Analysis Report EasyEPD.exe

Overview

General Information

Sample Name:EasyEPD.exe
MD5:90ab8ce5d40593917a4615d83e84c3ab
SHA1:b5be87c104ca7ed8164aa50149482b75bf2d68fa
SHA256:1cfc4117a10016e0d035ffe7fa6ada896908f79687c3c276b162369b1c07f221

Most interesting Screenshot:

Detection

Score:10
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to query locale information (e.g. system language)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a large number of non-executed APIs
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Sample file name differs from the original file name in the version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • EasyEPD.exe (PID: 3268 cmdline: 'C:\Users\user\Desktop\EasyEPD.exe' MD5: 90AB8CE5D40593917A4615D83E84C3AB)
    • WerFault.exe (PID: 2764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 884 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
EasyEPD.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.1090583500.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.EasyEPD.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0.0.EasyEPD.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_00409E50 FindFirstFileW,FindClose,0_2_00409E50
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C472 FindFirstFileW,0_2_0040C472
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004098E8 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,0_2_004098E8

            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040D04E OpenClipboard,0_2_0040D04E
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040CDAE GetClipboardData,0_2_0040CDAE
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040CE36 GetKeyboardState,0_2_0040CE36

            Source: C:\Windows\SysWOW64\WerFault.exe - File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004036E4 0_2_004036E4
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_00408718 0_2_00408718
            Source: unknown - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 884
            Source: EasyEPD.exe - Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (11 resources)
            Source: EasyEPD.exe - Binary or memory string: OriginalFilename vs EasyEPD.exe
            Source: EasyEPD.exe, 00000000.00000000.1090583500.0000000000401000.00000020.00020000.sdmp - Binary or memory string: FOriginalFilename vs EasyEPD.exe
            Source: EasyEPD.exe, 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp - Binary or memory string: OriginalFilename2 vs EasyEPD.exe
            Source: EasyEPD.exe, 00000000.00000003.1135422605.00000000024C3000.00000004.00000001.sdmp - Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs EasyEPD.exe
            Source: EasyEPD.exe - Binary or memory string: FOriginalFilename vs EasyEPD.exe
            Source: EasyEPD.exe - Binary or memory string: OriginalFilename vs EasyEPD.exe
            Source: EasyEPD.exe - Binary or memory string: OriginalFilename2 vs EasyEPD.exe
            Source: C:\Users\user\Desktop\EasyEPD.exe - Section loaded: mfr_reader2.dll
            Source: C:\Users\user\Desktop\EasyEPD.exe - Section loaded: reader2.dll
            Source: C:\Windows\SysWOW64\WerFault.exe - Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\WerFault.exe - Section loaded: phoneinfo.dll
            Source: C:\Windows\SysWOW64\WerFault.exe - Section loaded: ext-ms-win-xblauth-console-l1.dll (x2)
            Source: classification engine - Classification label: clean10.winEXE@2/4@0/0
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C50A GetDiskFreeSpaceW,0_2_0040C50A
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C4D2 FreeResource,0_2_0040C4D2
            Source: C:\Windows\SysWOW64\WerFault.exe - File created: C:\Users\user\AppData\Local\DBG
            Source: C:\Windows\SysWOW64\WerFault.exe - Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3268
            Source: C:\Windows\SysWOW64\WerFault.exe - File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER967F.tmp
            Source: Yara match - File source: EasyEPD.exe, type: SAMPLE
            Source: Yara match - File source: 00000000.00000000.1090583500.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match - File source: 0.2.EasyEPD.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match - File source: 0.0.EasyEPD.exe.400000.0.unpack, type: UNPACKEDPE
            Source: C:\Users\user\Desktop\EasyEPD.exe - Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (x2)
            Source: C:\Users\user\Desktop\EasyEPD.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\WerFault.exe - File read: C:\Windows\System32\drivers\etc\hosts (x2)
            Source: unknown - Process created: C:\Users\user\Desktop\EasyEPD.exe 'C:\Users\user\Desktop\EasyEPD.exe'
            Source: unknown - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 884
            Source: C:\Users\user\Desktop\EasyEPD.exe - Automated click: OK (x2)
            Source: EasyEPD.exe - Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: EasyEPD.exe - Static file information: File size 2666496 > 1048576
            Source: EasyEPD.exe - Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f0400

            Source: EasyEPD.exe - Static PE information: section name: .didata
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_00405344 push eax; ret 0_2_00405380
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004085D4 push ecx; mov dword ptr [esp], eax 0_2_004085D5
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004EB804 push ecx; mov dword ptr [esp], edx 0_2_004EB808
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0041CBA0 push ecx; mov dword ptr [esp], edx 0_2_0041CBA5
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040ADFC push 0040AE6Bh; ret 0_2_0040AE63

            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004F2B08 IsIconic,0_2_004F2B08
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004F2B88 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,0_2_004F2B88
            Source: C:\Windows\SysWOW64\WerFault.exe - Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
            Source: C:\Users\user\Desktop\EasyEPD.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (x2)
            Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX (x20)

            Source: C:\Users\user\Desktop\EasyEPD.exe - API coverage: 5.3 %
            Source: C:\Windows\SysWOW64\WerFault.exe - File opened: PhysicalDrive0
            Source: C:\Users\user\Desktop\EasyEPD.exe - Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_00409E50 FindFirstFileW,FindClose,0_2_00409E50
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C472 FindFirstFileW,0_2_0040C472
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_004098E8 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,0_2_004098E8
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040A97E GetSystemInfo,0_2_0040A97E
            Source: EasyEPD.exe - Binary or memory string: UhgFSd
            Source: EasyEPD.exe - Binary or memory string: UhgFS
            Source: C:\Windows\SysWOW64\WerFault.exe - Process information queried: ProcessInformation

            Source: C:\Users\user\Desktop\EasyEPD.exe - Process queried: DebugPort
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C686 IsDebuggerPresent,0_2_0040C686
            Source: C:\Windows\SysWOW64\WerFault.exe - Process token adjusted: Debug

            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C33E AllocateAndInitializeSid,0_2_0040C33E

            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_00409F38
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00409480
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: GetLocaleInfoW,0_2_0040C53A
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C532 GetLocalTime,0_2_0040C532
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C5F6 GetTimeZoneInformation,0_2_0040C5F6
            Source: C:\Users\user\Desktop\EasyEPD.exe - Code function: 0_2_0040C5FE GetVersion,0_2_0040C5FE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Graphical User Interface1 | Winlogon Helper DLL | Process Injection1 | Masquerading11 | Input Capture11 | System Time Discovery2 | Application Deployment Software | Input Capture11 | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Modify Registry1 | Network Sniffing | Virtualization/Sandbox Evasion2 | Remote Services | Clipboard Data2 | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion2 | Input Capture | Process Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection1 | Credentials in Files | Application Window Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
            Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information1 | Account Manipulation | Security Software Discovery31 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading1 | Brute Force | Remote System Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | File and Directory Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Information Discovery35 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            [Behavior graph] Behavior Graph ID: 232400, Sample: EasyEPD.exe, Startdate: 22/05/2020, Architecture: WINDOWS, Score: 10. Processes: EasyEPD.exe started, which in turn started WerFault.exe.

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            EasyEPD.exe | 0% | Virustotal |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:28.0.0 Lapis Lazuli
            Analysis ID:232400
            Start date:22.05.2020
            Start time:14:09:09
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 4m 16s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:EasyEPD.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
            Number of new started processes analysed:5
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:CLEAN
            Classification:clean10.winEXE@2/4@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 99.8% (good quality ratio 59.4%)
            • Quality average: 52.2%
            • Quality standard deviation: 45.5%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 40.90.23.154, 40.90.137.127, 40.90.137.125, 20.44.86.43, 92.122.253.206, 67.27.159.126, 67.27.157.254, 8.253.204.120, 67.27.159.254, 67.26.83.254
            • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fs.microsoft.com, lgin.msa.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, login.live.com, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net

            Simulations

            Behavior and APIs

            Time | Type | Description
            14:09:51 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_EasyEPD.exe_9783d479d970b5c198785c50ae8b566ece0f96d_b0ee6adb_0af0a0d0\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Size (bytes):12212
            Entropy (8bit):3.7649932015320884
            Encrypted:false
            MD5:05DE54E2E6594FEEC567745C71ED9136
            SHA1:DC77881C1826B9B4202E0A9F004F837EA9CCF69A
            SHA-256:66605135779B18A3B59A0BD645E82917B923D193755ED4D7793C0CA4CAC3CFE1
            SHA-512:1AB1C6EDE29C5CDBC9651933E99536B994E61CAE9CD1F5D29111847D51F71765F7D10FCBBE1C140A915CEB8BB2507B4E4C0CA383E8C64DD36F0376B7C0223C79
            Malicious:false
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.4.6.2.2.9.8.8.5.1.2.2.5.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.3.4.6.2.2.9.8.9.7.0.4.1.7.2.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.2.d.a.9.a.d.-.f.5.6.6.-.4.5.0.5.-.b.b.6.f.-.4.1.f.2.d.2.3.1.3.b.5.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.7.3.c.e.7.8.-.3.b.1.1.-.4.7.b.8.-.8.6.3.3.-.8.9.d.5.2.f.3.a.1.1.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.a.s.y.E.P.D...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.c.4.-.0.0.0.1.-.0.0.2.3.-.4.7.e.1.-.b.9.d.e.3.1.3.0.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.0.2.0.3.b.d.3.9.f.c.1.c.b.1.3.f.5.6.9.c.2.a.2.c.e.f.8.9.c.f.0.0.0.0.0.9.0.8.!.0.0.0.0.b.5.b.e.8.7.c.1.0.4.c.a.7.e.d.8.1.6.4.a.a.5.0.1.4.9.4.8.2.b.7.5.b.f.2.d.6.8.f.a.!.E.a.s.y.E.P.D...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER967F.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri May 22 12:09:48 2020, 0x1205a4 type
            Size (bytes):51562
            Entropy (8bit):2.306193875158645
            Encrypted:false
            MD5:C3EDA35CA0A32CFC6055267F7F16BF8F
            SHA1:4130097952B5A0ADEC77311F0A4944B04CA50462
            SHA-256:E51BAF511E51E0903019A9D10E7F7CFC36A5B04D37F3A823C3654994F7E94734
            SHA-512:37D255E4B37A02D3EA24CC63E6E5D902CB5A631D705110A813692C9A9F1B811A26CDE214EB373DEE0E92E83C7AEE362C9425CCC113410D93BA5CBE531E8CEFA7
            Malicious:false
            Reputation:low
            Preview: MDMP....... ..........^...................?...........B......(.......GenuineIntel............T..............^.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER98A3.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Size (bytes):8280
            Entropy (8bit):3.699006658372394
            Encrypted:false
            MD5:56386C940A0BA006C0F20F985C3257FE
            SHA1:3159657E5503F2DF8579153B1D3872A91AB748E8
            SHA-256:3FC838625AD9153237B632369861B7528456436674057AD29BE29D59BD48C239
            SHA-512:E09C76C3E39B2366BAE5E7559AEEF2AB768387A6A79D733D32394741F458B1996A21E5618F54D5966FBE319B36EB5168E99022938F4874B4D328B128469523E3
            Malicious:false
            Reputation:low
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.6.8.<./.P.i.d.
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER9931.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Size (bytes):4509
            Entropy (8bit):4.464635924622455
            Encrypted:false
            MD5:87450C1ACB574A64C1A054397361DD49
            SHA1:E806CE71532376641B14CF5BCF28E10039C78F87
            SHA-256:8981B252B91595FBC59EB182EDC17869EFED97D38F5A9DAE9441490351DDCDCB
            SHA-512:8C1AD37DA45A1FA4E2D8BA77D13B673E0423832AE6E1271E6FF0BABB8D8478F2F47E272711DE62E4F342F697AD7C0389B142518E35CEE522373ED54D5783C02A
            Malicious:false
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="979386" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" />

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.523875690685476
            TrID:
            • Win32 Executable (generic) a (10002005/4) 98.04%
            • Inno Setup installer (109748/4) 1.08%
            • InstallShield setup (43055/19) 0.42%
            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
            • Win16/32 Executable Delphi generic (2074/23) 0.02%
            File name:EasyEPD.exe
            File size:2666496
            MD5:90ab8ce5d40593917a4615d83e84c3ab
            SHA1:b5be87c104ca7ed8164aa50149482b75bf2d68fa
            SHA256:1cfc4117a10016e0d035ffe7fa6ada896908f79687c3c276b162369b1c07f221
            SHA512:ad7ca606d2af28a0acedf478b25db5c83a4dbe25cfc0d3c259a87f81885184ae5d2446a5c2c6f55c682aa9a2d3a2bf6284c6401c15fb5006ebcb49546f7872dd
            SSDEEP:24576:Nd+kWxAX7aWj6NBvCBYC6ELvE4exoOiUM9Z5aB9BmScO99ngpT3woFuKbSp1dDxD:jneoEximASz9nmpUKGpvDkXVH6
            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

            File Icon

            Icon Hash:fcf6cbf32f22eefe

            Static PE Info

            General

            Entrypoint:0x5f331c
            Entrypoint Section:.itext
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
            DLL Characteristics:
            Time Stamp:0x4C7CE3F9 [Tue Aug 31 11:14:01 2010 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:3874336b8c671d55e7434460e2ffaf7f

            Entrypoint Preview

            Instruction
            push ebp
            mov ebp, esp
            add esp, FFFFFFF0h
            push ebx
            mov eax, 005EB3C4h
            call 00007F945444679Ch
            mov ebx, dword ptr [005F8228h]
            mov eax, dword ptr [ebx]
            call 00007F945453A98Fh
            mov eax, dword ptr [ebx]
            mov dl, 01h
            call 00007F945453C6C2h
            mov eax, dword ptr [ebx]
            mov edx, 005F343Ch
            call 00007F945453A396h
            mov ecx, dword ptr [005F7B8Ch]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [005DA69Ch]
            call 00007F945453A97Fh
            mov ecx, dword ptr [005F7B20h]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [0055A5ACh]
            call 00007F945453A96Ch
            mov ecx, dword ptr [005F7D9Ch]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [0054229Ch]
            call 00007F945453A959h
            mov ecx, dword ptr [005F8074h]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [0052DED8h]
            call 00007F945453A946h
            mov ecx, dword ptr [005F7FCCh]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [005E954Ch]
            call 00007F945453A933h
            mov ecx, dword ptr [005F8638h]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [00543F18h]
            call 00007F945453A920h
            mov ecx, dword ptr [005F7A54h]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [00541188h]
            call 00007F945453A90Dh
            mov ecx, dword ptr [005F84A0h]
            mov eax, dword ptr [ebx]
            mov edx, dword ptr [0055AE40h]
            call 00007F945462EBFAh

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x201000 | 0x3dee | .idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x234000 | 0x65000 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x208000 | 0x2b490 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x207018 | 0x9 | .rdata
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x207000 | 0x18 | .rdata
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x201b48 | 0x97c | .idata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x205000 | 0x3a6 | .didata
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x1f0248 | 0x1f0400 | False | 0.437141845088 | data | 6.41398012348 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .itext | 0x1f2000 | 0x144c | 0x1600 | False | 0.518821022727 | data | 6.06364322695 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data | 0x1f4000 | 0x477c | 0x4800 | False | 0.437065972222 | data | 4.56880242419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .bss | 0x1f9000 | 0x7ef0 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .idata | 0x201000 | 0x3dee | 0x3e00 | False | 0.310357862903 | data | 5.19740978236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .didata | 0x205000 | 0x3a6 | 0x400 | False | 0.4130859375 | data | 3.64975205447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .tls | 0x206000 | 0x48 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rdata | 0x207000 | 0x21 | 0x200 | False | 0.072265625 | data | 0.359934664436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x208000 | 0x2b490 | 0x2b600 | False | 0.55546987572 | data | 6.71599868557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .rsrc | 0x234000 | 0x65000 | 0x65000 | False | 0.169431176516 | data | 5.5006673695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_CURSOR | 0x236738 | 0x134 | data | English | United States
            RT_CURSOR | 0x23686c | 0x134 | data | English | United States
            RT_CURSOR | 0x2369a0 | 0x134 | data | English | United States
            RT_CURSOR | 0x236ad4 | 0x134 | data | English | United States
            RT_CURSOR | 0x236c08 | 0x134 | data | English | United States
            RT_CURSOR | 0x236d3c | 0x134 | data | English | United States
            RT_CURSOR | 0x236e70 | 0x134 | data | English | United States
            RT_CURSOR | 0x236fa4 | 0x134 | data | English | United States
            RT_BITMAP | 0x2370d8 | 0x1d0 | data | English | United States
            RT_BITMAP | 0x2372a8 | 0x1e4 | data | English | United States
            RT_BITMAP | 0x23748c | 0x1d0 | data | English | United States
            RT_BITMAP | 0x23765c | 0x1d0 | data | English | United States
            RT_BITMAP | 0x23782c | 0x1d0 | data | English | United States
            RT_BITMAP | 0x2379fc | 0x1d0 | data | English | United States
            RT_BITMAP | 0x237bcc | 0x1d0 | data | English | United States
            RT_BITMAP | 0x237d9c | 0x1d0 | data | English | United States
            RT_BITMAP | 0x237f6c | 0x1d0 | data | English | United States
            RT_BITMAP | 0x23813c | 0x1d0 | data | English | United States
            RT_BITMAP | 0x23830c | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x2383cc | 0xd8 | data | English | United States
            RT_BITMAP | 0x2384a4 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x238584 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x238664 | 0x138 | data | English | United States
            RT_BITMAP | 0x23879c | 0x138 | data | English | United States
            RT_BITMAP | 0x2388d4 | 0x138 | data | English | United States
            RT_BITMAP | 0x238a0c | 0x138 | data | English | United States
            RT_BITMAP | 0x238b44 | 0x138 | data | English | United States
            RT_BITMAP | 0x238c7c | 0x138 | data | English | United States
            RT_BITMAP | 0x238db4 | 0x104 | data | English | United States
            RT_BITMAP | 0x238eb8 | 0x138 | data | English | United States
            RT_BITMAP | 0x238ff0 | 0x104 | data | English | United States
            RT_BITMAP | 0x2390f4 | 0x138 | data | English | United States
            RT_BITMAP | 0x23922c | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x23930c | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x2393cc | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x23948c | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x23956c | 0xd8 | data | English | United States
            RT_BITMAP | 0x239644 | 0xd8 | data | English | United States
            RT_BITMAP | 0x23971c | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x2397dc | 0xd8 | data | English | United States
            RT_BITMAP | 0x2398b4 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x239994 | 0xd8 | data | English | United States
            RT_BITMAP | 0x239a6c | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0x239b2c | 0x668 | data | English | United States
            RT_BITMAP | 0x23a194 | 0x668 | data | English | United States
            RT_BITMAP | 0x23a7fc | 0x668 | data | English | United States
            RT_BITMAP | 0x23ae64 | 0x668 | data | English | United States
            RT_BITMAP | 0x23b4cc | 0x110 | data | English | United States
            RT_BITMAP | 0x23b5dc | 0x110 | data | English | United States
            RT_BITMAP | 0x23b6ec | 0x668 | data | English | United States
            RT_BITMAP | 0x23bd54 | 0x668 | data | English | United States
            RT_BITMAP | 0x23c3bc | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_ICON | 0x23c49c | 0xca8 | dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 1334425935, next used block 3108997561 | English | Great Britain
            RT_STRING | 0x23d144 | 0x248 | data | |
            RT_STRING | 0x23d38c | 0x30c | data | |
            RT_STRING | 0x23d698 | 0x3cc | data | |
            RT_STRING | 0x23da64 | 0x304 | data | |
            RT_STRING | 0x23dd68 | 0x21c | data | |
            RT_STRING | 0x23df84 | 0x158 | data | |
            RT_STRING | 0x23e0dc | 0x38c | data | |
            RT_STRING | 0x23e468 | 0x2ec | data | |
            RT_STRING | 0x23e754 | 0x1ec | data | |
            RT_STRING | 0x23e940 | 0xb4 | data | |
            RT_STRING | 0x23e9f4 | 0x138 | data | |
            RT_STRING | 0x23eb2c | 0x194 | data | |
            RT_STRING | 0x23ecc0 | 0x39c | data | |
            RT_STRING | 0x23f05c | 0x2c0 | data | |
            RT_STRING | 0x23f31c | 0x17c | data | |
            RT_STRING | 0x23f498 | 0x4d8 | data | |
            RT_STRING | 0x23f970 | 0x2d0 | data | |
            RT_STRING | 0x23fc40 | 0x1a0 | data | |
            RT_STRING | 0x23fde0 | 0x1fc | data | |
            RT_STRING | 0x23ffdc | 0x158 | data | |
            RT_STRING | 0x240134 | 0x250 | data | |
            RT_STRING | 0x240384 | 0x250 | data | |
            RT_STRING | 0x2405d4 | 0x110 | data | |
            RT_STRING | 0x2406e4 | 0x17c | data | |
            RT_STRING | 0x240860 | 0x214 | data | |
            RT_STRING | 0x240a74 | 0x258 | data | |
            RT_STRING | 0x240ccc | 0x418 | data | |
            RT_STRING | 0x2410e4 | 0x494 | data | |
            RT_STRING | 0x241578 | 0x158 | data | |
            RT_STRING | 0x2416d0 | 0xd4 | data | |
            RT_STRING | 0x2417a4 | 0x2c4 | data | |
            RT_STRING | 0x241a68 | 0x148 | data | |
            RT_STRING | 0x241bb0 | 0x410 | data | |
            RT_STRING | 0x241fc0 | 0x3e4 | data | |
            RT_STRING | 0x2423a4 | 0x3a8 | data | |
            RT_STRING | 0x24274c | 0x458 | data | |
            RT_STRING | 0x242ba4 | 0x3b0 | data | |
            RT_STRING | 0x242f54 | 0x3d8 | data | |
            RT_STRING | 0x24332c | 0x2dc | data | |
            RT_STRING | 0x243608 | 0xc4 | data | |
            RT_STRING | 0x2436cc | 0x9c | data | |
            RT_STRING | 0x243768 | 0x30c | data | |
            RT_STRING | 0x243a74 | 0x4ac | data | |
            RT_STRING | 0x243f20 | 0x314 | data | |
            RT_STRING | 0x244234 | 0x2e0 | data | |
            RT_RCDATA | 0x244514 | 0x82e8 | data | English | United States
            RT_RCDATA | 0x24c7fc | 0x14 | data | |
            RT_RCDATA | 0x24c810 | 0x10 | data | |
            RT_RCDATA | 0x24c820 | 0x6e8 | data | |
            RT_RCDATA | 0x24cf08 | 0x1192 | Delphi compiled form 'TfmAbout' | |
            RT_RCDATA | 0x24e09c | 0xb38 | Delphi compiled form 'TfmAccessAdmin' | |
            RT_RCDATA | 0x24ebd4 | 0xdee | Delphi compiled form 'TfmAccessControl' | |
            RT_RCDATA | 0x24f9c4 | 0x2d8e | Delphi compiled form 'TfmAdjustAll' | |
            RT_RCDATA | 0x252754 | 0x141e | Delphi compiled form 'TfmADS' | |
            RT_RCDATA | 0x253b74 | 0x2346 | Delphi compiled form 'TfmAdsData' | |
            RT_RCDATA | 0x255ebc | 0x12ebb | Delphi compiled form 'TFMain' | |
            RT_RCDATA | 0x268d78 | 0x2378 | Delphi compiled form 'TfmAlarmControls' | |
            RT_RCDATA | 0x26b0f0 | 0x579 | Delphi compiled form 'TfmAlarmGrid' | |
            RT_RCDATA | 0x26b66c | 0xa97 | Delphi compiled form 'TfmAlarmStatus' | |
            RT_RCDATA | 0x26c104 | 0x1731 | Delphi compiled form 'TfmBatch' | |
            RT_RCDATA | 0x26d838 | 0x4a61 | Delphi compiled form 'TfmCalibration' | |
            RT_RCDATA | 0x27229c | 0x844 | Delphi compiled form 'TfmChangePassword' | |
            RT_RCDATA | 0x272ae0 | 0x2f43 | Delphi compiled form 'TfmConfig' | |
            RT_RCDATA | 0x275a24 | 0xe6e | Delphi compiled form 'TfmCounts' | |
            RT_RCDATA | 0x276894 | 0xbbf | Delphi compiled form 'TfmDisplayControl' | |
            RT_RCDATA | 0x277454 | 0x3b9d | Delphi compiled form 'TfmDoseAlarms' | |
            RT_RCDATA | 0x27aff4 | 0x2122 | Delphi compiled form 'TfmDoseProfile' | |
            RT_RCDATA | 0x27d118 | 0x15da | Delphi compiled form 'TfmEasyEpdSetUp' | |
            RT_RCDATA | 0x27e6f4 | 0xbf7 | Delphi compiled form 'TFMemory' | |
            RT_RCDATA | 0x27f2ec | 0x221a | Delphi compiled form 'TfmEngCal' | |
            RT_RCDATA | 0x281508 | 0x243e | Delphi compiled form 'TfmEngineering' | |
            RT_RCDATA | 0x283948 | 0x22b1 | Delphi compiled form 'TfmEpdStatus' | |
            RT_RCDATA | 0x285bfc | 0xa18 | Delphi compiled form 'TfmErrorDetails' | |
            RT_RCDATA | 0x286614 | 0xad0 | Delphi compiled form 'TfmErrorStatus' | |
            RT_RCDATA | 0x2870e4 | 0x18d6 | Delphi compiled form 'TfmEventHistory' | |
            RT_RCDATA | 0x2889bc | 0xc48 | Delphi compiled form 'TfmGeneralControl' | |
            RT_RCDATA | 0x289604 | 0x1177 | Delphi compiled form 'TfmIdentity' | |
            RT_RCDATA | 0x28a77c | 0x291 | Delphi compiled form 'TfmMessage' | |
            RT_RCDATA | 0x28aa10 | 0xad9 | Delphi compiled form 'TfmOtherAlarms' | |
            RT_RCDATA | 0x28b4ec | 0x3e5 | Delphi compiled form 'TfmPassword' | |
            RT_RCDATA | 0x28b8d4 | 0xa52 | Delphi compiled form 'TfmQuality' | |
            RT_RCDATA | 0x28c328 | 0x703 | Delphi compiled form 'TfmReadRam' | |
            RT_RCDATA | 0x28ca2c | 0x1808 | Delphi compiled form 'TfmResourceStrings' | |
            RT_RCDATA | 0x28e234 | 0xa26 | Delphi compiled form 'TfmScratchPad' | |
            RT_RCDATA | 0x28ec5c | 0x1512 | Delphi compiled form 'TfmSetUpComms' | |
            RT_RCDATA | 0x290170 | 0x1c63 | Delphi compiled form 'TfmSetUpDisplay' | |
            RT_RCDATA | 0x291dd4 | 0xbf6 | Delphi compiled form 'TfmSetupDLL' | |
            RT_RCDATA | 0x2929cc | 0x27a1 | Delphi compiled form 'TfmSetUpEvents' | |
            RT_RCDATA | 0x295170 | 0xe48 | Delphi compiled form 'TfmSetUpSwitch' | |
            RT_RCDATA | 0x295fb8 | 0xab3 | Delphi compiled form 'TfmSpecial' | |
            RT_RCDATA | 0x296a6c | 0xa99 | Delphi compiled form 'TfmStatus' | |
            RT_RCDATA | 0x297508 | 0x458 | Delphi compiled form 'TfmTimings' | |
            RT_RCDATA | 0x297960 | 0x5ce | Delphi compiled form 'TfmTranslation' | |
            RT_RCDATA | 0x297f30 | 0x494 | Delphi compiled form 'TLoginDialog' | |
            RT_RCDATA | 0x2983c4 | 0x3c4 | Delphi compiled form 'TPasswordDialog' | |
            RT_GROUP_CURSOR | 0x298788 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x29879c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x2987b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x2987c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x2987d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x2987ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x298800 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_CURSOR | 0x298814 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
            RT_GROUP_ICON | 0x298828 | 0x14 | data | English | Great Britain
            RT_VERSION | 0x29883c | 0x33c | data | English | Great Britain
            RT_MANIFEST | 0x298b78 | 0x352 | XML 1.0 document, ASCII text, with CRLF line terminators | English | Great Britain

            Imports

            DLL | Import
            oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
            advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
            user32.dll | LoadStringW, MessageBoxA, CharNextW
            kernel32.dll | lstrcmpiA, LoadLibraryA, LocalFree, LocalAlloc, GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, IsValidLocale, GetSystemDefaultUILanguage, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetUserDefaultUILanguage, GetLocaleInfoW, GetLastError, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, CreateDirectoryW, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, CreateFileW, CloseHandle
            kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
            user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongW, SetCaretPos, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassLongW, GetClassInfoW, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CreateAcceleratorTableW, CountClipboardFormats, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, BeginDeferWindowPos, AdjustWindowRectEx, ActivateKeyboardLayout
            msimg32.dll | AlphaBlend
            gdi32.dll | WidenPath, UnrealizeObject, TextOutW, StrokePath, StrokeAndFillPath, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetArcDirection, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, PtVisible, Polyline, Polygon, PolyPolyline, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetTextCharacterExtra, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtSelectClipRgn, ExtFloodFill, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateEnhMetaFileW, CreateEllipticRgnIndirect, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseEnhMetaFile, Chord, BitBlt, BeginPath, ArcTo, Arc, AbortDoc
            version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
            kernel32.dll | lstrcpyW, lstrcmpW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TryEnterCriticalSection, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, SwitchToThread, SuspendThread, SizeofResource, SignalObjectAndWait, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, ReadFile, RaiseException, IsDebuggerPresent, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemTime, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchangeAdd, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
            advapi32.dll | RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
            oleaut32.dll | GetErrorInfo, SysFreeString
            ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
            comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
            kernel32.dll | Sleep
            ole32.dll | CLSIDFromString
            oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
            shell32.dll | SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderW
            comdlg32.dll | PrintDlgW, GetSaveFileNameW, GetOpenFileNameW
            winspool.drv | OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
            winspool.drv | GetDefaultPrinterW
            kernel32.dll | MulDiv

            Version Infos

            Description | Data
            LegalCopyright | Copyright 2010 Thermo Fisher Scientific
            InternalName |
            FileVersion | 3.1.0.0
            CompanyName | Thermo Fisher Scientific
            LegalTrademarks | EPD
            Comments |
            ProductName | EasyEPD2
            ProductVersion | 3.0
            FileDescription | Reading and Configuring EPDs.
            OriginalFilename |
            Translation | 0x0809 0x04e4

            Possible Origin

            Language of compilation system | Country where language is spoken
            English | United States
            English | Great Britain

            Network Behavior

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            May 22, 2020 14:09:49.334294081 CEST | 58369 | 53 | 192.168.2.6 | 8.8.8.8
            May 22, 2020 14:09:49.359700918 CEST | 53 | 58369 | 8.8.8.8 | 192.168.2.6
            May 22, 2020 14:09:49.910268068 CEST | 62093 | 53 | 192.168.2.6 | 8.8.8.8
            May 22, 2020 14:09:49.935606956 CEST | 53 | 62093 | 8.8.8.8 | 192.168.2.6
            May 22, 2020 14:10:23.033837080 CEST | 54675 | 53 | 192.168.2.6 | 8.8.8.8
            May 22, 2020 14:10:23.084763050 CEST | 53 | 54675 | 8.8.8.8 | 192.168.2.6
            May 22, 2020 14:10:23.331907988 CEST | 63883 | 53 | 192.168.2.6 | 8.8.8.8
            May 22, 2020 14:10:23.357237101 CEST | 53 | 63883 | 8.8.8.8 | 192.168.2.6

            Code Manipulations


            System Behavior

            General

            Start time:14:09:40
            Start date:22/05/2020
            Path:C:\Users\user\Desktop\EasyEPD.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\EasyEPD.exe'
            Imagebase:0x400000
            File size:2666496 bytes
            MD5 hash:90AB8CE5D40593917A4615D83E84C3AB
            Has administrator privileges:false
            Programmed in:Borland Delphi
            Yara matches:
            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1090583500.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:14:09:47
            Start date:22/05/2020
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 884
            Imagebase:0xc0000
            File size:434584 bytes
            MD5 hash:80E91E3C0F5563E4049B62FCAF5D67AC
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            Disassembly

            Code Analysis

              Execution Graph

              Execution Coverage:5.5%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:1.8%
              Total number of Nodes:821
              Total number of Limit Nodes:12

              Graph

8439 4fd992 GetWindow 8441 4fd99e GetWindowLongW 8439->8441 8442 4fd9aa 8439->8442 8440->8439 8440->8442 8441->8442 8446 408bd0 8443->8446 8447 408bef 8446->8447 8453 408c09 8446->8453 8448 408bfa 8447->8448 8465 4043e4 8447->8465 8471 408bc8 8448->8471 8451 408c04 8451->8358 8452 408c52 8455 408c63 8452->8455 8456 4043e4 12 API calls 8452->8456 8453->8452 8454 4043e4 12 API calls 8453->8454 8454->8452 8457 408c6c 8455->8457 8458 408ca1 8455->8458 8456->8455 8459 4042bc 12 API calls 8457->8459 8460 404288 12 API calls 8458->8460 8462 408c9c 8459->8462 8461 408cab 8460->8461 8461->8462 8474 408bb0 8461->8474 8462->8451 8464 408bd0 17 API calls 8462->8464 8464->8462 8466 404398 8465->8466 8467 4043bd 8466->8467 8468 40aee8 4 API calls 8466->8468 8469 40438c 8 API calls 8467->8469 8468->8467 8470 4043de 8469->8470 8470->8448 8477 408e88 8471->8477 8524 408484 8474->8524 8476 408bbb 8476->8462 8479 408e8e 8477->8479 8482 408bcd 8477->8482 8478 408eb8 8480 4042a4 12 API calls 8478->8480 8479->8478 8479->8482 8483 408210 8479->8483 8480->8482 8482->8451 8484 408219 8483->8484 8489 408256 8483->8489 8485 40825b 8484->8485 8486 40822e 8484->8486 8487 408262 8485->8487 8488 40826c 8485->8488 8486->8489 8492 408236 8486->8492 8493 408278 8486->8493 8490 406964 12 API calls 8487->8490 8491 406988 12 API calls 8488->8491 8489->8478 8490->8489 8491->8489 8496 40823a 8492->8496 8497 4082ac 8492->8497 8494 408289 8493->8494 8495 40827f 8493->8495 8511 406fe4 8494->8511 8508 406fcc 8495->8508 8501 4082bb 8496->8501 8502 40823e 8496->8502 8497->8489 8515 4081f8 8497->8515 8501->8489 8503 408210 14 API calls 8501->8503 8505 4082d9 8502->8505 8507 408246 8502->8507 8503->8501 8505->8489 8520 4081c0 8505->8520 8506 408e88 14 API calls 8506->8507 8507->8489 8507->8506 8509 406fe0 8508->8509 8510 406fd2 SysFreeString 8508->8510 8509->8489 8510->8509 8512 406fea 8511->8512 8513 406ff0 SysFreeString 8512->8513 8514 407002 8512->8514 8513->8512 8514->8489 8516 408201 8515->8516 8517 408208 
8515->8517 8516->8497 8518 4043e4 12 API calls 8517->8518 8519 40820f 8518->8519 8519->8497 8521 4081ef 8520->8521 8523 4081d6 8520->8523 8521->8505 8522 408210 14 API calls 8522->8523 8523->8521 8523->8522 8525 408499 8524->8525 8543 4084c8 8524->8543 8527 4084ea 8525->8527 8528 40849e 8525->8528 8542 4084e5 8527->8542 8552 407008 8527->8552 8530 408501 8528->8530 8531 4084a3 8528->8531 8532 407354 13 API calls 8530->8532 8530->8542 8533 4084a8 8531->8533 8539 408515 8531->8539 8532->8530 8534 4084ad 8533->8534 8536 408529 8533->8536 8537 4084b6 8534->8537 8538 40854c 8534->8538 8540 408484 17 API calls 8536->8540 8536->8542 8537->8542 8537->8543 8544 40857d 8537->8544 8538->8542 8564 408344 8538->8564 8539->8542 8559 40832c 8539->8559 8540->8536 8542->8476 8543->8542 8546 4069b8 8543->8546 8544->8542 8574 408ec4 8544->8574 8548 4069e2 8546->8548 8549 4069bc 8546->8549 8547 406a10 8547->8543 8548->8547 8551 4042a4 12 API calls 8548->8551 8549->8546 8549->8548 8578 406a14 8549->8578 8551->8547 8553 40700c 8552->8553 8554 40702f 8552->8554 8555 406f9c 8553->8555 8558 40701f SysReAllocStringLen 8553->8558 8554->8527 8556 406fe0 8555->8556 8557 406fd2 SysFreeString 8555->8557 8556->8527 8557->8556 8558->8554 8558->8555 8560 408335 8559->8560 8561 40833c 8559->8561 8560->8539 8562 4043e4 12 API calls 8561->8562 8563 408343 8562->8563 8563->8539 8565 40846f 8564->8565 8570 408365 8564->8570 8565->8538 8566 4069b8 12 API calls 8566->8570 8567 407008 2 API calls 8567->8570 8568 407354 13 API calls 8568->8570 8569 40832c 12 API calls 8569->8570 8570->8565 8570->8566 8570->8567 8570->8568 8570->8569 8571 408484 17 API calls 8570->8571 8572 408344 17 API calls 8570->8572 8573 408ec4 14 API calls 8570->8573 8571->8570 8572->8570 8573->8570 8576 408ecb 8574->8576 8575 408ee5 8575->8544 8576->8575 8577 408e88 14 API calls 8576->8577 8577->8575 8579 406a18 8578->8579 8580 406a56 8578->8580 8579->8580 8581 404288 12 API calls 8579->8581 8580->8548 8582 406a28 8581->8582 
8582->8548 8584 4fdbfc 8583->8584 8585 4fdbe3 8583->8585 8586 4fdc01 GetCurrentProcessId 8584->8586 8585->8584 8587 4fdbf0 GetWindowThreadProcessId 8585->8587 8589 4fdc0b 8586->8589 8587->8586 8588 4fdc8c 8589->8588 8590 4fdc56 IsWindowVisible 8589->8590 8590->8588 8591 4fdc60 8590->8591 8592 408d68 17 API calls 8591->8592 8592->8588 8594 4fd0d3 8593->8594 8594->8361 8595 4fd0e4 SystemParametersInfoW 8594->8595 8595->8361 8596->8364 8598 4f721c 8597->8598 8599 4f75a6 8597->8599 8598->8599 8600 4f724a 8598->8600 8601 4f7235 8598->8601 8599->8329 8602 4f7276 8600->8602 8605 4f7261 8600->8605 8611 4f6a18 8601->8611 8604 4f7242 8602->8604 8623 4fd31c 8602->8623 8608 4f6a18 74 API calls 8604->8608 8606 4f6a18 74 API calls 8605->8606 8606->8604 8610 4f7291 8608->8610 8609 4fbf58 74 API calls 8609->8610 8610->8599 8610->8609 8614 4f6a29 8611->8614 8612 4f6a6e 8633 4fd2a8 8612->8633 8614->8612 8616 4f6a5a 8614->8616 8630 4fbf58 8614->8630 8617 4fbf58 74 API calls 8616->8617 8618 4f6a66 8617->8618 8618->8604 8619 4fbf58 74 API calls 8620 4f6a78 8619->8620 8620->8618 8620->8619 8621 4f6a9d 8620->8621 8622 4fbf58 74 API calls 8621->8622 8622->8618 8640 4fd2cc 8623->8640 8626 4fd33c 8626->8604 8627 4fd2a8 74 API calls 8628 4fd336 8627->8628 8629 4fd2cc 74 API calls 8628->8629 8629->8626 8631 439870 74 API calls 8630->8631 8632 4fbf68 8631->8632 8632->8614 8636 4fd270 8633->8636 8637 4fd296 8636->8637 8639 4fd280 8636->8639 8637->8620 8638 439870 74 API calls 8638->8639 8639->8637 8639->8638 8642 4fd2df 8640->8642 8641 4fbf58 74 API calls 8641->8642 8642->8641 8643 4fd2ff 8642->8643 8645 4fd30c 8642->8645 8644 4fbf58 74 API calls 8643->8644 8644->8645 8645->8626 8645->8627 8647 4fef19 8646->8647 8648 4fef03 PeekMessageW 8646->8648 8650 4fef1f IsWindowUnicode 8647->8650 8651 4fef29 8647->8651 8648->8647 8649 4ff004 8648->8649 8649->8334 8668 4ffd14 8649->8668 8650->8651 8652 4fef3e PeekMessageW 8651->8652 8653 4fef54 PeekMessageA 8651->8653 8654 4fef68 8651->8654 8652->8654 
8653->8654 8654->8649 8692 500d7c GetCapture 8654->8692 8656 4fefa8 8656->8649 8699 4fed84 8656->8699 8665 4fefe7 TranslateMessage 8666 4feffc DispatchMessageA 8665->8666 8667 4feff4 DispatchMessageW 8665->8667 8666->8649 8667->8649 8776 4ffc88 GetCursorPos 8668->8776 8671 4ffd5d 8779 4fce78 8671->8779 8673 4ffd67 8787 4cbd68 8673->8787 8674 500384 132 API calls 8674->8671 8678 4ffd7f 8679 4ffdcd GetCurrentThreadId 8678->8679 8681 4ffdcf 8678->8681 8682 4ffdc5 8678->8682 8683 4ffe48 8679->8683 8684 4ffe4f 8679->8684 8681->8679 8689 4ffdeb SetTimer 8681->8689 8805 4ffc24 8682->8805 8811 444384 GetCurrentThreadId 8683->8811 8687 4ffe5d WaitMessage 8684->8687 8688 4ffe62 8684->8688 8687->8688 8688->8334 8689->8679 8690 4ffe12 8689->8690 8691 4ffc24 76 API calls 8690->8691 8691->8679 8693 500d91 8692->8693 8697 500da2 8692->8697 8693->8697 8725 4cb990 8693->8725 8695 500dad 8696 500db3 GetParent 8695->8696 8695->8697 8698 4cb990 7 API calls 8695->8698 8696->8695 8696->8697 8697->8656 8698->8695 8700 4fedaf 8699->8700 8701 4fed98 8699->8701 8700->8649 8703 4fec3c 8700->8703 8701->8700 8738 500384 InterlockedExchange 8701->8738 8704 4fec86 8703->8704 8705 4fec4c 8703->8705 8704->8649 8707 4fec8c 8704->8707 8705->8704 8706 4fec73 TranslateMDISysAccel 8705->8706 8706->8704 8708 4feca7 8707->8708 8719 4fed19 8707->8719 8709 4fecb2 GetCapture 8708->8709 8708->8719 8710 4fecbd 8709->8710 8711 4fed3c GetWindowThreadProcessId GetWindowThreadProcessId 8709->8711 8714 4fecce 8710->8714 8716 4fecd7 GetParent 8710->8716 8773 4cb9ec 8710->8773 8712 4fed5d SendMessageW 8711->8712 8711->8719 8712->8719 8715 4fecf4 IsWindowUnicode 8714->8715 8717 4fecfe SendMessageW 8715->8717 8718 4fed1d SendMessageA 8715->8718 8716->8710 8717->8719 8718->8719 8719->8649 8720 4febf4 8719->8720 8721 4fec39 8720->8721 8722 4fec05 IsWindowUnicode 8720->8722 8721->8649 8721->8665 8723 4fec26 IsDialogMessageA 8722->8723 8724 4fec11 IsDialogMessageW 8722->8724 8723->8721 8724->8721 8726 4cb99b 
GetWindowThreadProcessId 8725->8726 8727 4cb9e2 8725->8727 8726->8727 8728 4cb9a6 GetCurrentProcessId 8726->8728 8727->8695 8728->8727 8729 4cb9b0 8728->8729 8730 4cb9ba GlobalFindAtomW 8729->8730 8731 4cb9c9 GetPropW 8730->8731 8732 4cb9db 8730->8732 8731->8727 8734 4cb95c GetWindowThreadProcessId 8732->8734 8735 4cb988 8734->8735 8736 4cb96b GetCurrentProcessId 8734->8736 8735->8727 8736->8735 8737 4cb975 SendMessageW 8736->8737 8737->8727 8739 500396 8738->8739 8740 5003ad 8738->8740 8746 500310 8739->8746 8740->8700 8742 50039d 8755 4fd038 8742->8755 8747 50031e 8746->8747 8754 500370 8746->8754 8748 500334 IsWindowVisible 8747->8748 8747->8754 8749 50033e 8748->8749 8748->8754 8750 500350 8749->8750 8751 500372 8749->8751 8753 50035d ShowWindow 8750->8753 8767 500148 8751->8767 8753->8754 8754->8742 8756 4fd04d InterlockedExchange 8755->8756 8757 4fd042 UnhookWindowsHookEx 8755->8757 8758 4fd0af 8756->8758 8759 4fd069 SetEvent GetCurrentThreadId 8756->8759 8757->8756 8764 50018c 8758->8764 8760 4fd0a6 CloseHandle 8759->8760 8761 4fd081 8759->8761 8760->8758 8762 4fd08d MsgWaitForMultipleObjects 8761->8762 8763 4ff030 129 API calls 8761->8763 8762->8760 8762->8761 8763->8762 8765 50019b KillTimer 8764->8765 8766 5001af 8764->8766 8765->8766 8766->8740 8768 50018c KillTimer 8767->8768 8769 500158 SetTimer 8768->8769 8770 500186 8769->8770 8771 50017f 8769->8771 8770->8754 8772 500384 134 API calls 8771->8772 8772->8770 8774 4cb990 7 API calls 8773->8774 8775 4cb9f6 8774->8775 8775->8710 8831 4cd7a4 8776->8831 8780 4fcea4 8779->8780 8781 4fce82 8779->8781 8782 407354 13 API calls 8780->8782 8781->8780 8783 4fce90 8781->8783 8785 4fcead 8782->8785 8784 407354 13 API calls 8783->8784 8786 4fce9d 8784->8786 8785->8673 8786->8673 8848 41bea0 8787->8848 8789 4cbd7b 8790 4cbd8c 8789->8790 8791 4cbd81 8789->8791 8854 407b1c 8790->8854 8792 407354 13 API calls 8791->8792 8794 4cbd8a 8792->8794 8795 4fff6c 8794->8795 8796 407ab4 13 API calls 8795->8796 8797 4fff80 
8796->8797 8798 4fff96 8797->8798 8799 407354 13 API calls 8797->8799 8798->8678 8800 4fff8c 8799->8800 8800->8798 8866 4b5b30 8800->8866 8802 4fffb4 8870 4eb804 8802->8870 8804 4fffc1 8804->8678 8809 4ffc31 8805->8809 8806 4ffc84 8806->8679 8808 4ffc5b IsWindowVisible 8808->8809 8809->8806 8809->8808 8810 4ffc6c IsWindowEnabled 8809->8810 8916 4fbfa4 8809->8916 8810->8809 8812 4443c7 8811->8812 8813 44439e GetCurrentThreadId 8811->8813 8815 4443d4 8812->8815 8816 4443cb 8812->8816 8919 41a4ec 8813->8919 8935 444350 ResetEvent 8815->8935 8931 44435c WaitForSingleObject 8816->8931 8817 4443c2 8927 40619c 8817->8927 8822 4443d9 EnterCriticalSection InterlockedExchange 8823 44441b 8822->8823 8824 444531 8823->8824 8825 439870 74 API calls 8823->8825 8824->8684 8826 444446 8825->8826 8936 439708 8826->8936 8828 444453 LeaveCriticalSection 8829 444485 EnterCriticalSection 8828->8829 8829->8684 8836 4cd770 WindowFromPoint 8831->8836 8833 4cd7de 8833->8671 8833->8674 8834 4cd7b8 8834->8833 8841 4d4e04 8834->8841 8837 4cd79d 8836->8837 8838 4cd784 8836->8838 8837->8834 8838->8837 8839 4cb990 7 API calls 8838->8839 8840 4cd791 GetParent 8838->8840 8839->8838 8840->8837 8840->8838 8843 4d4e83 8841->8843 8847 4d4e23 8841->8847 8842 4d4eba 8842->8833 8843->8842 8844 439870 74 API calls 8843->8844 8844->8843 8845 439870 74 API calls 8845->8847 8846 4d4e04 74 API calls 8846->8847 8847->8843 8847->8845 8847->8846 8849 41beb7 8848->8849 8850 406b14 13 API calls 8849->8850 8851 41beec 8849->8851 8850->8851 8852 406b14 13 API calls 8851->8852 8853 41bf14 8851->8853 8852->8853 8853->8789 8855 407b32 8854->8855 8856 406b14 13 API calls 8855->8856 8857 407b5d 8855->8857 8856->8857 8858 407ba5 8857->8858 8859 407bb8 8857->8859 8860 407490 12 API calls 8858->8860 8863 407480 8859->8863 8862 407bb6 8860->8862 8862->8794 8864 4073ec 13 API calls 8863->8864 8865 40748d 8864->8865 8865->8862 8867 4b5b36 8866->8867 8875 4eb298 8867->8875 8869 4b5b4b 8869->8802 8871 407ab4 13 API calls 
8870->8871 8873 4eb818 8871->8873 8872 4eb857 8872->8804 8873->8872 8874 407354 13 API calls 8873->8874 8874->8872 8876 4eb29e 8875->8876 8879 4462f0 8876->8879 8878 4eb2b3 8878->8869 8880 4462f6 8879->8880 8883 44547c 8880->8883 8882 44630b 8882->8878 8884 445483 8883->8884 8885 4454a8 8884->8885 8887 4456a4 8884->8887 8885->8882 8888 4456b8 8887->8888 8889 4456c6 8888->8889 8897 445708 8888->8897 8903 4455f0 8889->8903 8895 4456f8 8895->8885 8898 44571d 8897->8898 8899 445edc 18 API calls 8898->8899 8900 445731 8899->8900 8901 44562c 74 API calls 8900->8901 8902 44573a 8901->8902 8902->8889 8904 4455fc 8903->8904 8905 445624 8904->8905 8906 445cf4 74 API calls 8904->8906 8907 445edc 8905->8907 8906->8905 8908 4456e7 8907->8908 8909 445ee9 8907->8909 8908->8895 8911 445e8c 8908->8911 8910 405bd0 18 API calls 8909->8910 8910->8908 8912 445e9c 8911->8912 8913 445ed5 8912->8913 8914 445dfc 74 API calls 8912->8914 8915 445e8c 74 API calls 8912->8915 8913->8895 8914->8912 8915->8912 8917 439870 74 API calls 8916->8917 8918 4fbfb4 8917->8918 8918->8809 8920 41a4fa 8919->8920 8921 40a90c 67 API calls 8920->8921 8922 41a524 8921->8922 8923 415db0 74 API calls 8922->8923 8924 41a532 8923->8924 8925 407354 13 API calls 8924->8925 8926 41a53d 8925->8926 8926->8817 8928 4061a0 8927->8928 8930 4061e8 8928->8930 8940 404380 8928->8940 8932 444374 8931->8932 8933 44436f 8931->8933 8932->8822 8943 444350 ResetEvent 8933->8943 8935->8822 8937 439713 8936->8937 8938 4397ac 74 API calls 8937->8938 8939 439727 8937->8939 8938->8939 8939->8828 8941 40aee8 4 API calls 8940->8941 8942 404385 8941->8942 8942->8930 8943->8932 8945 40675d 8944->8945 8949 406706 GetStdHandle WriteFile GetStdHandle WriteFile 8944->8949 8947 406766 MessageBoxA 8945->8947 8948 406779 8945->8948 8947->8948 8948->8140 8949->8140 8950 40d4d4 8953 40d430 8950->8953 8954 40d439 LoadLibraryW 8953->8954 8955 40d47b 8953->8955 8954->8955 8956 40d451 8954->8956 8961 40c55c 8956->8961 8959 40c55c 14 API calls 8960 
40d476 8959->8960 8960->8955 8962 40c57e GetProcAddress 8961->8962 8964 40c589 8961->8964 8963 40c5a9 8962->8963 8965 406964 12 API calls 8963->8965 8967 40c5a0 GetProcAddress 8964->8967 8966 40c5be 8965->8966 8966->8959 8967->8963 8968 406346 8969 406359 8968->8969 8974 4063ba 8968->8974 8970 406371 8969->8970 8971 406362 UnhandledExceptionFilter 8969->8971 8972 40637b RtlUnwind 8970->8972 8971->8970 8971->8974 8973 4062a8 8972->8973 8972->8974 8973->8974 8975 40438c 8 API calls 8973->8975 8976 406342 8975->8976 8977 405e06 8982 405ee9 8977->8982 8983 405e19 8977->8983 8978 405e8c 8979 405ebc RtlUnwind 8978->8979 8980 405ea7 UnhandledExceptionFilter 8978->8980 8981 40aee8 4 API calls 8979->8981 8980->8979 8980->8982 8981->8982 8983->8978 8983->8982 8984 405e6c UnhandledExceptionFilter 8983->8984 8984->8982 8985 405e81 8984->8985 8985->8979 8986 408f28 8987 408f54 8986->8987 8988 408f38 GetModuleFileNameW 8986->8988 8989 409d84 65 API calls 8988->8989 8989->8987 8990 40d5f9 8991 40d600 8990->8991 8992 40d614 8990->8992 8991->8992 8993 40d609 FreeLibrary 8991->8993 8993->8992 8994 40d28a 8998 404774 8994->8998 8996 40d29f CreateWindowExW 8997 40d2d9 8996->8997 8998->8996 8999 402d7c 9000 402d94 8999->9000 9001 402fdc 8999->9001 9011 402da6 9000->9011 9013 402e31 Sleep 9000->9013 9002 4030f4 9001->9002 9003 402fa0 9001->9003 9004 402b28 VirtualAlloc 9002->9004 9005 4030fd 9002->9005 9012 402fba Sleep 9003->9012 9014 402ffa 9003->9014 9007 402b63 9004->9007 9008 402b53 9004->9008 9006 402db5 9023 402ae0 9008->9023 9010 402e94 9020 402ea0 9010->9020 9028 402a68 9010->9028 9011->9006 9011->9010 9018 402e75 Sleep 9011->9018 9012->9014 9015 402fd0 Sleep 9012->9015 9013->9011 9016 402e47 Sleep 9013->9016 9017 403018 9014->9017 9019 402a68 VirtualAlloc 9014->9019 9015->9003 9016->9000 9018->9010 9022 402e8b Sleep 9018->9022 9019->9017 9022->9011 9024 402b26 9023->9024 9026 402ae9 9023->9026 9024->9007 9025 402af4 Sleep 9025->9026 9026->9024 9026->9025 9027 402b0d Sleep 
9026->9027 9027->9026 9032 4029fc 9028->9032 9030 402a70 VirtualAlloc 9031 402a87 9030->9031 9031->9020 9033 40299c 9032->9033 9033->9030 9034 40418c 9035 4041b1 9034->9035 9036 40419f VirtualFree 9035->9036 9037 4041b5 9035->9037 9036->9035 9037->9037 9038 404212 9037->9038 9039 4041fc VirtualFree 9037->9039 9039->9037 9040 40a97e GetSystemInfo

              Executed Functions

              C-Code - Quality: 100%
              			E00409F38(intOrPtr _a4) {
              				void* _t17;
              				void* _t22;
              				void* _t23;
              
              				_t23 = 1;
              				L0040256C();
              				GetLocaleInfoW( *(_a4 - 0x210) & 0x0000ffff, 3,  *(_a4 - 0x210),  *(_a4 - 0x214)); // executed
              				_t17 = E00409E50(_a4); // executed
              				if(_t17 == 0) {
              					( *(_a4 - 0x210))[2] = 0;
              					_t22 = E00409E50(_a4); // executed
              					if(_t22 == 0) {
              						_t23 = 0;
              					}
              				}
              				return _t23;
              			}

              APIs
              • GetUserDefaultUILanguage.KERNEL32(00000003,?,?,00000000,?,0040A0FC,?,?,?,00000000,00000105,00000000,0040A133,?,?), ref: 00409F54
              • GetLocaleInfoW.KERNEL32(?,00000003,?,?,00000000,?,0040A0FC,?,?,?,00000000,00000105,00000000,0040A133,?,?), ref: 00409F5D
                • Part of subcall function 00409E50: FindFirstFileW.KERNEL32(?,?,00000000), ref: 00409E6A
                • Part of subcall function 00409E50: FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409E7A
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
              • String ID:
              • API String ID: 3216391948-0
              • Opcode ID: 978bd77c838e830548eb6405c32ac923856ae9d3eeffdb9f261ae13c5a6a5d4e
              • Instruction ID: 1b5099e7ba547450a0d980bdedc91c00d00dcc2303c71ca11eb22a4a63bc58e7
              • Opcode Fuzzy Hash: 978bd77c838e830548eb6405c32ac923856ae9d3eeffdb9f261ae13c5a6a5d4e
              • Instruction Fuzzy Hash: 86F030752012056FDB00EE9DD88CAA677D8BB14354F004066F94CDB382C675DD408BA8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00409E50(intOrPtr _a4) {
              				struct _WIN32_FIND_DATAW _v596;
              				void* _t8;
              				signed int _t11;
              				signed int _t12;
              
              				_t8 = FindFirstFileW(_a4 + 0xfffffdf6,  &_v596); // executed
              				_t12 = _t11 & 0xffffff00 | _t8 != 0xffffffff;
              				if(_t12 != 0) {
              					FindClose(_t8);
              				}
              				return _t12;
              			}

              APIs
              • FindFirstFileW.KERNEL32(?,?,00000000), ref: 00409E6A
              • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409E7A
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: c849f8b9814bfa78e7e962291f87f0458c4a89099a95cd61000440bd550cb506
              • Instruction ID: e5dd59b4829fbe69317922ed2256f1cdca9dbcde9e443367a80718b47a1697be
              • Opcode Fuzzy Hash: c849f8b9814bfa78e7e962291f87f0458c4a89099a95cd61000440bd550cb506
              • Instruction Fuzzy Hash: C8D0C26250110823CA2099BC9C89A8F734C5A00224B8807667958E32C1FA35D910059D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040A97E() {
              				intOrPtr _v16;
              				struct _SYSTEM_INFO* _t3;
              
              				GetSystemInfo(_t3); // executed
              				return _v16;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: InfoSystem
              • String ID:
              • API String ID: 31276548-0
              • Opcode ID: 9f5d02421e06467d72b0051c4a2c38e5e646cf01a51e43e282660f5f7b2a6cad
              • Instruction ID: 79bb58b34467daf2bf89cf8fdbe93160764dc7fe55af93fa342d4310ab11d261
              • Opcode Fuzzy Hash: 9f5d02421e06467d72b0051c4a2c38e5e646cf01a51e43e282660f5f7b2a6cad
              • Instruction Fuzzy Hash: 29B012606084010BC504A72D4D4344B31C01A40124FC40635745CF53C2F65EC9A702DF
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 75%
              			E00409AE4(char __eax, void* __ebx, void* __edx) {
              				char _v8;
              				char* _v12;
              				void* _v16;
              				int _v20;
              				short _v542;
              				long _t49;
              				long _t83;
              				long _t85;
              				long _t87;
              				void* _t91;
              				intOrPtr _t97;
              				intOrPtr _t99;
              				void* _t103;
              				void* _t104;
              				intOrPtr _t105;
              
              				_t103 = _t104;
              				_t105 = _t104 + 0xfffffde4;
              				_t91 = __edx;
              				_v8 = __eax;
              				L0040733C(_v8);
              				_push(_t103);
              				_push(0x409cc9);
              				_push( *[fs:eax]);
              				 *[fs:eax] = _t105;
              				if(_v8 != 0) {
              					lstrcpynW( &_v542, E004073E0(_v8), 0x105);
              				} else {
              					GetModuleFileNameW(0,  &_v542, 0x105);
              				}
              				if(_v542 == 0) {
              					L16:
              					_pop(_t97);
              					 *[fs:eax] = _t97;
              					_push(E00409CD0);
              					return L00407344( &_v8);
              				} else {
              					_v12 = 0;
              					_t49 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
              					if(_t49 == 0) {
              						L8:
              						_push(_t103);
              						_push(0x409cac);
              						_push( *[fs:eax]);
              						 *[fs:eax] = _t105;
              						E004098E8( &_v542, 0x105);
              						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
              							if(RegQueryValueExW(_v16, E00409D80, 0, 0, 0,  &_v20) == 0) {
              								_v12 = E00404288(_v20);
              								RegQueryValueExW(_v16, E00409D80, 0, 0, _v12,  &_v20);
              								E00407500(_t91, _v12);
              							}
              						} else {
              							_v12 = E00404288(_v20);
              							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
              							E00407500(_t91, _v12);
              						}
              						_pop(_t99);
              						 *[fs:eax] = _t99;
              						_push(E00409CB3);
              						if(_v12 != 0) {
              							E004042A4(_v12);
              						}
              						return RegCloseKey(_v16);
              					} else {
              						_t83 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
              						if(_t83 == 0) {
              							goto L8;
              						} else {
              							_t85 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
              							if(_t85 == 0) {
              								goto L8;
              							} else {
              								_t87 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
              								if(_t87 != 0) {
              									goto L16;
              								} else {
              									goto L8;
              								}
              							}
              						}
              					}
              				}
              			}

              APIs
              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409CC9,?,00000000), ref: 00409B1D
              • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409CC9,?,00000000), ref: 00409B39
              • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409CC9,?,00000000), ref: 00409B66
              • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409CC9), ref: 00409B84
              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 00409BA2
              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00409BC0
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00409CAC,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000), ref: 00409C00
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,00409CAC,?,80000001), ref: 00409C2B
              • RegQueryValueExW.ADVAPI32(?,00409D80,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409CAC,?,80000001), ref: 00409C4F
              • RegQueryValueExW.ADVAPI32(?,00409D80,00000000,00000000,?,?,?,00409D80,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00409C78
              • RegCloseKey.ADVAPI32(?,00409CB3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409CAC,?,80000001,Software\CodeGear\Locales), ref: 00409CA6
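The four RegOpenKeyExW entries above, read together with the decompilation, give the complete override lookup: HKCU\Software\CodeGear\Locales, then HKLM\Software\CodeGear\Locales, then HKCU\Software\Borland\Locales, then HKCU\Software\Borland\Delphi\Locales, each opened with samDesired 0x000F0019, after which the value named by the module path from GetModuleFileNameW is queried. The Python below is an added triage aid; it is not part of the Joe Sandbox report or of the sample. It parses report lines in exactly this format, decodes the hive and the access mask, and emulates the decompiled control flow against a registry snapshot. The sample lines are copied from the list above; the registry contents and the executable path are constructed, and the fallback value name (the string at 0x409D80, which the page does not print) is an assumption, taken here to be "*".

```python
import re
from typing import List, Optional, Tuple

# Constructed input: the GetModuleFileNameW and RegOpenKeyExW entries from the
# report's "APIs" list, copied verbatim. Everything after an API's declared
# parameters is stack residue that Joe Sandbox prints, not a real argument.
SAMPLE_LINES = [
    r"• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409CC9,?,00000000), ref: 00409B1D",
    r"• RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409CC9,?,00000000), ref: 00409B66",
    r"• RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409CC9), ref: 00409B84",
    r"• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 00409BA2",
    r"• RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00409BC0",
]

# "<bullet> Api.MODULE(arg,arg,...), ref: <call site>"
API_LINE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})\s*$")

HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}

# Registry access-right bits (winnt.h / winreg.h), used to decode samDesired.
ACCESS_BITS = [
    (0x00000001, "KEY_QUERY_VALUE"), (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"), (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"), (0x00000020, "KEY_CREATE_LINK"),
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
]

# Declared parameter counts of the APIs this parser understands; anything beyond
# that count in a report line is stack residue and is dropped.
ARITY = {"GetModuleFileNameW": 3, "lstrcpynW": 3, "RegOpenKeyExW": 5,
         "RegQueryValueExW": 6, "RegCloseKey": 1}


def parse_api_line(line: str) -> Optional[dict]:
    """Split one report line into API name, module, declared arguments and call site."""
    m = API_LINE.match(line)
    if not m:
        return None
    api = m.group("api")
    raw = m.group("args").split(",")  # naive split: none of these arguments contain a comma
    return {"api": api, "module": m.group("module"),
            "args": raw[:ARITY.get(api, len(raw))], "ref": int(m.group("ref"), 16)}


def decode_access(mask: int) -> List[str]:
    """Name every right requested in a samDesired mask such as 0x000F0019."""
    return [name for bit, name in ACCESS_BITS if mask & bit]


def registry_open_order(lines: List[str]) -> List[Tuple[str, str, int, int]]:
    """(hive, subkey, samDesired, call site) for each RegOpenKeyExW, in report order."""
    order = []
    for line in lines:
        rec = parse_api_line(line)
        if rec and rec["api"] == "RegOpenKeyExW":
            hive = int(rec["args"][0], 16)
            order.append((HIVES.get(hive, hex(hive)), rec["args"][1],
                          int(rec["args"][3], 16), rec["ref"]))
    return order


def resolve_locale_override(order, registry, exe_path, fallback_name="*"):
    """Emulate the decompiled control flow. `registry` maps (hive, subkey) to a dict of
    value name -> data; a missing key stands for a failed RegOpenKeyExW. The first key
    that opens is the only one queried: its value is looked up by the module path that
    lstrcpynW copied into the stack buffer, then by the fallback name (assumed "*")."""
    for hive, subkey, _sam, _ref in order:
        values = registry.get((hive, subkey))
        if values is None:
            continue  # RegOpenKeyExW failed: try the next key
        if exe_path in values:
            return values[exe_path]
        return values.get(fallback_name)  # may be None; later keys are not consulted
    return None
```

Two details the emulation makes explicit. First, the decompilation jumps to L8 from whichever open succeeds and returns after RegCloseKey whether or not a value was found, so an HKCU CodeGear key that holds no matching value masks a Borland key that does. Second, 0x000F0019 is not KEY_READ (0x00020019): it adds DELETE, WRITE_DAC and WRITE_OWNER, rights a standard user does not hold on HKLM\Software under the default ACL, so the HKLM open at 00409B84 can only succeed when the process is elevated, the ACL has been loosened, or UAC registry virtualization rewrites the request for a legacy 32-bit process.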
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Similarity
              • API ID: OpenQueryValue$CloseFileModuleNamelstrcpyn
              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
              • API String ID: 3482678030-345420546
              • Opcode ID: 4dabda91b8e88040af0f1b20ec1489bc67fa0ce0c48b3b42a07884dfc6de3506
              • Instruction ID: 1808f01b6f4689471e19b5f95aec41cba690d62dbffa01b775dfc343d46402f7
              • Opcode Fuzzy Hash: 4dabda91b8e88040af0f1b20ec1489bc67fa0ce0c48b3b42a07884dfc6de3506
              • Instruction Fuzzy Hash: 5C51F175A84208BEEB10DA95CD46FAE73BCEB48704F504077BA04F61C2D6B8AD40DB5D
              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E004097A0(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
              				char _v8;
              				int _t9;
              				void* _t17;
              				signed short _t27;
              				intOrPtr _t33;
              				intOrPtr* _t42;
              				intOrPtr _t45;
              
              				_t40 = __edi;
              				_push(0);
              				_push(__ebx);
              				_push(__esi);
              				_t42 = __edx;
              				_t27 = __eax;
              				_push(_t45);
              				_push(0x4098a5);
              				_push( *[fs:eax]);
              				 *[fs:eax] = _t45;
              				EnterCriticalSection(0x5fbb5c);
              				if(_t27 !=  *0x5fbb74) {
              					LeaveCriticalSection(0x5fbb5c);
              					E00407354(_t42, 0);
              					_t9 = IsValidLocale(_t27 & 0x0000ffff, 2); // executed
              					if(_t9 != 0) {
              						if( *0x5fbb58 == 0) {
              							_t17 = E00409480(_t27, _t27, _t42, __edi, _t42);
              							L00402594();
              							if(_t27 != _t17) {
              								if( *_t42 != 0) {
              									_t17 = E00407750(_t42, E004098C0);
              								}
              								L00402594();
              								E00409480(_t17, _t27,  &_v8, _t40, _t42);
              								E00407750(_t42, _v8);
              							}
              						} else {
              							E00409680(_t27, _t42);
              						}
              					}
              					EnterCriticalSection(0x5fbb5c);
              					 *0x5fbb74 = _t27;
              					lstrcpynW("en-US,en,", E004073E0( *_t42), 0xaa);
              					LeaveCriticalSection(0x5fbb5c);
              				} else {
              					E0040753C(_t42, 0x55, 0x5fbb78);
              					LeaveCriticalSection(0x5fbb5c);
              				}
              				_pop(_t33);
              				 *[fs:eax] = _t33;
              				_push(E004098AC);
              				return L00407344( &_v8);
              			}

              APIs
              • EnterCriticalSection.KERNEL32(005FBB5C,00000000,004098A5,?,?,00000000,00000000,?,0040A0B8,?,?,?,00000000,00000105,00000000,0040A133), ref: 004097BE
              • LeaveCriticalSection.KERNEL32(005FBB5C,005FBB5C,00000000,004098A5,?,?,00000000,00000000,?,0040A0B8,?,?,?,00000000,00000105,00000000), ref: 004097E2
              • LeaveCriticalSection.KERNEL32(005FBB5C,005FBB5C,00000000,004098A5,?,?,00000000,00000000,?,0040A0B8,?,?,?,00000000,00000105,00000000), ref: 004097F1
              • IsValidLocale.KERNEL32(00000000,00000002,005FBB5C,005FBB5C,00000000,004098A5,?,?,00000000,00000000,?,0040A0B8,?,?,?,00000000), ref: 00409805
              • EnterCriticalSection.KERNEL32(005FBB5C,00000000,00000002,005FBB5C,005FBB5C,00000000,004098A5,?,?,00000000,00000000,?,0040A0B8,?,?,?), ref: 00409862
              • lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,005FBB5C,00000000,00000002,005FBB5C,005FBB5C,00000000,004098A5,?,?,00000000,00000000,?,0040A0B8), ref: 00409880
              • LeaveCriticalSection.KERNEL32(005FBB5C,en-US,en,,00000000,000000AA,005FBB5C,00000000,00000002,005FBB5C,005FBB5C,00000000,004098A5,?,?,00000000,00000000), ref: 0040988A
              Similarity
              • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
              • String ID: en-US,en,
              • API String ID: 1058953229-3579323720
              • Opcode ID: f22752259b77584a038868251d37adc84c1873e8bf4970e4e0d86e6bb4b33935
              • Instruction ID: 944590b57add7a37bb0592cf990857422647a7b0ae69f0644b13bca931a503ab
              • Opcode Fuzzy Hash: f22752259b77584a038868251d37adc84c1873e8bf4970e4e0d86e6bb4b33935
              • Instruction Fuzzy Hash: A021D131724204E7FA14B766CD0762A26989B86B08F20443BF900B32CBDABD9D05D26F
              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00500E70(int __eax, void* __ecx, char __edx) {
              				int _t28;
              				void* _t44;
              				char _t61;
              				struct HWND__* _t62;
              				struct HWND__* _t63;
              				int _t81;
              				char* _t82;
              
              				_t28 = __eax;
              				_t61 = __edx;
              				_t81 = __eax;
              				if(__edx !=  *((intOrPtr*)(__eax + 0xd3))) {
              					 *((char*)(__eax + 0xd3)) = __edx;
              					_t79 =  *((intOrPtr*)(__eax + 0x44));
              					if( *((intOrPtr*)(__eax + 0x44)) != 0 && E004D8788(_t79) != 0 && ( *( *((intOrPtr*)(_t81 + 0x44)) + 0x1c) & 0x00000010) == 0 && ( *( *((intOrPtr*)(_t81 + 0x44)) + 0x1c) & 0x00000002) == 0) {
              						if(__edx == 0) {
              							_t44 = E004D83DC( *((intOrPtr*)(_t81 + 0x44)));
              							 *_t82 = _t44 == GetForegroundWindow();
              							E004F2B88(E004D83DC( *((intOrPtr*)(_t81 + 0x44))),  *( *((intOrPtr*)(_t81 + 0x44)) + 0x59) & 0x000000ff, 0);
              							E004F2B88( *(_t81 + 0x170), 1, 1);
              							if( *_t82 != 0) {
              								SetForegroundWindow(E004D83DC( *((intOrPtr*)(_t81 + 0x44))));
              							}
              						} else {
              							E004F2B88( *(_t81 + 0x170), 0, 0);
              							E004F2B88(E004D83DC( *((intOrPtr*)(_t81 + 0x44))),  *( *((intOrPtr*)(_t81 + 0x44)) + 0x59) & 0x000000ff, 1);
              						}
              						E004D0980( *((intOrPtr*)(_t81 + 0x44)), 0, 0xb033, 0);
              					}
              					if(_t61 == 0) {
              						_t62 =  *(_t81 + 0x170);
              						SetWindowLongW(_t62, 0xffffffec, GetWindowLongW(_t62, 0xffffffec) & 0xffffff7f);
              						_t28 = SetWindowTextW( *(_t81 + 0x170), E004073E0( *((intOrPtr*)(_t81 + 0x8c))));
              					} else {
              						_t63 =  *(_t81 + 0x170);
              						SetWindowLongW(_t63, 0xffffffec, GetWindowLongW(_t63, 0xffffffec) | 0x00000080); // executed
              						_t28 = SetWindowTextW( *(_t81 + 0x170), 0); // executed
              					}
              				}
              				return _t28;
              			}

              APIs
              • GetForegroundWindow.USER32(?,?,?,005FE2F0,005F3343), ref: 00500EF3
              • SetForegroundWindow.USER32(00000000,?,?,?,005FE2F0,005F3343), ref: 00500F32
                • Part of subcall function 004F2B88: GetWindowLongW.USER32(00000000,000000EC), ref: 004F2B96
                • Part of subcall function 004F2B88: IsIconic.USER32 ref: 004F2BC4
                • Part of subcall function 004F2B88: IsWindowVisible.USER32(00000000), ref: 004F2BD4
                • Part of subcall function 004F2B88: ShowWindow.USER32(00000000,00000000,00000000,00000000,000000EC,?,00000000,00000000,?,00500F14,?,?,?,005FE2F0,005F3343), ref: 004F2BF1
                • Part of subcall function 004F2B88: SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 004F2C04
                • Part of subcall function 004F2B88: ShowWindow.USER32(00000000,00000006,00000000,000000EC,00000000,00000000,00000000,000000EC,?,00000000,00000000,?,00500F14), ref: 004F2C35
                • Part of subcall function 004F2B88: SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 004F2C15
                • Part of subcall function 004F2B88: ShowWindow.USER32(00000000,00000005,00000000,000000EC,00000000,00000000,00000000,000000EC,?,00000000,00000000,?,00500F14), ref: 004F2C3F
              • GetWindowLongW.USER32(?,000000EC), ref: 00500F55
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00500F63
              • SetWindowTextW.USER32(?,00000000), ref: 00500F71
              • GetWindowLongW.USER32(?,000000EC), ref: 00500F81
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00500F8F
              • SetWindowTextW.USER32(?,00000000), ref: 00500FA7
              Similarity
              • API ID: Window$Long$Show$ForegroundText$IconicVisible
              • String ID:
              • API String ID: 982591973-0
              • Opcode ID: 62c499e05cdb4a37993caa8d219bc642bffdde5bcbf941b6fb87b1fa4362a3f4
              • Instruction ID: 0be367b69e2e7dbcaf1391205f2647cca0160cc3991ed769fc3a182cd9df0540
              • Opcode Fuzzy Hash: 62c499e05cdb4a37993caa8d219bc642bffdde5bcbf941b6fb87b1fa4362a3f4
              • Instruction Fuzzy Hash: 5231E8702087515BC330BB39C881BAF7BE96F45714F18191EB9AA972C3CE39B8029754
              Uniqueness Score: -1.00%

              Control-flow Graph (basic blocks as address ranges, followed by edges; the Executed/Not Executed colouring of the rendered graph is not reproduced)
              control_flow_graph 97 4fdcbc-4fdccf 98 4fdcd5-4fdcd7 97->98 99 4fde21-4fde24 97->99 100 4fdd6f-4fdd76 98->100 101 4fdcdd-4fdce4 98->101 100->99 102 4fdd7c-4fdd89 100->102 103 4fdce6-4fdcfc call 500bac EnumWindows 101->103 104 4fdd64-4fdd6a 101->104 102->99 105 4fdd8f-4fdd93 102->105 111 4fdcfe-4fdd0a 103->111 112 4fdd35-4fdd42 103->112 104->99 107 4fddcc-4fddd9 105->107 108 4fdd95-4fdda1 105->108 113 4fddfb-4fde1e call 408d68 107->113 114 4fdddb-4fddf9 call 439870 ShowOwnedPopups 107->114 108->107 110 4fdda3-4fddb3 call 408ba8 108->110 110->107 126 4fddb5-4fddca ShowWindow 110->126 111->112 118 4fdd0c-4fdd1c call 408ba8 111->118 112->104 116 4fdd44-4fdd62 call 439870 ShowOwnedPopups 112->116 113->99 114->113 116->104 118->112 128 4fdd1e-4fdd33 ShowWindow 118->128 126->107 126->126 128->112 128->128
              C-Code - Quality: 90%
              			E004FDCBC(void* __eax, void* __ecx, void* __edx) {
              				int _t31;
              				int _t32;
              				int _t39;
              				int _t50;
              				void* _t65;
              				signed int _t66;
              				void* _t68;
              				signed int _t69;
              				void* _t70;
              
              				_t70 = __eax;
              				_t31 =  *0x5fe2f0; // 0x0
              				if( *((intOrPtr*)(_t31 + 0x170)) != 0) {
              					if(__edx == 0) {
              						if( *((intOrPtr*)(__eax + 0x9c)) != 0) {
              							L9:
              							 *((intOrPtr*)(_t70 + 0x9c)) =  *((intOrPtr*)(_t70 + 0x9c)) + 1;
              							return _t31;
              						}
              						EnumWindows(E004FDBC8, E00500BAC(__eax, __ecx)); // executed
              						if( *((intOrPtr*)(_t70 + 0x44)) == 0) {
              							L7:
              							_t31 =  *(_t70 + 0x98);
              							_t68 =  *((intOrPtr*)(_t31 + 8)) - 1;
              							if(_t68 < 0) {
              								goto L9;
              							} else {
              								goto L8;
              							}
              							do {
              								L8:
              								asm("cmc");
              								asm("sbb eax, eax");
              								_t31 = ShowOwnedPopups(E00439870( *(_t70 + 0x98), _t68), _t31);
              								_t68 = _t68 - 1;
              							} while (_t68 != 0xffffffff);
              							goto L9;
              						}
              						_t50 =  *0x5fe2f0; // 0x0
              						if( *((char*)(_t50 + 0xd3)) == 0) {
              							goto L7;
              						}
              						_t69 = E00408BA8();
              						if(_t69 < 0) {
              							goto L7;
              						} else {
              							goto L6;
              						}
              						do {
              							L6:
              							ShowWindow( *( *((intOrPtr*)(_t70 + 0xd8)) + _t69 * 4), 0);
              							_t69 = _t69 - 1;
              						} while (_t69 != 0xffffffff);
              						goto L7;
              					}
              					if( *((intOrPtr*)(__eax + 0x9c)) > 0) {
              						 *((intOrPtr*)(__eax + 0x9c)) =  *((intOrPtr*)(__eax + 0x9c)) - 1;
              						if( *((intOrPtr*)(__eax + 0x9c)) == 0) {
              							if( *((intOrPtr*)(__eax + 0x44)) == 0) {
              								L16:
              								_t32 =  *(_t70 + 0x98);
              								_t65 =  *((intOrPtr*)(_t32 + 8)) - 1;
              								if(_t65 < 0) {
              									L18:
              									 *((intOrPtr*)( *( *(_t70 + 0x98)) + 8))();
              									_push(0);
              									return E00408D68();
              								} else {
              									goto L17;
              								}
              								do {
              									L17:
              									asm("cmc");
              									asm("sbb eax, eax");
              									_t32 = ShowOwnedPopups(E00439870( *(_t70 + 0x98), _t65), _t32);
              									_t65 = _t65 - 1;
              								} while (_t65 != 0xffffffff);
              								goto L18;
              							}
              							_t39 =  *0x5fe2f0; // 0x0
              							if( *((char*)(_t39 + 0xd3)) == 0) {
              								goto L16;
              							}
              							_t66 = E00408BA8();
              							if(_t66 < 0) {
              								goto L16;
              							} else {
              								goto L15;
              							}
              							do {
              								L15:
              								ShowWindow( *( *((intOrPtr*)(_t70 + 0xd8)) + _t66 * 4), 5);
              								_t66 = _t66 - 1;
              							} while (_t66 != 0xffffffff);
              							goto L16;
              						}
              					}
              				}
              				return _t31;
              			}

              APIs
              • EnumWindows.USER32(004FDBC8,00000000), ref: 004FDCF3
              • ShowWindow.USER32(?,00000000,004FDBC8,00000000,?,?,?,004FE813,005FE2F0,004FF334), ref: 004FDD2A
              • ShowOwnedPopups.USER32(00000000,?,004FDBC8,00000000,?,?,?,004FE813,005FE2F0,004FF334), ref: 004FDD59
              • ShowWindow.USER32(?,00000005,?,?,?,004FE813,005FE2F0,004FF334), ref: 004FDDC1
              • ShowOwnedPopups.USER32(00000000,?,?,?,?,004FE813,005FE2F0,004FF334), ref: 004FDDF0
              Similarity
              • API ID: Show$OwnedPopupsWindow$EnumWindows
              • String ID:
              • API String ID: 315437064-0
              • Opcode ID: fa18c8c3f74c0d70534032ae6dfefeca402f8fa434adbbb741acd1ba40cee719
              • Instruction ID: e00d8a553999733ea33d26c720b26f93c71cc0ca55601d04aa82cf6dd5c70d3b
              • Opcode Fuzzy Hash: fa18c8c3f74c0d70534032ae6dfefeca402f8fa434adbbb741acd1ba40cee719
              • Instruction Fuzzy Hash: A8416331E006048FD720AB79C845BA673E6AB91328F05493BE15DDB2E2CB7CACC5DB54
              Uniqueness Score: -1.00%

              Control-flow Graph (basic blocks as address ranges, followed by edges; the Executed/Not Executed colouring of the rendered graph is not reproduced)
              control_flow_graph 130 40d383-40d437 132 40d439-40d44f LoadLibraryW 130->132 133 40d47b-40d482 130->133 132->133 136 40d451-40d476 call 40c55c * 2 132->136 134 40d484-40d48b 133->134 135 40d48d-40d48f 133->135 134->135 137 40d490-40d492 134->137 136->133
              C-Code - Quality: 81%
              			E0040D383(intOrPtr* __eax, intOrPtr* __ebx, intOrPtr* __ecx, intOrPtr* __edx, intOrPtr* __edi, void* __esi) {
              				intOrPtr* _t18;
              				intOrPtr* _t19;
              				struct HINSTANCE__* _t22;
              				struct HINSTANCE__* _t23;
              				struct HINSTANCE__* _t25;
              				intOrPtr* _t28;
              				intOrPtr* _t33;
              				void* _t36;
              				intOrPtr* _t37;
              				void* _t40;
              				intOrPtr* _t41;
              				intOrPtr* _t42;
              				intOrPtr* _t44;
              				intOrPtr* _t45;
              				intOrPtr* _t46;
              
              				 *_t41 =  *_t41 + __ecx;
              				asm("popad");
              				 *__edi =  *__edi + __eax;
              				 *[gs:eax+eax+0x6c] =  *[gs:eax+eax+0x6c] + __ecx;
              				 *__ecx =  *__ecx + __eax;
              				asm("outsb");
              				 *__eax =  *__eax + __eax;
              				 *_t41 =  *_t41 + __ecx;
              				_push(__ebx);
              				 *__edi =  *__edi + __edx;
              				_t18 = __eax - 1;
              				 *_t41 =  *_t41 + _t18;
              				_t42 = _t41 + 1;
              				 *((intOrPtr*)(_t18 + _t18)) =  *((intOrPtr*)(_t18 + _t18)) + __ecx;
              				 *_t18 =  *_t18 + _t18;
              				 *_t42 =  *_t42 + __ecx;
              				asm("outsd");
              				 *_t42 =  *_t42 + __edx;
              				if ( *_t42 >= 0) goto L1;
              				 *[gs:edx] =  *[gs:edx] + __ebx;
              				 *_t18 =  *_t18 + _t18;
              				 *_t18 =  *_t18 + _t18;
              				 *__ebx =  *__ebx + __edx;
              				_push(__edi);
              				 *_t18 =  *_t18 + __ecx;
              				_t44 = _t42 - 1 + 1;
              				 *_t44 =  *_t44 + _t18;
              				 *__edi =  *__edi + __ebx;
              				_push(__edx);
              				 *__edi =  *__edi + __ecx;
              				 *((intOrPtr*)(_t18 + _t18 + 0x4d)) =  *((intOrPtr*)(_t18 + _t18 + 0x4d)) + __ecx;
              				 *__ebx =  *__ebx + __edx;
              				 *_t18 =  *_t18 + _t18;
              				 *_t44 =  *_t44 + __ecx;
              				_push(__ebx);
              				 *_t18 =  *_t18 + __ecx;
              				_pop(_t33);
              				 *_t33 =  *_t33 + __edx;
              				_t19 = _t18 - 1;
              				 *_t44 =  *_t44 + _t19;
              				_t45 = _t44 + 1;
              				 *((intOrPtr*)(_t19 + _t19 + 0x53)) =  *((intOrPtr*)(_t19 + _t19 + 0x53)) + __ecx;
              				 *_t45 =  *_t45 + __edx;
              				_push(_t19);
              				 *_t19 =  *_t19 + __edx;
              				 *__edx =  *__edx + __edx;
              				 *((intOrPtr*)(_t33 - 1)) =  *((intOrPtr*)(_t33 - 1)) + __ebx;
              				_t46 = _t45 - 1;
              				 *__ebx =  *__ebx + __edx;
              				 *_t19 =  *_t19 + _t19;
              				 *_t19 =  *_t19 + _t19;
              				 *_t46 =  *_t46 + __ecx;
              				_push(__ebx);
              				 *_t19 =  *_t19 + __ecx;
              				_pop(_t36);
              				 *__ebx =  *__ebx + __edx;
              				_t28 = __ebx + 1;
              				 *__edx =  *__edx + __edx;
              				_t37 = _t36 - 1;
              				 *((intOrPtr*)(_t19 + _t19 + 0x4c)) =  *((intOrPtr*)(_t19 + _t19 + 0x4c)) + __ecx;
              				 *_t37 =  *_t37 + _t28;
              				 *__ecx =  *__ecx + __ecx;
              				_t40 = __esi - 1;
              				 *_t46 =  *_t46 + _t19;
              				_push(_t28);
              				 *_t37 =  *_t37 + _t28;
              				 *_t28 =  *_t28 + __edx;
              				 *_t19 =  *_t19 + _t19;
              				 *_t19 =  *_t19 + _t19;
              				 *((intOrPtr*)(_t28 + 0x5fbc4c3d)) =  *((intOrPtr*)(_t28 + 0x5fbc4c3d)) + _t19;
              				if( *0x5fbc4c == 0) {
              					_t22 = LoadLibraryW(L"hhctrl.ocx"); // executed
              					 *0x5fbc4c = _t22;
              					if( *0x5fbc4c != 0) {
              						_t23 =  *0x5fbc4c; // 0x722d0000
              						 *0x5fbc50 = E0040C55C(_t28, _t40, _t23, L"HtmlHelpA");
              						_t25 =  *0x5fbc4c; // 0x722d0000
              						 *0x5fbc54 = E0040C55C(_t28, _t40, _t25, L"HtmlHelpW");
              					}
              				}
              				if( *0x5fbc50 == 0 ||  *0x5fbc54 == 0) {
              					return 0;
              				} else {
              					return 1;
              				}
              			}

              APIs
              • LoadLibraryW.KERNEL32(hhctrl.ocx), ref: 0040D43E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: LibraryLoad
              • String ID: HtmlHelpA$HtmlHelpW$hhctrl.ocx
              • API String ID: 1029625771-2872279806
              • Opcode ID: 3b32d5519c794c6a067789e788b50227665fe0657662f0bf5de77eca969a4374
              • Instruction ID: f4b746694bb527d884938eef3755f0f89da8170c59d128b4d6dde89f52e4415b
              • Opcode Fuzzy Hash: 3b32d5519c794c6a067789e788b50227665fe0657662f0bf5de77eca969a4374
              • Instruction Fuzzy Hash: CF412F0418E7C56FC7068B705DB9996BF20AA53104B0DC7DFD8888A8E3C76CAA0DD767
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (figure omitted): basic blocks 40d430 through 40d492; the graph covers the LoadLibraryW call and the two calls to 40c55c.
              C-Code - Quality: 100%
              			E0040D430() {
              				struct HINSTANCE__* _t3;
              				struct HINSTANCE__* _t4;
              				struct HINSTANCE__* _t6;
              				void* _t8;
              				void* _t9;
              
              				if( *0x5fbc4c == 0) {
              					_t3 = LoadLibraryW(L"hhctrl.ocx"); // executed
              					 *0x5fbc4c = _t3;
              					if( *0x5fbc4c != 0) {
              						_t4 =  *0x5fbc4c; // 0x722d0000
              						 *0x5fbc50 = E0040C55C(_t8, _t9, _t4, L"HtmlHelpA");
              						_t6 =  *0x5fbc4c; // 0x722d0000
              						 *0x5fbc54 = E0040C55C(_t8, _t9, _t6, L"HtmlHelpW");
              					}
              				}
              				if( *0x5fbc50 == 0 ||  *0x5fbc54 == 0) {
              					return 0;
              				} else {
              					return 1;
              				}
              			}

              APIs
              • LoadLibraryW.KERNEL32(hhctrl.ocx), ref: 0040D43E
                • Part of subcall function 0040C55C: GetProcAddress.KERNEL32(?,?), ref: 0040C580
                • Part of subcall function 0040C55C: GetProcAddress.KERNEL32(?,00000000), ref: 0040C5A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc$LibraryLoad
              • String ID: HtmlHelpA$HtmlHelpW$hhctrl.ocx
              • API String ID: 2238633743-2872279806
              • Opcode ID: a2fb08f4f1ff74cf5d327bcd5199259722835c9ff6f1b1725c9692b1feb3272a
              • Instruction ID: dc8f318e16ce5395d40b0527178d9abc0a2547f09fc3a505c615d551a7ba4a9b
              • Opcode Fuzzy Hash: a2fb08f4f1ff74cf5d327bcd5199259722835c9ff6f1b1725c9692b1feb3272a
              • Instruction Fuzzy Hash: 51F0A570900206DEE725ABB5EC49B2733A4A324709F00493BA100E66F5CF7C6E4CEF4A
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (figure omitted): basic blocks 409f94 through 40a132; the graph covers calls to 40733c (twice), 407354, 4073e0, lstrcpynW, lstrlenW, 409ae4, 409e88, GetUserDefaultUILanguage, 4097a0, GetSystemDefaultUILanguage, 409f38, 40753c and 40734c.
              C-Code - Quality: 80%
              			E00409F94(char __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
              				short _v526;
              				char _v532;
              				intOrPtr _v536;
              				char _v540;
              				intOrPtr _v544;
              				char _v548;
              				char _v552;
              				char _v556;
              				signed short _t56;
              				signed short _t59;
              				signed short _t60;
              				signed short _t69;
              				intOrPtr _t81;
              				signed int _t85;
              				signed int _t86;
              				intOrPtr* _t91;
              				void* _t93;
              				void* _t96;
              
              				_t95 = _t96;
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				_v556 = 0;
              				_v552 = 0;
              				_v548 = 0;
              				_t93 = __ecx;
              				_v544 = __edx;
              				_v540 = __eax;
              				L0040733C(_v540);
              				L0040733C(_v544);
              				_t91 =  &_v532;
              				_push(_t96);
              				_push(0x40a133);
              				 *[fs:eax] = _t96 + 0xfffffdd8;
              				E00407354(__ecx, 0,  *[fs:eax]);
              				_t69 = 0;
              				lstrcpynW( &_v526, E004073E0(_v544), 0x105);
              				 *_t91 = lstrlenW( &_v526) + _t40 +  &_v526 - 2;
              