags = 0;
                                                                								goto L114;
                                                                							}
                                                                							_t334 =  *(_t311 + 0x128);
                                                                							__eflags = _t334 & 0x00000008;
                                                                							if((_t334 & 0x00000008) != 0) {
                                                                								L112:
                                                                								_t462[2] = _t455;
                                                                								_t335 =  *(_t455 + 4);
                                                                								_t462[0x1b] = _t335;
                                                                								_t409 = _t335 + _t387;
                                                                								L110:
                                                                								_t462[0x21] =  *_t455;
                                                                								_t311 = E10002FF2(_t409,  *_t455);
                                                                								_t462[0x23] = _t311;
                                                                								_t462[0x37] = _t311;
                                                                								goto L122;
                                                                							}
                                                                							__eflags =  *0x00000004 + _t387 - 0x77;
                                                                							if( *0x00000004 + _t387 < 0x77) {
                                                                								goto L112;
                                                                							}
                                                                							__eflags = _t334 & 0x00010000;
                                                                							if((_t334 & 0x00010000) == 0) {
                                                                								_t311 =  *0x1000fe28; // 0x3c
                                                                								_t455 = _t462[2];
                                                                								_t462[0x1c] = _t311;
                                                                								_v20 = 1;
                                                                								goto L122;
                                                                							}
                                                                							_t462[2] = 0;
                                                                							_t336 = 0x77;
                                                                							_t462[0x1c] = _t336 -  *0x00000004;
                                                                							_t338 =  *0x00000004;
                                                                							_t409 = _t338 + _t462[0x1c];
                                                                							__eflags = _t338 + _t462[0x1c];
                                                                							_t462[0x1b] = _t338;
                                                                							goto L110;
                                                                						}
                                                                						__eflags =  *(_t311 + 0x128) & 0x00000008;
                                                                						if(( *(_t311 + 0x128) & 0x00000008) != 0) {
                                                                							goto L122;
                                                                						}
                                                                						goto L103;
                                                                					}
                                                                					_t461 = _t462[1];
                                                                					 *_t462 = _t461;
                                                                					if((_t385 & 0x00000005) == 0) {
                                                                						L53:
                                                                						if(_v12 == _t439) {
                                                                							_t462[0x5c] = _t439;
                                                                						}
                                                                						if(_t461 == _t439) {
                                                                							goto L131;
                                                                						} else {
                                                                							_t311 = _t462[0x1c];
                                                                							if(_t311 > 0x77) {
                                                                								goto L131;
                                                                							}
                                                                							_t311 =  *((intOrPtr*)(_t461 + 6 + _t311 * 4));
                                                                							if(_t311 == 0xffff) {
                                                                								goto L131;
                                                                							}
                                                                							_t339 =  *0x10010adc; // 0x26d90f0
                                                                							_t391 = 0 +  *((intOrPtr*)(_t339 + 0x130));
                                                                							if(0 != 0) {
                                                                								_t413 = _v16;
                                                                								_v16 = _t413;
                                                                								_t112 =  &_v16;
                                                                								 *_t112 = _v16 & 0x00000020;
                                                                								__eflags =  *_t112;
                                                                								if( *_t112 == 0) {
                                                                									_t367 =  *0x0000000C;
                                                                									__eflags = _t367 - 0xffffffff;
                                                                									if(_t367 <= 0xffffffff) {
                                                                										_t367 =  *(_t461 + 0x334);
                                                                										__eflags = _t367 - 0xffffffff;
                                                                										if(_t367 <= 0xffffffff) {
                                                                											_t367 = _t462[0x5f];
                                                                										}
                                                                									}
                                                                									_t462[0x17] = _t367;
                                                                								}
                                                                								__eflags = _t413 & 0x00000040;
                                                                								if((_t413 & 0x00000040) == 0) {
                                                                									_t360 =  *(_t391 + 0x30);
                                                                									_t462[0x4d] = _t360;
                                                                									_t420 =  *0x10010adc; // 0x26d90f0
                                                                									__eflags =  *(_t420 + 0x129) & 0x00000002;
                                                                									if(( *(_t420 + 0x129) & 0x00000002) != 0) {
                                                                										_t462[0x4d] =  *(_t461 + 0x330) * _t360 >> 7;
                                                                										__eflags =  *(_t461 + 0x34c) - _t439;
                                                                										if( *(_t461 + 0x34c) != _t439) {
                                                                											_t361 =  *0x1000d06c();
                                                                											asm("cdq");
                                                                											_t363 = 0x64;
                                                                											_t424 = 0x64;
                                                                											asm("cdq");
                                                                											_t439 = 0;
                                                                											__eflags = 0;
                                                                											_t462[0x4d] = (_t363 - _t361 %  *(_t461 + 0x34c)) * _t462[0x4d] / _t424;
                                                                										}
                                                                									}
                                                                									_t394 =  *(_t391 + 8);
                                                                									_t462[0x19] = _t394;
                                                                									_t462[0x22] = _t394;
                                                                								}
                                                                								_t340 =  *0x10010adc; // 0x26d90f0
                                                                								__eflags =  *(_t340 + 0x129) & 0x00000002;
                                                                								if(( *(_t340 + 0x129) & 0x00000002) == 0) {
                                                                									L97:
                                                                									_t462[4] =  *(_t461 + 0x2b8);
                                                                									L98:
                                                                									_t462[3] = 0x7fff;
                                                                									_t462[0x15] = 1;
                                                                									_t342 =  *0x10010adc; // 0x26d90f0
                                                                									if(( *(_t342 + 0x129) & 0x00000002) != 0) {
                                                                										_t462[0x15] = 3;
                                                                									}
                                                                									goto L149;
                                                                								} else {
                                                                									__eflags = _v16 - _t439;
                                                                									if(_v16 != _t439) {
                                                                										goto L97;
                                                                									}
                                                                									_t414 =  *(_t461 + 0x33c);
                                                                									__eflags = _t414 - _t439;
                                                                									if(_t414 == _t439) {
                                                                										_t462[0x5a] = _t439;
                                                                									} else {
                                                                										asm("cdq");
                                                                										_t462[0x5a] = (_t462[0x1c] -  *((intOrPtr*)(_t461 + 0x340))) * _t414 - _t439 >> 1;
                                                                									}
                                                                									_t343 = _t461 + 0x350;
                                                                									__eflags =  *_t343;
                                                                									if( *_t343 != 0) {
                                                                										__eflags = _t462[0x17];
                                                                										if(_t462[0x17] >= 0) {
                                                                											_t393 =  *_t343;
                                                                											_t352 =  *0x1000d06c();
                                                                											asm("cdq");
                                                                											_t159 =  &(_t462[0x17]);
                                                                											 *_t159 = _t462[0x17] + _t352 % ( *_t343 + _t393) - _t393;
                                                                											__eflags =  *_t159;
                                                                											_t354 = _t462[0x17];
                                                                											if( *_t159 >= 0) {
                                                                												__eflags = _t354 - 0xff;
                                                                												if(_t354 > 0xff) {
                                                                													_t462[0x17] = 0xff;
                                                                												}
                                                                											} else {
                                                                												_t462[0x17] = _t462[0x17] & 0x00000000;
                                                                											}
                                                                										}
                                                                									}
                                                                									__eflags = _v12;
                                                                									if(_v12 == 0) {
                                                                										L84:
                                                                										_t392 = _t461 + 0x1e4;
                                                                										E10003925(_t462,  &(_t462[7]), _t461 + 0x1e4, 0xffffffc0);
                                                                										goto L85;
                                                                									} else {
                                                                										_t392 = _t461 + 0x1e4;
                                                                										__eflags =  *_t392 & 0x00000020;
                                                                										if(( *_t392 & 0x00000020) == 0) {
                                                                											goto L84;
                                                                										}
                                                                										_t462[7] = _t462[7] & 0x000000f7;
                                                                										L85:
                                                                										__eflags = _v12;
                                                                										if(_v12 == 0) {
                                                                											L88:
                                                                											E10003925(_t462,  &(_t462[0xe]), _t461 + 0x24e, 0xffffffe0);
                                                                											L89:
                                                                											__eflags = _v12;
                                                                											if(_v12 == 0) {
                                                                												L92:
                                                                												_t347 = _t461 + 0x2c4;
                                                                												__eflags =  *_t347 & 0x00000010;
                                                                												_t417 = _t462;
                                                                												_t447 =  &(_t462[0x53]);
                                                                												if(( *_t347 & 0x00000010) == 0) {
                                                                													_push(0xfffffc00);
                                                                												} else {
                                                                													_push(0xfffff800);
                                                                												}
                                                                												_push(_t347);
                                                                												E10003925(_t417, _t447);
                                                                												L96:
                                                                												__eflags = 0;
                                                                												_t462[5] = 0;
                                                                												goto L97;
                                                                											}
                                                                											__eflags =  *(_t461 + 0x2c4) & 0x00000020;
                                                                											if(( *(_t461 + 0x2c4) & 0x00000020) == 0) {
                                                                												goto L92;
                                                                											}
                                                                											_t462[0x53] = _t462[0x53] & 0x000000f7;
                                                                											goto L96;
                                                                										}
                                                                										__eflags =  *(_t461 + 0x24e) & 0x00000020;
                                                                										if(( *(_t461 + 0x24e) & 0x00000020) == 0) {
                                                                											goto L88;
                                                                										}
                                                                										_t462[0xe] = _t462[0xe] & 0x000000f7;
                                                                										goto L89;
                                                                									}
                                                                								}
                                                                							}
                                                                							_t462[0x17] = 0x80;
                                                                							_t462[0x19] = _t439;
                                                                							_t462[0x22] = _t439;
                                                                							goto L98;
                                                                						}
                                                                					}
                                                                					_t462[0x5c] = _t439;
                                                                					if(_t461 == _t439) {
                                                                						L14:
                                                                						_t462[2] = _t439;
                                                                						_t395 = 0;
                                                                						__eflags = 0;
                                                                						L15:
                                                                						if(_t395 == _t439) {
                                                                							L13:
                                                                							_t462[0x3c] = _t439;
                                                                							_t462[6] = _t439;
                                                                							_t462[5] = _t439;
                                                                							_t462[0x41] = 1;
                                                                							goto L53;
                                                                						} else {
                                                                							if(_t462[0x49] >=  *((intOrPtr*)(_t395 + 0x10))) {
                                                                								_t381 =  *0x10010adc; // 0x26d90f0
                                                                								if(( *(_t381 + 0x129) & 0x00000008) == 0) {
                                                                									__eflags =  *(_t395 + 0x1c) & 0x00000010;
                                                                									if(( *(_t395 + 0x1c) & 0x00000010) != 0) {
                                                                										_t462[0x49] =  *(_t395 + 0x14);
                                                                									}
                                                                								} else {
                                                                									_t462[0x49] = _t439;
                                                                								}
                                                                							}
                                                                							if(_t462[0x49] <  *((intOrPtr*)(_t395 + 0x10))) {
                                                                								_t462[0x48] = _t462[0x48] | 0x00000001;
                                                                								__eflags =  *((char*)(_t395 + 0x2e));
                                                                								if( *((char*)(_t395 + 0x2e)) == 0) {
                                                                									goto L23;
                                                                								}
                                                                								__eflags =  *((char*)(_t395 + 0x2f));
                                                                								if( *((char*)(_t395 + 0x2f)) == 0) {
                                                                									goto L23;
                                                                								}
                                                                								_t462[0x3c] = 1;
                                                                								_t462[0x3d] =  *((intOrPtr*)(_t395 + 0x2c));
                                                                								_t462[0x3d] =  *((intOrPtr*)(_t395 + 0x2e));
                                                                								_t379 =  *((intOrPtr*)(_t395 + 0x2f));
                                                                								_t462[0x3d] = _t379;
                                                                								_t462[0x3d] = _t379;
                                                                								_t462[0x3e] =  *((intOrPtr*)(_t395 + 0x2d));
                                                                								_t462[0x3f] = _t439;
                                                                								goto L24;
                                                                							} else {
                                                                								_t462[2] = _t439;
                                                                								_t395 = 0;
                                                                								_t462[0x41] = 1;
                                                                								L23:
                                                                								_t462[0x3c] = _t439;
                                                                								L24:
                                                                								_t311 =  *(_t461 + 0x338);
                                                                								_t462[0x51] = _t311;
                                                                								if((_v16 & 0x00000010) != 0) {
                                                                									goto L53;
                                                                								}
                                                                								_t311 =  *0x10010adc; // 0x26d90f0
                                                                								if(( *(_t311 + 0x129) & 0x00000002) == 0) {
                                                                									goto L53;
                                                                								}
                                                                								_t370 =  *(_t461 + 0x354);
                                                                								if(_t370 < 0) {
                                                                									_t462[0x62] = _t370 & 0x0000007f;
                                                                								}
                                                                								_t371 =  *(_t461 + 0x358);
                                                                								if(_t371 < 0) {
                                                                									_t462[0x63] = _t371 & 0x0000007f;
                                                                								}
                                                                								_t311 = E10005FE0(_t462, _t462[0x62]);
                                                                								if( *((intOrPtr*)(_t461 + 0x344)) == 0) {
                                                                									L52:
                                                                									_t439 = 0;
                                                                									goto L53;
                                                                								} else {
                                                                									_t372 =  *0x10010adc; // 0x26d90f0
                                                                									_t373 =  *(_t372 + 0x2e0);
                                                                									_v8 = _t373;
                                                                									_v20 = 0x40;
                                                                									do {
                                                                										if( *((char*)(_t373 + 0x1b8)) != 0 &&  *((intOrPtr*)(_t373 + 0x130)) == _t462[0x4c] &&  *_t373 == _t461) {
                                                                											_t428 =  *((intOrPtr*)(_t461 + 0x344)) - 1;
                                                                											if(_t428 == 0) {
                                                                												__eflags =  *((intOrPtr*)(_t373 + 0x70)) - _t462[0x1c];
                                                                												L44:
                                                                												if(__eflags != 0) {
                                                                													goto L51;
                                                                												}
                                                                												L45:
                                                                												_t431 =  *(_t461 + 0x348);
                                                                												__eflags = _t431;
                                                                												if(_t431 == 0) {
                                                                													 *(_t373 + 0x104) = 1;
                                                                												} else {
                                                                													_t432 = _t431 - 1;
                                                                													__eflags = _t432;
                                                                													if(_t432 == 0) {
                                                                														E100030F2(_v8);
                                                                														_t373 = _v8;
                                                                													} else {
                                                                														__eflags = _t432 == 1;
                                                                														if(_t432 == 1) {
                                                                															 *(_t373 + 0x54) =  *(_t373 + 0x54) & 0xfffffffd;
                                                                														}
                                                                													}
                                                                												}
                                                                												goto L51;
                                                                											}
                                                                											_t435 = _t428 - 1;
                                                                											if(_t435 == 0) {
                                                                												__eflags =  *((intOrPtr*)(_t373 + 8)) - _t395;
                                                                												goto L44;
                                                                											}
                                                                											if(_t435 == 1) {
                                                                												goto L45;
                                                                											}
                                                                										}
                                                                										L51:
                                                                										_t373 = _t373 + 0x208;
                                                                										_t97 =  &_v20;
                                                                										 *_t97 = _v20 - 1;
                                                                										_v8 = _t373;
                                                                									} while ( *_t97 != 0);
                                                                									goto L52;
                                                                								}
                                                                							}
                                                                						}
                                                                					}
                                                                					_t437 = _t462[0x1c];
                                                                					if(_t437 > 0x77) {
                                                                						goto L14;
                                                                					}
                                                                					_t311 =  *((intOrPtr*)(_t461 + 6 + _t437 * 4));
                                                                					if(_t311 == 0xffff) {
                                                                						goto L14;
                                                                					}
                                                                					_t396 =  *0x10010adc; // 0x26d90f0
                                                                					_t311 = (_t311 & 0x0000ffff) * 0x3c;
                                                                					_t395 =  *((intOrPtr*)(_t396 + 0x130)) + _t311;
                                                                					_t462[2] = _t395;
                                                                					if( *((intOrPtr*)(_t395 + 0x24)) == _t439) {
                                                                						_t462[2] = _t439;
                                                                						goto L13;
                                                                					} else {
                                                                						_t453 =  *_t395;
                                                                						_t462[0x21] =  *_t395;
                                                                						_t384 =  *0x10010adc; // 0x26d90f0
                                                                						if(( *(_t384 + 0x128) & 0x00000002) == 0) {
                                                                							_t437 =  *(_t461 + 4 + _t437 * 4) & 0x0000ffff;
                                                                						}
                                                                						_t311 = E10002FF2(_t437, _t453);
                                                                						_t462[0x23] = _t311;
                                                                						_t462[0x37] = _t311;
                                                                						_t439 = 0;
                                                                						goto L15;
                                                                					}
                                                                				}
                                                                				_v12 = 1;
                                                                				if(_t310 ==  *((intOrPtr*)(__ecx + 4))) {
                                                                					goto L3;
                                                                				}
                                                                				goto L2;
                                                                			}
                                                                0x10003580
                                                                0x1000358c
                                                                0x10003591
                                                                0x10003591
                                                                0x1000359f
                                                                0x100035a5
                                                                0x100035a8
                                                                0x100035aa
                                                                0x100035ae
                                                                0x100035b0
                                                                0x100035b2
                                                                0x100035b8
                                                                0x100035c0
                                                                0x100035c0
                                                                0x100035c0
                                                                0x100035c3
                                                                0x100035c6
                                                                0x100035d3
                                                                0x100035d5
                                                                0x100035d7
                                                                0x100035d7
                                                                0x100035c8
                                                                0x100035c8
                                                                0x100035c8
                                                                0x100035c6
                                                                0x100035ae
                                                                0x100035da
                                                                0x100035de
                                                                0x100035f1
                                                                0x100035f3
                                                                0x100035ff
                                                                0x00000000
                                                                0x100035e0
                                                                0x100035e0
                                                                0x100035e6
                                                                0x100035e9
                                                                0x00000000
                                                                0x00000000
                                                                0x100035eb
                                                                0x10003604
                                                                0x10003604
                                                                0x10003608
                                                                0x10003619
                                                                0x10003627
                                                                0x1000362c
                                                                0x1000362c
                                                                0x10003630
                                                                0x10003644
                                                                0x10003644
                                                                0x1000364a
                                                                0x1000364d
                                                                0x1000364f
                                                                0x10003655
                                                                0x1000365e
                                                                0x10003657
                                                                0x10003657
                                                                0x10003657
                                                                0x10003663
                                                                0x10003664
                                                                0x10003669
                                                                0x1000366d
                                                                0x10003670
                                                                0x00000000
                                                                0x10003670
                                                                0x10003632
                                                                0x10003639
                                                                0x00000000
                                                                0x00000000
                                                                0x1000363b
                                                                0x00000000
                                                                0x1000363b
                                                                0x1000360a
                                                                0x10003611
                                                                0x00000000
                                                                0x00000000
                                                                0x10003613
                                                                0x00000000
                                                                0x10003613
                                                                0x100035de
                                                                0x10003567
                                                                0x100034b4
                                                                0x100034bb
                                                                0x100034be
                                                                0x00000000
                                                                0x100034be
                                                                0x1000347e
                                                                0x1000322d
                                                                0x10003233
                                                                0x100032b4
                                                                0x100032b4
                                                                0x100032b7
                                                                0x100032b7
                                                                0x100032b9
                                                                0x100032bb
                                                                0x10003299
                                                                0x10003299
                                                                0x1000329f
                                                                0x100032a2
                                                                0x100032a5
                                                                0x00000000
                                                                0x100032bd
                                                                0x100032c6
                                                                0x100032c8
                                                                0x100032d4
                                                                0x100032de
                                                                0x100032e2
                                                                0x100032e7
                                                                0x100032e7
                                                                0x100032d6
                                                                0x100032d6
                                                                0x100032d6
                                                                0x100032d4
                                                                0x100032f6
                                                                0x100033c9
                                                                0x100033d0
                                                                0x100033d4
                                                                0x00000000
                                                                0x00000000
                                                                0x100033da
                                                                0x100033de
                                                                0x00000000
                                                                0x00000000
                                                                0x100033e4
                                                                0x100033f1
                                                                0x100033fa
                                                                0x10003400
                                                                0x10003403
                                                                0x10003409
                                                                0x10003412
                                                                0x10003418
                                                                0x00000000
                                                                0x100032fc
                                                                0x100032fc
                                                                0x100032ff
                                                                0x10003301
                                                                0x1000330b
                                                                0x1000330b
                                                                0x10003311
                                                                0x10003315
                                                                0x1000331b
                                                                0x10003321
                                                                0x00000000
                                                                0x00000000
                                                                0x10003327
                                                                0x10003333
                                                                0x00000000
                                                                0x00000000
                                                                0x10003339
                                                                0x10003341
                                                                0x10003346
                                                                0x10003346
                                                                0x1000334c
                                                                0x10003354
                                                                0x10003359
                                                                0x10003359
                                                                0x10003367
                                                                0x10003373
                                                                0x1000346f
                                                                0x1000346f
                                                                0x00000000
                                                                0x10003379
                                                                0x10003379
                                                                0x1000337e
                                                                0x10003384
                                                                0x10003387
                                                                0x1000338e
                                                                0x10003395
                                                                0x100033bb
                                                                0x100033bc
                                                                0x1000342b
                                                                0x1000342e
                                                                0x1000342e
                                                                0x00000000
                                                                0x00000000
                                                                0x10003430
                                                                0x10003436
                                                                0x10003436
                                                                0x10003439
                                                                0x10003454
                                                                0x1000343b
                                                                0x1000343b
                                                                0x1000343b
                                                                0x1000343c
                                                                0x1000344a
                                                                0x1000344f
                                                                0x1000343e
                                                                0x1000343e
                                                                0x1000343f
                                                                0x10003441
                                                                0x10003441
                                                                0x1000343f
                                                                0x1000343c
                                                                0x00000000
                                                                0x10003439
                                                                0x100033be
                                                                0x100033bf
                                                                0x10003423
                                                                0x00000000
                                                                0x10003423
                                                                0x100033c2
                                                                0x00000000
                                                                0x00000000
                                                                0x100033c4
                                                                0x1000345e
                                                                0x1000345e
                                                                0x10003463
                                                                0x10003463
                                                                0x10003466
                                                                0x10003466
                                                                0x00000000
                                                                0x1000338e
                                                                0x10003373
                                                                0x100032f6
                                                                0x100032bb
                                                                0x10003235
                                                                0x1000323b
                                                                0x00000000
                                                                0x00000000
                                                                0x1000323d
                                                                0x10003246
                                                                0x00000000
                                                                0x00000000
                                                                0x10003248
                                                                0x10003257
                                                                0x1000325a
                                                                0x1000325c
                                                                0x10003262
                                                                0x10003296
                                                                0x00000000
                                                                0x10003264
                                                                0x10003264
                                                                0x10003266
                                                                0x1000326c
                                                                0x10003278
                                                                0x1000328f
                                                                0x1000328f
                                                                0x1000327a
                                                                0x1000327f
                                                                0x10003285
                                                                0x1000328b
                                                                0x00000000
                                                                0x1000328b
                                                                0x10003262
                                                                0x100031fd
                                                                0x10003204
                                                                0x00000000
                                                                0x00000000
                                                                0x00000000

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 381c3528033407cf28fcc44b4e0bb9f4d0ec186eb51ed1e5ea1b604a8666c357
                                                                • Instruction ID: 64ffbe89166525c7bcc120634bdd9cc6a2c3859051f4c9541b2a3c2bbc5713b3
                                                                • Opcode Fuzzy Hash: 381c3528033407cf28fcc44b4e0bb9f4d0ec186eb51ed1e5ea1b604a8666c357
                                                                • Instruction Fuzzy Hash: DE228EB0A04B428FE766CF29C484797BBE5FF44384F14C56ED8AA8B695D770B944CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 98%
                                                                			E10001B00(intOrPtr __ecx, void* __ebp, void* __fp0) {
                                                                				intOrPtr _v4;
                                                                				signed int _t79;
                                                                				signed int _t80;
                                                                				signed int _t81;
                                                                				signed int _t82;
                                                                				signed int _t89;
                                                                				signed int _t91;
                                                                				signed int _t93;
                                                                				signed int _t94;
                                                                				signed int _t97;
                                                                				signed int _t108;
                                                                				void* _t109;
                                                                				signed short _t113;
                                                                				signed short _t117;
                                                                				signed short _t118;
                                                                				signed char _t119;
                                                                				intOrPtr* _t125;
                                                                				signed int _t131;
                                                                				signed int _t134;
                                                                				void* _t136;
                                                                				signed int _t137;
                                                                				intOrPtr _t144;
                                                                				intOrPtr _t145;
                                                                				signed short _t151;
                                                                				signed int _t153;
                                                                				void* _t157;
                                                                				signed short _t158;
                                                                				signed int _t164;
                                                                				signed int _t165;
                                                                				void* _t167;
                                                                				void* _t169;
                                                                				intOrPtr _t172;
                                                                				signed int _t176;
                                                                				signed int _t178;
                                                                				void* _t181;
                                                                				intOrPtr _t186;
                                                                				signed int _t189;
                                                                				void* _t196;
                                                                				void* _t199;
                                                                				void* _t204;
                                                                
                                                                				_t204 = __fp0;
                                                                				_push(__ecx);
                                                                				_t79 =  *0x1000e69c; // 0x0
                                                                				_t153 =  *0x1000e6b8; // 0x0
                                                                				_v4 = __ecx;
                                                                				_t189 = 0;
                                                                				_t164 = 0;
                                                                				 *0x1000e6b0 = 0;
                                                                				 *0x1000e694 = 0;
                                                                				if(_t79 == 0) {
                                                                					 *0x1000e6a0 = 0;
                                                                					goto L11;
                                                                				} else {
                                                                					_t196 =  *0x1000e6a0 - _t189; // 0x0
                                                                					if(_t196 == 0) {
                                                                						 *0x1000e6a0 = 1;
                                                                						if(_t153 != 0) {
                                                                							 *0x1000e698 =  *0x1000e698 + 1;
                                                                						}
                                                                						_t199 =  *0x1000e6ac - _t189; // 0x0
                                                                						if(_t199 != 0) {
                                                                							 *0x1000e6ac =  *0x1000e6ac + 1;
                                                                						}
                                                                						if((_t79 & 0x00000001) != 0) {
                                                                							_t186 =  *0x1000e6c4; // 0x7
                                                                							 *0x1000e694 = _t186 - (_t79 & 0x000000ff);
                                                                							_t79 = 1;
                                                                						}
                                                                					}
                                                                					_t80 = _t79 - 1;
                                                                					 *0x1000e69c = _t80;
                                                                					if(_t79 == 0) {
                                                                						L11:
                                                                						__eflags = _v4 - _t189;
                                                                						_t80 =  *0x10010adc; // 0x26d90f0
                                                                						if(_v4 != _t189) {
                                                                							L20:
                                                                							_t176 =  *0x1000e6c0; // 0x1b
                                                                							goto L21;
                                                                						} else {
                                                                							__eflags =  *(_t80 + 0x12a) & 0x00000004;
                                                                							if(( *(_t80 + 0x12a) & 0x00000004) == 0) {
                                                                								goto L20;
                                                                							} else {
                                                                								__eflags = _t153 - _t189;
                                                                								if(_t153 == _t189) {
                                                                									goto L20;
                                                                								} else {
                                                                									__eflags = _t153 & 0x00020000;
                                                                									if((_t153 & 0x00020000) != 0) {
                                                                										goto L20;
                                                                									} else {
                                                                										_t176 =  *0x1000e6c0; // 0x1b
                                                                										__eflags = _t176 - _t153;
                                                                										if(__eflags > 0) {
                                                                											L18:
                                                                											_t80 = E10008993(1);
                                                                											__eflags = _t80;
                                                                											if(_t80 != 0) {
                                                                												goto L9;
                                                                											} else {
                                                                												_t153 =  *0x1000e6b8; // 0x0
                                                                												_t164 =  *0x1000e6b0; // 0x0
                                                                												_t80 =  *0x10010adc; // 0x26d90f0
                                                                												goto L20;
                                                                											}
                                                                										} else {
                                                                											if(__eflags != 0) {
                                                                												L21:
                                                                												_t117 =  *0x1000e6ac; // 0x0
                                                                												 *0x1000e6bc =  *0x1000e6bc + 1;
                                                                												__eflags = _t117 - _t189;
                                                                												if(_t117 != _t189) {
                                                                													_t164 = ( *0x1000e6ae & 0x0000ffff) + 2;
                                                                													__eflags = _t164;
                                                                													 *0x1000e6bc = _t117 & 0x0000ffff;
                                                                													 *0x1000e6b0 = _t164;
                                                                													 *0x1000e6ac = _t189;
                                                                												}
                                                                												__eflags = _t153 - _t189;
                                                                												if(_t153 != _t189) {
                                                                													L26:
                                                                													_t118 =  *0x1000e698; // 0x0
                                                                													_t165 = _t176;
                                                                													_t178 = _t153;
                                                                													 *0x1000e6bc = _t118;
                                                                													while(1) {
                                                                														 *0x1000e6c0 = _t178;
                                                                														__eflags = _t178 -  *((intOrPtr*)(_t80 + 8));
                                                                														if(_t178 >=  *((intOrPtr*)(_t80 + 8))) {
                                                                															break;
                                                                														}
                                                                														_t119 =  *(_t80 + _t178 + 0x28);
                                                                														__eflags = 0 -  *((intOrPtr*)(_t80 + 0x10));
                                                                														if(0 >=  *((intOrPtr*)(_t80 + 0x10))) {
                                                                															__eflags =  *(_t80 + 0x128) & 0x00000102;
                                                                															if(( *(_t80 + 0x128) & 0x00000102) == 0) {
                                                                																L30:
                                                                																_t178 = _t178 + 1;
                                                                																__eflags = _t178;
                                                                																continue;
                                                                															} else {
                                                                																__eflags = _t119 - 0xff;
                                                                																if(_t119 != 0xff) {
                                                                																	goto L30;
                                                                																}
                                                                															}
                                                                														}
                                                                														break;
                                                                													}
                                                                													__eflags = _t178 -  *((intOrPtr*)(_t80 + 8));
                                                                													if(_t178 >=  *((intOrPtr*)(_t80 + 8))) {
                                                                														L35:
                                                                														__eflags = _v4 - _t189;
                                                                														if(_v4 == _t189) {
                                                                															__eflags = 0;
                                                                															E10008993(0);
                                                                															_t80 =  *0x10010adc; // 0x26d90f0
                                                                														}
                                                                														_t178 =  *(_t80 + 0xc);
                                                                														while(1) {
                                                                															 *0x1000e6c0 = _t178;
                                                                															__eflags = _t178 -  *((intOrPtr*)(_t80 + 8));
                                                                															if(_t178 >=  *((intOrPtr*)(_t80 + 8))) {
                                                                																break;
                                                                															}
                                                                															__eflags = ( *(_t80 + _t178 + 0x28) & 0x000000ff) -  *((intOrPtr*)(_t80 + 0x10));
                                                                															if(( *(_t80 + _t178 + 0x28) & 0x000000ff) >=  *((intOrPtr*)(_t80 + 0x10))) {
                                                                																_t178 = _t178 + 1;
                                                                																__eflags = _t178;
                                                                																continue;
                                                                															}
                                                                															break;
                                                                														}
                                                                														__eflags = _t178 -  *((intOrPtr*)(_t80 + 8));
                                                                														if(_t178 >=  *((intOrPtr*)(_t80 + 8))) {
                                                                															goto L9;
                                                                														} else {
                                                                															goto L42;
                                                                														}
                                                                													} else {
                                                                														__eflags =  *(_t80 + 0x128) & 0x00000102;
                                                                														if(( *(_t80 + 0x128) & 0x00000102) == 0) {
                                                                															L42:
                                                                															__eflags = _t178 - _t165;
                                                                															 *0x1000e6a4 = _t189;
                                                                															__eflags =  *0x1000e698 - _t189; // 0x0
                                                                															_t164 = (0 | __eflags == 0x00000000) + 1;
                                                                															 *0x1000e6b0 = _t164;
                                                                															if(__eflags != 0) {
                                                                																__eflags =  *0x1000e6bc - ( *( *((intOrPtr*)(_t80 + 0x138)) + ( *(_t178 + _t80 + 0x28) & 0x000000ff) * 2) & 0x0000ffff); // 0x1e
                                                                																if(__eflags >= 0) {
                                                                																	 *0x1000e6bc = _t189;
                                                                																}
                                                                															}
                                                                															 *0x1000e6b8 = _t189;
                                                                															 *0x1000e698 = _t189;
                                                                															goto L46;
                                                                														} else {
                                                                															__eflags =  *(_t178 + _t80 + 0x28) - 0xff;
                                                                															if( *(_t178 + _t80 + 0x28) != 0xff) {
                                                                																goto L42;
                                                                															} else {
                                                                																goto L35;
                                                                															}
                                                                														}
                                                                													}
                                                                												} else {
                                                                													_t151 =  *0x1000e6bc; // 0x1e
                                                                													__eflags = _t151 -  *0x1000e6b4; // 0x40
                                                                													if(__eflags < 0) {
                                                                														L46:
                                                                														__eflags = _v4 - _t189;
                                                                														if(_v4 != _t189) {
                                                                															L51:
                                                                															_t125 =  *0x1000e010; // 0x10010ac8
                                                                															_t39 = _t125 + 4; // 0x0
                                                                															_t108 =  *_t39;
                                                                															__eflags = _t108 - _t189;
                                                                															if(_t108 != _t189) {
                                                                																_t172 =  *_t125;
                                                                																do {
                                                                																	__eflags =  *((intOrPtr*)(_t172 + 4)) - _t189;
                                                                																	if( *((intOrPtr*)(_t172 + 4)) == _t189) {
                                                                																		_t144 =  *((intOrPtr*)(_t172 + 8));
                                                                																		__eflags = _t144 - 0xffff;
                                                                																		if(_t144 == 0xffff) {
                                                                																			L56:
                                                                																			_t145 =  *((intOrPtr*)(_t172 + 0xa));
                                                                																			__eflags = _t145 - 0xffff;
                                                                																			if(_t145 == 0xffff) {
                                                                																				L58:
                                                                																				__eflags = ( *0x1000e6bc & 0x0000ffff) << 0x10;
                                                                																				E100088FE(_t172, ( *0x1000e6bc & 0x0000ffff) << 0x10);
                                                                																				_t178 =  *0x1000e6c0; // 0x1b
                                                                																				_t80 =  *0x10010adc; // 0x26d90f0
                                                                																			} else {
                                                                																				__eflags = _t145 -  *0x1000e6bc; // 0x1e
                                                                																				if(__eflags == 0) {
                                                                																					goto L58;
                                                                																				}
                                                                																			}
                                                                																		} else {
                                                                																			__eflags = _t144 - _t178;
                                                                																			if(_t144 == _t178) {
                                                                																				goto L56;
                                                                																			}
                                                                																		}
                                                                																	}
                                                                																	_t172 = _t172 + 0x18;
                                                                																	_t108 = _t108 - 1;
                                                                																	__eflags = _t108;
                                                                																} while (_t108 != 0);
                                                                															}
                                                                															_t167 = 0;
                                                                															 *0x1000e6b4 =  *( *((intOrPtr*)(_t80 + 0x138)) + ( *(_t178 + _t80 + 0x28) & 0x000000ff) * 2) & 0x0000ffff;
                                                                															_t109 = 0;
                                                                															while(1) {
                                                                																_t131 =  *( *((intOrPtr*)(_t80 + 0x134)) + (( *(_t178 + _t80 + 0x28) & 0x000000ff) *  *(_t80 + 4) + _t167) * 2) & 0x0000ffff;
                                                                																_t181 =  *((intOrPtr*)(_t80 + 0x2dc)) + _t109;
                                                                																__eflags = _t131 -  *((intOrPtr*)(_t80 + 0x14));
                                                                																if(_t131 >=  *((intOrPtr*)(_t80 + 0x14))) {
                                                                																	_t81 = 0;
                                                                																	__eflags = 0;
                                                                																} else {
                                                                																	_t158 =  *0x1000e6bc; // 0x1e
                                                                																	_t81 = E10001E78( *((intOrPtr*)( *((intOrPtr*)(_t80 + 0x13c)) + _t131 * 4)), _t158);
                                                                																}
                                                                																__eflags = _t81 - _t189;
                                                                																 *(_t181 + 0x74) = _t81;
                                                                																if(_t81 != _t189) {
                                                                																	_t97 = _t81 + 1;
                                                                																	__eflags = _t97;
                                                                																	 *((intOrPtr*)(_t181 + 0x78)) = _t81 + 1;
                                                                																	 *(_t181 + 0x74) = _t97;
                                                                																}
                                                                																_t82 = E100022D2(_t181);
                                                                																__eflags = _t82;
                                                                																if(_t82 == 0) {
                                                                																	E10001FC7(_t181, _t204);
                                                                																}
                                                                																_t80 =  *0x10010adc; // 0x26d90f0
                                                                																_t167 = _t167 + 1;
                                                                																_t109 = _t109 + 0x208;
                                                                																__eflags = _t167 -  *(_t80 + 4);
                                                                																if(_t167 >=  *(_t80 + 4)) {
                                                                																	break;
                                                                																}
                                                                																_t178 =  *0x1000e6c0; // 0x1b
                                                                															}
                                                                															__eflags = _v4 - _t189;
                                                                															if(_v4 != _t189) {
                                                                																goto L9;
                                                                															} else {
                                                                																__eflags =  *0x1000e6c4 - _t189; // 0x7
                                                                																if(__eflags != 0) {
                                                                																	goto L9;
                                                                																} else {
                                                                																	__eflags =  *0x1000e6c0 - _t189; // 0x1b
                                                                																	if(__eflags != 0) {
                                                                																		L74:
                                                                																		_t80 = E10008993(0);
                                                                																		__eflags = _t80;
                                                                																		if(_t80 != 0) {
                                                                																			goto L9;
                                                                																		} else {
                                                                																			E10001EA4();
                                                                																			_pop(_t168);
                                                                																			_pop(_t182);
                                                                																			_pop(_t110);
                                                                																			E10007063(0, _t204);
                                                                																			__eflags =  *0x1000e6f1 & 0x00000006;
                                                                																			if(( *0x1000e6f1 & 0x00000006) != 0) {
                                                                																				E10007020();
                                                                																			}
                                                                																			E10007162();
                                                                																			E100070F3(0, _t204);
                                                                																			__eflags =  *0x10010aac; // 0x800000
                                                                																			if(__eflags == 0) {
                                                                																				__eflags =  *0x1000f33c - 2;
                                                                																				 *0x1000f608 = 0x10006fd0;
                                                                																				if( *0x1000f33c != 2) {
                                                                																					 *0x1000f608 = 0x10006f20;
                                                                																				}
                                                                																			} else {
                                                                																				__eflags =  *0x1000f33c - 2;
                                                                																				if( *0x1000f33c != 2) {
                                                                																					 *0x1000f608 = E10006EA0;
                                                                																				} else {
                                                                																					 *0x1000f608 = E10006F70;
                                                                																				}
                                                                																			}
                                                                																			_t134 =  *0x1000f61c; // 0xac8
                                                                																			_t169 =  *0x1000f310; // 0x26d5d48
                                                                																			memset(_t169, 0, _t134 << 2);
                                                                																			_t89 =  *0x10010adc; // 0x26d90f0
                                                                																			_t157 = 0;
                                                                																			 *0x1000e294 = 0;
                                                                																			_t136 = 0;
                                                                																			__eflags = 0;
                                                                																			do {
                                                                																				 *((intOrPtr*)( *((intOrPtr*)(_t89 + 0x2dc)) + _t136 + 0x1f0)) = 0;
                                                                																				_t91 =  *0x10010adc; // 0x26d90f0
                                                                																				 *((intOrPtr*)( *((intOrPtr*)(_t91 + 0x2dc)) + _t136 + 0x1ec)) = 0;
                                                                																				_t89 =  *0x10010adc; // 0x26d90f0
                                                                																				_t157 = _t157 + 1;
                                                                																				_t136 = _t136 + 0x208;
                                                                																				__eflags = _t157 -  *((intOrPtr*)(_t89 + 4));
                                                                																			} while (_t157 <  *((intOrPtr*)(_t89 + 4)));
                                                                																			_t93 =  *(_t89 + 0x2e0);
                                                                																			__eflags = _t93;
                                                                																			if(_t93 != 0) {
                                                                																				_t94 = _t93 + 0x1ec;
                                                                																				__eflags = _t94;
                                                                																				_t137 = 0x40;
                                                                																				do {
                                                                																					 *((intOrPtr*)(_t94 + 4)) = 0;
                                                                																					 *_t94 = 0;
                                                                																					_t94 = _t94 + 0x208;
                                                                																					_t137 = _t137 - 1;
                                                                																					__eflags = _t137;
                                                                																				} while (_t137 != 0);
                                                                																			}
                                                                																			return _t93;
                                                                																		}
                                                                																	} else {
                                                                																		__eflags =  *0x1000e6bc - _t189; // 0x1e
                                                                																		if(__eflags == 0) {
                                                                																			goto L9;
                                                                																		} else {
                                                                																			goto L74;
                                                                																		}
                                                                																	}
                                                                																}
                                                                															}
                                                                														} else {
                                                                															__eflags = _t164 - 4;
                                                                															if(_t164 != 4) {
                                                                																goto L51;
                                                                															} else {
                                                                																__eflags =  *0x1000e2a0 - _t189; // 0x1
                                                                																if(__eflags != 0) {
                                                                																	goto L51;
                                                                																} else {
                                                                																	_t80 = E10008993(0);
                                                                																	__eflags = _t80;
                                                                																	if(_t80 != 0) {
                                                                																		goto L9;
                                                                																	} else {
                                                                																		_t178 =  *0x1000e6c0; // 0x1b
                                                                																		_t80 =  *0x10010adc; // 0x26d90f0
                                                                																		goto L51;
                                                                																	}
                                                                																}
                                                                															}
                                                                														}
                                                                													} else {
                                                                														_t10 = _t176 + 0x10001; // 0x1001c
                                                                														_t153 = _t10;
                                                                														__eflags = _t153 - _t189;
                                                                														 *0x1000e6b8 = _t153;
                                                                														if(_t153 == _t189) {
                                                                															goto L46;
                                                                														} else {
                                                                															goto L26;
                                                                														}
                                                                													}
                                                                												}
                                                                											} else {
                                                                												_t113 =  *0x1000e698; // 0x0
                                                                												_t189 = 0;
                                                                												__eflags =  *0x1000e6bc - _t113; // 0x1e
                                                                												if(__eflags <= 0) {
                                                                													goto L21;
                                                                												} else {
                                                                													goto L18;
                                                                												}
                                                                											}
                                                                										}
                                                                									}
                                                                								}
                                                                							}
                                                                						}
                                                                					} else {
                                                                						L9:
                                                                						return _t80;
                                                                					}
                                                                				}
                                                                			}

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 10ca24e12fcd8c68d48c5b659970d2a09a2d62930beb324be79505086833df09
                                                                • Instruction ID: a05401d2b016d99077ecae3d229ecc50a6fbb32bf1e1eb0e9bdffe1ab8217d16
                                                                • Opcode Fuzzy Hash: 10ca24e12fcd8c68d48c5b659970d2a09a2d62930beb324be79505086833df09
                                                                • Instruction Fuzzy Hash: 57A1DFB5A042A18FF354CF14D8D09A6B7E1FB543D0756866ED886A72BEDB31EC80CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f15a1cd23abbcb8dc1570f1c80baec6ab94aad62574a5b7e492d7337cf3acec0
                                                                • Instruction ID: a5ba212e5fb729e53520f4225e24f72fadfc48bf1a4d6d4dc7b899b0561bf238
                                                                • Opcode Fuzzy Hash: f15a1cd23abbcb8dc1570f1c80baec6ab94aad62574a5b7e492d7337cf3acec0
                                                                • Instruction Fuzzy Hash: A11193315046429FD720CB16E9507EAB7F8AF4130CF55465DD8DAE3E00E334EA55C755
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0e1f4f7861f71d1e5b311bbb9ab51cd757d59ba32cee3030be11ebed3cf45e5f
                                                                • Instruction ID: bc02f14f618f391bc63cc6ba3f4ea66d216041da74b66d13223a92b0973bab88
                                                                • Opcode Fuzzy Hash: 0e1f4f7861f71d1e5b311bbb9ab51cd757d59ba32cee3030be11ebed3cf45e5f
                                                                • Instruction Fuzzy Hash: 0F11CE3194D395CFD756DF74C09228ABFA1AF4621471951DDC4C16F423C6BA5816CB82
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 761b5e175e292ec1bb657823413b4652a7c9bc98c229b0e9673dc1eddbf72874
                                                                • Instruction ID: 86c1b4849cf05606dd644e77457a4400b7c02d76e8771ea65641cc22be9b581c
                                                                • Opcode Fuzzy Hash: 761b5e175e292ec1bb657823413b4652a7c9bc98c229b0e9673dc1eddbf72874
                                                                • Instruction Fuzzy Hash: BFC00277051440EEEE4F0B00E91A9A0BB26E708635734448EE005444A2ABB76823E900
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d5ad59243ed67fd5ebd3e5a5964d2427436f1d77b68934569e614c548b996b07
                                                                • Instruction ID: d88deb7aae4bc3267eef166ebb9a50d9359ae9dcda92f38d610eaaa2bea61a9a
                                                                • Opcode Fuzzy Hash: d5ad59243ed67fd5ebd3e5a5964d2427436f1d77b68934569e614c548b996b07
                                                                • Instruction Fuzzy Hash: 3FA01273011440DDEA0B0700E915A907725E304531F34044EE0064085097571821E400
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ea078bba00f692771b990ad2e8bdad3271abf816e8f1cdd9106c9839b14e4661
                                                                • Instruction ID: 8b87bb8fafe22804a63278bcc14f3b133977ccf0450289a91b21c0d3e97e50af
                                                                • Opcode Fuzzy Hash: ea078bba00f692771b990ad2e8bdad3271abf816e8f1cdd9106c9839b14e4661
                                                                • Instruction Fuzzy Hash: 5DA002B13423109AF62086049D5AB1123505B80727F648445F1809D4D5CBF450449505
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 93%
                                                                			E6C665B9C(intOrPtr _a4) {
                                                                				struct _SECURITY_ATTRIBUTES* _v8;
                                                                				char _v9;
                                                                				char _v1033;
                                                                				char _v2057;
                                                                				char _v3081;
                                                                				struct _STARTUPINFOA _v3152;
                                                                				struct _PROCESS_INFORMATION _v3168;
                                                                				long _t79;
                                                                				signed int _t83;
                                                                				long _t100;
                                                                				int _t139;
                                                                				int _t151;
                                                                				char _t178;
                                                                				CHAR* _t179;
                                                                				CHAR* _t180;
                                                                				intOrPtr _t183;
                                                                				void* _t185;
                                                                
                                                                				_v8 = 0;
                                                                				_t183 = _a4;
                                                                				if(( *(_t183 + 0xd) & 0x00000020) != 0) {
                                                                					E6C6640CF();
                                                                				}
                                                                				ExpandEnvironmentStringsA(_t183 + 0x421,  &_v1033, 0x400);
                                                                				_t79 = ExpandEnvironmentStringsA( &_v1033, 0x6c66d911, 0x400);
                                                                				_push(_t183);
                                                                				_t178 = 0;
                                                                				while( *0x6c66d911 != 0) {
                                                                					asm("lodsb");
                                                                					__eflags = _t79 - 0x25;
                                                                					if(__eflags != 0) {
                                                                						continue;
                                                                					} else {
                                                                						lstrcpyA(0x6c66d911, E6C666EA0(0x6c66d911));
                                                                						_t178 = 1;
                                                                						break;
                                                                					}
                                                                				}
                                                                				_pop(_t185);
                                                                				_t188 =  *0x6C66D912 - 0x3a;
                                                                				if( *0x6C66D912 != 0x3a) {
                                                                					GetModuleFileNameA(0,  &_v1033, 0x400);
                                                                					E6C66226A(_t188,  &_v1033);
                                                                					if( *0x6c66d911 != 0x5c) {
                                                                						lstrcatA( &_v1033, 0x6c66d7a9);
                                                                					}
                                                                					lstrcatA( &_v1033, 0x6c66d911);
                                                                					lstrcpyA(0x6c66d911,  &_v1033);
                                                                				}
                                                                				LoadStringA( *0x6c66d8a2, 5, 0x6c67e645, 0x400);
                                                                				E6C6622C0(0x6c67e645);
                                                                				E6C6622C0(0x6c66d911);
                                                                				if(_t178 == 1 || ( *(_t185 + 0xd) & 0x00000001) != 0) {
                                                                					_t192 =  *0x6c66e95c;
                                                                					if( *0x6c66e95c != 0) {
                                                                						_t83 = 0;
                                                                						__eflags = 0;
                                                                					} else {
                                                                						lstrcpyA( &_v1033, 0x6c66d911);
                                                                						E6C66226A(_t192,  &_v1033);
                                                                						_t83 = E6C667100(0x6c66d911, "All Files",  &_v1033,  *0x6c66d8a6, E6C666EA0(0x6c66d911));
                                                                					}
                                                                					if(_t83 == 0) {
                                                                						goto L50;
                                                                					} else {
                                                                						goto L16;
                                                                					}
                                                                				} else {
                                                                					L16:
                                                                					_v9 = 0;
                                                                					if(GetFileAttributesA(0x6c66d911) == 0xffffffff) {
                                                                						L27:
                                                                						if( *((char*)(0x6c66d912)) == 0x3a) {
                                                                							_t197 =  *0x6C66D913 - 0x5c;
                                                                							if( *0x6C66D913 == 0x5c) {
                                                                								lstrcpyA( &_v1033, 0x6c66d911);
                                                                								E6C66226A(_t197,  &_v1033);
                                                                								E6C667170( &_v1033);
                                                                							}
                                                                						}
                                                                						_t31 = _t185 + 5; // 0x0
                                                                						_t33 = _t185 + 1; // 0x0
                                                                						if(E6C666D4C(0x6c66d911,  *_t31 + _t185,  *_t33) != 0) {
                                                                							_t34 = _t185 + 9; // 0x0
                                                                							_t100 =  *_t34;
                                                                							__eflags = _t100;
                                                                							if(_t100 != 0) {
                                                                								_t139 = SetFileAttributesA(0x6c66d911, _t100);
                                                                								__eflags = _t139 - 1;
                                                                								if(_t139 == 1) {
                                                                									LoadStringA( *0x6c66d8a2, 0x2c, 0x6c67fa45, 0x400);
                                                                									E6C6622C0(0x6c67fa45);
                                                                								}
                                                                							}
                                                                							__eflags =  *(_t185 + 0xd) & 0x00000002;
                                                                							if(( *(_t185 + 0xd) & 0x00000002) != 0) {
                                                                								LoadStringA( *0x6c66d8a2, 0x2d, 0x6c67fe45, 0x400);
                                                                								E6C6622C0(0x6c67fe45);
                                                                								__eflags =  *((char*)(0x6c66d912)) - 0x3a;
                                                                								if(__eflags == 0) {
                                                                									lstrcpyA( &_v1033, 0x6c66d911);
                                                                									E6C66226A(__eflags,  &_v1033);
                                                                									SetCurrentDirectoryA( &_v1033);
                                                                								}
                                                                								_t42 = _t185 + 0x21; // 0x6c66d932
                                                                								_t179 = _t42;
                                                                								__eflags =  *_t179;
                                                                								if( *_t179 != 0) {
                                                                									ExpandEnvironmentStringsA(_t179,  &_v2057, 0x400);
                                                                									_t180 =  &_v2057;
                                                                								} else {
                                                                									_t180 = 0;
                                                                								}
                                                                								__eflags =  *(_t185 + 0xd) & 0x00000004;
                                                                								if(( *(_t185 + 0xd) & 0x00000004) == 0) {
                                                                									ShellExecuteA(0, "open", 0x6c66d911, _t180, 0, 0xa);
                                                                								} else {
                                                                									_push(0x44);
                                                                									_push( &_v3152);
                                                                									L6C666B70();
                                                                									_push(0x10);
                                                                									_push( &_v3168);
                                                                									L6C666B70();
                                                                									lstrcpyA( &_v1033, "\"");
                                                                									__eflags =  *((char*)(0x6c66d912)) - 0x3a;
                                                                									if( *((char*)(0x6c66d912)) != 0x3a) {
                                                                										GetCurrentDirectoryA(0x400,  &_v3081);
                                                                										lstrcatA( &_v1033,  &_v3081);
                                                                										lstrcatA( &_v1033, 0x6c66d7c0);
                                                                									}
                                                                									lstrcatA( &_v1033, 0x6c66d911);
                                                                									lstrcatA( &_v1033, 0x6c66d7c2);
                                                                									lstrcatA( &_v1033, _t180);
                                                                									CreateProcessA(0x6c66d911,  &_v1033, 0, 0, 0, 0, 0, 0,  &_v3152,  &_v3168);
                                                                									WaitForSingleObject(_v3168, 0xffffffff);
                                                                								}
                                                                								__eflags =  *(_t185 + 0xd) & 0x00000008;
                                                                								if(( *(_t185 + 0xd) & 0x00000008) != 0) {
                                                                									LoadStringA( *0x6c66d8a2, 0x2e, 0x6c680245, 0x400);
                                                                									E6C6622C0(0x6c680245);
                                                                									DeleteFileA(0x6c66d911);
                                                                								}
                                                                							}
                                                                							LoadStringA( *0x6c66d8a2, 0x2f, 0x6c680645, 0x400);
                                                                							E6C6622C0(0x6c680645);
                                                                							_v8 = 1;
                                                                						} else {
                                                                							if(GetFileAttributesA(0x6c66d911) == 0xffffffff) {
                                                                								LoadStringA( *0x6c66d8a2, 0x2b, 0x6c67f645, 0x400);
                                                                								E6C6622C0(0x6c67f645);
                                                                							}
                                                                						}
                                                                						L50:
                                                                						_t200 = _v9;
                                                                						if(_v9 != 0) {
                                                                							E6C662368(_v8);
                                                                						}
                                                                						SetEnvironmentVariableA("dup2_last_file", 0x6c66d911);
                                                                						lstrcpyA( &_v1033, 0x6c66d911);
                                                                						E6C66226A(_t200,  &_v1033);
                                                                						SetEnvironmentVariableA("dup2_last_path",  &_v1033);
                                                                						if(( *(_t185 + 0xd) & 0x00000020) != 0) {
                                                                							E6C6640FA();
                                                                						}
                                                                						return _v8;
                                                                					}
                                                                					if(( *(_t185 + 0xd) & 0x00000010) == 0) {
                                                                						__eflags =  *0x6c66e95c;
                                                                						if( *0x6c66e95c != 0) {
                                                                							__eflags =  *0x6c66e95e - 1;
                                                                							if( *0x6c66e95e != 1) {
                                                                								_t151 = 7;
                                                                							} else {
                                                                								_t151 = 6;
                                                                							}
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x29, 0x6c67ea45, 0x400);
                                                                							_t151 = MessageBoxA( *0x6c66d8a6, 0x6c67ea45, 0x6c66d911, 0x24);
                                                                						}
                                                                						__eflags = _t151 - 6;
                                                                						if(_t151 != 6) {
                                                                							LoadStringA( *0x6c66d8a2, 0x2b, 0x6c67f245, 0x400);
                                                                							E6C6622C0(0x6c67f245);
                                                                							goto L50;
                                                                						} else {
                                                                							L25:
                                                                							_v9 = 1;
                                                                							E6C662313(0x6c66d911);
                                                                							SetFileAttributesA(0x6c66d911, 0x80);
                                                                							LoadStringA( *0x6c66d8a2, 0x2a, 0x6c67ee45, 0x400);
                                                                							E6C6622C0(0x6c67ee45);
                                                                							goto L27;
                                                                						}
                                                                					}
                                                                					goto L25;
                                                                				}
                                                                			}




















                                                                0x6c665df4
                                                                0x6c665dfa
                                                                0x6c665e06
                                                                0x6c665e3d
                                                                0x6c665e40
                                                                0x6c665e40
                                                                0x6c665e42
                                                                0x6c665e46
                                                                0x6c665e4b
                                                                0x6c665e4e
                                                                0x6c665e62
                                                                0x6c665e6c
                                                                0x6c665e6c
                                                                0x6c665e4e
                                                                0x6c665e71
                                                                0x6c665e78
                                                                0x6c665e90
                                                                0x6c665e9a
                                                                0x6c665e9f
                                                                0x6c665ea3
                                                                0x6c665ead
                                                                0x6c665eb9
                                                                0x6c665ec5
                                                                0x6c665ec5
                                                                0x6c665eca
                                                                0x6c665eca
                                                                0x6c665ecd
                                                                0x6c665ed0
                                                                0x6c665ee3
                                                                0x6c665ee8
                                                                0x6c665ed2
                                                                0x6c665ed2
                                                                0x6c665ed2
                                                                0x6c665eee
                                                                0x6c665ef5
                                                                0x6c665fd1
                                                                0x6c665efb
                                                                0x6c665efb
                                                                0x6c665f03
                                                                0x6c665f04
                                                                0x6c665f09
                                                                0x6c665f11
                                                                0x6c665f12
                                                                0x6c665f23
                                                                0x6c665f28
                                                                0x6c665f2c
                                                                0x6c665f3a
                                                                0x6c665f4d
                                                                0x6c665f5e
                                                                0x6c665f5e
                                                                0x6c665f6b
                                                                0x6c665f7c
                                                                0x6c665f89
                                                                0x6c665fb0
                                                                0x6c665fbd
                                                                0x6c665fbd
                                                                0x6c665fd6
                                                                0x6c665fdd
                                                                0x6c665ff1
                                                                0x6c665ffb
                                                                0x6c666001
                                                                0x6c666001
                                                                0x6c665fdd
                                                                0x6c666018
                                                                0x6c666022
                                                                0x6c666027
                                                                0x6c665e08
                                                                0x6c665e11
                                                                0x6c665e29
                                                                0x6c665e33
                                                                0x6c665e33
                                                                0x6c665e11
                                                                0x6c66602e
                                                                0x6c66602e
                                                                0x6c666032
                                                                0x6c666037
                                                                0x6c666037
                                                                0x6c666042
                                                                0x6c66604f
                                                                0x6c66605b
                                                                0x6c66606c
                                                                0x6c666078
                                                                0x6c66607a
                                                                0x6c66607a
                                                                0x6c666086
                                                                0x6c666086
                                                                0x6c665d12
                                                                0x6c665d16
                                                                0x6c665d1d
                                                                0x6c665d4b
                                                                0x6c665d52
                                                                0x6c665d5b
                                                                0x6c665d54
                                                                0x6c665d54
                                                                0x6c665d54
                                                                0x6c665d1f
                                                                0x6c665d31
                                                                0x6c665d44
                                                                0x6c665d44
                                                                0x6c665d60
                                                                0x6c665d63
                                                                0x6c665daf
                                                                0x6c665db9
                                                                0x00000000
                                                                0x6c665d65
                                                                0x6c665d65
                                                                0x6c665d65
                                                                0x6c665d6a
                                                                0x6c665d75
                                                                0x6c665d8c
                                                                0x6c665d96
                                                                0x00000000
                                                                0x6c665d96
                                                                0x6c665d63
                                                                0x00000000
                                                                0x6c665d14

                                                                APIs
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000400,00000001,?,00000000,?,6C66636F,00000000,00000001,00000000,6C680A45,00000400,00000184,00000000,00000000), ref: 6C665BD3
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,6C66D911,00000400,?,?,00000400,00000001,?,00000000,?,6C66636F,00000000,00000001,00000000,6C680A45,00000400), ref: 6C665BE9
                                                                • lstrcpyA.KERNEL32(6C66D911,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001,?,00000000,?,6C66636F,00000000), ref: 6C665C0D
                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001,?,00000000), ref: 6C665C35
                                                                • lstrcatA.KERNEL32(?,6C66D7A9,00000000,?,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001), ref: 6C665C57
                                                                • lstrcatA.KERNEL32(?,6C66D911,00000000,?,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001), ref: 6C665C64
                                                                • lstrcpyA.KERNEL32(6C66D911,?,?,6C66D911,00000000,?,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400), ref: 6C665C71
                                                                • LoadStringA.USER32(00000005,6C67E645,00000400,00000000), ref: 6C665C88
                                                                • lstrcpyA.KERNEL32(?,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001), ref: 6C665CBC
                                                                • GetFileAttributesA.KERNEL32(6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001,?,00000000), ref: 6C665CFD
                                                                • LoadStringA.USER32(00000029,6C67EA45,00000400,6C66D911), ref: 6C665D31
                                                                • MessageBoxA.USER32 ref: 6C665D44
                                                                • SetFileAttributesA.KERNEL32(6C66D911,00000080,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001), ref: 6C665D75
                                                                • LoadStringA.USER32(0000002A,6C67EE45,00000400,6C66D911), ref: 6C665D8C
                                                                  • Part of subcall function 6C6640CF: GetModuleHandleA.KERNEL32(kernel32.dll,6C664F4B), ref: 6C6640D4
                                                                  • Part of subcall function 6C6640CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C6640DF
                                                                • LoadStringA.USER32(0000002B,6C67F245,00000400,6C66D911), ref: 6C665DAF
                                                                • lstrcpyA.KERNEL32(?,6C66D911,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001), ref: 6C665DD7
                                                                • GetFileAttributesA.KERNEL32(6C66D911,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?), ref: 6C665E09
                                                                • LoadStringA.USER32(0000002B,6C67F645,00000400,6C66D911), ref: 6C665E29
                                                                • SetFileAttributesA.KERNEL32(6C66D911,00000000,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?), ref: 6C665E46
                                                                • LoadStringA.USER32(0000002C,6C67FA45,00000400,6C66D911), ref: 6C665E62
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • LoadStringA.USER32(0000002D,6C67FE45,00000400,6C66D911), ref: 6C665E90
                                                                • lstrcpyA.KERNEL32(?,6C66D911,0000002D,6C67FE45,00000400,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?), ref: 6C665EAD
                                                                • SetCurrentDirectoryA.KERNEL32(?,?,6C66D911,0000002D,6C67FE45,00000400,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?), ref: 6C665EC5
                                                                • ExpandEnvironmentStringsA.KERNEL32(6C66D932,?,00000400,0000002D,6C67FE45,00000400,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?), ref: 6C665EE3
                                                                • RtlZeroMemory.KERNEL32(?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645,00000400,00000000), ref: 6C665F04
                                                                • RtlZeroMemory.KERNEL32(?,00000010,?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400,6C66D911,00000000,00000000,6C66D911,00000005,6C67E645), ref: 6C665F12
                                                                • lstrcpyA.KERNEL32(?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400,6C66D911,00000000,00000000,6C66D911), ref: 6C665F23
                                                                • GetCurrentDirectoryA.KERNEL32(00000400,?,?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400,6C66D911,00000000), ref: 6C665F3A
                                                                • lstrcatA.KERNEL32(?,?,00000400,?,?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400), ref: 6C665F4D
                                                                • lstrcatA.KERNEL32(?,6C66D7C0,?,?,00000400,?,?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D), ref: 6C665F5E
                                                                • lstrcatA.KERNEL32(?,6C66D911,?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400,6C66D911,00000000), ref: 6C665F6B
                                                                • lstrcatA.KERNEL32(?,6C66D7C2,?,6C66D911,?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D,6C67FE45,00000400), ref: 6C665F7C
                                                                • lstrcatA.KERNEL32(?,?,?,6C66D7C2,?,6C66D911,?,6C66D7BC,?,00000010,?,00000044,6C66D932,?,00000400,0000002D), ref: 6C665F89
                                                                • CreateProcessA.KERNEL32(6C66D911,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,6C66D7C2,?,6C66D911), ref: 6C665FB0
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,6C66D911,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,6C66D7C2), ref: 6C665FBD
                                                                • ShellExecuteA.SHELL32(00000000,open,6C66D911,?,00000000,0000000A), ref: 6C665FD1
                                                                • LoadStringA.USER32(0000002E,6C680245,00000400,00000000), ref: 6C665FF1
                                                                • DeleteFileA.KERNEL32(6C66D911,0000002E,6C680245,00000400,00000000,open,6C66D911,?,00000000,0000000A,6C66D932,?,00000400,0000002D,6C67FE45,00000400), ref: 6C666001
                                                                • LoadStringA.USER32(0000002F,6C680645,00000400,6C66D911), ref: 6C666018
                                                                • SetEnvironmentVariableA.KERNEL32(dup2_last_file,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400,00000001), ref: 6C666042
                                                                • lstrcpyA.KERNEL32(?,6C66D911,dup2_last_file,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?,?,00000400), ref: 6C66604F
                                                                • SetEnvironmentVariableA.KERNEL32(dup2_last_path,?,?,6C66D911,dup2_last_file,6C66D911,00000005,6C67E645,00000400,00000000,6C66D911,?,?,6C66D911,00000400,?), ref: 6C66606C
                                                                  • Part of subcall function 6C666EA0: lstrlenA.KERNEL32(?), ref: 6C666EAA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LoadString$lstrcatlstrcpy$File$Environment$AttributesMessage$ExpandSendStrings$CurrentDirectoryMemoryModuleVariableZero$AddressCreateDeleteExecuteHandleNameObjectProcProcessShellSingleWaitlstrlen
                                                                • String ID: All Files$dup2_last_file$dup2_last_path$open
                                                                • API String ID: 3369982232-2561620864
                                                                • Opcode ID: a6a80e1f4c90e776c310139d9abc2f278e4464b3b14903419e0fe28f2830d6ac
                                                                • Instruction ID: 295fcc8f1cadf04aaafedf97a1b4aa9446265b1b867fc2558d402600beda9f0f
                                                                • Opcode Fuzzy Hash: a6a80e1f4c90e776c310139d9abc2f278e4464b3b14903419e0fe28f2830d6ac
                                                                • Instruction Fuzzy Hash: 6BC19DB0944608BADB209AA3DC89FDE77BC9B0270CF1149A5A310F1EC1D774D6498E2F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 95%
                                                                			E6C662463(CHAR* _a4, signed int _a8, signed int _a12) {
                                                                				char _v1028;
                                                                				char _v2052;
                                                                				char _v3076;
                                                                				signed int _v3080;
                                                                				long _t48;
                                                                				signed int _t52;
                                                                				void* _t53;
                                                                				long _t55;
                                                                				void* _t56;
                                                                				void* _t57;
                                                                				void* _t58;
                                                                				signed int _t59;
                                                                				int _t76;
                                                                				void* _t77;
                                                                				short* _t80;
                                                                				void* _t82;
                                                                				void* _t84;
                                                                				long _t92;
                                                                				CHAR* _t113;
                                                                				CHAR* _t114;
                                                                				void* _t116;
                                                                				void* _t132;
                                                                
                                                                				asm("pushad");
                                                                				_v3080 = 0;
                                                                				 *0x6c66e52e = 0;
                                                                				ExpandEnvironmentStringsA(_a4,  &_v3076, 0x400);
                                                                				_t48 = ExpandEnvironmentStringsA( &_v3076, 0x6c66d911, 0x400);
                                                                				while( *0x6c66d911 != 0) {
                                                                					asm("lodsb");
                                                                					__eflags = _t48 - 0x25;
                                                                					if(__eflags != 0) {
                                                                						continue;
                                                                					} else {
                                                                						lstrcpyA(0x6c66d911, E6C666EA0(0x6c66d911));
                                                                						break;
                                                                					}
                                                                				}
                                                                				if( *0x6C66D912 != 0x3a) {
                                                                					_t119 =  *0x6c66e95f;
                                                                					if( *0x6c66e95f != 0) {
                                                                						lstrcpyA( &_v3076, 0x6c66e95f);
                                                                					} else {
                                                                						GetModuleFileNameA(0,  &_v3076, 0x400);
                                                                						E6C66226A(_t119,  &_v3076);
                                                                					}
                                                                					if( *0x6c66d911 != 0x5c) {
                                                                						lstrcatA( &_v3076, 0x6c66d11a);
                                                                					}
                                                                					lstrcatA( &_v3076, 0x6c66d911);
                                                                					lstrcpyA(0x6c66d911,  &_v3076);
                                                                				}
                                                                				while(1) {
                                                                					LoadStringA( *0x6c66d8a2, 0x13, 0x6c67323d, 0x400);
                                                                					E6C6622C0(0x6c67323d);
                                                                					E6C6622C0(0x6c66d911);
                                                                					_t52 = GetFileAttributesA(0x6c66d911);
                                                                					 *0x6c66e511 = _t52;
                                                                					if(_t52 != 0xffffffff) {
                                                                						if((_a12 & 0x80000000) == 0) {
                                                                							__eflags = _t52 & 0x00000001;
                                                                							if((_t52 & 0x00000001) != 0) {
                                                                								_t92 = _t52 ^ 0x00000001;
                                                                								__eflags = _t92;
                                                                								SetFileAttributesA(0x6c66d911, _t92);
                                                                								E6C6622C0("Removing readonly file attribute");
                                                                							}
                                                                							E6C662313(0x6c66d911);
                                                                						}
                                                                					}
                                                                					if((_a12 & 0x80000000) == 0) {
                                                                						_t53 = CreateFileA(0x6c66d911, 0xc0000000, 2, 0, 3, 0x82, 0);
                                                                					} else {
                                                                						_t53 = CreateFileA(0x6c66d911, 0x80000000, 1, 0, 3, 0x82, 0);
                                                                					}
                                                                					if(_t53 != 0xffffffff) {
                                                                						break;
                                                                					}
                                                                					if(GetFileAttributesA(0x6c66d911) != 0xffffffff) {
                                                                						__eflags = _a12 & 0x00000002;
                                                                						if((_a12 & 0x00000002) == 0) {
                                                                							LoadStringA( *0x6c66d8a2, 0x12, 0x6c673e3d, 0x400);
                                                                							_t76 = MessageBoxA( *0x6c66d8a6, 0x6c673e3d, 0x6c66d911, 0x34);
                                                                							__eflags = _t76 - 6;
                                                                							if(_t76 != 6) {
                                                                								L40:
                                                                								L56:
                                                                								__eflags = _v3080;
                                                                								if(_v3080 == 0) {
                                                                									E6C6622C0("File not loaded");
                                                                								}
                                                                								asm("popad");
                                                                								return _v3080;
                                                                							}
                                                                							continue;
                                                                						}
                                                                						__eflags =  *0x6c66e52e;
                                                                						if( *0x6c66e52e != 0) {
                                                                							goto L40;
                                                                						}
                                                                						_t77 = E6C662411(0x6c66d911);
                                                                						__eflags = _t77 - 1;
                                                                						if(_t77 != 1) {
                                                                							goto L40;
                                                                						}
                                                                						 *0x6c66e52e = 1;
                                                                						LoadStringA( *0x6c66d8a2, 0x11, 0x6c673a3d, 0x400);
                                                                						E6C6622C0(0x6c673a3d);
                                                                						continue;
                                                                					}
                                                                					if( *0x6c66e95c != 0) {
                                                                						goto L40;
                                                                					}
                                                                					_t80 = E6C666EA0(0x6c66d911);
                                                                					if( *_t80 == 0x2e2a ||  *_t80 == 0) {
                                                                						L26:
                                                                						_t113 =  &_v1028;
                                                                						_t111 = 0x6c66d911;
                                                                						if( *((char*)(0x6c66d912)) == 0x3a) {
                                                                							_t111 = E6C666EA0(0x6c66d911);
                                                                						}
                                                                						lstrcpyA(_t113, _t111);
                                                                						_t82 = E6C666C90(_t113);
                                                                						if(_t82 > 0) {
                                                                							_t82 = _t82 + 1;
                                                                							_t132 = _t82;
                                                                						}
                                                                						_t114 =  &(_t113[_t82]);
                                                                						lstrcpyA(_t114, _t111);
                                                                						_t84 = _t82;
                                                                						RtlMoveMemory( &(_t114[_t84]), "Exe Files [*.exe]", 0x2e);
                                                                						_t116 = _t113;
                                                                						_t109 =  &_v2052;
                                                                						lstrcpyA( &_v2052, 0x6c66d911);
                                                                						E6C66226A(_t132, _t109);
                                                                						if(E6C666E30(0x6c66d911, _t116, _t109,  *0x6c66d8a6) != 1) {
                                                                							goto L32;
                                                                						} else {
                                                                							continue;
                                                                						}
                                                                					} else {
                                                                						LoadStringA( *0x6c66d8a2, 0x10, 0x6c67363d, 0x400);
                                                                						if(MessageBoxA( *0x6c66d8a6, 0x6c67363d, 0x6c66d911, 0x34) != 6) {
                                                                							L32:
                                                                							goto L40;
                                                                						}
                                                                						goto L26;
                                                                					}
                                                                				}
                                                                				 *0x6c66e515 = _t53;
                                                                				GetFileTime( *0x6c66e515, 0x6c66f181, 0x6c66f189, 0x6c66f191);
                                                                				_t55 = GetFileSize( *0x6c66e515, 0x6c66e51d);
                                                                				 *0x6c66e519 = _t55;
                                                                				__eflags = _a8;
                                                                				if(_a8 == 0) {
                                                                					_a8 = _t55;
                                                                				}
                                                                				__eflags = _a12 & 0x00000004;
                                                                				if((_a12 & 0x00000004) != 0) {
                                                                					_t72 = _t55 + 0x278 +  *0x6c66d880;
                                                                					__eflags = _t55 + 0x278 +  *0x6c66d880;
                                                                					_a8 = E6C666EE0(_t72, 0x100);
                                                                				}
                                                                				_push(_a8);
                                                                				_pop( *0x6c66e529);
                                                                				__eflags = _a12 & 0x80000000;
                                                                				if((_a12 & 0x80000000) == 0) {
                                                                					_t56 = CreateFileMappingA( *0x6c66e515, 0, 4, 0, 0, 0);
                                                                				} else {
                                                                					_t56 = CreateFileMappingA( *0x6c66e515, 0, 2, 0, 0, 0);
                                                                				}
                                                                				_t57 = _t56;
                                                                				__eflags = _t57;
                                                                				if(_t57 != 0) {
                                                                					 *0x6c66e525 = _t57;
                                                                					__eflags = _a12 & 0x80000000;
                                                                					if((_a12 & 0x80000000) == 0) {
                                                                						_t58 = MapViewOfFile(_t57, 2, 0, 0, 0);
                                                                					} else {
                                                                						_t58 = MapViewOfFile(_t57, 4, 0, 0, 0);
                                                                					}
                                                                					_t59 = _t58;
                                                                					__eflags = _t59;
                                                                					if(__eflags != 0) {
                                                                						 *0x6c66e521 = _t59;
                                                                						_v3080 = _t59;
                                                                						SetEnvironmentVariableA("dup2_last_file", 0x6c66d911);
                                                                						lstrcpyA( &_v3076, 0x6c66d911);
                                                                						E6C66226A(__eflags,  &_v3076);
                                                                						SetEnvironmentVariableA("dup2_last_path",  &_v3076);
                                                                						goto L56;
                                                                					} else {
                                                                						goto L49;
                                                                					}
                                                                				} else {
                                                                					L49:
                                                                					LoadStringA( *0x6c66d8a2, 0x14, 0x6c67423d, 0x400);
                                                                					E6C6622C0(0x6c67423d);
                                                                					goto L56;
                                                                				}
                                                                			}


























                                                                APIs
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000400), ref: 6C66248D
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,6C66D911,00000400,?,?,00000400), ref: 6C6624A3
                                                                • lstrcpyA.KERNEL32(6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C6624C4
                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000400,6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C6624F2
                                                                • lstrcpyA.KERNEL32(?,6C66E95F,6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C662511
                                                                • lstrcatA.KERNEL32(?,6C66D11A,?,6C66E95F,6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C662527
                                                                • lstrcatA.KERNEL32(?,6C66D911,?,6C66E95F,6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C662534
                                                                • lstrcpyA.KERNEL32(6C66D911,?,?,6C66D911,?,6C66E95F,6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C662541
                                                                • LoadStringA.USER32(00000013,6C67323D,00000400,6C66D911), ref: 6C662558
                                                                • GetFileAttributesA.KERNEL32(6C66D911,00000013,6C67323D,00000400,6C66D911,00000000,6C66D911,?,6C66D911,00000400,?,?,00000400), ref: 6C662576
                                                                • SetFileAttributesA.KERNEL32(6C66D911,00000000,6C66D911,00000013,6C67323D,00000400,6C673E3D,6C66D911,00000034,00000012,6C673E3D,00000400,6C66D911,6C66D911,C0000000,00000002), ref: 6C6625A0
                                                                • CreateFileA.KERNEL32(6C66D911,80000000,00000001,00000000,00000003,00000082,00000000,6C66D911,00000013,6C67323D,00000400,6C673E3D,6C66D911,00000034,00000012,6C673E3D), ref: 6C6625D9
                                                                • CreateFileA.KERNEL32(6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000,6C66D911,00000013,6C67323D,00000400,6C66D911,00000000,6C66D911,?,6C66D911), ref: 6C6625F7
                                                                • GetFileAttributesA.KERNEL32(6C66D911,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000,6C66D911,00000013,6C67323D,00000400,6C66D911,00000000,6C66D911,?), ref: 6C66260A
                                                                • LoadStringA.USER32(00000010,6C67363D,00000400,6C66D911), ref: 6C66264E
                                                                • MessageBoxA.USER32 ref: 6C662665
                                                                • lstrcpyA.KERNEL32(?,6C66D911,6C66D911,6C66D911,6C66D911,80000000,00000001,00000000,00000003,00000082,00000000,6C66D911,00000013,6C67323D,00000400,6C673E3D), ref: 6C66268A
                                                                • lstrcpyA.KERNEL32(?,6C66D911,00000000,?,?,?,6C66D911,6C66D911,6C66D911,6C66D911,80000000,00000001,00000000,00000003,00000082,00000000), ref: 6C6626A1
                                                                • RtlMoveMemory.KERNEL32(?,Exe Files [*.exe],0000002E,6C66D911,00000000,?,?,?,6C66D911,6C66D911,6C66D911,6C66D911,80000000,00000001,00000000,00000003), ref: 6C6626B1
                                                                • lstrcpyA.KERNEL32(?,6C66D911,Exe Files [*.exe],0000002E,6C66D911,00000000,?,?,?,6C66D911,6C66D911,6C66D911,6C66D911,80000000,00000001,00000000), ref: 6C6626C3
                                                                • LoadStringA.USER32(00000011,6C673A3D,00000400,6C66D911), ref: 6C662729
                                                                • LoadStringA.USER32(00000012,6C673E3D,00000400,6C66D911), ref: 6C662751
                                                                • MessageBoxA.USER32 ref: 6C662768
                                                                • GetFileTime.KERNEL32(6C66F181,6C66F189,6C66F191,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000,6C66D911,00000013,6C67323D,00000400,6C66D911,00000000), ref: 6C662796
                                                                • GetFileSize.KERNEL32(6C66E51D,6C66F181,6C66F189,6C66F191,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000,6C66D911,00000013,6C67323D,00000400,6C66D911), ref: 6C6627A6
                                                                • CreateFileMappingA.KERNEL32 ref: 6C6627FD
                                                                • CreateFileMappingA.KERNEL32 ref: 6C662814
                                                                • LoadStringA.USER32(00000014,6C67423D,00000400,00000000), ref: 6C66282F
                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,6C66E51D,6C66F181,6C66F189,6C66F191,6C66D911), ref: 6C662857
                                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,6C66E51D,6C66F181,6C66F189,6C66F191,6C66D911), ref: 6C662867
                                                                • SetEnvironmentVariableA.KERNEL32(dup2_last_file,6C66D911,00000000,00000002,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,6C66E51D,6C66F181,6C66F189), ref: 6C662887
                                                                • lstrcpyA.KERNEL32(?,6C66D911,dup2_last_file,6C66D911,00000000,00000002,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,6C66E51D), ref: 6C662898
                                                                • SetEnvironmentVariableA.KERNEL32(dup2_last_path,?,?,6C66D911,dup2_last_file,6C66D911,00000000,00000002,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000), ref: 6C6628B5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$lstrcpy$LoadString$CreateEnvironment$Attributes$ExpandMappingMessageStringsVariableViewlstrcat$MemoryModuleMoveNameSizeTime
                                                                • String ID: Exe Files [*.exe]$File not loaded$Removing readonly file attribute$dup2_last_file$dup2_last_path
                                                                • API String ID: 3117120910-276086001
                                                                • Opcode ID: 9f8e8985445e263546a756eba22ed7c4d867eaf13fa8c81b373dcada1d737ddf
                                                                • Instruction ID: 0ee916d08f251c6415dc97afacda6c0389fbd30e800e7af99a2a20c39e5b03f2
                                                                • Opcode Fuzzy Hash: 9f8e8985445e263546a756eba22ed7c4d867eaf13fa8c81b373dcada1d737ddf
                                                                • Instruction Fuzzy Hash: 8DA1D670688204BAEF309B73DC49FDA3768AB1371CF204A15B610F5ED1DBB496588A5F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 88%
                                                                			E6C66498E(intOrPtr _a4) {
                                                                				long _v8;
                                                                				signed char _v9;
                                                                				char* _v16;
                                                                				void* _v20;
                                                                				WCHAR* _v24;
                                                                				long _v28;
                                                                				int _v32;
                                                                				int _v36;
                                                                				signed int _v40;
                                                                				signed int _v44;
                                                                				CHAR* _v48;
                                                                				long _v52;
                                                                				intOrPtr _v56;
                                                                				int _v60;
                                                                				int _v64;
                                                                				long _v68;
                                                                				long _v72;
                                                                				void* _v1096;
                                                                				char _v1100;
                                                                				char _v1220;
                                                                				signed int _t174;
                                                                				void* _t175;
                                                                				void* _t177;
                                                                				int _t182;
                                                                				long _t184;
                                                                				CHAR* _t192;
                                                                				void* _t197;
                                                                				short* _t233;
                                                                				short* _t234;
                                                                				long _t236;
                                                                				long _t237;
                                                                				intOrPtr _t238;
                                                                				intOrPtr _t239;
                                                                				void* _t243;
                                                                				void* _t244;
                                                                				void* _t245;
                                                                				intOrPtr _t246;
                                                                				intOrPtr* _t247;
                                                                				CHAR* _t248;
                                                                				long _t250;
                                                                				void* _t251;
                                                                
                                                                				_v8 = 0;
                                                                				_v9 = 1;
                                                                				_t246 = _a4;
                                                                				LoadStringA( *0x6c66d8a2, 6, 0x6c679e3d, 0x400);
                                                                				E6C6622C0(0x6c679e3d);
                                                                				 *_t5 =  *(_t246 + 0x401);
                                                                				if(( *(_t246 + 0x401) & 0x00000008) != 0) {
                                                                					E6C6640CF();
                                                                				}
                                                                				if(E6C662463(_t246 + 1, 0,  *(_t246 + 0x401)) != 0) {
                                                                					if( *0x6c66e519 >= 0x100000) {
                                                                						_t174 =  *0x6c66e519 << 1;
                                                                					} else {
                                                                						_t174 = 0x100000;
                                                                					}
                                                                					_v72 = _t174;
                                                                					_t175 = VirtualAlloc(0, _v72, 0x1000, 4);
                                                                					_v16 = _t175;
                                                                					_v24 = _t175;
                                                                					_v20 = VirtualAlloc(0, _v72, 0x1000, 4);
                                                                					_t177 =  *0x6c66e521;
                                                                					if( *_t177 != 0xfeff) {
                                                                						RtlMoveMemory(_v16,  *0x6c66e521,  *0x6c66e519);
                                                                						_v68 = 0;
                                                                					} else {
                                                                						WideCharToMultiByte(0, 0, _t177 + 2,  *0x6c66e519 - 2 >> 1, _v16, _v72, 0, 0);
                                                                						LoadStringA( *0x6c66d8a2, 0x18, 0x6c67a23d, 0x400);
                                                                						E6C6622C0(0x6c67a23d);
                                                                						_v68 = 1;
                                                                					}
                                                                					_t247 = _t246 + 0x408;
                                                                					while( *((intOrPtr*)(_t247 + 4)) != 0) {
                                                                						 *_t23 =  *_t247;
                                                                						_t248 = _t247 + 8;
                                                                						_v48 = _t248;
                                                                						 *_t26 =  *((intOrPtr*)(_t248 - 4));
                                                                						_t250 = _t248 +  *((intOrPtr*)(_t248 - 4)) + 5;
                                                                						_v52 = _t250;
                                                                						_v56 = _t250;
                                                                						 *_t31 =  *((intOrPtr*)(_t250 - 4));
                                                                						_v28 = E6C666C90(_v24);
                                                                						_t251 = _v16;
                                                                						_t243 = _v20;
                                                                						_push(_v72);
                                                                						_push(_t243);
                                                                						L6C666B70();
                                                                						_push(_v52);
                                                                						if((_v40 & 0x00000080) != 0) {
                                                                							ExpandEnvironmentStringsA(_v48, 0x6c66f199, 0x1000);
                                                                							_v60 = E6C666C90(0x6c66f199);
                                                                							 *_t43 = 0x6c66f199;
                                                                						}
                                                                						if((_v40 & 0x00000100) != 0) {
                                                                							ExpandEnvironmentStringsA(_v52, 0x6c670199, 0x1000);
                                                                							_v64 = E6C666C90(0x6c670199);
                                                                							 *_t49 = 0x6c670199;
                                                                						}
                                                                						while(_v28 != 0) {
                                                                							_t182 = E6C663E20(_v48, _t251, _v40,  &_v60,  &_v1220,  &_v1100);
                                                                							_v36 = _t182;
                                                                							if(_v36 >= 0 && (_v40 & 0x00000002) != 0) {
                                                                								_v32 = _t182;
                                                                								if(_t251 != _v24 && E6C667300(_t251 - 1, " <>[]|$^!%&/\\(){}=?`*+-\'#.:;,@~\"\r\n\t") == 0) {
                                                                									_v32 = 0xffffffff;
                                                                								}
                                                                								if(E6C667300(_t251 + _v60, " <>[]|$^!%&/\\(){}=?`*+-\'#.:;,@~\"\r\n\t") == 0) {
                                                                									_v32 = 0xffffffff;
                                                                								}
                                                                							}
                                                                							if(_v36 < 0) {
                                                                								if((_v40 & 0x00001000) == 0) {
                                                                									asm("movsb");
                                                                									_v28 = _v28 - 1;
                                                                									continue;
                                                                								}
                                                                								_t236 = _v28;
                                                                								while(1) {
                                                                									_t237 = _t236;
                                                                									if(_t237 == 0) {
                                                                										break;
                                                                									}
                                                                									asm("movsb");
                                                                									_t236 = _t237 - 1;
                                                                								}
                                                                								_v28 = 0;
                                                                							} else {
                                                                								if((_v40 & 0x00001000) != 0) {
                                                                									E6C663DA0( &_v1220, _v56, 0x6c671199, _v36,  &_v1220, _t251);
                                                                									 *_t73 = 0x6c671199;
                                                                									_v64 = E6C666C90(_v52);
                                                                								}
                                                                								if((_v40 & 0x00000040) != 0 &&  *0x6c67e63d !=  &_v1096) {
                                                                									_push(_v52);
                                                                									_pop( *0x6c67e63d);
                                                                									if(DialogBoxParamA( *0x6c66d8a2, 3,  *0x6c66d8a6, E6C6658B0,  &_v1096) != 0) {
                                                                										_v64 = E6C666C90( &_v1096);
                                                                										_v52 =  &_v1096;
                                                                									}
                                                                								}
                                                                								_t238 = _v1100;
                                                                								while(1) {
                                                                									_t239 = _t238;
                                                                									if(_t239 == 0) {
                                                                										break;
                                                                									}
                                                                									asm("movsb");
                                                                									_t238 = _t239 - 1;
                                                                								}
                                                                								if((_v40 & 0x00000008) == 0) {
                                                                									if((_v40 & 0x00000004) == 0) {
                                                                										if((_v40 & 0x00000010) == 0) {
                                                                											if((_v40 & 0x00000020) != 0) {
                                                                												RtlMoveMemory(_t243, _v52, _v64);
                                                                												_t244 = _t243 + _v64;
                                                                												RtlMoveMemory(_t244, _t251, _v60);
                                                                												_t243 = _t244 + _v60;
                                                                												_t251 = _t251 + _v60;
                                                                											}
                                                                										} else {
                                                                											RtlMoveMemory(_t243, _t251, _v60);
                                                                											_t245 = _t243 + _v60;
                                                                											_t251 = _t251 + _v60;
                                                                											RtlMoveMemory(_t245, _v52, _v64);
                                                                											_t243 = _t245 + _v64;
                                                                										}
                                                                									} else {
                                                                										RtlMoveMemory(_t243, _v52, _v64);
                                                                										_t243 = _t243 + _v64;
                                                                										_t251 = _t251 + _v60;
                                                                									}
                                                                								} else {
                                                                									_t251 = _t251 + _v60;
                                                                								}
                                                                								if( *_t251 == 0) {
                                                                									_v28 = 0;
                                                                								} else {
                                                                									_v28 = _v28 - _v60;
                                                                								}
                                                                								_v8 = 1;
                                                                							}
                                                                						}
                                                                						_pop( *_t129);
                                                                						_push(_v16);
                                                                						_push(_v20);
                                                                						_pop( *_t132);
                                                                						_pop( *_t133);
                                                                						_push(_v16);
                                                                						_pop( *_t135);
                                                                						_t247 = _v52 +  *((intOrPtr*)(_v52 - 4)) + 1;
                                                                					}
                                                                					E6C6628D8(_v8, 0);
                                                                					_t184 =  *0x6c66e511;
                                                                					if((_t184 & 0x00000001) != 0) {
                                                                						_t184 = _t184 - 1;
                                                                					}
                                                                					SetFileAttributesA(0x6c66d911, _t184);
                                                                					if(_v68 != 1) {
                                                                						 *0x6c66e529 = E6C666C90(_v24);
                                                                					} else {
                                                                						if(_v16 != _v24) {
                                                                							_t233 = _v16;
                                                                						} else {
                                                                							_t233 = _v20;
                                                                						}
                                                                						 *_t233 = 0xfeff;
                                                                						_t234 = _t233 + 2;
                                                                						MultiByteToWideChar(0, 0, _v24, 0xffffffff, _t234, _v72);
                                                                						_v24 = _t234 - 2;
                                                                						 *0x6c66e529 = lstrlenW(_v24) << 1;
                                                                					}
                                                                					if(E6C666D4C(0x6c66d911, _v24,  *0x6c66e529) != 0) {
                                                                						if((_v44 & 0x00000010) != 0) {
                                                                							_t197 = CreateFileA(0x6c66d911, 0xc0000000, 0, 0, 3, 0x82, 0);
                                                                							 *0x6c66e515 = _t197;
                                                                							if(_t197 != 0xffffffff) {
                                                                								SetFileTime( *0x6c66e515, 0x6c66f181, 0x6c66f189, 0x6c66f191);
                                                                								CloseHandle( *0x6c66e515);
                                                                							}
                                                                						}
                                                                					} else {
                                                                						_v9 = 0;
                                                                					}
                                                                					VirtualFree(_v16, _v72, 0x4000);
                                                                					VirtualFree(_v20, _v72, 0x4000);
                                                                					goto L69;
                                                                				} else {
                                                                					_v9 = 0;
                                                                					L69:
                                                                					if(_v8 != 0) {
                                                                						LoadStringA( *0x6c66d8a2, 0xb, 0x6c67aa3d, 0x400);
                                                                						_t192 = 0x6c67aa3d;
                                                                					} else {
                                                                						LoadStringA( *0x6c66d8a2, 0xa, 0x6c67a63d, 0x400);
                                                                						_t192 = 0x6c67a63d;
                                                                						_v9 = 0;
                                                                					}
                                                                					E6C6622C0(_t192);
                                                                					if(( *(_a4 + 0x401) & 0x00000008) != 0) {
                                                                						E6C6640FA();
                                                                					}
                                                                					return _v9 & 0x000000ff;
                                                                				}
                                                                			}












































                                                                0x6c664dab
                                                                0x6c664da6
                                                                0x6c664da6
                                                                0x6c664da6
                                                                0x6c664dae
                                                                0x6c664db3
                                                                0x6c664dc3
                                                                0x6c664dcb
                                                                0x6c664dd8
                                                                0x6c664dd8
                                                                0x6c664e01
                                                                0x6c664e10
                                                                0x6c664e29
                                                                0x6c664e2e
                                                                0x6c664e36
                                                                0x6c664e4d
                                                                0x6c664e58
                                                                0x6c664e58
                                                                0x6c664e36
                                                                0x6c664e03
                                                                0x6c664e03
                                                                0x6c664e03
                                                                0x6c664e68
                                                                0x6c664e78
                                                                0x00000000
                                                                0x6c6649f8
                                                                0x6c6649f8
                                                                0x6c664e7d
                                                                0x6c664e81
                                                                0x6c664eb7
                                                                0x6c664ebc
                                                                0x6c664e83
                                                                0x6c664e95
                                                                0x6c664e9a
                                                                0x6c664e9f
                                                                0x6c664e9f
                                                                0x6c664ec2
                                                                0x6c664ed4
                                                                0x6c664ed6
                                                                0x6c664ed6
                                                                0x6c664ee3
                                                                0x6c664ee3

                                                                APIs
                                                                • LoadStringA.USER32(00000006,6C679E3D,00000400,00000001), ref: 6C6649BA
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • LoadStringA.USER32(0000000A,6C67A63D,00000400,?), ref: 6C664E95
                                                                  • Part of subcall function 6C6640CF: GetModuleHandleA.KERNEL32(kernel32.dll,6C664F4B), ref: 6C6640D4
                                                                  • Part of subcall function 6C6640CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C6640DF
                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 6C664A2A
                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6C664A41
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6C664A73
                                                                • LoadStringA.USER32(00000018,6C67A23D,00000400,00000000), ref: 6C664A8A
                                                                • RtlMoveMemory.KERNEL32(?,00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6C664AB1
                                                                • RtlZeroMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00001000,00000004,00000000,?,00001000,00000004), ref: 6C664B00
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,6C66F199,00001000,?,?,?,?,?,00000000,?,?,00000000,?,00001000,00000004,00000000), ref: 6C664B1E
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,6C670199,00001000,?,?,?,?,?,00000000,?,?,00000000,?,00001000,00000004,00000000), ref: 6C664B4E
                                                                • DialogBoxParamA.USER32(00000003,6C6658B0,?,?,?), ref: 6C664C54
                                                                • RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C664CA3
                                                                • RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C664CBE
                                                                • RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C664CD0
                                                                • RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C664CEA
                                                                • RtlMoveMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C664CF7
                                                                • SetFileAttributesA.KERNEL32(6C66D911,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C664D93
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,6C66D911,?,?,?,?,?,?,?,?,?), ref: 6C664DC3
                                                                • lstrlenW.KERNEL32(?,00000000,00000000,?,000000FF,?,?,6C66D911,?,?,?,?,?,?,?,?), ref: 6C664DD1
                                                                • CreateFileA.KERNEL32(6C66D911,C0000000,00000000,00000000,00000003,00000082,00000000,6C66D911,?,?,6C66D911,?,?,?,?,?), ref: 6C664E29
                                                                • SetFileTime.KERNEL32(6C66F181,6C66F189,6C66F191,6C66D911,C0000000,00000000,00000000,00000003,00000082,00000000,6C66D911,?,?,6C66D911,?,?), ref: 6C664E4D
                                                                • CloseHandle.KERNEL32(6C66F181,6C66F189,6C66F191,6C66D911,C0000000,00000000,00000000,00000003,00000082,00000000,6C66D911,?,?,6C66D911,?,?), ref: 6C664E58
                                                                • VirtualFree.KERNEL32(?,?,00004000,6C66D911,?,?,6C66D911,?,?,?,?,?,?,?,?,?), ref: 6C664E68
                                                                • VirtualFree.KERNEL32(?,?,00004000,?,?,00004000,6C66D911,?,?,6C66D911,?,?,?,?,?,?), ref: 6C664E78
                                                                • LoadStringA.USER32(0000000B,6C67AA3D,00000400,?), ref: 6C664EB7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Memory$Move$LoadStringVirtual$FileMessageSend$AllocByteCharEnvironmentExpandFreeHandleMultiStringsWide$AddressAttributesCloseCreateDialogModuleParamProcTimeZerolstrlen
                                                                • String ID: $ <>[]|$^!%&/\(){}=?`*+-'#.:;,@~"
                                                                • API String ID: 1051299063-3390012715
                                                                • Opcode ID: e47a6c02b0998901d7b14db2c775517b80e1de31f36f1263531ce4a96336521f
                                                                • Instruction ID: ce6d306d2d6fda5357dd33771f21ed9d71fd62370ab5fc0853003937872878f5
                                                                • Opcode Fuzzy Hash: e47a6c02b0998901d7b14db2c775517b80e1de31f36f1263531ce4a96336521f
                                                                • Instruction Fuzzy Hash: 70E14571D00218EBDF11CFA6DD51BEEBBB5AB06308F104518F610B6EA0C7B259549BAE
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C663690(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, struct HWND__* _a16) {
                                                                				intOrPtr _t23;
                                                                				void* _t28;
                                                                
                                                                				_t23 = _a8;
                                                                				if(_t23 != 0x110) {
                                                                					if(_t23 != 0x111) {
                                                                						if(_t23 == 0x138 || _t23 == 0x133) {
                                                                							if( *0x6c66e537 != 1) {
                                                                								return 0;
                                                                							}
                                                                							if(GetDlgCtrlID(_a16) != 0x65) {
                                                                								SetTextColor(_a12,  *0x6c66e940);
                                                                								if( *0x6c66e93c != 0xffffffff) {
                                                                									SetBkColor(_a12,  *0x6c66e938);
                                                                									_t28 = CreateSolidBrush( *0x6c66e938);
                                                                								} else {
                                                                									SetBkMode(_a12, 1);
                                                                									_t28 = GetStockObject(5);
                                                                								}
                                                                								return _t28;
                                                                							}
                                                                							SetTextColor(_a12,  *0x6c66e940);
                                                                							if( *0x6c66e93c != 0xffffffff) {
                                                                								SetBkColor(_a12,  *0x6c66e93c);
                                                                								return CreateSolidBrush( *0x6c66e93c);
                                                                							}
                                                                							SetBkMode(_a12, 1);
                                                                							return GetStockObject(5);
                                                                						}
                                                                						if(_t23 == 0x136) {
                                                                							if( *0x6c66e537 != 1) {
                                                                								return 0;
                                                                							}
                                                                							return CreateSolidBrush( *0x6c66e938);
                                                                						}
                                                                						if(_t23 != 0x2b) {
                                                                							if(_t23 != 0x200) {
                                                                								if(_t23 != 0x10) {
                                                                									return 0;
                                                                								} else {
                                                                									goto L37;
                                                                								}
                                                                							} else {
                                                                								if(_a12 == 1) {
                                                                									SendMessageA(_a4, 0x112, 0xf012, 0);
                                                                								}
                                                                								goto L39;
                                                                							}
                                                                						} else {
                                                                							return E6C663C60(_a4, _a16);
                                                                						}
                                                                					} else {
                                                                						if(_a12 == 0x66) {
                                                                							L37:
                                                                							EndDialog(_a4, 0);
                                                                						}
                                                                						goto L39;
                                                                					}
                                                                				} else {
                                                                					if((GetWindowLongA( *0x6c66d8a6, 0xffffffec) & 0x00000008) == 0) {
                                                                						SetWindowPos(_a4, 0xfffffffe, 0, 0, 0, 0, 3);
                                                                					}
                                                                					SetDlgItemTextA(_a4, 0x65, E6C662A53( *0x6c66d8aa, 8));
                                                                					if( *0x6c66e537 == 1 &&  *0x6c66e954 != 0xffffffff &&  *0x6c66e958 != 0xffffffff) {
                                                                						E6C663C34(_a4, 0x66);
                                                                					}
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_ABOUT_OK_UP", "BTN_ABOUT_OK_DOWN", "BTN_ABOUT_OK_OVER", 0x66);
                                                                					_t48 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                					if(E6C661460( *0x6c66d8a2, 0xb, 1) != 0) {
                                                                						E6C663AE0(_a4, _t48);
                                                                					}
                                                                					E6C667260(_a4,  *0x6c66d8a6);
                                                                					L39:
                                                                					return 1;
                                                                				}
                                                                				goto L40;
                                                                			}






                                                                APIs
                                                                • GetWindowLongA.USER32 ref: 6C6636AC
                                                                • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC), ref: 6C6636C7
                                                                • SetDlgItemTextA.USER32(?,00000065,00000000), ref: 6C6636DF
                                                                • EndDialog.USER32 ref: 6C6638AD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$DialogItemLongText
                                                                • String ID: BTN_ABOUT_OK_DOWN$BTN_ABOUT_OK_OVER$BTN_ABOUT_OK_UP
                                                                • API String ID: 917433306-3517212525
                                                                • Opcode ID: 7574e9342d7056705f94e40c64b3a70d9a9680147206290b46628ce59d6fbb73
                                                                • Instruction ID: 736882bd082a9ec1475763a7504cc1490ae60616edf6b149ad3c624cc37e82a5
                                                                • Opcode Fuzzy Hash: 7574e9342d7056705f94e40c64b3a70d9a9680147206290b46628ce59d6fbb73
                                                                • Instruction Fuzzy Hash: 3A51A070644644BBEF215B17DC81FD93A21EB0336CF104636F611A5EE0C7B2C8A5969F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 95%
                                                                			E6C6658B0(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, intOrPtr _a16) {
                                                                				char _v1028;
                                                                				intOrPtr _t28;
                                                                				CHAR* _t45;
                                                                				int _t57;
                                                                				void* _t58;
                                                                				CHAR* _t59;
                                                                				void* _t60;
                                                                
                                                                				_t28 = _a8;
                                                                				if(_t28 != 0x110) {
                                                                					if(_t28 != 0x111) {
                                                                						if(_t28 == 0x138) {
                                                                							if( *0x6c66e537 != 1) {
                                                                								return 0;
                                                                							}
                                                                							SetTextColor(_a12,  *0x6c66e940);
                                                                							if( *0x6c66e93c != 0xffffffff) {
                                                                								SetBkColor(_a12,  *0x6c66e93c);
                                                                								return CreateSolidBrush( *0x6c66e93c);
                                                                							}
                                                                							SetBkMode(_a12, 1);
                                                                							return GetStockObject(5);
                                                                						}
                                                                						if(_t28 == 0x136) {
                                                                							if( *0x6c66e537 != 1) {
                                                                								return 0;
                                                                							}
                                                                							return CreateSolidBrush( *0x6c66e938);
                                                                						}
                                                                						if(_t28 != 0x2b) {
                                                                							if(_t28 != 0x200) {
                                                                								if(_t28 != 0x10) {
                                                                									return 0;
                                                                								} else {
                                                                									goto L41;
                                                                								}
                                                                							} else {
                                                                								if(_a12 == 1) {
                                                                									SendMessageA(_a4, 0x112, 0xf012, 0);
                                                                								}
                                                                								goto L43;
                                                                							}
                                                                						} else {
                                                                							return E6C663C60(_a4, _a16);
                                                                						}
                                                                					} else {
                                                                						if(_a12 != 0x66) {
                                                                							if((GetKeyState(0xd) & 0x00008000) != 0) {
                                                                								SendMessageA(_a4, 0x111, 0x66, 0);
                                                                							}
                                                                						} else {
                                                                							_t45 =  *0x6c67e641;
                                                                							 *_t45 = 0;
                                                                							if(GetDlgItemTextA(_a4, 0x65, _t45, 0x400) != 0) {
                                                                								L41:
                                                                								EndDialog(_a4,  *0x6c67e641);
                                                                							}
                                                                						}
                                                                						goto L43;
                                                                					}
                                                                				} else {
                                                                					_push(_a16);
                                                                					_pop( *0x6c67e641);
                                                                					if((GetWindowLongA( *0x6c66d8a6, 0xffffffec) & 0x00000008) == 0) {
                                                                						SetWindowPos(_a4, 0xfffffffe, 0, 0, 0, 0, 3);
                                                                					}
                                                                					if( *0x6c66e537 == 1 &&  *0x6c66e954 != 0xffffffff &&  *0x6c66e958 != 0xffffffff) {
                                                                						E6C663C34(_a4, 0x66);
                                                                					}
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_REGP_OK_UP", "BTN_REGP_OK_DOWN", "BTN_REGP_OK_OVER", 0x66);
                                                                					_t51 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                					if(E6C661460( *0x6c66d8a2, 0xb, 1) != 0) {
                                                                						E6C663AE0(_a4, _t51);
                                                                					}
                                                                					E6C667260(_a4,  *0x6c66d8a6);
                                                                					_t60 =  *0x6c67e63d;
                                                                					_t59 =  &_v1028;
                                                                					if( *_t60 == 0x24) {
                                                                						_t60 = _t60 + 1;
                                                                					}
                                                                					_t57 = 0;
                                                                					while( *((char*)(_t60 + _t57)) != 0x24 &&  *((char*)(_t60 + _t57)) != 0) {
                                                                						_t57 = _t57 + 1;
                                                                					}
                                                                					RtlMoveMemory(_t59, _t60, _t57);
                                                                					_t58 = _t57;
                                                                					 *((char*)(_t58 + _t59)) = 0;
                                                                					SetWindowTextA(_a4, _t59);
                                                                					L43:
                                                                					return 1;
                                                                				}
                                                                				goto L44;
                                                                			}











                                                                APIs
                                                                • GetWindowLongA.USER32 ref: 6C6658DB
                                                                • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC,?), ref: 6C6658F6
                                                                • RtlMoveMemory.KERNEL32(?,?,00000000,00000000,?,0000000B,00000001,?), ref: 6C665990
                                                                • SetWindowTextA.USER32(?,?), ref: 6C66599E
                                                                • GetDlgItemTextA.USER32(?,00000065,?,00000400), ref: 6C6659CA
                                                                • EndDialog.USER32 ref: 6C665ADF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$Text$DialogItemLongMemoryMove
                                                                • String ID: BTN_REGP_OK_DOWN$BTN_REGP_OK_OVER$BTN_REGP_OK_UP
                                                                • API String ID: 1467606235-2190942234
                                                                • Opcode ID: 9c50872b5c9ee782f1401646dab022993df0ce756d0c195ce2d19e92563ad60d
                                                                • Instruction ID: 1f9c4120a08d755c606e75c1cf239661d28466d2ce55c7f004ff400cf28704e8
                                                                • Opcode Fuzzy Hash: 9c50872b5c9ee782f1401646dab022993df0ce756d0c195ce2d19e92563ad60d
                                                                • Instruction Fuzzy Hash: BB51E530644195BAEF214A17DC82FC93B71EB0336CF244622F211A8DE2D7B2C895979F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 94%
                                                                			E6C665516(intOrPtr _a4) {
                                                                				signed char _v5;
                                                                				char _v1029;
                                                                				void* _v1036;
                                                                				void* _v1040;
                                                                				long _v1044;
                                                                				long _v1048;
                                                                				struct _SHELLEXECUTEINFOA _v1108;
                                                                				long _t55;
                                                                				void* _t58;
                                                                				long _t76;
                                                                				void* _t79;
                                                                				intOrPtr _t81;
                                                                
                                                                				_v5 = 0;
                                                                				LoadStringA( *0x6c66d8a2, 4, 0x6c67e23d, 0x400);
                                                                				E6C6622C0(0x6c67e23d);
                                                                				GetTempPathA(0x400,  &_v1029);
                                                                				lstrcatA( &_v1029, "\\regpatch.reg");
                                                                				_t81 = _a4;
                                                                				if(( *(_t81 + 5) & 0x00000008) != 0) {
                                                                					E6C6640CF();
                                                                				}
                                                                				_t55 =  *((intOrPtr*)(_t81 + 1)) + 0x100000;
                                                                				_v1044 = _t55;
                                                                				_v1036 = VirtualAlloc(0, _t55, 0x1000, 4);
                                                                				_t58 = E6C6657A2(_t81 + 9, _v1036);
                                                                				_t79 = _v1036;
                                                                				if(( *(_t81 + 5) & 0x00000001) != 0) {
                                                                					_t76 =  *((intOrPtr*)(_t81 + 1)) + 0x100000;
                                                                					_v1048 = _t76;
                                                                					_v1040 = VirtualAlloc(0, _t76, 0x1000, 4);
                                                                					_t58 = E6C6656F6(_v1036, _v1040, _v1048);
                                                                					_t79 = _v1040;
                                                                				}
                                                                				if(E6C666D4C( &_v1029, _t79, _t58) != 0) {
                                                                					lstrcpyA(0x6c66d911, "/s \"");
                                                                					lstrcatA(0x6c66d911,  &_v1029);
                                                                					lstrcatA(0x6c66d911, 0x6c66d701);
                                                                					_push(0x3c);
                                                                					_push( &_v1108);
                                                                					L6C666B70();
                                                                					_v1108.cbSize = 0x3c;
                                                                					_v1108.fMask = 0x40;
                                                                					_v1108.lpVerb = "open";
                                                                					_v1108.lpFile = "regedit.exe";
                                                                					_v1108.lpParameters = 0x6c66d911;
                                                                					_v1108.nShow = 0;
                                                                					ShellExecuteExA( &_v1108);
                                                                					WaitForSingleObject(_v1108.hProcess, 0xffffffff);
                                                                					_v5 = 1;
                                                                				}
                                                                				VirtualFree(_v1036, _v1044, 0x4000);
                                                                				if(( *(_t81 + 5) & 0x00000001) != 0) {
                                                                					VirtualFree(_v1040, _v1048, 0x4000);
                                                                				}
                                                                				DeleteFileA( &_v1029);
                                                                				if(( *(_t81 + 5) & 0x00000008) != 0) {
                                                                					E6C6640FA();
                                                                				}
                                                                				return _v5 & 0x000000ff;
                                                                			}
















                                                                APIs
                                                                • LoadStringA.USER32(00000004,6C67E23D,00000400,00000001), ref: 6C665538
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • GetTempPathA.KERNEL32(00000400,?,00000004,6C67E23D,00000400,00000001,?,00000000,?,6C66637F,00000000,00000001,00000000,6C680A45,00000400,00000184), ref: 6C665553
                                                                • lstrcatA.KERNEL32(?,\regpatch.reg,00000400,?,00000004,6C67E23D,00000400,00000001,?,00000000,?,6C66637F,00000000,00000001,00000000,6C680A45), ref: 6C665564
                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?,00000004,6C67E23D,00000400,00000001,?,00000000,?,6C66637F), ref: 6C665592
                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?,00000004,6C67E23D), ref: 6C6655D3
                                                                • lstrcpyA.KERNEL32(6C66D911,/s ",?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?,00000004), ref: 6C66561C
                                                                • lstrcatA.KERNEL32(6C66D911,?,6C66D911,/s ",?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400), ref: 6C665629
                                                                • lstrcatA.KERNEL32(6C66D911,6C66D701,6C66D911,?,6C66D911,/s ",?,?,00000000,?,?,00000000,?,00001000,00000004,?), ref: 6C665634
                                                                • RtlZeroMemory.KERNEL32(?,0000003C,6C66D911,6C66D701,6C66D911,?,6C66D911,/s ",?,?,00000000,?,?,00000000,?,00001000), ref: 6C665642
                                                                • ShellExecuteExA.SHELL32(0000003C,?,0000003C,6C66D911,6C66D701,6C66D911,?,6C66D911,/s ",?,?,00000000,?,?,00000000,?), ref: 6C665686
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,0000003C,?,0000003C,6C66D911,6C66D701,6C66D911,?,6C66D911,/s ",?,?,00000000,?,?), ref: 6C665693
                                                                • VirtualFree.KERNEL32(?,?,00004000,?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400,?), ref: 6C6656AD
                                                                • VirtualFree.KERNEL32(?,?,00004000,?,?,00004000,?,?,00000000,?,?,00000000,?,00001000,00000004,?), ref: 6C6656CC
                                                                • DeleteFileA.KERNEL32(?,?,?,00004000,?,?,00000000,?,?,00000000,?,00001000,00000004,?,\regpatch.reg,00000400), ref: 6C6656D8
                                                                  • Part of subcall function 6C6640CF: GetModuleHandleA.KERNEL32(kernel32.dll,6C664F4B), ref: 6C6640D4
                                                                  • Part of subcall function 6C6640CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C6640DF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Virtual$MessageSendlstrcat$AllocFree$AddressDeleteExecuteFileHandleLoadMemoryModuleObjectPathProcShellSingleStringTempWaitZerolstrcpy
                                                                • String ID: /s "$<$@$\regpatch.reg
                                                                • API String ID: 2640690069-2261817607
                                                                • Opcode ID: 6f98c8f330dfdac4308f0a29e6cf3e1ed6265b50ff2b98ffe74cf2762db66f2b
                                                                • Instruction ID: 58112339e71a0c50a6b51c6b9f025b1872d34f2247f7f32f541f238b6221d9a4
                                                                • Opcode Fuzzy Hash: 6f98c8f330dfdac4308f0a29e6cf3e1ed6265b50ff2b98ffe74cf2762db66f2b
                                                                • Instruction Fuzzy Hash: DB4195F1804218AADF219B62CC41FDEB779AF45308F1044D4E348F6E91C7B19A998F2E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 95%
                                                                			E6C664338(char __ecx, intOrPtr* _a4) {
                                                                				signed char _v8;
                                                                				signed char _v9;
                                                                				signed int _v16;
                                                                				intOrPtr _t49;
                                                                				void* _t51;
                                                                				char _t54;
                                                                				CHAR* _t56;
                                                                				signed char _t81;
                                                                				char _t82;
                                                                				intOrPtr _t83;
                                                                				intOrPtr* _t84;
                                                                
                                                                				_t82 = __ecx;
                                                                				_t84 = _a4;
                                                                				_v8 = 0;
                                                                				_v9 = 1;
                                                                				if(( *(_t84 + 0x1e) & 0x00000008) != 0) {
                                                                					E6C6640CF();
                                                                				}
                                                                				LoadStringA( *0x6c66d8a2, 2, 0x6c67563d, 0x400);
                                                                				E6C6622C0(0x6c67563d);
                                                                				 *_t9 =  *(_t84 + 0x1e);
                                                                				if(E6C662463(_t84 + 0x22,  *((intOrPtr*)(_t84 + 6)), _v16) != 0) {
                                                                					_t49 =  *((intOrPtr*)(_t84 + 2));
                                                                					if(_t49 == 0) {
                                                                						LoadStringA( *0x6c66d8a2, 0x22, 0x6c67623d, 0x400);
                                                                						_t51 = E6C6622C0(0x6c67623d);
                                                                						goto L9;
                                                                					} else {
                                                                						if( *0x6c66e519 == _t49) {
                                                                							LoadStringA( *0x6c66d8a2, 0x21, 0x6c675e3d, 0x400);
                                                                							_t51 = E6C6622C0(0x6c675e3d);
                                                                							L9:
                                                                							if( *((intOrPtr*)(_t84 + 0xa)) == 0) {
                                                                								LoadStringA( *0x6c66d8a2, 0x24, 0x6c676e3d, 0x400);
                                                                								E6C6622C0(0x6c676e3d);
                                                                								goto L14;
                                                                							} else {
                                                                								if( *((intOrPtr*)(_t84 + 0xa)) == E6C661020(_t51,  *0x6c66e519,  *0x6c66e521)) {
                                                                									LoadStringA( *0x6c66d8a2, 0x1e, 0x6c676a3d, 0x400);
                                                                									E6C6622C0(0x6c676a3d);
                                                                									L14:
                                                                									if(( *(_t84 + 0x1e) & 0x00000004) == 0) {
                                                                										if(( *(_t84 + 0x1e) & 0x00000001) == 0) {
                                                                											_t81 = 0;
                                                                										} else {
                                                                											_t81 = 1;
                                                                										}
                                                                										_t54 =  *((intOrPtr*)(_t84 + 0x16));
                                                                										_t84 = _t54 + _t84;
                                                                										_t83 =  *0x6c66e521;
                                                                										while( *_t84 != 0 ||  *((short*)(_t84 + 4)) != 0) {
                                                                											asm("lodsd");
                                                                											_t30 = _t54;
                                                                											_t54 = _t82;
                                                                											_t82 = _t30;
                                                                											asm("lodsb");
                                                                											_t81 = _t81;
                                                                											if(_t81 != 0 ||  *((intOrPtr*)(_t82 + _t83)) == _t54) {
                                                                												asm("lodsb");
                                                                												 *((char*)(_t82 + _t83)) = _t54;
                                                                												_v8 = 1;
                                                                												continue;
                                                                											} else {
                                                                												LoadStringA( *0x6c66d8a2, 0x25, 0x6c677a3d, 0x400);
                                                                												E6C6622C0(0x6c677a3d);
                                                                												_v9 = 0;
                                                                											}
                                                                											goto L29;
                                                                										}
                                                                									} else {
                                                                										if(E6C6665AE( *0x6c66e521, 3, 0x278 +  *0x6c66d880, _t84,  *(_t84 + 0x1e)) != 0) {
                                                                											LoadStringA( *0x6c66d8a2, 9, 0x6c67763d, 0x400);
                                                                											E6C6622C0(0x6c67763d);
                                                                											_v8 = 1;
                                                                										} else {
                                                                											LoadStringA( *0x6c66d8a2, 8, 0x6c67723d, 0x400);
                                                                											E6C6622C0(0x6c67723d);
                                                                											 *0x6c66e529 =  *0x6c66e519;
                                                                											_v9 = 0;
                                                                										}
                                                                									}
                                                                								} else {
                                                                									LoadStringA( *0x6c66d8a2, 0x23, 0x6c67663d, 0x400);
                                                                									E6C6622C0(0x6c67663d);
                                                                									_v9 = 0;
                                                                								}
                                                                							}
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x20, 0x6c675a3d, 0x400);
                                                                							E6C6622C0(0x6c675a3d);
                                                                							_v9 = 0;
                                                                						}
                                                                					}
                                                                				} else {
                                                                					_v9 = 0;
                                                                				}
                                                                				L29:
                                                                				if(_v8 != 0) {
                                                                					LoadStringA( *0x6c66d8a2, 0xb, 0x6c67823d, 0x400);
                                                                					_t56 = 0x6c67823d;
                                                                				} else {
                                                                					 *0x6c66e529 =  *0x6c66e519;
                                                                					LoadStringA( *0x6c66d8a2, 0xa, 0x6c677e3d, 0x400);
                                                                					_t56 = 0x6c677e3d;
                                                                					_v9 = 0;
                                                                				}
                                                                				E6C6622C0(_t56);
                                                                				E6C6628D8(_v8, _v16);
                                                                				if(( *(_t84 + 0x1e) & 0x00000008) != 0) {
                                                                					E6C6640FA();
                                                                				}
                                                                				return _v9 & 0x000000ff;
                                                                			}















                                                                APIs
                                                                • LoadStringA.USER32(00000002,6C67563D,00000400), ref: 6C66436F
                                                                • LoadStringA.USER32(0000000A,6C677E3D,00000400,00000024), ref: 6C6645C0
                                                                  • Part of subcall function 6C6640CF: GetModuleHandleA.KERNEL32(kernel32.dll,6C664F4B), ref: 6C6640D4
                                                                  • Part of subcall function 6C6640CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C6640DF
                                                                • LoadStringA.USER32(00000020,6C675A3D,00000400,00000008), ref: 6C6643C1
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • LoadStringA.USER32(00000021,6C675E3D,00000400,00000008), ref: 6C6643ED
                                                                • LoadStringA.USER32(00000022,6C67623D,00000400,00000008), ref: 6C664410
                                                                • LoadStringA.USER32(00000023,6C67663D,00000400,00000400), ref: 6C66444D
                                                                • LoadStringA.USER32(0000000B,6C67823D,00000400,00000024), ref: 6C6645E2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LoadString$MessageSend$AddressHandleModuleProc
                                                                • String ID: =~gl
                                                                • API String ID: 1736458721-332556841
                                                                • Opcode ID: a59555e04a8c741b9ba74ea4fc9965e1fa6fc5b3c141a2595b829c53a197988b
                                                                • Instruction ID: de7fbe73f935a54831f007b8d18a90684a60d1b0d770c76941a84eb2b8253a2e
                                                                • Opcode Fuzzy Hash: a59555e04a8c741b9ba74ea4fc9965e1fa6fc5b3c141a2595b829c53a197988b
                                                                • Instruction Fuzzy Hash: 49619570645200BADF31DBA7CC15FAA37B1AB1674CF105C14B250B5EE0D7B296188A6F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 86%
                                                                			E6C6628D8(intOrPtr _a4, signed int _a8) {
                                                                				void* _t7;
                                                                				void* _t21;
                                                                
                                                                				asm("pushad");
                                                                				_t21 =  *0x6c66e515;
                                                                				if(_t21 != 0) {
                                                                					UnmapViewOfFile( *0x6c66e521);
                                                                					CloseHandle( *0x6c66e525);
                                                                					SetFilePointer(_t21,  *0x6c66e529, 0x6c66e51d, 0);
                                                                					SetEndOfFile(_t21);
                                                                					CloseHandle(_t21);
                                                                					E6C662368(_a4);
                                                                					_t7 = SetFileAttributesA(0x6c66d911,  *0x6c66e511);
                                                                					if((_a8 & 0x00000010) != 0) {
                                                                						_t7 = CreateFileA(0x6c66d911, 0xc0000000, 0, 0, 3, 0x82, 0);
                                                                						 *0x6c66e515 = _t7;
                                                                						if(_t7 != 0xffffffff) {
                                                                							SetFileTime( *0x6c66e515, 0x6c66f181, 0x6c66f189, 0x6c66f191);
                                                                							CloseHandle( *0x6c66e515);
                                                                							_t7 = E6C6622C0("Restore original file time : OK");
                                                                						}
                                                                					}
                                                                				}
                                                                				asm("popad");
                                                                				return _t7;
                                                                			}






                                                                APIs
                                                                • UnmapViewOfFile.KERNEL32 ref: 6C662918
                                                                • CloseHandle.KERNEL32 ref: 6C662923
                                                                • SetFilePointer.KERNEL32(?,6C66E51D,00000000), ref: 6C662936
                                                                • SetEndOfFile.KERNEL32(?,?,6C66E51D,00000000), ref: 6C66293C
                                                                • CloseHandle.KERNEL32(?,?,?,6C66E51D,00000000), ref: 6C662942
                                                                • SetFileAttributesA.KERNEL32(6C66D911,?,?,?,6C66E51D,00000000), ref: 6C66295A
                                                                • CreateFileA.KERNEL32(6C66D911,C0000000,00000000,00000000,00000003,00000082,00000000,6C66D911,?,?,?,6C66E51D,00000000), ref: 6C66297F
                                                                • SetFileTime.KERNEL32(6C66F181,6C66F189,6C66F191,6C66D911,C0000000,00000000,00000000,00000003,00000082,00000000,6C66D911,?,?,?,6C66E51D,00000000), ref: 6C6629A3
                                                                • CloseHandle.KERNEL32(6C66F181,6C66F189,6C66F191,6C66D911,C0000000,00000000,00000000,00000003,00000082,00000000,6C66D911,?,?,?,6C66E51D,00000000), ref: 6C6629AE
                                                                  • Part of subcall function 6C6629EF: LoadLibraryA.KERNEL32(Imagehlp.dll), ref: 6C662A02
                                                                  • Part of subcall function 6C6629EF: GetProcAddress.KERNEL32(00000000,CheckSumMappedFile), ref: 6C662A13
                                                                  • Part of subcall function 6C6629EF: CloseHandle.KERNEL32(00000000,00000000,CheckSumMappedFile,Imagehlp.dll), ref: 6C662A48
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$CloseHandle$MessageSend$AddressAttributesCreateLibraryLoadPointerProcTimeUnmapView
                                                                • String ID: $PE CheckSum Fix : Failed$PE CheckSum Fix : OK$Restore original file time : OK
                                                                • API String ID: 2362126809-2918191134
                                                                • Opcode ID: 035fc263aa5407e46d0cb78de638e5d8d6680210617f90b17de9628fa7846e06
                                                                • Instruction ID: cf8c9616d54199f3d6b4bd4ac92ffd42d144aaf50b792e0e40c344f27cf94946
                                                                • Opcode Fuzzy Hash: 035fc263aa5407e46d0cb78de638e5d8d6680210617f90b17de9628fa7846e06
                                                                • Instruction Fuzzy Hash: 481161312402047ADB012BB3DD45FDD37256B5375CF204610B522B5EE0DB7296299AAF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 93%
                                                                			E6C664EE6(void* __ecx, intOrPtr _a4) {
                                                                				struct _SECURITY_ATTRIBUTES* _v8;
                                                                				struct _SECURITY_ATTRIBUTES* _v12;
                                                                				void* _t57;
                                                                				void* _t69;
                                                                				intOrPtr* _t77;
                                                                				intOrPtr _t78;
                                                                				intOrPtr _t93;
                                                                				intOrPtr _t96;
                                                                				intOrPtr _t99;
                                                                
                                                                				LoadStringA( *0x6c66d8a2, 0x1b, 0x6c67ae3d, 0x400);
                                                                				E6C6622C0(0x6c67ae3d);
                                                                				_v12 = 1;
                                                                				if( *0x6c66e95c == 0) {
                                                                					_v8 = 0;
                                                                					 *0x6c66e95c = 1;
                                                                				} else {
                                                                					_v8 = 1;
                                                                				}
                                                                				_t99 = _a4;
                                                                				if(( *(_t99 + 0x401) & 0x00000040) != 0) {
                                                                					E6C6640CF();
                                                                				}
                                                                				_t57 = E6C662463(_t99 + 1, 0, 0x80000000);
                                                                				_t58 = _t57;
                                                                				if(_t57 != 0) {
                                                                					if(( *(_t99 + 0x401) & 0x00000001) != 0) {
                                                                						LoadStringA( *0x6c66d8a2, 0x15, 0x6c67b23d, 0x400);
                                                                						_t58 = E6C6622C0(0x6c67b23d);
                                                                					}
                                                                					if(( *(_t99 + 0x401) & 0x00000002) != 0) {
                                                                						if( *0x6c66e519 !=  *((intOrPtr*)(_t99 + 0x405))) {
                                                                							LoadStringA( *0x6c66d8a2, 0x21, 0x6c67ba3d, 0x400);
                                                                							_t58 = E6C6622C0(0x6c67ba3d);
                                                                							_v12 = 0;
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x21, 0x6c67b63d, 0x400);
                                                                							_t58 = E6C6622C0(0x6c67b63d);
                                                                						}
                                                                					}
                                                                					if(( *(_t99 + 0x401) & 0x00000004) != 0) {
                                                                						if( *((intOrPtr*)(_t99 + 0x409)) != E6C661020(_t58,  *0x6c66e519,  *0x6c66e521)) {
                                                                							LoadStringA( *0x6c66d8a2, 0x23, 0x6c67c23d, 0x400);
                                                                							E6C6622C0(0x6c67c23d);
                                                                							_v12 = 0;
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x1e, 0x6c67be3d, 0x400);
                                                                							E6C6622C0(0x6c67be3d);
                                                                						}
                                                                					}
                                                                					if(( *(_t99 + 0x401) & 0x00000008) != 0) {
                                                                						E6C66A5B8(E6C66A578(),  *0x6c66e521,  *0x6c66e519);
                                                                						_t77 = E6C66A618();
                                                                						asm("bswap ecx");
                                                                						_t96 =  *((intOrPtr*)(_t77 + 4));
                                                                						asm("bswap edx");
                                                                						_t93 =  *((intOrPtr*)(_t77 + 8));
                                                                						asm("bswap ebx");
                                                                						_t78 =  *((intOrPtr*)(_t77 + 0xc));
                                                                						asm("bswap eax");
                                                                						if( *((intOrPtr*)(_t99 + 0x40d)) !=  *_t77 ||  *((intOrPtr*)(_t99 + 0x411)) != _t96 ||  *((intOrPtr*)(_t99 + 0x415)) != _t93 ||  *((intOrPtr*)(_t99 + 0x419)) != _t78) {
                                                                							LoadStringA( *0x6c66d8a2, 0x1a, 0x6c67ca3d, 0x400);
                                                                							E6C6622C0(0x6c67ca3d);
                                                                							_v12 = 0;
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x19, 0x6c67c63d, 0x400);
                                                                							E6C6622C0(0x6c67c63d);
                                                                						}
                                                                					}
                                                                					if(( *(_t99 + 0x401) & 0x00000010) != 0) {
                                                                						if(( *(_t99 + 0x401) & 0x00000020) == 0) {
                                                                							_t69 = E6C66548F( *0x6c66e521,  *0x6c66e519, _t99 + 0x41d);
                                                                						} else {
                                                                							_t69 = E6C66548F( *0x6c66e521 +  *((intOrPtr*)(_t99 + 0x1425)),  *((intOrPtr*)(_t99 + 0x41d)), _t99 + 0x41d);
                                                                						}
                                                                						if(_t69 != 0xffffffff) {
                                                                							LoadStringA( *0x6c66d8a2, 0x30, 0x6c67d23d, 0x400);
                                                                							E6C6622C0(0x6c67d23d);
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x31, 0x6c67ce3d, 0x400);
                                                                							E6C6622C0(0x6c67ce3d);
                                                                							_v12 = 0;
                                                                						}
                                                                					}
                                                                					goto L31;
                                                                				} else {
                                                                					_v12 = 0;
                                                                					L31:
                                                                					E6C6629C2();
                                                                					if(( *(_t99 + 0x401) & 0x00000080) != 0) {
                                                                						if(CreateFileA(0x6c66d911, 0xc0000000, 2, 0, 3, 0x82, 0) != 0xffffffff) {
                                                                							LoadStringA( *0x6c66d8a2, 0x32, 0x6c67da3d, 0x400);
                                                                							CloseHandle(E6C6622C0(0x6c67da3d));
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 0x33, 0x6c67d63d, 0x400);
                                                                							E6C6622C0(0x6c67d63d);
                                                                							_v12 = 0;
                                                                						}
                                                                					}
                                                                					if(( *(_t99 + 0x401) & 0x00000040) != 0) {
                                                                						E6C6640FA();
                                                                					}
                                                                					if(_v8 == 0) {
                                                                						 *0x6c66e95c = 0;
                                                                					}
                                                                					return _v12;
                                                                				}
                                                                			}













                                                                APIs
                                                                • LoadStringA.USER32(0000001B,6C67AE3D,00000400,00000001), ref: 6C664F01
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • LoadStringA.USER32(00000015,6C67B23D,00000400), ref: 6C664F89
                                                                • LoadStringA.USER32(00000021,6C67B63D,00000400), ref: 6C664FC4
                                                                • LoadStringA.USER32(00000021,6C67BA3D,00000400), ref: 6C664FE7
                                                                • LoadStringA.USER32(0000001E,6C67BE3D,00000400), ref: 6C665034
                                                                • LoadStringA.USER32(00000023,6C67C23D,00000400), ref: 6C665057
                                                                • LoadStringA.USER32(00000019,6C67C63D,00000400), ref: 6C6650DD
                                                                • LoadStringA.USER32(0000001A,6C67CA3D,00000400), ref: 6C665100
                                                                • LoadStringA.USER32(00000031,6C67CE3D,00000400,?), ref: 6C665182
                                                                • LoadStringA.USER32(00000030,6C67D23D,00000400,?), ref: 6C6651AC
                                                                • CreateFileA.KERNEL32(6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6C6651E3
                                                                • LoadStringA.USER32(00000033,6C67D63D,00000400,6C66D911), ref: 6C6651FF
                                                                • LoadStringA.USER32(00000032,6C67DA3D,00000400,6C66D911), ref: 6C665229
                                                                • CloseHandle.KERNEL32(00000000,00000032,6C67DA3D,00000400,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6C665239
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LoadString$MessageSend$CloseCreateFileHandle
                                                                • String ID:
                                                                • API String ID: 3199326509-0
                                                                • Opcode ID: fd494a8b64d55f8dfede69b935ba43d4e04b1f063b2d7fe826a384ac03f1e7de
                                                                • Instruction ID: 74a06f6df754d1ef828fc2791a7a178b0c1bf8dfcd61f18d78efa3399723def1
                                                                • Opcode Fuzzy Hash: fd494a8b64d55f8dfede69b935ba43d4e04b1f063b2d7fe826a384ac03f1e7de
                                                                • Instruction Fuzzy Hash: 6C71C0B0689304BADB309B63CC4AFDA77B1AB0274CF208C14B35175EE1C7B191489A6F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C6662CD(long __ecx, void* __edx) {
                                                                				RECT* _v8;
                                                                				RECT* _t33;
                                                                				void* _t51;
                                                                				long _t54;
                                                                				void* _t55;
                                                                				RECT* _t56;
                                                                				RECT* _t57;
                                                                
                                                                				_t55 = __edx;
                                                                				_t54 = __ecx;
                                                                				if( *0x6c66d902 == 1) {
                                                                					ShowWindow( *0x6c66d8be, 5);
                                                                					ShowWindow( *0x6c66d8c2, 0);
                                                                				}
                                                                				SendMessageA( *0x6c66d8be, 0x184, 0, 0);
                                                                				LoadStringA( *0x6c66d8a2, 0, 0x6c680a45, 0x400);
                                                                				E6C6622C0(0x6c680a45);
                                                                				E6C6622C0(" ");
                                                                				_t51 = 0;
                                                                				while(1) {
                                                                					_t51 = _t51 + 1;
                                                                					_t33 = E6C66149B( *0x6c66d8a2, _t51);
                                                                					_t56 = _t33;
                                                                					_t57 = _t56;
                                                                					if(_t57 == 0) {
                                                                						break;
                                                                					}
                                                                					if(_t57->left != 3) {
                                                                						if(_t57->left != 4) {
                                                                							if(_t57->left != 0x11) {
                                                                								if(_t57->left != 5) {
                                                                									if(_t57->left != 0x14) {
                                                                										if(_t57->left != 0x16) {
                                                                											if(_t57->left != 0x17) {
                                                                												if(_t57->left != 0x10) {
                                                                													if(_t57->left != 0x15) {
                                                                														if(_t57->left == 0x18) {
                                                                															_t33 = E6C66625C(_t57);
                                                                														}
                                                                														goto L39;
                                                                													}
                                                                													if(_v8 == 1 || _v8 == 0) {
                                                                														if((_t57->left & 0x00000004) == 0) {
                                                                															if((_t57->left & 0x00000008) == 0) {
                                                                																if((_t57->left & 0x00000040) != 0) {
                                                                																	_t33 = _v8;
                                                                																}
                                                                															} else {
                                                                																_t33 = 1;
                                                                															}
                                                                														} else {
                                                                															_t33 = 0;
                                                                														}
                                                                													} else {
                                                                														_t33 = _v8;
                                                                													}
                                                                													if(_v8 != _t33) {
                                                                														goto L39;
                                                                													} else {
                                                                														if((_t57->left & 0x00000001) == 0) {
                                                                															if((_t57->left & 0x00000010) == 0) {
                                                                																if((_t57->left & 0x00000020) != 0) {
                                                                																	_t51 = _t51 - _t57->top - 1;
                                                                																}
                                                                															} else {
                                                                																_t51 = _t51 + _t57->top - 1;
                                                                															}
                                                                															goto L39;
                                                                														}
                                                                														E6C6622C0("EXIT PATCHING");
                                                                														break;
                                                                													}
                                                                												}
                                                                												LoadStringA( *0x6c66d8a2, 7, 0x6c680e45, 0x400);
                                                                												E6C6622C0(0x6c680e45);
                                                                												_t33 = E6C6614E6(_t57);
                                                                												goto L39;
                                                                											}
                                                                											_t33 = E6C665266(_t57);
                                                                											goto L39;
                                                                										}
                                                                										_t33 = E6C664EE6(_t54, _t57);
                                                                									} else {
                                                                										_t33 = E6C66498E(_t57);
                                                                									}
                                                                								} else {
                                                                									_t33 = E6C665516(_t57);
                                                                								}
                                                                							} else {
                                                                								_t33 = E6C665B9C(_t57);
                                                                							}
                                                                						} else {
                                                                							_t33 = E6C664791(_t55, _t57);
                                                                						}
                                                                						goto L39;
                                                                					} else {
                                                                						_t33 = E6C664338(_t54, _t57);
                                                                						L39:
                                                                						_v8 = _t33;
                                                                						_t54 = _t57->left;
                                                                						if(_t54 == 3 || _t54 == 4 || _t54 == 0x11 || _t54 == 5 || _t54 == 0x14 || _t54 == 0x16 || _t54 == 0x17 || _t54 == 0x10 || _t54 == 0x18) {
                                                                							if(_v8 != 1) {
                                                                								if(_v8 == 0) {
                                                                									LoadStringA( *0x6c66d8a2, 0x1c, 0x6c681645, 0x400);
                                                                									E6C6622C0(0x6c681645);
                                                                									E6C6622C0(" ");
                                                                								}
                                                                							} else {
                                                                								LoadStringA( *0x6c66d8a2, 0x1d, 0x6c681245, 0x400);
                                                                								E6C6622C0(0x6c681245);
                                                                								E6C6622C0(" ");
                                                                							}
                                                                						}
                                                                						continue;
                                                                					}
                                                                				}
                                                                				LoadStringA( *0x6c66d8a2, 1, 0x6c681a45, 0x400);
                                                                				E6C6622C0(0x6c681a45);
                                                                				E6C666577( *0x6c66d907);
                                                                				EnableWindow(GetDlgItem( *0x6c66d8a6, 0x6c), 0);
                                                                				return RedrawWindow( *0x6c66d8a6, 0, 0, 1);
                                                                			}











                                                                APIs
                                                                • ShowWindow.USER32(00000005), ref: 6C6662E7
                                                                • ShowWindow.USER32(00000000,00000005), ref: 6C6662F4
                                                                • SendMessageA.USER32(00000184,00000000,00000000), ref: 6C666308
                                                                • LoadStringA.USER32(00000000,6C680A45,00000400,00000184), ref: 6C66631F
                                                                • LoadStringA.USER32(00000001,6C681A45,00000400,00000002), ref: 6C666532
                                                                • GetDlgItem.USER32 ref: 6C666554
                                                                • EnableWindow.USER32(00000000,00000000), ref: 6C66655C
                                                                • RedrawWindow.USER32(00000000,00000000,00000001,0000006C,00000001,6C681A45,00000400,00000002,0000001C,6C681645,00000400,00000001,00000000,6C680A45,00000400,00000184), ref: 6C66656D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$LoadShowString$EnableItemMessageRedrawSend
                                                                • String ID: EXIT PATCHING
                                                                • API String ID: 3447863954-2450873957
                                                                • Opcode ID: 75449f63d8902fcaaaf4f47d893945bbdc7a077c5f8cb06876a29e9867524e34
                                                                • Instruction ID: 724726620369463bcd2a0860657c23454723f1e0d94c641324af1ee8252237dc
                                                                • Opcode Fuzzy Hash: 75449f63d8902fcaaaf4f47d893945bbdc7a077c5f8cb06876a29e9867524e34
                                                                • Instruction Fuzzy Hash: E151257068A744BAEB319B27ED06FCA3AB44F0331CF24D919E290E0ED18775D584966F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 83%
                                                                			E6C665AFE() {
                                                                				_Unknown_base(*)()* _t2;
                                                                
                                                                				asm("pushad");
                                                                				_t2 = E6C66149B( *0x6c66d8a2, "PCRE_DLL");
                                                                				if(_t2 != 0) {
                                                                					GetTempPathA(0x400, 0x6c67223d);
                                                                					lstrcatA(0x6c67223d, "\\pcre.dll");
                                                                					E6C666D4C(0x6c67223d, _t2,  *0x6c66d880);
                                                                					_t2 = LoadLibraryA(0x6c67223d);
                                                                					if(_t2 != 0) {
                                                                						 *0x6c672239 = _t2;
                                                                						 *0x6c67222d = GetProcAddress( *0x6c672239, "pcre_compile");
                                                                						 *0x6c672231 = GetProcAddress( *0x6c672239, "pcre_exec");
                                                                						_t2 = GetProcAddress( *0x6c672239, "pcre_copy_substring");
                                                                						 *0x6c672235 = _t2;
                                                                					}
                                                                				}
                                                                				asm("popad");
                                                                				return _t2;
                                                                			}





                                                                APIs
                                                                  • Part of subcall function 6C66149B: FindResourceA.KERNEL32(?,6C661479,0000000A), ref: 6C6614B1
                                                                • GetTempPathA.KERNEL32(00000400,6C67223D,PCRE_DLL,6C662FD7,00000002,00000001,00000001,00000080,00000001,00000000,0000000B,6C67463D,00000400,0000006F,?), ref: 6C665B23
                                                                • lstrcatA.KERNEL32(6C67223D,\pcre.dll,00000400,6C67223D,PCRE_DLL,6C662FD7,00000002,00000001,00000001,00000080,00000001,00000000,0000000B,6C67463D,00000400,0000006F), ref: 6C665B32
                                                                  • Part of subcall function 6C666D4C: CreateFileA.KERNEL32(00000008,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6C666D67
                                                                • LoadLibraryA.KERNEL32(6C67223D,6C67223D,00000000,6C67223D,\pcre.dll,00000400,6C67223D,PCRE_DLL,6C662FD7,00000002,00000001,00000001,00000080,00000001,00000000,0000000B), ref: 6C665B4D
                                                                • GetProcAddress.KERNEL32(pcre_compile,6C67223D), ref: 6C665B66
                                                                • GetProcAddress.KERNEL32(pcre_exec,pcre_compile), ref: 6C665B7B
                                                                • GetProcAddress.KERNEL32(pcre_copy_substring,pcre_exec), ref: 6C665B90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: AddressProc$CreateFileFindLibraryLoadPathResourceTemplstrcat
                                                                • String ID: PCRE_DLL$\pcre.dll$pcre_compile$pcre_copy_substring$pcre_exec
                                                                • API String ID: 4288541509-2867501554
                                                                • Opcode ID: 4dfa45941f8a0b4a32935249ba422d5bfcca870b6258ef6f7141644cd2640c43
                                                                • Instruction ID: 0e3b6fe5aabbb783096b4a8b9a5ff4b522927221165e455d52fd393cdfdd3991
                                                                • Opcode Fuzzy Hash: 4dfa45941f8a0b4a32935249ba422d5bfcca870b6258ef6f7141644cd2640c43
                                                                • Instruction Fuzzy Hash: 0BF0BD70709150FA9F166B739C98CA87FB2FB07318B200D24B420E5E52D771C9259E2F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C6618B0(struct HWND__* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                				int _t21;
                                                                				int _t23;
                                                                				signed int _t27;
                                                                				intOrPtr* _t32;
                                                                				signed int _t33;
                                                                
                                                                				_t32 = _a12;
                                                                				_t33 = GetWindowLongA(_a4, 0xffffffec);
                                                                				_t21 = GetWindowLongA(_a4, 0xfffffff0);
                                                                				_t27 = _t21;
                                                                				if((_t27 & 0x00c00000) != 0) {
                                                                					_t21 = _t21 & 0x00c00000;
                                                                					if(_t21 == 0xc00000) {
                                                                						if((_t33 & 0x00000080) == 0) {
                                                                							_t21 = GetSystemMetrics(4);
                                                                							 *_t32 =  *_t32 - _t21;
                                                                						} else {
                                                                							_t21 = GetSystemMetrics(0x33);
                                                                							 *_t32 =  *_t32 - _t21;
                                                                						}
                                                                					}
                                                                				}
                                                                				if((_t27 & 0x00040000) == 0) {
                                                                					if((_t27 & 0x00400000) != 0) {
                                                                						 *_t32 =  *_t32 - GetSystemMetrics(8);
                                                                						_t21 = GetSystemMetrics(7);
                                                                						 *_a8 =  *_a8 - _t21;
                                                                					}
                                                                				} else {
                                                                					 *_t32 =  *_t32 - GetSystemMetrics(0x21);
                                                                					_t21 = GetSystemMetrics(0x20);
                                                                					 *_a8 =  *_a8 - _t21;
                                                                				}
                                                                				if((_t33 & 0x00000200) != 0) {
                                                                					 *_t32 =  *_t32 - GetSystemMetrics(0x2d);
                                                                					_t21 = GetSystemMetrics(0x2e);
                                                                					 *_a8 =  *_a8 - _t21;
                                                                				}
                                                                				if((_t33 & 0x00020000) != 0) {
                                                                					 *_t32 =  *_t32 - GetSystemMetrics(6);
                                                                					_t23 = GetSystemMetrics(5);
                                                                					 *_a8 =  *_a8 - _t23;
                                                                					return _t23;
                                                                				}
                                                                				return _t21;
                                                                			}









                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MetricsSystem$LongWindow
                                                                • String ID:
                                                                • API String ID: 3112282201-0
                                                                • Opcode ID: 3ccbb50938f47ff3d9ec0daad082a3d167bfeab731663d4bb052b053579b7895
                                                                • Instruction ID: 525a5871457d0d6007280d772c53d8a1959ca782ae478f64342884c2920d2b73
                                                                • Opcode Fuzzy Hash: 3ccbb50938f47ff3d9ec0daad082a3d167bfeab731663d4bb052b053579b7895
                                                                • Instruction Fuzzy Hash: A8219D325D13026FE7011A77E864BA93768EF1235CF288134A91A9AED0DB70C844C79F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C6661BC() {
                                                                				char _v2052;
                                                                				char _v4100;
                                                                				char _v4164;
                                                                				int _t14;
                                                                				void* _t30;
                                                                
                                                                				_t14 = GetTempPathA(0x400,  &_v2052);
                                                                				_t30 = 0x6c67263d;
                                                                				while( *(_t30 + 4) != 0) {
                                                                					FreeLibrary( *(_t30 + 4));
                                                                					_t4 = _t30 + 8; // 0x6c672645
                                                                					E6C662200(_t4,  &_v4164, 0x10);
                                                                					lstrcpyA( &_v4100,  &_v2052);
                                                                					lstrcatA( &_v4100, 0x6c66d7f2);
                                                                					lstrcatA( &_v4100,  &_v4164);
                                                                					lstrcatA( &_v4100, ".dll");
                                                                					_t14 = DeleteFileA( &_v4100);
                                                                					_t30 = _t30 + 0x18;
                                                                				}
                                                                				return _t14;
                                                                			}








                                                                APIs
                                                                • GetTempPathA.KERNEL32(00000400,?,?,?,?,?,6C66365C,6C67223D,6C66E111,00000012,00000001), ref: 6C6661D4
                                                                • FreeLibrary.KERNEL32(?,00000400,?,?,?,?,?,6C66365C,6C67223D,6C66E111,00000012,00000001), ref: 6C6661E3
                                                                • lstrcpyA.KERNEL32(?,?,6C672645,?,00000010,?,00000400,?,?,?,?,?,6C66365C,6C67223D,6C66E111,00000012), ref: 6C666208
                                                                • lstrcatA.KERNEL32(?,6C66D7F2,?,?,6C672645,?,00000010,?,00000400,?,?,?,?,?,6C66365C,6C67223D), ref: 6C666219
                                                                • lstrcatA.KERNEL32(?,?,?,6C66D7F2,?,?,6C672645,?,00000010,?,00000400,?), ref: 6C66622C
                                                                • lstrcatA.KERNEL32(?,.dll,?,?,?,6C66D7F2,?,?,6C672645,?,00000010,?,00000400,?), ref: 6C66623D
                                                                • DeleteFileA.KERNEL32(?,?,.dll,?,?,?,6C66D7F2,?,?,6C672645,?,00000010,?,00000400,?), ref: 6C666249
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: lstrcat$DeleteFileFreeLibraryPathTemplstrcpy
                                                                • String ID: .dll$=&gl
                                                                • API String ID: 1649043200-2948811159
                                                                • Opcode ID: d88eb87f1974b48bdd9f7e7fe5b1ac579b886169930bd2e05f6ce61e3c84c5c9
                                                                • Instruction ID: 8e00cc51a9f0d69580e32cc71469cbf1b1f28914dde8c53b9b9e215d90142056
                                                                • Opcode Fuzzy Hash: d88eb87f1974b48bdd9f7e7fe5b1ac579b886169930bd2e05f6ce61e3c84c5c9
                                                                • Instruction Fuzzy Hash: 3A0152B2800158A6CB21DBA2DC44FDEB36CBB45348F0405A6B245E2D44EB74D79C8FAE
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C663C60(struct HWND__* _a4, intOrPtr _a8) {
                                                                				intOrPtr _t36;
                                                                
                                                                				if( *0x6c66e537 != 1) {
                                                                					return 0;
                                                                				}
                                                                				_t36 = _a8;
                                                                				SelectObject( *(_t36 + 0x18), CreateSolidBrush( *0x6c66e954));
                                                                				RoundRect( *(_t36 + 0x18),  *(_t36 + 0x1c),  *(_t36 + 0x20),  *(_t36 + 0x24),  *(_t36 + 0x28), 0, 0);
                                                                				if(( *(_t36 + 0x10) & 0x00000001) != 0) {
                                                                					OffsetRect(_t36 + 0x1c, 1, 1);
                                                                				}
                                                                				GetDlgItemTextA(_a4,  *(_t36 + 4), 0x6c66e538, 0x400);
                                                                				SetBkMode( *(_t36 + 0x18), 1);
                                                                				SetTextColor( *(_t36 + 0x18),  *0x6c66e958);
                                                                				DrawTextA( *(_t36 + 0x18), 0x6c66e538, 0xffffffff, _t36 + 0x1c, 0x25);
                                                                				if(( *(_t36 + 0x10) & 0x00000001) != 0) {
                                                                					OffsetRect(_t36 + 0x1c, 0xffffffff, 0xffffffff);
                                                                				}
                                                                				return 1;
                                                                			}




                                                                APIs
                                                                • CreateSolidBrush.GDI32 ref: 6C663C79
                                                                • SelectObject.GDI32(?,00000000), ref: 6C663C82
                                                                • RoundRect.GDI32(?,?,?,?,?,00000000,00000000), ref: 6C663C9A
                                                                • OffsetRect.USER32(?,00000001,00000001), ref: 6C663CB0
                                                                • GetDlgItemTextA.USER32(?,?,6C66E538,00000400), ref: 6C663CC5
                                                                • SetBkMode.GDI32(?,00000001), ref: 6C663CCF
                                                                • SetTextColor.GDI32(?,?), ref: 6C663CDD
                                                                • DrawTextA.USER32(?,6C66E538,000000FF,?,00000025), ref: 6C663CF2
                                                                • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C663D08
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: RectText$Offset$BrushColorCreateDrawItemModeObjectRoundSelectSolid
                                                                • String ID:
                                                                • API String ID: 3683931702-0
                                                                • Opcode ID: 972ac3ac957c28daa964b86a4f788ab8df1b0d49b1dc01b38cc907b47c536400
                                                                • Instruction ID: 58236c631b47d9433d1ee092e2bbfb9102d51bf0474002d30eeebc622adeeaa0
                                                                • Opcode Fuzzy Hash: 972ac3ac957c28daa964b86a4f788ab8df1b0d49b1dc01b38cc907b47c536400
                                                                • Instruction Fuzzy Hash: 1C119431144B00BADB314F53DD00F8676B5AF15318F104B14B652A1DF0D7B2E49D9B8E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 95%
                                                                			E6C6658A1(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, intOrPtr _a16) {
                                                                				char _v1028;
                                                                				intOrPtr _t28;
                                                                				struct HBRUSH__* _t34;
                                                                				void* _t35;
                                                                				CHAR* _t42;
                                                                				void* _t47;
                                                                				int _t60;
                                                                				void* _t61;
                                                                				CHAR* _t68;
                                                                				void* _t75;
                                                                
                                                                				_t28 = _a8;
                                                                				if(_t28 != 0x110) {
                                                                					if(_t28 != 0x111) {
                                                                						if(_t28 != 0x138) {
                                                                							if(_t28 != 0x136) {
                                                                								if(_t28 != 0x2b) {
                                                                									if(_t28 != 0x200) {
                                                                										if(_t28 != 0x10) {
                                                                											return 0;
                                                                										} else {
                                                                											goto L42;
                                                                										}
                                                                									} else {
                                                                										if(_a12 == 1) {
                                                                											SendMessageA(_a4, 0x112, 0xf012, 0);
                                                                										}
                                                                										goto L44;
                                                                									}
                                                                								} else {
                                                                									return E6C663C60(_a4, _a16);
                                                                								}
                                                                							} else {
                                                                								if( *0x6c66e537 != 1) {
                                                                									_t34 = 0;
                                                                								} else {
                                                                									_t34 = CreateSolidBrush( *0x6c66e938);
                                                                								}
                                                                								return _t34;
                                                                							}
                                                                						} else {
                                                                							if( *0x6c66e537 != 1) {
                                                                								_t35 = 0;
                                                                							} else {
                                                                								SetTextColor(_a12,  *0x6c66e940);
                                                                								if( *0x6c66e93c != 0xffffffff) {
                                                                									SetBkColor(_a12,  *0x6c66e93c);
                                                                									_t35 = CreateSolidBrush( *0x6c66e93c);
                                                                								} else {
                                                                									SetBkMode(_a12, 1);
                                                                									_t35 = GetStockObject(5);
                                                                								}
                                                                							}
                                                                							return _t35;
                                                                						}
                                                                					} else {
                                                                						if(_a12 != 0x66) {
                                                                							if((GetKeyState(0xd) & 0x00008000) != 0) {
                                                                								SendMessageA(_a4, 0x111, 0x66, 0);
                                                                							}
                                                                						} else {
                                                                							_t42 =  *0x6c67e641;
                                                                							 *_t42 = 0;
                                                                							if(GetDlgItemTextA(_a4, 0x65, _t42, 0x400) != 0) {
                                                                								L42:
                                                                								EndDialog(_a4,  *0x6c67e641);
                                                                							}
                                                                						}
                                                                						goto L44;
                                                                					}
                                                                				} else {
                                                                					_push(_a16);
                                                                					_pop( *0x6c67e641);
                                                                					if((GetWindowLongA( *0x6c66d8a6, 0xffffffec) & 0x00000008) == 0) {
                                                                						SetWindowPos(_a4, 0xfffffffe, 0, 0, 0, 0, 3);
                                                                					}
                                                                					if( *0x6c66e537 == 1 &&  *0x6c66e954 != 0xffffffff &&  *0x6c66e958 != 0xffffffff) {
                                                                						E6C663C34(_a4, 0x66);
                                                                					}
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_REGP_OK_UP", "BTN_REGP_OK_DOWN", "BTN_REGP_OK_OVER", 0x66);
                                                                					_t47 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                					_t48 = _t47;
                                                                					if(_t47 != 0) {
                                                                						E6C663AE0(_a4, _t48);
                                                                					}
                                                                					E6C667260(_a4,  *0x6c66d8a6);
                                                                					_t75 =  *0x6c67e63d;
                                                                					_t68 =  &_v1028;
                                                                					if( *_t75 == 0x24) {
                                                                						_t75 = _t75 + 1;
                                                                					}
                                                                					_t60 = 0;
                                                                					while( *((char*)(_t75 + _t60)) != 0x24 &&  *((char*)(_t75 + _t60)) != 0) {
                                                                						_t60 = _t60 + 1;
                                                                					}
                                                                					RtlMoveMemory(_t68, _t75, _t60);
                                                                					_t61 = _t60;
                                                                					 *((char*)(_t61 + _t68)) = 0;
                                                                					SetWindowTextA(_a4, _t68);
                                                                					L44:
                                                                					return 1;
                                                                				}
                                                                			}













                                                                APIs
                                                                • GetWindowLongA.USER32 ref: 6C6658DB
                                                                • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC,?), ref: 6C6658F6
                                                                • RtlMoveMemory.KERNEL32(?,?,00000000,00000000,?,0000000B,00000001,?), ref: 6C665990
                                                                • SetWindowTextA.USER32(?,?), ref: 6C66599E
                                                                • GetDlgItemTextA.USER32(?,00000065,?,00000400), ref: 6C6659CA
                                                                • EndDialog.USER32 ref: 6C665ADF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$Text$DialogItemLongMemoryMove
                                                                • String ID: BTN_REGP_OK_DOWN$BTN_REGP_OK_OVER$BTN_REGP_OK_UP
                                                                • API String ID: 1467606235-2190942234
                                                                • Opcode ID: 391fec8bebf003bc1cd2bff20104db9c9cfb6ce340c9e2211e713398a3a14d11
                                                                • Instruction ID: 8802ce208ce9800b1239810bc6e45511d1437e3068c28d8caad9a6615e5f3b09
                                                                • Opcode Fuzzy Hash: 391fec8bebf003bc1cd2bff20104db9c9cfb6ce340c9e2211e713398a3a14d11
                                                                • Instruction Fuzzy Hash: B721F330644185BEEF310A27CC42FDA3B75AB0236CF200619F515A5EE1D7B29556879F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: fclose$_fileno_wfopenfopenfreadmalloc
                                                                • String ID:
                                                                • API String ID: 3033517385-0
                                                                • Opcode ID: 56077a3e291155ca33e2d2c1a8aa3bdf955bd743f8a7a0ccb11ec08104b0c960
                                                                • Instruction ID: 351546d302ca3e42d5c8c50b78ce9f0c5e033fee65b552da2154965d06382f37
                                                                • Opcode Fuzzy Hash: 56077a3e291155ca33e2d2c1a8aa3bdf955bd743f8a7a0ccb11ec08104b0c960
                                                                • Instruction Fuzzy Hash: FA218F31205765DBF318EBA49C88E9F3BA4EF453D1F10801AF849926A9DF74C806CB65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 94%
                                                                			E6C6665AE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
                                                                				intOrPtr _t50;
                                                                				void* _t53;
                                                                				intOrPtr _t71;
                                                                				intOrPtr _t75;
                                                                				void* _t81;
                                                                				void* _t84;
                                                                				void* _t85;
                                                                				void* _t86;
                                                                				intOrPtr _t87;
                                                                				void* _t88;
                                                                				void* _t91;
                                                                
                                                                				_t87 = _a4;
                                                                				_t75 = 0;
                                                                				while( *((intOrPtr*)(_t75 + _t87)) != 0x4550) {
                                                                					_t75 = _t75 + 1;
                                                                					if(_t75 !=  *0x6c66e519) {
                                                                						continue;
                                                                					} else {
                                                                						LoadStringA( *0x6c66d8a2, 0x16, 0x6c681e45, 0x400);
                                                                						E6C6622C0(0x6c681e45);
                                                                						L3:
                                                                						return 0;
                                                                					}
                                                                					L15:
                                                                				}
                                                                				_t88 = _t87 + _t75;
                                                                				if( *((intOrPtr*)(_a4 +  *0x6c66e519 - 4)) != 0x32505564) {
                                                                					_t85 = _t88 + 0x18 + ( *(_t88 + 0x14) & 0x0000ffff);
                                                                					 *(_t85 + 0x24) =  *(_t85 + 0x24) | 0x80000000;
                                                                					_t86 = _t85 + (( *(_t88 + 6) & 0x0000ffff) - 1) * 0x28;
                                                                					_t91 = _t88;
                                                                					 *0x6c66698d = 0;
                                                                					if(_a8 == 4) {
                                                                						 *0x6c66698d =  *0x6c66698d | 0x00000001;
                                                                					}
                                                                					if((_a20 & 0x00000040) != 0) {
                                                                						 *0x6c66698d =  *0x6c66698d | 0x00000002;
                                                                					}
                                                                					 *0x6c666985 =  *((intOrPtr*)(_t91 + 0x28));
                                                                					 *((intOrPtr*)(_t91 + 0x28)) =  *((intOrPtr*)(_t86 + 0xc)) +  *((intOrPtr*)(_t86 + 0x10));
                                                                					if(_a8 != 4) {
                                                                						_t50 = 0;
                                                                					} else {
                                                                						_t50 =  *((intOrPtr*)(_t86 + 0xc)) +  *((intOrPtr*)(_t86 + 0x10));
                                                                					}
                                                                					 *0x6c666991 = _t50;
                                                                					_t53 = _a4 +  *((intOrPtr*)(_t86 + 0x14)) +  *((intOrPtr*)(_t86 + 0x10));
                                                                					_push(_t53 + 0x278);
                                                                					RtlMoveMemory(_t53, 0x6c666730, 0x278);
                                                                					_pop(_t84);
                                                                					_t78 = _a16;
                                                                					_t71 =  *0x6c66d880; // 0x20
                                                                					RtlMoveMemory(_t84,  *((intOrPtr*)(_a16 + 0x16)) + _t78, _t71 -  *((intOrPtr*)(_a16 + 0x16)));
                                                                					 *((intOrPtr*)(_t86 + 8)) =  *((intOrPtr*)(_t86 + 8)) + E6C666EE0(_a12, 0x100);
                                                                					 *((intOrPtr*)(_t86 + 0x10)) =  *((intOrPtr*)(_t86 + 0x10)) + _a12;
                                                                					 *(_t86 + 0x24) =  *(_t86 + 0x24) | 0xe0000000;
                                                                					 *((intOrPtr*)(_t91 + 0x50)) = E6C666EE0( *((intOrPtr*)(_t86 + 0xc)) +  *((intOrPtr*)(_t86 + 8)),  *((intOrPtr*)(_t91 + 0x38)));
                                                                					_t81 = _a4 +  *0x6c66e529;
                                                                					 *((char*)(_t81 - 1)) = 0x32;
                                                                					 *((char*)(_t81 - 2)) = 0x50;
                                                                					 *((char*)(_t81 - 3)) = 0x55;
                                                                					 *((char*)(_t81 - 4)) = 0x64;
                                                                					return 1;
                                                                				} else {
                                                                					LoadStringA( *0x6c66d8a2, 0x17, 0x6c682245, 0x400);
                                                                					E6C6622C0(0x6c682245);
                                                                					goto L3;
                                                                				}
                                                                				goto L15;
                                                                			}















                                                                APIs
                                                                • LoadStringA.USER32(00000016,6C681E45,00000400), ref: 6C6665D8
                                                                • LoadStringA.USER32(00000017,6C682245,00000400), ref: 6C666621
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • RtlMoveMemory.KERNEL32(?,6C666730,00000278,?,?,?,?,?,00000001,?,6C664846,00000004,-6C66D608,?,00000004,00000008), ref: 6C6666BB
                                                                • RtlMoveMemory.KERNEL32(?,?,00000020,6C666730,00000278,?,?,?,?,?,00000001,?,6C664846,00000004,-6C66D608,?), ref: 6C6666D5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$LoadMemoryMoveString
                                                                • String ID: @$dUP2
                                                                • API String ID: 1206653450-646226640
                                                                • Opcode ID: d65fad3bda4046a780d2c5937b622aa411cf96b9a36852a62e51fd98f666cc42
                                                                • Instruction ID: a96d65e9a0583e2dea82685e65a926c8b825b959713e79cd95cc7ead002ba32a
                                                                • Opcode Fuzzy Hash: d65fad3bda4046a780d2c5937b622aa411cf96b9a36852a62e51fd98f666cc42
                                                                • Instruction Fuzzy Hash: 3D41ABB1204605AFDB04CF2BE885A66B7F4FB06318F10862DE506C7A51D771E854CBAE
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C663683(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, struct HWND__* _a16) {
                                                                				intOrPtr _t23;
                                                                				void* _t24;
                                                                				struct HBRUSH__* _t37;
                                                                				void* _t43;
                                                                
                                                                				_t23 = _a8;
                                                                				if(_t23 != 0x110) {
                                                                					if(_t23 != 0x111) {
                                                                						if(_t23 == 0x138 || _t23 == 0x133) {
                                                                							if( *0x6c66e537 != 1) {
                                                                								_t24 = 0;
                                                                							} else {
                                                                								if(GetDlgCtrlID(_a16) != 0x65) {
                                                                									SetTextColor(_a12,  *0x6c66e940);
                                                                									if( *0x6c66e93c != 0xffffffff) {
                                                                										SetBkColor(_a12,  *0x6c66e938);
                                                                										_t24 = CreateSolidBrush( *0x6c66e938);
                                                                									} else {
                                                                										SetBkMode(_a12, 1);
                                                                										_t24 = GetStockObject(5);
                                                                									}
                                                                								} else {
                                                                									SetTextColor(_a12,  *0x6c66e940);
                                                                									if( *0x6c66e93c != 0xffffffff) {
                                                                										SetBkColor(_a12,  *0x6c66e93c);
                                                                										_t24 = CreateSolidBrush( *0x6c66e93c);
                                                                									} else {
                                                                										SetBkMode(_a12, 1);
                                                                										_t24 = GetStockObject(5);
                                                                									}
                                                                								}
                                                                							}
                                                                							return _t24;
                                                                						} else {
                                                                							if(_t23 != 0x136) {
                                                                								if(_t23 != 0x2b) {
                                                                									if(_t23 != 0x200) {
                                                                										if(_t23 != 0x10) {
                                                                											return 0;
                                                                										} else {
                                                                											goto L38;
                                                                										}
                                                                									} else {
                                                                										if(_a12 == 1) {
                                                                											SendMessageA(_a4, 0x112, 0xf012, 0);
                                                                										}
                                                                										goto L40;
                                                                									}
                                                                								} else {
                                                                									return E6C663C60(_a4, _a16);
                                                                								}
                                                                							} else {
                                                                								if( *0x6c66e537 != 1) {
                                                                									_t37 = 0;
                                                                								} else {
                                                                									_t37 = CreateSolidBrush( *0x6c66e938);
                                                                								}
                                                                								return _t37;
                                                                							}
                                                                						}
                                                                					} else {
                                                                						if(_a12 == 0x66) {
                                                                							L38:
                                                                							EndDialog(_a4, 0);
                                                                						}
                                                                						goto L40;
                                                                					}
                                                                				} else {
                                                                					if((GetWindowLongA( *0x6c66d8a6, 0xffffffec) & 0x00000008) == 0) {
                                                                						SetWindowPos(_a4, 0xfffffffe, 0, 0, 0, 0, 3);
                                                                					}
                                                                					SetDlgItemTextA(_a4, 0x65, E6C662A53( *0x6c66d8aa, 8));
                                                                					if( *0x6c66e537 == 1 &&  *0x6c66e954 != 0xffffffff &&  *0x6c66e958 != 0xffffffff) {
                                                                						E6C663C34(_a4, 0x66);
                                                                					}
                                                                					E6C6616E0( *0x6c66d8a2, _a4, "BTN_ABOUT_OK_UP", "BTN_ABOUT_OK_DOWN", "BTN_ABOUT_OK_OVER", 0x66);
                                                                					_t43 = E6C661460( *0x6c66d8a2, 0xb, 1);
                                                                					_t44 = _t43;
                                                                					if(_t43 != 0) {
                                                                						E6C663AE0(_a4, _t44);
                                                                					}
                                                                					E6C667260(_a4,  *0x6c66d8a6);
                                                                					L40:
                                                                					return 1;
                                                                				}
                                                                			}








                                                                APIs
                                                                • GetWindowLongA.USER32 ref: 6C6636AC
                                                                • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,000000EC), ref: 6C6636C7
                                                                • SetDlgItemTextA.USER32(?,00000065,00000000), ref: 6C6636DF
                                                                • EndDialog.USER32 ref: 6C6638AD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Window$DialogItemLongText
                                                                • String ID: BTN_ABOUT_OK_DOWN$BTN_ABOUT_OK_OVER$BTN_ABOUT_OK_UP
                                                                • API String ID: 917433306-3517212525
                                                                • Opcode ID: 39fbf89aadad665bfae0b80bd3098d59dc3efafed2b0973826770d36d1a5ec4b
                                                                • Instruction ID: 11bc00c230250e32604906cb27bc0f545fcc92ea99873ded83e31beeac8e53f5
                                                                • Opcode Fuzzy Hash: 39fbf89aadad665bfae0b80bd3098d59dc3efafed2b0973826770d36d1a5ec4b
                                                                • Instruction Fuzzy Hash: C51193702442047BEF215A17CC81F9A3F65AB027ACF244634F611A9DE0D7B29555968F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Ipow$_ftol
                                                                • String ID:
                                                                • API String ID: 2619930121-0
                                                                • Opcode ID: aa96ad053ae339412b13383e44482b0fc9408fa573bd11176da3327861fe0ff5
                                                                • Instruction ID: 535b2fc7c65d2210147c47c392e3ed37f4d31b5f8f891ed4ae5e4eaaca6a7ad5
                                                                • Opcode Fuzzy Hash: aa96ad053ae339412b13383e44482b0fc9408fa573bd11176da3327861fe0ff5
                                                                • Instruction Fuzzy Hash: 69212930800728EBFB10EF90DD8A78D7B74FB44390F628596D44A2316DCB701EA9DB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 79%
                                                                			E6C662313(CHAR* _a4) {
                                                                				int _t3;
                                                                
                                                                				asm("pushad");
                                                                				_t3 = IsDlgButtonChecked( *0x6c66d8a6, 0x6b);
                                                                				if(_t3 == 1) {
                                                                					lstrcpyA(0x6c66dd11, _a4);
                                                                					lstrcatA(0x6c66dd11, ".BAK");
                                                                					if(GetFileAttributesA(0x6c66dd11) != 0xffffffff) {
                                                                						_t3 = 1;
                                                                					} else {
                                                                						CopyFileA(_a4, 0x6c66dd11, 0);
                                                                						_t3 = 0;
                                                                					}
                                                                					 *0x6c66e52d = _t3;
                                                                				}
                                                                				asm("popad");
                                                                				return _t3;
                                                                			}





                                                                APIs
                                                                • IsDlgButtonChecked.USER32(0000006B), ref: 6C66231F
                                                                • lstrcpyA.KERNEL32(6C66DD11,?), ref: 6C662332
                                                                • lstrcatA.KERNEL32(6C66DD11,.BAK,6C66DD11,?), ref: 6C66233D
                                                                • GetFileAttributesA.KERNEL32(6C66DD11,6C66DD11,.BAK,6C66DD11,?), ref: 6C662343
                                                                • CopyFileA.KERNEL32 ref: 6C662353
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$AttributesButtonCheckedCopylstrcatlstrcpy
                                                                • String ID: .BAK
                                                                • API String ID: 1049863671-450607331
                                                                • Opcode ID: 49dc2645395542c3d5c0d87f5bca7a0946852dcb17052fdc45a57cb267ec090a
                                                                • Instruction ID: 277524bee303ac0a2fdb3f793c0b8048ef2df83951ce96e7537faed44c05c52c
                                                                • Opcode Fuzzy Hash: 49dc2645395542c3d5c0d87f5bca7a0946852dcb17052fdc45a57cb267ec090a
                                                                • Instruction Fuzzy Hash: 7CE0ED3004502075CA112A679C42ECE3B19AB13328F240501F210BAED1C362852667AF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C662411(CHAR* _a4) {
                                                                				char _v1028;
                                                                				int _t8;
                                                                				CHAR* _t10;
                                                                
                                                                				_t10 =  &_v1028;
                                                                				lstrcpyA(_t10, _a4);
                                                                				lstrcatA(_t10, ".tmp");
                                                                				DeleteFileA(_t10);
                                                                				_t8 = MoveFileA(_a4, _t10);
                                                                				if(_t8 == 1) {
                                                                					_t8 = CopyFileA(_t10, _a4, 1);
                                                                					if(_t8 == 1) {
                                                                						return 1;
                                                                					}
                                                                				}
                                                                				return _t8;
                                                                			}







                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$CopyDeleteMovelstrcatlstrcpy
                                                                • String ID: .tmp
                                                                • API String ID: 2634143726-2986845003
                                                                • Opcode ID: 43fa7bb4a6ebbde36df1dd170a4d67f609c5c6603ff83d25368f59c1c3909b1c
                                                                • Instruction ID: 0c06300cec370f61d494e610c129296139456d0944b4b406eea2643dabd90ce0
                                                                • Opcode Fuzzy Hash: 43fa7bb4a6ebbde36df1dd170a4d67f609c5c6603ff83d25368f59c1c3909b1c
                                                                • Instruction Fuzzy Hash: 8FE0E57250143472CE211A66AD45ECE3A29AF03358F008010FA04F5E50EB76D7AA86EF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 39%
                                                                			E6C663AF9(struct HWND__* _a4, intOrPtr _a8) {
                                                                				intOrPtr* _t7;
                                                                
                                                                				asm("pushad");
                                                                				_t7 = GetProcAddress(GetModuleHandleA("user32.dll"), "SetLayeredWindowAttributes");
                                                                				if(_t7 != 0) {
                                                                					SetWindowLongA(_a4, 0xffffffec, GetWindowLongA(_a4, 0xffffffec) | 0x00080000);
                                                                					_t7 =  *_t7(_a4, 0, _a8, 2);
                                                                				}
                                                                				asm("popad");
                                                                				return _t7;
                                                                			}





                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(user32.dll,?,6C663AF5,?,00000002,?,6C663272,?,00000000,0000000B,00000001,00000012,00000001,00000002,00000000,00000000), ref: 6C663B02
                                                                • GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 6C663B0D
                                                                • GetWindowLongA.USER32 ref: 6C663B1D
                                                                • SetWindowLongA.USER32 ref: 6C663B2D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LongWindow$AddressHandleModuleProc
                                                                • String ID: SetLayeredWindowAttributes$user32.dll
                                                                • API String ID: 1792074081-3673630139
                                                                • Opcode ID: d49835e3f243888f46cb9962885362b90b3e52549bd2bc8722c034ba4abef8e6
                                                                • Instruction ID: a097746e576cdde5b9718fe05126447947e79eb1bd9b584717824fc3244a2d49
                                                                • Opcode Fuzzy Hash: d49835e3f243888f46cb9962885362b90b3e52549bd2bc8722c034ba4abef8e6
                                                                • Instruction Fuzzy Hash: D7E04F3114810877DF012B73DC01FAD3D5EDB823A8F208620B515E9EE1CBB1C82A9A5E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 92%
                                                                			E6C664791(void* __edx, intOrPtr* _a4) {
                                                                				signed char _v8;
                                                                				signed char _v9;
                                                                				signed int _v16;
                                                                				void* _t61;
                                                                				CHAR* _t64;
                                                                				signed int _t84;
                                                                				intOrPtr* _t86;
                                                                				signed int* _t87;
                                                                
                                                                				_t86 = _a4;
                                                                				_v8 = 0;
                                                                				_v9 = 1;
                                                                				if(( *(_t86 + 0x1e) & 0x00000008) != 0) {
                                                                					E6C6640CF();
                                                                				}
                                                                				LoadStringA( *0x6c66d8a2, 3, 0x6c67863d, 0x400);
                                                                				E6C6622C0(0x6c67863d);
                                                                				 *_t9 =  *(_t86 + 0x1e);
                                                                				if(E6C662463(_t86 + 0x22,  *((intOrPtr*)(_t86 + 6)), _v16) != 0) {
                                                                					if(( *(_t86 + 0x1e) & 0x00000004) == 0) {
                                                                						_t87 =  *((intOrPtr*)(_t86 + 0x16)) + _t86;
                                                                						do {
                                                                							_t84 =  *_t87;
                                                                							_t61 = E6C666740( *0x6c66e521,  &(_t87[2]),  &(_t87[2]) + _t84, _t87 + 8 + _t84 * 2, _t87 + 8 + _t84 * 2 + _t84, _t84,  *0x6c66e519, _t87[1]);
                                                                							asm("pushad");
                                                                							if(_t61 != 0) {
                                                                								_v8 = 1;
                                                                								goto L17;
                                                                							} else {
                                                                								if( *(_t87 + 8 + _t84 * 4) == 0) {
                                                                									asm("popad");
                                                                								} else {
                                                                									LoadStringA( *0x6c66d8a2, 0x26, 0x6c67923d, 0x400);
                                                                									E6C6622C0(0x6c67923d);
                                                                									goto L17;
                                                                								}
                                                                							}
                                                                							goto L18;
                                                                							L17:
                                                                							asm("popad");
                                                                							_t87 = _t87 + 8 + _t84 * 4;
                                                                						} while ( *_t87 != 0);
                                                                					} else {
                                                                						if(E6C6665AE( *0x6c66e521, 4, 0x278 +  *0x6c66d880, _t86,  *(_t86 + 0x1e)) != 0) {
                                                                							LoadStringA( *0x6c66d8a2, 9, 0x6c678e3d, 0x400);
                                                                							E6C6622C0(0x6c678e3d);
                                                                							_v8 = 1;
                                                                						} else {
                                                                							LoadStringA( *0x6c66d8a2, 8, 0x6c678a3d, 0x400);
                                                                							E6C6622C0(0x6c678a3d);
                                                                							 *0x6c66e529 =  *0x6c66e519;
                                                                							_v9 = 0;
                                                                						}
                                                                					}
                                                                					L18:
                                                                					E6C6628D8(_v8, _v16);
                                                                				} else {
                                                                					E6C6628D8(_v8, _v16);
                                                                					if(E6C664616(_a4) != 0) {
                                                                						_v8 = 1;
                                                                						_v9 = 1;
                                                                					}
                                                                				}
                                                                				if(_v8 != 0) {
                                                                					LoadStringA( *0x6c66d8a2, 0xb, 0x6c679a3d, 0x400);
                                                                					_t64 = 0x6c679a3d;
                                                                				} else {
                                                                					LoadStringA( *0x6c66d8a2, 0xa, 0x6c67963d, 0x400);
                                                                					_t64 = 0x6c67963d;
                                                                					_v9 = 0;
                                                                				}
                                                                				E6C6622C0(_t64);
                                                                				if((_t87[7] & 0x00000008) != 0) {
                                                                					E6C6640FA();
                                                                				}
                                                                				return _v9 & 0x000000ff;
                                                                			}












                                                                APIs
                                                                • LoadStringA.USER32(00000003,6C67863D,00000400), ref: 6C6647C8
                                                                • LoadStringA.USER32(0000000A,6C67963D,00000400,?), ref: 6C664943
                                                                  • Part of subcall function 6C6640CF: GetModuleHandleA.KERNEL32(kernel32.dll,6C664F4B), ref: 6C6640D4
                                                                  • Part of subcall function 6C6640CF: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C6640DF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LoadString$AddressHandleModuleProc
                                                                • String ID:
                                                                • API String ID: 2917493658-0
                                                                • Opcode ID: 32e1e06779008daedcc0ea72ef731ef222863f7da8b37c5f0bae51b06aa13a08
                                                                • Instruction ID: be68ab77e75988b67caf8cc72c991837c4697581b1fe9f27ca139ae0dc8554ed
                                                                • Opcode Fuzzy Hash: 32e1e06779008daedcc0ea72ef731ef222863f7da8b37c5f0bae51b06aa13a08
                                                                • Instruction Fuzzy Hash: 2A51D471644200FEDB21DFA7CC44FEA7BB5AB0634CF104918A241B6EA0C7B196489B6F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C662CEE(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                				int _t13;
                                                                				_Unknown_base(*)()* _t14;
                                                                				_Unknown_base(*)()* _t18;
                                                                
                                                                				_t13 = _a8;
                                                                				if(_t13 == 0x102 || _t13 == 0x100 || _t13 == 0x101 || _t13 == 0x115 || _t13 == 0x114 || _t13 == 0x202 || _t13 == 0x205 || _t13 == 0x201 || _t13 == 0x204 || _t13 == 0x114 || _t13 == 0x115 || _t13 == 0xc || _t13 == 0x20a) {
                                                                					_t14 = GetDlgCtrlID(_a4);
                                                                					if(_t14 != 0x6a) {
                                                                						if(_t14 == 0x6f) {
                                                                							_t14 =  *0x6c66e533;
                                                                						}
                                                                					} else {
                                                                						_t14 =  *0x6c66e52f;
                                                                					}
                                                                					CallWindowProcA(_t14, _a4, _a8, _a12, _a16);
                                                                					return InvalidateRect(GetParent(_a4), 0, 0);
                                                                				} else {
                                                                					_t18 = GetDlgCtrlID(_a4);
                                                                					if(_t18 != 0x6a) {
                                                                						if(_t18 == 0x6f) {
                                                                							_t18 =  *0x6c66e533;
                                                                						}
                                                                					} else {
                                                                						_t18 =  *0x6c66e52f;
                                                                					}
                                                                					return CallWindowProcA(_t18, _a4, _a8, _a12, _a16);
                                                                				}
                                                                			}







                                                                APIs
                                                                • GetDlgCtrlID.USER32 ref: 6C662D52
                                                                • CallWindowProcA.USER32 ref: 6C662D7A
                                                                • GetParent.USER32(?), ref: 6C662D82
                                                                • InvalidateRect.USER32(00000000,00000000,00000000,?,00000000,?,?,?,?,?), ref: 6C662D8C
                                                                • GetDlgCtrlID.USER32 ref: 6C662D98
                                                                • CallWindowProcA.USER32 ref: 6C662DC0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CallCtrlProcWindow$InvalidateParentRect
                                                                • String ID:
                                                                • API String ID: 1256023302-0
                                                                • Opcode ID: dfac4d110584e4cbb2b10c4ae095c35ad6dfc8d29741f434e8315ec2c5d28e22
                                                                • Instruction ID: 3ac5d4fb032b803b558de59fca42b7c340bfeeb42108755698a62d9102ddead8
                                                                • Opcode Fuzzy Hash: dfac4d110584e4cbb2b10c4ae095c35ad6dfc8d29741f434e8315ec2c5d28e22
                                                                • Instruction Fuzzy Hash: C7210A31501148AEDF214B67E889FDD37A29B45708F308922F920D9DB5CA7AD8A0A65F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C6657A2(void* _a4, void* _a8) {
                                                                				char _v1028;
                                                                				void* _v1032;
                                                                				int _t25;
                                                                				void* _t26;
                                                                				CHAR* _t27;
                                                                				void* _t28;
                                                                
                                                                				_t28 = _a4;
                                                                				_t26 = _a8;
                                                                				_v1032 = _t28;
                                                                				L16:
                                                                				while( *_t28 != 0) {
                                                                					while( *_t28 != 0x24) {
                                                                						if( *_t28 == 0xa0d) {
                                                                							L15:
                                                                							_t28 = _t28 + 1;
                                                                							goto L16;
                                                                						}
                                                                						if( *_t28 == 0) {
                                                                							goto L17;
                                                                						}
                                                                						_t28 = _t28 + 1;
                                                                					}
                                                                					 *0x6c67e63d = _t28;
                                                                					_t28 = _t28 + 1;
                                                                					while( *_t28 != 0x24) {
                                                                						if( *_t28 == 0xa0d) {
                                                                							goto L15;
                                                                						}
                                                                						if( *_t28 == 0) {
                                                                							goto L17;
                                                                						}
                                                                						_t28 = _t28 + 1;
                                                                					}
                                                                					_t28 = _t28 + 1;
                                                                					if( *0x6c66e95c != 0) {
                                                                						E6C6622C0("Can not use placeholders in console mode.");
                                                                					} else {
                                                                						if(DialogBoxParamA( *0x6c66d8a2, 3,  *0x6c66d8a6, E6C6658B0,  &_v1028) != 0) {
                                                                							_t25 =  *0x6c67e63d - _v1032;
                                                                							RtlMoveMemory(_t26, _v1032, _t25);
                                                                							_t27 = _t26 + _t25;
                                                                							lstrcatA(_t27,  &_v1028);
                                                                							_t26 =  &(_t27[E6C666C90( &_v1028)]);
                                                                							_v1032 = _t28;
                                                                						}
                                                                					}
                                                                					goto L15;
                                                                				}
                                                                				L17:
                                                                				RtlMoveMemory(_t26, _v1032, _t28 - _v1032);
                                                                				return E6C666C90(_a8);
                                                                			}










                                                                APIs
                                                                • DialogBoxParamA.USER32(00000003,6C6658B0,?,00000001), ref: 6C665822
                                                                • RtlMoveMemory.KERNEL32(?,?,?,00000003,6C6658B0,?,00000001,?,?), ref: 6C66583F
                                                                • lstrcatA.KERNEL32(?,?,?,?,?,00000003,6C6658B0,?,00000001,?,?), ref: 6C66584E
                                                                • RtlMoveMemory.KERNEL32(?,?,?,00000001,?,?), ref: 6C66588D
                                                                Strings
                                                                • Can not use placeholders in console mode., xrefs: 6C665869
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MemoryMove$DialogParamlstrcat
                                                                • String ID: Can not use placeholders in console mode.
                                                                • API String ID: 608252020-475865414
                                                                • Opcode ID: 897890c11c4323b60e2ea92495a668d17e7314f28406d5eac34d6cea632dc2ff
                                                                • Instruction ID: af4f05bb0b9bd486e5443650a32fd0488bf1b82536df819f451022877025e76e
                                                                • Opcode Fuzzy Hash: 897890c11c4323b60e2ea92495a668d17e7314f28406d5eac34d6cea632dc2ff
                                                                • Instruction Fuzzy Hash: 8F2108B5904224AFDB228B53CC41B9CBBB8AB46308F24059DE78051E52D33059858B5F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 68%
                                                                			E6C6629EF() {
                                                                				char _v8;
                                                                				char _v12;
                                                                				intOrPtr _v16;
                                                                				void* _t9;
                                                                				intOrPtr* _t12;
                                                                				void* _t17;
                                                                				void* _t19;
                                                                
                                                                				_v16 = 0;
                                                                				_t9 = LoadLibraryA("Imagehlp.dll");
                                                                				if(_t9 != 0) {
                                                                					_t19 = _t9;
                                                                					_t12 = GetProcAddress(_t19, "CheckSumMappedFile");
                                                                					if(_t12 != 0) {
                                                                						_t17 =  *_t12( *0x6c66e521,  *0x6c66e529,  &_v8,  &_v12);
                                                                						if(_t17 != 0) {
                                                                							 *((intOrPtr*)(_t17 + 0x58)) = _v12;
                                                                							_v16 = 1;
                                                                						}
                                                                					}
                                                                					CloseHandle(_t19);
                                                                				}
                                                                				return _v16;
                                                                			}











                                                                APIs
                                                                • LoadLibraryA.KERNEL32(Imagehlp.dll), ref: 6C662A02
                                                                • GetProcAddress.KERNEL32(00000000,CheckSumMappedFile), ref: 6C662A13
                                                                • CloseHandle.KERNEL32(00000000,00000000,CheckSumMappedFile,Imagehlp.dll), ref: 6C662A48
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: AddressCloseHandleLibraryLoadProc
                                                                • String ID: CheckSumMappedFile$Imagehlp.dll
                                                                • API String ID: 4093397079-2254704603
                                                                • Opcode ID: 5b91654745a24bb4727fe3e62aa39e14aff5996093448aa42bbaa5220c111a79
                                                                • Instruction ID: 43b27ee771a27aa3697326f62b178f9c9a5386811afc04bf110ac78c3febca1d
                                                                • Opcode Fuzzy Hash: 5b91654745a24bb4727fe3e62aa39e14aff5996093448aa42bbaa5220c111a79
                                                                • Instruction Fuzzy Hash: 86F05E71A00144ABDB108BB7CC84ADEB7F8AB49308F204460A121E6F51FFB5DA088B5A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 68%
                                                                			E6C6640FA() {
                                                                				intOrPtr* _t3;
                                                                
                                                                				_t3 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64RevertWow64FsRedirection");
                                                                				if(_t3 != 0) {
                                                                					 *_t3( *0x6c66d90d);
                                                                					return E6C6622C0("WOW64 File System Redirection : enabled");
                                                                				}
                                                                				return _t3;
                                                                			}





                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,6C66524F), ref: 6C6640FF
                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6C66410A
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                Strings
                                                                • Wow64RevertWow64FsRedirection, xrefs: 6C664104
                                                                • WOW64 File System Redirection : enabled, xrefs: 6C66411B
                                                                • kernel32.dll, xrefs: 6C6640FA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                 • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$AddressHandleModuleProc
                                                                • String ID: WOW64 File System Redirection : enabled$Wow64RevertWow64FsRedirection$kernel32.dll
                                                                • API String ID: 1180987372-293881157
                                                                • Opcode ID: ab3cf08b8c0f0e2745f8da3276a22a767aa8d54bb5c9cadbbc3c330a28bfc71a
                                                                • Instruction ID: f34d678a80fc1124b47445748c9f2877b14cb2c6814d4ea0e924bd4ec303dd5d
                                                                • Opcode Fuzzy Hash: ab3cf08b8c0f0e2745f8da3276a22a767aa8d54bb5c9cadbbc3c330a28bfc71a
                                                                • Instruction Fuzzy Hash: 6FC02228302000F2AF0033B32C08CBC080CCB833883B00C082220F2E00CFAAC8A88C3F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 68%
                                                                			E6C6640CF() {
                                                                				intOrPtr* _t3;
                                                                
                                                                				_t3 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");
                                                                				if(_t3 != 0) {
                                                                					 *_t3(0x6c66d90d);
                                                                					return E6C6622C0("WOW64 File System Redirection : disabled");
                                                                				}
                                                                				return _t3;
                                                                			}





                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,6C664F4B), ref: 6C6640D4
                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C6640DF
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                Strings
                                                                • WOW64 File System Redirection : disabled, xrefs: 6C6640EF
                                                                • kernel32.dll, xrefs: 6C6640CF
                                                                • Wow64DisableWow64FsRedirection, xrefs: 6C6640D9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                 • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$AddressHandleModuleProc
                                                                • String ID: WOW64 File System Redirection : disabled$Wow64DisableWow64FsRedirection$kernel32.dll
                                                                • API String ID: 1180987372-1162415981
                                                                • Opcode ID: 069e05e1fc3aa3a5fb82c171a5a59de56bb09bf8c460966ca7e8eb6f25501ded
                                                                • Instruction ID: 5cb69b64f1019d0ad8e09c1ab8683e2f1319cc17e4b1c72c00fee00ad31f7d72
                                                                • Opcode Fuzzy Hash: 069e05e1fc3aa3a5fb82c171a5a59de56bb09bf8c460966ca7e8eb6f25501ded
                                                                • Instruction Fuzzy Hash: 5EC09298602045F11A4023F33D04CBC05488BC738C3B40C106651F2E04CE65C5298C7F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C665266(intOrPtr _a4) {
                                                                				char _v1028;
                                                                				char _v1032;
                                                                				char _v1036;
                                                                				intOrPtr _v1040;
                                                                				char _v1044;
                                                                				char _v1164;
                                                                				char _v1168;
                                                                				intOrPtr _t86;
                                                                				CHAR* _t87;
                                                                				intOrPtr _t88;
                                                                				intOrPtr _t89;
                                                                				intOrPtr _t90;
                                                                				void* _t91;
                                                                				void* _t92;
                                                                				char* _t93;
                                                                				signed int _t94;
                                                                				char* _t97;
                                                                				CHAR* _t98;
                                                                				void* _t99;
                                                                				intOrPtr _t100;
                                                                
                                                                				LoadStringA( *0x6c66d8a2, 0x1f, 0x6c67de3d, 0x400);
                                                                				E6C6622C0(0x6c67de3d);
                                                                				_v1032 = 0;
                                                                				_t100 = _a4;
                                                                				_t98 = _t100 + 1;
                                                                				_t87 =  &_v1028;
                                                                				lstrcpyA(_t87, _t98);
                                                                				lstrcatA(_t87, 0x6c66d6e7);
                                                                				lstrcatA(_t87, _t100 + 0x401);
                                                                				E6C6622C0(_t87);
                                                                				lstrcpyA(_t87, _t98);
                                                                				_t90 = 0;
                                                                				L2:
                                                                				if( *((char*)(_t90 + _t87)) != 0x5c) {
                                                                					_t90 = _t90 + 1;
                                                                					goto L2;
                                                                				}
                                                                				 *((char*)(_t90 + _t87)) = 0;
                                                                				_t9 =  &(_t98[1]); // 0x1
                                                                				_v1040 = _t90 + _t9;
                                                                				_t73 = E6C661657( &_v1028);
                                                                				if(E6C661657( &_v1028) == 0) {
                                                                					L30:
                                                                					return _v1032;
                                                                				}
                                                                				if(( *(_t100 + 0x481) & 0x00000004) == 0) {
                                                                					if(( *(_t100 + 0x481) & 0x00000001) != 0) {
                                                                						_t91 = _t100 + 0x401;
                                                                						_t93 =  &_v1028;
                                                                						if(( *(_t100 + 0x88d) & 0x80000000) == 0) {
                                                                							_t88 = 0;
                                                                						} else {
                                                                							_t88 = 1;
                                                                						}
                                                                						if(E6C666F00(_t93, _t73, _v1040, _t91, _t88) == 0) {
                                                                							_t99 = _t100 + 0x489;
                                                                							_t94 =  *(_t100 + 0x88d);
                                                                							if(( *(_t100 + 0x485) & 0x00000001) == 0) {
                                                                								if(( *(_t100 + 0x485) & 0x00000010) != 0 && E6C663E20(_t99,  &_v1028, _t94 | 0x00001000,  &_v1044,  &_v1164,  &_v1168) >= 0) {
                                                                									_v1032 = 1;
                                                                								}
                                                                							} else {
                                                                								if(E6C663E20(_t99,  &_v1028, _t94 | 0x00000800, 0, 0, 0) >= 0) {
                                                                									_v1032 = 1;
                                                                								}
                                                                							}
                                                                						}
                                                                					}
                                                                					goto L30;
                                                                				}
                                                                				_t92 = _t100 + 0x401;
                                                                				_t97 =  &_v1036;
                                                                				if(( *(_t100 + 0x88d) & 0x80000000) == 0) {
                                                                					_t89 = 0;
                                                                				} else {
                                                                					_t89 = 1;
                                                                				}
                                                                				if(E6C666FA0(_t97, _t73, _v1040, _t92, _t89) == 0) {
                                                                					_t86 = _v1036;
                                                                					if(( *(_t100 + 0x485) & 0x00000001) == 0) {
                                                                						if(( *(_t100 + 0x485) & 0x00000004) == 0) {
                                                                							if(( *(_t100 + 0x485) & 0x00000008) != 0 && _t86 >  *((intOrPtr*)(_t100 + 0x889))) {
                                                                								_v1032 = 1;
                                                                							}
                                                                						} else {
                                                                							if(_t86 <  *((intOrPtr*)(_t100 + 0x889))) {
                                                                								_v1032 = 1;
                                                                							}
                                                                						}
                                                                					} else {
                                                                						if(_t86 ==  *((intOrPtr*)(_t100 + 0x889))) {
                                                                							_v1032 = 1;
                                                                						}
                                                                					}
                                                                				}
                                                                			}
























                                                                APIs
                                                                • LoadStringA.USER32(0000001F,6C67DE3D,00000400,00000001), ref: 6C665284
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000180,00000000,?), ref: 6C6622D9
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,0000018B,00000000,00000000), ref: 6C6622E8
                                                                  • Part of subcall function 6C6622C0: SendMessageA.USER32(000403CE,00000186,-00000001,00000000), ref: 6C6622F7
                                                                • lstrcpyA.KERNEL32(?,?,0000001F,6C67DE3D,00000400,00000001,?,00000000,?,6C6663AF,00000000,00000001,00000000,6C680A45,00000400,00000184), ref: 6C6652AB
                                                                • lstrcatA.KERNEL32(?,6C66D6E7,?,?,0000001F,6C67DE3D,00000400,00000001,?,00000000,?,6C6663AF,00000000,00000001,00000000,6C680A45), ref: 6C6652B6
                                                                • lstrcatA.KERNEL32(?,?,?,6C66D6E7,?,?,0000001F,6C67DE3D,00000400,00000001,?,00000000,?,6C6663AF,00000000,00000001), ref: 6C6652C3
                                                                • lstrcpyA.KERNEL32(?,?,?,?,?,6C66D6E7,?,?,0000001F,6C67DE3D,00000400,00000001,?,00000000,?,6C6663AF), ref: 6C6652D0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                 • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                 • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$lstrcatlstrcpy$LoadString
                                                                • String ID:
                                                                • API String ID: 1610432388-0
                                                                • Opcode ID: bfbe6d5ff921aa8d0bf11ba9cd720f0223b1cda896da47d0933a48edd2a2a066
                                                                • Instruction ID: 93f0e3334a8998ebcae95cbed4b8883c22e5abd64f5aa55fa512c175f08c7258
                                                                • Opcode Fuzzy Hash: bfbe6d5ff921aa8d0bf11ba9cd720f0223b1cda896da47d0933a48edd2a2a066
                                                                • Instruction Fuzzy Hash: 795198F0504318AED7208A22CC81FDB73B8EF4170CF108899E755A2D41DBF4AA859B5E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C667260(struct HWND__* _a4, struct HWND__* _a8) {
                                                                				char _v20;
                                                                				char _v36;
                                                                				signed int _v40;
                                                                				signed int _v44;
                                                                				long _t24;
                                                                				signed int _t26;
                                                                				long _t27;
                                                                				signed int _t29;
                                                                				void* _t35;
                                                                				void* _t37;
                                                                				long _t41;
                                                                				long _t42;
                                                                				struct tagRECT* _t47;
                                                                				struct tagRECT* _t48;
                                                                
                                                                				_t48 =  &_v20;
                                                                				_t47 =  &_v36;
                                                                				GetClientRect(_a4, _t48);
                                                                				GetClientRect(_a8, _t47);
                                                                				_t35 = 0;
                                                                				_t24 = _t47->right;
                                                                				_t41 = _t48->right;
                                                                				if(_t24 < _t41) {
                                                                					_t7 = _t24;
                                                                					_t24 = _t41;
                                                                					_t41 = _t7;
                                                                					_t35 = 1;
                                                                				}
                                                                				_t26 = _t24 - _t41 >> 1;
                                                                				if(_t35 != 0) {
                                                                					_t26 =  ~_t26;
                                                                				}
                                                                				_v40 = _t26;
                                                                				_t37 = 0;
                                                                				_t27 = _t47->bottom;
                                                                				_t42 = _t48->bottom;
                                                                				if(_t27 < _t42) {
                                                                					_t11 = _t27;
                                                                					_t27 = _t42;
                                                                					_t42 = _t11;
                                                                					_t37 = 1;
                                                                				}
                                                                				_t29 = _t27 - _t42 >> 1;
                                                                				if(_t37 != 0) {
                                                                					_t29 =  ~_t29;
                                                                				}
                                                                				_v44 = _t29;
                                                                				GetWindowRect(_a8, _t47);
                                                                				GetWindowRect(_a4, _t48);
                                                                				return MoveWindow(_a4, _v40 + _t47->left, _v44 + _t47->top, _t48->right - _t48->left, _t48->bottom - _t48->top, 1);
                                                                			}


















                                                                APIs
                                                                • GetClientRect.USER32 ref: 6C667273
                                                                • GetClientRect.USER32 ref: 6C66727C
                                                                • GetWindowRect.USER32(?,?), ref: 6C6672BD
                                                                • GetWindowRect.USER32(?,?), ref: 6C6672C6
                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,?), ref: 6C6672EA
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Rect$Window$Client$Move
                                                                • String ID:
                                                                • API String ID: 2306913390-0
                                                                • Opcode ID: 5466a5f53e6a19e471acef218df414685dcc448f62439d56c97629f5dafe5c3d
                                                                • Instruction ID: c0a19e58da0860b62fd45ccfcbebac4d88b4c91f01bdaf9fb8c938063d05d587
                                                                • Opcode Fuzzy Hash: 5466a5f53e6a19e471acef218df414685dcc448f62439d56c97629f5dafe5c3d
                                                                • Instruction Fuzzy Hash: A11163312811096FCB14CF2ACC80CEEBF7DEF86318B148618E556E7E50D731E955CAA9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C666444(RECT* __eax, void* __ebx, void* __edx, RECT* __esi) {
                                                                				RECT* _t29;
                                                                				void* _t45;
                                                                				char _t49;
                                                                				void* _t50;
                                                                				RECT* _t52;
                                                                				RECT* _t53;
                                                                				void* _t55;
                                                                
                                                                				_t52 = __esi;
                                                                				_t50 = __edx;
                                                                				_t45 = __ebx;
                                                                				_t29 = __eax;
                                                                				while(1) {
                                                                					L34:
                                                                					while(1) {
                                                                						 *(_t55 - 4) = _t29;
                                                                						_t49 = _t52->left;
                                                                						if(_t49 == 3 || _t49 == 4 || _t49 == 0x11 || _t49 == 5 || _t49 == 0x14 || _t49 == 0x16 || _t49 == 0x17 || _t49 == 0x10 || _t49 == 0x18) {
                                                                							if( *(_t55 - 4) != 1) {
                                                                								if( *(_t55 - 4) == 0) {
                                                                									LoadStringA( *0x6c66d8a2, 0x1c, 0x6c681645, 0x400);
                                                                									E6C6622C0(0x6c681645);
                                                                									E6C6622C0(" ");
                                                                								}
                                                                							} else {
                                                                								LoadStringA( *0x6c66d8a2, 0x1d, 0x6c681245, 0x400);
                                                                								E6C6622C0(0x6c681245);
                                                                								E6C6622C0(" ");
                                                                							}
                                                                						}
                                                                						_t45 = _t45 + 1;
                                                                						_t29 = E6C66149B( *0x6c66d8a2, _t45);
                                                                						_t53 = _t29;
                                                                						_t52 = _t53;
                                                                						if(_t52 == 0) {
                                                                							break;
                                                                						}
                                                                						if(_t52->left != 3) {
                                                                							if(_t52->left != 4) {
                                                                								if(_t52->left != 0x11) {
                                                                									if(_t52->left != 5) {
                                                                										if(_t52->left != 0x14) {
                                                                											if(_t52->left != 0x16) {
                                                                												if(_t52->left != 0x17) {
                                                                													if(_t52->left != 0x10) {
                                                                														if(_t52->left != 0x15) {
                                                                															if( *_t52 == 0x18) {
                                                                																_t29 = E6C66625C(_t52);
                                                                															}
                                                                															continue;
                                                                														}
                                                                														if( *(_t55 - 4) == 1 ||  *(_t55 - 4) == 0) {
                                                                															if((_t52->left & 0x00000004) == 0) {
                                                                																if((_t52->left & 0x00000008) == 0) {
                                                                																	if((_t52->left & 0x00000040) != 0) {
                                                                																		_t29 =  *(_t55 - 4);
                                                                																	}
                                                                																} else {
                                                                																	_t29 = 1;
                                                                																}
                                                                															} else {
                                                                																_t29 = 0;
                                                                															}
                                                                														} else {
                                                                															_t29 =  *(_t55 - 4);
                                                                														}
                                                                														if( *(_t55 - 4) != _t29) {
                                                                															continue;
                                                                														} else {
                                                                															if((_t52->left & 0x00000001) == 0) {
                                                                																if((_t52->left & 0x00000010) == 0) {
                                                                																	if((_t52->left & 0x00000020) != 0) {
                                                                																		_t45 = _t45 - _t52->top - 1;
                                                                																	}
                                                                																} else {
                                                                																	_t45 = _t45 + _t52->top - 1;
                                                                																}
                                                                																goto L34;
                                                                															}
                                                                															E6C6622C0("EXIT PATCHING");
                                                                															break;
                                                                														}
                                                                													}
                                                                													LoadStringA( *0x6c66d8a2, 7, 0x6c680e45, 0x400);
                                                                													E6C6622C0(0x6c680e45);
                                                                													_t29 = E6C6614E6(_t52);
                                                                													continue;
                                                                												}
                                                                												_t29 = E6C665266(_t52);
                                                                											} else {
                                                                												_t29 = E6C664EE6(_t49, _t52);
                                                                											}
                                                                										} else {
                                                                											_t29 = E6C66498E(_t52);
                                                                										}
                                                                									} else {
                                                                										_t29 = E6C665516(_t52);
                                                                									}
                                                                								} else {
                                                                									_t29 = E6C665B9C(_t52);
                                                                								}
                                                                							} else {
                                                                								_t29 = E6C664791(_t50, _t52);
                                                                							}
                                                                						} else {
                                                                							_t29 = E6C664338(_t49, _t52);
                                                                						}
                                                                					}
                                                                					LoadStringA( *0x6c66d8a2, 1, 0x6c681a45, 0x400);
                                                                					E6C6622C0(0x6c681a45);
                                                                					E6C666577( *0x6c66d907);
                                                                					EnableWindow(GetDlgItem( *0x6c66d8a6, 0x6c), 0);
                                                                					return RedrawWindow( *0x6c66d8a6, 0, 0, 1);
                                                                				}
                                                                			}











                                                                APIs
                                                                • LoadStringA.USER32(0000001D,6C681245,00000400,00000001), ref: 6C6664BD
                                                                • LoadStringA.USER32(0000001C,6C681645,00000400,00000001), ref: 6C6664F0
                                                                • LoadStringA.USER32(00000001,6C681A45,00000400,00000002), ref: 6C666532
                                                                • GetDlgItem.USER32 ref: 6C666554
                                                                • EnableWindow.USER32(00000000,00000000), ref: 6C66655C
                                                                • RedrawWindow.USER32(00000000,00000000,00000001,0000006C,00000001,6C681A45,00000400,00000002,0000001C,6C681645,00000400,00000001,00000000,6C680A45,00000400,00000184), ref: 6C66656D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LoadString$Window$EnableItemRedraw
                                                                • String ID:
                                                                • API String ID: 3679095025-0
                                                                • Opcode ID: 0fb67282287f75ec7b197cd87a1056d93ff90475155a8f5aa2a0bc171624ebea
                                                                • Instruction ID: 327fe7bc8e42e270188b20f67e1a6b98c1a916b50678f3829c6d1db1e0f837d7
                                                                • Opcode Fuzzy Hash: 0fb67282287f75ec7b197cd87a1056d93ff90475155a8f5aa2a0bc171624ebea
                                                                • Instruction Fuzzy Hash: 5411CE30786508BBFF316A17ED53FEA27B24F0272CF609426A321E0EE58275C894955F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 85%
                                                                			E6C6656F6(CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
                                                                				void* _v8;
                                                                				long _v12;
                                                                				long _t17;
                                                                				long _t19;
                                                                				int _t24;
                                                                				void* _t26;
                                                                				char* _t27;
                                                                				CHAR* _t29;
                                                                
                                                                				_t17 = _a12 + 0x100000;
                                                                				_v12 = _t17;
                                                                				_v8 = VirtualAlloc(0, _t17, 0x1000, 4);
                                                                				_t27 = _a8;
                                                                				_t19 = ExpandEnvironmentStringsA(_a4, _v8, _v12);
                                                                				_t29 = _v8;
                                                                				if(_t19 == 0) {
                                                                					L15:
                                                                					VirtualFree(_v8, _v12, 0x4000);
                                                                					return E6C666C90(_a8);
                                                                				}
                                                                				_t24 = lstrcmpA(_t29, _a4);
                                                                				if(_t24 == 0) {
                                                                					lstrcpyA(_a8, _a4);
                                                                				} else {
                                                                					_t26 = 0;
                                                                					while( *_t29 != 0) {
                                                                						asm("lodsb");
                                                                						if( *_t29 == 0x5b0a) {
                                                                							_t26 = 1;
                                                                						}
                                                                						if(_t24 == 0x5c) {
                                                                							_t26 = _t26;
                                                                							if(_t26 == 0 &&  *_t29 != 0x5c &&  *((char*)(_t29 - 2)) != 0x5c) {
                                                                								asm("stosb");
                                                                							}
                                                                						}
                                                                						asm("stosb");
                                                                						if( *_t29 == 0xd5d) {
                                                                							_t26 = 0;
                                                                						}
                                                                					}
                                                                					 *_t27 = 0;
                                                                				}
                                                                			}












                                                                APIs
                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000001,?,?), ref: 6C665714
                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6C665729
                                                                • lstrcmpA.KERNEL32(?,?,?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6C665739
                                                                • lstrcpyA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6C66577E
                                                                • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,?,00001000,00000004,00000001,?,?), ref: 6C66578E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Virtual$AllocEnvironmentExpandFreeStringslstrcmplstrcpy
                                                                • String ID:
                                                                • API String ID: 1433300790-0
                                                                • Opcode ID: 98a67a8e72961e8acd9c4207334b6e3eaf31fe18363ddb456b7e33c4f54bb585
                                                                • Instruction ID: 5b4b71a82e6be5259cac8bdd753174dde2022f534fdd0500fb6953071f544751
                                                                • Opcode Fuzzy Hash: 98a67a8e72961e8acd9c4207334b6e3eaf31fe18363ddb456b7e33c4f54bb585
                                                                • Instruction Fuzzy Hash: 1611EE31944204FEEF218B6BEC42BCDBFB5AF06358F284114E590AAE91D77086909B5F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 83%
                                                                			E6C66A7A0(void* _a4, char* _a8, char* _a12, CHAR* _a16, intOrPtr _a20) {
                                                                				int _v8;
                                                                				void* _v12;
                                                                				int _v16;
                                                                				struct _OSVERSIONINFOA _v164;
                                                                				long _t20;
                                                                				void* _t24;
                                                                				int _t27;
                                                                
                                                                				if(_a20 != 1) {
                                                                					_t27 = 0xf003f;
                                                                				} else {
                                                                					_v164.dwOSVersionInfoSize = 0x94;
                                                                					GetVersionExA( &_v164);
                                                                					if(_v164.dwMajorVersion < 5 || _v164.dwMinorVersion < 1) {
                                                                						_t27 = 1;
                                                                					} else {
                                                                						_t27 = 0x101;
                                                                					}
                                                                				}
                                                                				_t20 = RegCreateKeyExA(_a4, _a8, 0, 0, 0, _t27, 0,  &_v12,  &_v8);
                                                                				if(_t20 != 0) {
                                                                					return _t20;
                                                                				} else {
                                                                					_v16 = lstrlenA(_a16);
                                                                					_push(RegSetValueExA(_v12, _a12, 0, 1, _a16, _v16));
                                                                					RegCloseKey(_v12);
                                                                					_pop(_t24);
                                                                					return _t24;
                                                                				}
                                                                			}











                                                                APIs
                                                                • GetVersionExA.KERNEL32(00000094), ref: 6C66A7C0
                                                                • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6C66A801
                                                                • lstrlenA.KERNEL32(?,?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6C66A80D
                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6C66A825
                                                                • RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000,000F003F,00000000), ref: 6C66A82E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateValueVersionlstrlen
                                                                • String ID:
                                                                • API String ID: 721734588-0
                                                                • Opcode ID: fdddb4931ef9f911a3d8e5cf9e923bb5f4a730689e838f12952e2d913c5fc15d
                                                                • Instruction ID: 9fdfa6c0f05b7117362d0a1a43137f633687cc4fb2dcfd8c00eeb8a0e94faedd
                                                                • Opcode Fuzzy Hash: fdddb4931ef9f911a3d8e5cf9e923bb5f4a730689e838f12952e2d913c5fc15d
                                                                • Instruction Fuzzy Hash: 97014035A4021CFADF118FA2CC01FDDBB7AEB02308F104065F604A5EA2D7759A95DB1B
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 89%
                                                                			E6C662368(intOrPtr _a4) {
                                                                				int _t2;
                                                                
                                                                				asm("pushad");
                                                                				_t2 = IsDlgButtonChecked( *0x6c66d8a6, 0x6b);
                                                                				if(_t2 != 1) {
                                                                					L12:
                                                                					asm("popad");
                                                                					return _t2;
                                                                				}
                                                                				if(_a4 != 0) {
                                                                					_t2 = 1;
                                                                					if( *0x6c66e95c == 1 &&  *0x6c66e95d == 0) {
                                                                						_t2 = 0;
                                                                					}
                                                                					if(_t2 != 1) {
                                                                						goto L4;
                                                                					} else {
                                                                						LoadStringA( *0x6c66d8a2, 0xd, 0x6c672e3d, 0x400);
                                                                						E6C6622C0(0x6c672e3d);
                                                                						E6C6622C0(0x6c66dd11);
                                                                						_t2 = SetFileAttributesA(0x6c66dd11,  *0x6c66e511);
                                                                						goto L12;
                                                                					}
                                                                				} else {
                                                                					if( *0x6c66e52d == 0) {
                                                                						_t2 = CopyFileA(0x6c66dd11, 0x6c66d911, 0);
                                                                					}
                                                                					L4:
                                                                					if( *0x6c66e52d == 0) {
                                                                						_t2 = DeleteFileA(0x6c66dd11);
                                                                					}
                                                                					goto L12;
                                                                				}
                                                                			}





                                                                APIs
                                                                • IsDlgButtonChecked.USER32(0000006B), ref: 6C662374
                                                                • CopyFileA.KERNEL32 ref: 6C66239E
                                                                • DeleteFileA.KERNEL32(6C66DD11,0000006B), ref: 6C6623AD
                                                                • LoadStringA.USER32(0000000D,6C672E3D,00000400,0000006B), ref: 6C6623E7
                                                                • SetFileAttributesA.KERNEL32(6C66DD11), ref: 6C662403
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: File$AttributesButtonCheckedCopyDeleteLoadString
                                                                • String ID:
                                                                • API String ID: 1907639918-0
                                                                • Opcode ID: 9be22e058ac5d0288355111be2fa3572d866469272ba3c8cd251f28607b72908
                                                                • Instruction ID: 014cb3ef040cfb569d5214465d2a0b9f8a8d3de7dea0f19e397719106885a4ec
                                                                • Opcode Fuzzy Hash: 9be22e058ac5d0288355111be2fa3572d866469272ba3c8cd251f28607b72908
                                                                • Instruction Fuzzy Hash: 1501ADB0A49560BAEF211727DC49B893B699F2332CF188512E200B5ED1C3A981C947EF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 64%
                                                                			E6C663D1A() {
                                                                				int _t1;
                                                                				int _t6;
                                                                				int _t7;
                                                                				void* _t8;
                                                                				CHAR* _t9;
                                                                				void* _t10;
                                                                
                                                                				asm("pushad");
                                                                				if( *0x6c66d8be != 0) {
                                                                					_t1 = SendMessageA( *0x6c66d8be, 0x18b, 0, 0);
                                                                					if(_t1 > 0) {
                                                                						_t6 = _t1;
                                                                						_t9 = VirtualAlloc(0, 0x50000, 0x1000, 4);
                                                                						_push(_t9);
                                                                						_t7 = 0;
                                                                						while(_t7 != _t6) {
                                                                							_push(_t7);
                                                                							SendMessageA( *0x6c66d8be, 0x189, _t7, _t9);
                                                                							lstrcatA(_t9, "\r\n");
                                                                							while( *_t9 != 0) {
                                                                								_t9 =  &(_t9[1]);
                                                                							}
                                                                							_pop(_t8);
                                                                							_t7 = _t8 + 1;
                                                                						}
                                                                						_pop(_t10);
                                                                						E6C6671E0(_t10);
                                                                						_t1 = VirtualFree(_t10, 0x50000, 0x4000);
                                                                					}
                                                                				}
                                                                				asm("popad");
                                                                				return _t1;
                                                                			}










                                                                APIs
                                                                • SendMessageA.USER32(0000018B,00000000,00000000,6C66333B), ref: 6C663D33
                                                                • VirtualAlloc.KERNEL32(00000000,00050000,00001000,00000004,0000018B,00000000,00000000,6C66333B), ref: 6C663D4D
                                                                • SendMessageA.USER32(00000189,00000000,00000000,00000000), ref: 6C663D67
                                                                • lstrcatA.KERNEL32(00000000,6C66D338,00000189,00000000,00000000,00000000,00000000,00000000,00050000,00001000,00000004,0000018B,00000000,00000000,6C66333B), ref: 6C663D72
                                                                • VirtualFree.KERNEL32(6C66D338,00050000,00004000,6C66D338,00000189,00000000,00000000,00000000,00000000,00000000,00050000,00001000,00000004,0000018B,00000000,00000000), ref: 6C663D97
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: MessageSendVirtual$AllocFreelstrcat
                                                                • String ID:
                                                                • API String ID: 3447240021-0
                                                                • Opcode ID: b5a2059aaf089a9f3f25b5d0950bab38a8ed3ff49f6b071d7707088089608f87
                                                                • Instruction ID: 47774c81b808073caa441f771c1a55e08042961ad2f3fa0963289da2475e68c4
                                                                • Opcode Fuzzy Hash: b5a2059aaf089a9f3f25b5d0950bab38a8ed3ff49f6b071d7707088089608f87
                                                                • Instruction Fuzzy Hash: F7F01D747942407DFB161623DC9AFBE25B48783B19F30017DF301AAED09AB0699A521F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C662AFB(struct HWND__* _a4, int _a8, int _a12) {
                                                                				char _v20;
                                                                				char _v36;
                                                                				struct tagRECT _v52;
                                                                				RECT* _t14;
                                                                				RECT* _t15;
                                                                
                                                                				_t15 =  &_v20;
                                                                				_t14 =  &_v36;
                                                                				GetWindowRect(GetDlgItem(_a4, _a8), _t15);
                                                                				GetWindowRect(GetDlgItem(_a4, _a12), _t14);
                                                                				return IntersectRect( &_v52, _t15, _t14);
                                                                			}









                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Rect$ItemWindow$Intersect
                                                                • String ID:
                                                                • API String ID: 3468032208-0
                                                                • Opcode ID: 1583048bf30bbd94fd84b6852f8b8492155a7e860697753d1d4a9878ad06f0cf
                                                                • Instruction ID: cefd597c76b2fbb8673359a23105d3c6d6479bf38ba1cb348181f9d59db8f11e
                                                                • Opcode Fuzzy Hash: 1583048bf30bbd94fd84b6852f8b8492155a7e860697753d1d4a9878ad06f0cf
                                                                • Instruction Fuzzy Hash: E0E06D7244021876CF10AFA6EC04CCF3F2DEF86318B048414B905F2D10E731D619C6E9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886953738.0000000010001000.00000040.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000000.00000002.886949159.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                                • Associated: 00000000.00000002.886953738.0000000010012000.00000040.00000001.01000000.00000005.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_10000000_sublime.jbxd
                                                                Similarity
                                                                • API ID: _mbsdupmallocrealloc
                                                                • String ID:
                                                                • API String ID: 718955986-3916222277
                                                                • Opcode ID: 5529186903d28e74717e4a4e68780ebe29093a307a7f29ac72226b8e1592b2e6
                                                                • Instruction ID: 8c795b5cf108c60df557c0bb505df6688818e0db33b4a93fcc212119150f04d0
                                                                • Opcode Fuzzy Hash: 5529186903d28e74717e4a4e68780ebe29093a307a7f29ac72226b8e1592b2e6
                                                                • Instruction Fuzzy Hash: CB91B371A002AACFF744CF64C9C46A97BE1FB443D0F54812AF889AB6A9DB719D41CF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 58%
                                                                			E6C666577(struct HWND__* _a4) {
                                                                				long _t3;
                                                                
                                                                				asm("pushad");
                                                                				_t3 = LoadBitmapA( *0x6c66d8a2, "BTN_PATCH_DISABLED");
                                                                				if(_t3 != 0) {
                                                                					_t3 = SendMessageA(GetWindowLongA(_a4, 0xc), 0x172, 0, _t3);
                                                                				}
                                                                				asm("popad");
                                                                				return _t3;
                                                                			}





                                                                APIs
                                                                • LoadBitmapA.USER32 ref: 6C666586
                                                                • GetWindowLongA.USER32 ref: 6C666596
                                                                • SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 6C6665A4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: BitmapLoadLongMessageSendWindow
                                                                • String ID: BTN_PATCH_DISABLED
                                                                • API String ID: 1801189489-85872909
                                                                • Opcode ID: dfdf103bc5195d56e71ef6e57f495869e1936578963b7cb447e6cb5655c526e7
                                                                • Instruction ID: e81a056fc6a03e8af0775b6bde8b44c5b4bfc00f86229613e3ae4d4e3c369838
                                                                • Opcode Fuzzy Hash: dfdf103bc5195d56e71ef6e57f495869e1936578963b7cb447e6cb5655c526e7
                                                                • Instruction Fuzzy Hash: B4D05E602912047AEA112663AC06FAA399EC7027A8F1084247210E8FE2DAF1C805516E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • MapViewOfFile.KERNEL32(?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6C66D911,C0000000), ref: 6C6646D0
                                                                • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000002,?,?,?,?,?), ref: 6C664728
                                                                • CloseHandle.KERNEL32(?,?,00000002,?,?,?,?,?,00000000,00000004,00000000,00000000,00000000,?,?,6C66D911), ref: 6C664778
                                                                • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,?,6C66D911,C0000000,00000002,00000000,00000003,00000082,00000000), ref: 6C664780
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CloseFileHandleView$Unmap
                                                                • String ID:
                                                                • API String ID: 1018311036-0
                                                                • Opcode ID: f526ea3c5684aa0311512a861893687e18a5feed266a20859759e42a7f9c484e
                                                                • Instruction ID: ff73b95a6fcdc1f88848cee23005528b699e2bcfa385446e471127f9b83bc27b
                                                                • Opcode Fuzzy Hash: f526ea3c5684aa0311512a861893687e18a5feed266a20859759e42a7f9c484e
                                                                • Instruction Fuzzy Hash: 0221E775D01108EFCB15CF96D990AEDFBB6FF41318F20812AE111A2D54D771A996CF0A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C662CE7(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                				int _t13;
                                                                				_Unknown_base(*)()* _t14;
                                                                				_Unknown_base(*)()* _t18;
                                                                
                                                                				_t13 = _a8;
                                                                				if(_t13 == 0x102 || _t13 == 0x100 || _t13 == 0x101 || _t13 == 0x115 || _t13 == 0x114 || _t13 == 0x202 || _t13 == 0x205 || _t13 == 0x201 || _t13 == 0x204 || _t13 == 0x114 || _t13 == 0x115 || _t13 == 0xc || _t13 == 0x20a) {
                                                                					_t14 = GetDlgCtrlID(_a4);
                                                                					if(_t14 != 0x6a) {
                                                                						if(_t14 == 0x6f) {
                                                                							_t14 =  *0x6c66e533;
                                                                						}
                                                                					} else {
                                                                						_t14 =  *0x6c66e52f;
                                                                					}
                                                                					CallWindowProcA(_t14, _a4, _a8, _a12, _a16);
                                                                					return InvalidateRect(GetParent(_a4), 0, 0);
                                                                				} else {
                                                                					_t18 = GetDlgCtrlID(_a4);
                                                                					if(_t18 != 0x6a) {
                                                                						if(_t18 == 0x6f) {
                                                                							_t18 =  *0x6c66e533;
                                                                						}
                                                                					} else {
                                                                						_t18 =  *0x6c66e52f;
                                                                					}
                                                                					return CallWindowProcA(_t18, _a4, _a8, _a12, _a16);
                                                                				}
                                                                			}







                                                                APIs
                                                                • GetDlgCtrlID.USER32 ref: 6C662D52
                                                                • CallWindowProcA.USER32 ref: 6C662D7A
                                                                • GetParent.USER32(?), ref: 6C662D82
                                                                • InvalidateRect.USER32(00000000,00000000,00000000,?,00000000,?,?,?,?,?), ref: 6C662D8C
                                                                • GetDlgCtrlID.USER32 ref: 6C662D98
                                                                • CallWindowProcA.USER32 ref: 6C662DC0
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CallCtrlProcWindow$InvalidateParentRect
                                                                • String ID:
                                                                • API String ID: 1256023302-0
                                                                • Opcode ID: b2601ce0592b20dcb5489498b3083825a32baa16b4223d32857068493d938318
                                                                • Instruction ID: 5e215eef600059fabe1423259e6c51db19287a866e1227d44559853b2bea08a0
                                                                • Opcode Fuzzy Hash: b2601ce0592b20dcb5489498b3083825a32baa16b4223d32857068493d938318
                                                                • Instruction Fuzzy Hash: 0701EC30541288AEEF224B27D88DFED3797D745708F304822ED24E9DB9CA7AD490965F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 84%
                                                                			E6C666F00(char* _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
                                                                				void* _v8;
                                                                				int _v12;
                                                                				int _v16;
                                                                				struct _OSVERSIONINFOA _v164;
                                                                				long _t19;
                                                                				void* _t25;
                                                                				int _t28;
                                                                
                                                                				if(_a20 != 1) {
                                                                					_t28 = 1;
                                                                				} else {
                                                                					_v164.dwOSVersionInfoSize = 0x94;
                                                                					GetVersionExA( &_v164);
                                                                					if(_v164.dwMajorVersion < 5 || _v164.dwMinorVersion < 1) {
                                                                						_t28 = 1;
                                                                					} else {
                                                                						_t28 = 0x101;
                                                                					}
                                                                				}
                                                                				_t19 = RegOpenKeyExA(_a8, _a12, 0, _t28,  &_v8);
                                                                				if(_t19 != 0) {
                                                                					return _t19;
                                                                				} else {
                                                                					_v12 = 1;
                                                                					_v16 = 0x400;
                                                                					_push(RegQueryValueExA(_v8, _a16, 0,  &_v12, _a4,  &_v16));
                                                                					RegCloseKey(_v8);
                                                                					_pop(_t25);
                                                                					return _t25;
                                                                				}
                                                                			}











                                                                APIs
                                                                • GetVersionExA.KERNEL32(?), ref: 6C666F20
                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6C666F57
                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6C666F82
                                                                • RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6C666F8B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValueVersion
                                                                • String ID:
                                                                • API String ID: 2996790148-0
                                                                • Opcode ID: e1892d3d9792545cd93157d0401ee52856a44f0dfdadaad5d0370727a44a8380
                                                                • Instruction ID: f3e9db9633a1414dd677ec89c9339d1f1ef4204f285200a4827668b71204de8c
                                                                • Opcode Fuzzy Hash: e1892d3d9792545cd93157d0401ee52856a44f0dfdadaad5d0370727a44a8380
                                                                • Instruction Fuzzy Hash: E5014C7192010CEFDF108E52DC01BDE77BAEB01308F1041A5F604E5AA1D7B5DA98DB5B
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 84%
                                                                			E6C666FA0(char* _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
                                                                				void* _v8;
                                                                				int _v12;
                                                                				int _v16;
                                                                				struct _OSVERSIONINFOA _v164;
                                                                				long _t19;
                                                                				void* _t25;
                                                                				int _t28;
                                                                
                                                                				if(_a20 != 1) {
                                                                					_t28 = 1;
                                                                				} else {
                                                                					_v164.dwOSVersionInfoSize = 0x94;
                                                                					GetVersionExA( &_v164);
                                                                					if(_v164.dwMajorVersion < 5 || _v164.dwMinorVersion < 1) {
                                                                						_t28 = 1;
                                                                					} else {
                                                                						_t28 = 0x101;
                                                                					}
                                                                				}
                                                                				_t19 = RegOpenKeyExA(_a8, _a12, 0, _t28,  &_v8);
                                                                				if(_t19 != 0) {
                                                                					return _t19;
                                                                				} else {
                                                                					_v12 = 4;
                                                                					_v16 = 4;
                                                                					_push(RegQueryValueExA(_v8, _a16, 0,  &_v12, _a4,  &_v16));
                                                                					RegCloseKey(_v8);
                                                                					_pop(_t25);
                                                                					return _t25;
                                                                				}
                                                                			}











                                                                APIs
                                                                • GetVersionExA.KERNEL32(?), ref: 6C666FC0
                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 6C666FF7
                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6C667022
                                                                • RegCloseKey.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,?,00000000,00000001,?), ref: 6C66702B
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValueVersion
                                                                • String ID:
                                                                • API String ID: 2996790148-0
                                                                • Opcode ID: 487ece90361f513cc7b554e11134285546270502a32006d15a53591e74668c87
                                                                • Instruction ID: b487ec3b51ab5741524b74b94f9918fb898c768ffce3528ef3d4699b75876ff1
                                                                • Opcode Fuzzy Hash: 487ece90361f513cc7b554e11134285546270502a32006d15a53591e74668c87
                                                                • Instruction Fuzzy Hash: EA01297091011CFBDF108E52DC01FDEBBBAEB01308F1040A5E604E6AA1D775DA98DB5A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 68%
                                                                			E6C6670B0(CHAR* _a4) {
                                                                				char _v516;
                                                                				int _t4;
                                                                				struct HINSTANCE__* _t5;
                                                                				int _t7;
                                                                				CHAR* _t8;
                                                                				CHAR* _t9;
                                                                				CHAR* _t10;
                                                                
                                                                				asm("pushad");
                                                                				if(_a4 != 0) {
                                                                					_t8 = _a4;
                                                                				} else {
                                                                					_t5 = GetModuleHandleA(0);
                                                                					_t9 =  &_v516;
                                                                					GetModuleFileNameA(_t5, _t9, 0x200);
                                                                					_t7 = lstrlenA(_t9);
                                                                					_push(_t9);
                                                                					_t10 =  &(_t9[_t7]);
                                                                					while( *_t10 != 0x5c) {
                                                                						_t10 = _t10 - 1;
                                                                					}
                                                                					 *_t10 = 0;
                                                                					_pop(_t8);
                                                                				}
                                                                				_t4 = SetCurrentDirectoryA(_t8);
                                                                				asm("popad");
                                                                				return _t4;
                                                                			}











                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 6C6670C2
                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000200,00000000), ref: 6C6670D4
                                                                • lstrlenA.KERNEL32(?,00000000,?,00000200,00000000), ref: 6C6670DA
                                                                • SetCurrentDirectoryA.KERNEL32(00000000), ref: 6C6670F4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: Module$CurrentDirectoryFileHandleNamelstrlen
                                                                • String ID:
                                                                • API String ID: 2912049553-0
                                                                • Opcode ID: d183faf1d221dc3c75a174f70d2d803d85273545b32c3a863cd827d20767ddf2
                                                                • Instruction ID: 2f8a9ad9a04808d5af94a2f773613f49a7911f33d691bf4c505f52b7d1034fd1
                                                                • Opcode Fuzzy Hash: d183faf1d221dc3c75a174f70d2d803d85273545b32c3a863cd827d20767ddf2
                                                                • Instruction Fuzzy Hash: 3EE02B61848264F9D71156774C00FCF7ED85F07358F144054EA846AF81D7B4A19483FF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 100%
                                                                			E6C66633F(long __ecx, void* __edx, RECT* __esi) {
                                                                				RECT* _t29;
                                                                				void* _t45;
                                                                				long _t49;
                                                                				void* _t50;
                                                                				RECT* _t52;
                                                                				RECT* _t53;
                                                                				void* _t55;
                                                                
                                                                				_t52 = __esi;
                                                                				_t50 = __edx;
                                                                				_t49 = __ecx;
                                                                				while(1) {
                                                                					_t53 = _t52;
                                                                					if(_t53 == 0) {
                                                                						break;
                                                                					}
                                                                					if(_t53->left != 3) {
                                                                						if(_t53->left != 4) {
                                                                							if(_t53->left != 0x11) {
                                                                								if(_t53->left != 5) {
                                                                									if(_t53->left != 0x14) {
                                                                										if(_t53->left != 0x16) {
                                                                											if(_t53->left != 0x17) {
                                                                												if(_t53->left != 0x10) {
                                                                													if(_t53->left != 0x15) {
                                                                														if(_t53->left == 0x18) {
                                                                															_t29 = E6C66625C(_t53);
                                                                														}
                                                                														goto L37;
                                                                													}
                                                                													if( *(_t55 - 4) == 1 ||  *(_t55 - 4) == 0) {
                                                                														if((_t53->left & 0x00000004) == 0) {
                                                                															if((_t53->left & 0x00000008) == 0) {
                                                                																if((_t53->left & 0x00000040) != 0) {
                                                                																	_t29 =  *(_t55 - 4);
                                                                																}
                                                                															} else {
                                                                																_t29 = 1;
                                                                															}
                                                                														} else {
                                                                															_t29 = 0;
                                                                														}
                                                                													} else {
                                                                														_t29 =  *(_t55 - 4);
                                                                													}
                                                                													if( *(_t55 - 4) != _t29) {
                                                                														goto L37;
                                                                													} else {
                                                                														if((_t53->left & 0x00000001) == 0) {
                                                                															if((_t53->left & 0x00000010) == 0) {
                                                                																if((_t53->left & 0x00000020) != 0) {
                                                                																	_t45 = _t45 - _t53->top - 1;
                                                                																}
                                                                															} else {
                                                                																_t45 = _t45 + _t53->top - 1;
                                                                															}
                                                                															goto L37;
                                                                														}
                                                                														E6C6622C0("EXIT PATCHING");
                                                                														break;
                                                                													}
                                                                												}
                                                                												LoadStringA( *0x6c66d8a2, 7, 0x6c680e45, 0x400);
                                                                												E6C6622C0(0x6c680e45);
                                                                												_t29 = E6C6614E6(_t53);
                                                                												goto L37;
                                                                											}
                                                                											_t29 = E6C665266(_t53);
                                                                										} else {
                                                                											_t29 = E6C664EE6(_t49, _t53);
                                                                										}
                                                                									} else {
                                                                										_t29 = E6C66498E(_t53);
                                                                									}
                                                                								} else {
                                                                									_t29 = E6C665516(_t53);
                                                                								}
                                                                							} else {
                                                                								_t29 = E6C665B9C(_t53);
                                                                							}
                                                                						} else {
                                                                							_t29 = E6C664791(_t50, _t53);
                                                                						}
                                                                						goto L37;
                                                                					} else {
                                                                						_t29 = E6C664338(_t49, _t53);
                                                                						L37:
                                                                						 *(_t55 - 4) = _t29;
                                                                						_t49 = _t53->left;
                                                                						if(_t49 == 3 || _t49 == 4 || _t49 == 0x11 || _t49 == 5 || _t49 == 0x14 || _t49 == 0x16 || _t49 == 0x17 || _t49 == 0x10 || _t49 == 0x18) {
                                                                							if( *(_t55 - 4) != 1) {
                                                                								if( *(_t55 - 4) == 0) {
                                                                									LoadStringA( *0x6c66d8a2, 0x1c, 0x6c681645, 0x400);
                                                                									E6C6622C0(0x6c681645);
                                                                									E6C6622C0(" ");
                                                                								}
                                                                							} else {
                                                                								LoadStringA( *0x6c66d8a2, 0x1d, 0x6c681245, 0x400);
                                                                								E6C6622C0(0x6c681245);
                                                                								E6C6622C0(" ");
                                                                							}
                                                                						}
                                                                						_t45 = _t45 + 1;
                                                                						_t29 = E6C66149B( *0x6c66d8a2, _t45);
                                                                						_t52 = _t29;
                                                                						continue;
                                                                					}
                                                                				}
                                                                				LoadStringA( *0x6c66d8a2, 1, 0x6c681a45, 0x400);
                                                                				E6C6622C0(0x6c681a45);
                                                                				E6C666577( *0x6c66d907);
                                                                				EnableWindow(GetDlgItem( *0x6c66d8a6, 0x6c), 0);
                                                                				return RedrawWindow( *0x6c66d8a6, 0, 0, 1);
                                                                			}










                                                                0x6c666516
                                                                0x6c666347
                                                                0x6c666532
                                                                0x6c66653c
                                                                0x6c666547
                                                                0x6c66655c
                                                                0x6c666576

                                                                APIs
                                                                • LoadStringA.USER32(0000001D,6C681245,00000400,00000001), ref: 6C6664BD
                                                                • LoadStringA.USER32(00000001,6C681A45,00000400,00000002), ref: 6C666532
                                                                • GetDlgItem.USER32 ref: 6C666554
                                                                • EnableWindow.USER32(00000000,00000000), ref: 6C66655C
                                                                • RedrawWindow.USER32(00000000,00000000,00000001,0000006C,00000001,6C681A45,00000400,00000002,0000001C,6C681645,00000400,00000001,00000000,6C680A45,00000400,00000184), ref: 6C66656D
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: LoadStringWindow$EnableItemRedraw
                                                                • String ID:
                                                                • API String ID: 3001624229-0
                                                                • Opcode ID: fe3f6d14f0bf2b655cc8e66adcabdc3f650002ff04a1def17b1c64385c2091ee
                                                                • Instruction ID: 5a23412236b138a00297aa5e0acad9a086438f09975f4ed9bb467bdad730f972
                                                                • Opcode Fuzzy Hash: fe3f6d14f0bf2b655cc8e66adcabdc3f650002ff04a1def17b1c64385c2091ee
                                                                • Instruction Fuzzy Hash: F4E048717C520079EE31671BFC47F981A659702B5CF2051157301F4EE487F2D418559F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 58%
                                                                			E6C66625C(intOrPtr _a4) {
                                                                				intOrPtr _v8;
                                                                				struct HINSTANCE__* _v12;
                                                                				intOrPtr _v16;
                                                                				intOrPtr* _t18;
                                                                				void* _t24;
                                                                				intOrPtr _t25;
                                                                				intOrPtr _t26;
                                                                
                                                                				_v8 = 0;
                                                                				_t25 = _a4;
                                                                				_t24 = 0x6c67263d;
                                                                				while( *((intOrPtr*)(_t24 + 4)) != 0) {
                                                                					_t3 = _t24 + 8; // 0x6c672645
                                                                					if(E6C6621D0(_t25 + 1, _t3, 0x10) != 0) {
                                                                						 *_t6 =  *((intOrPtr*)(_t24 + 4));
                                                                					}
                                                                					_t24 = _t24 + 0x18;
                                                                				}
                                                                				_t18 = GetProcAddress(_v12, "PLUGIN_Action");
                                                                				if(_t18 == 0) {
                                                                					_v8 = 0xffffffff;
                                                                				} else {
                                                                					_v16 = _t26;
                                                                					_v8 =  *_t18(_t25 + 0x11);
                                                                				}
                                                                				return _v8;
                                                                			}











                                                                APIs
                                                                • GetProcAddress.KERNEL32(?,PLUGIN_Action), ref: 6C6662A0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: AddressProc
                                                                • String ID: =&gl$PLUGIN_Action
                                                                • API String ID: 190572456-1510767407
                                                                • Opcode ID: 6b0f378f5ebd8a0cbc117ced9269cfd840803cf576598dd3aa98f13eee796ddf
                                                                • Instruction ID: b6971435612709e21faa5836bda9e0c887ecd39dd4d036d96a2ba95c6551cba7
                                                                • Opcode Fuzzy Hash: 6b0f378f5ebd8a0cbc117ced9269cfd840803cf576598dd3aa98f13eee796ddf
                                                                • Instruction Fuzzy Hash: F901A271D05209FBCB108F5ADC40ACEFB79FB85368F108A55D424A3E80D771EA14DBAA
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                C-Code - Quality: 70%
                                                                			E6C666E30(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                
                                                                				asm("pushad");
                                                                				_push(0x4c);
                                                                				_push(0x6c682650);
                                                                				L6C666B70();
                                                                				 *_a4 = 0;
                                                                				 *0x6c682650 = 0x4c;
                                                                				 *0x6C68265C = _a8;
                                                                				 *0x6C68266C = _a4;
                                                                				 *0x6C682670 = 0x400;
                                                                				 *0x6C68267C = _a12;
                                                                				 *0x6C682654 = _a16;
                                                                				if(GetOpenFileNameA(0x6c682650) == 0) {
                                                                					 *_a4 = 0;
                                                                				}
                                                                				asm("popad");
                                                                				if( *((char*)(_a4 + 1)) != 0x3a) {
                                                                					return 0;
                                                                				} else {
                                                                					return 1;
                                                                				}
                                                                			}




                                                                APIs
                                                                • RtlZeroMemory.KERNEL32(6C682650,0000004C,?,6C6626E0,6C66D911,?,?,?,6C66D911,Exe Files [*.exe],0000002E,6C66D911,00000000,?,?,?), ref: 6C666E3B
                                                                • GetOpenFileNameA.COMDLG32(6C682650,6C682650,0000004C,?,6C6626E0,6C66D911,?,?,?,6C66D911,Exe Files [*.exe],0000002E,6C66D911,00000000,?,?), ref: 6C666E73
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.886976128.000000006C661000.00000080.00000001.01000000.00000004.sdmp, Offset: 6C660000, based on PE: true
                                                                • Associated: 00000000.00000002.886971213.000000006C660000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886984620.000000006C66B000.00000002.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886989387.000000006C66D000.00000004.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C683000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.886994622.000000006C6AF000.00000080.00000001.01000000.00000004.sdmp
                                                                • Associated: 00000000.00000002.887066130.000000006C73D000.00000002.00000001.01000000.00000004.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_6c660000_sublime.jbxd
                                                                Similarity
                                                                • API ID: FileMemoryNameOpenZero
                                                                • String ID: P&hl
                                                                • API String ID: 2360347673-1068049968
                                                                • Opcode ID: f71b1abf183e7dd941130962369d2288f69dc2332f57482750e49c6338c3171a
                                                                • Instruction ID: fb94ca60231a9cc21ca1a6c11c57bc1d8f26e7320296ef5e528950baf4d2843b
                                                                • Opcode Fuzzy Hash: f71b1abf183e7dd941130962369d2288f69dc2332f57482750e49c6338c3171a
                                                                • Instruction Fuzzy Hash: 8601FFB0604304EFD751CF2AC540B867BE4AF09358F008919E989CBB51E7B4E9418F99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%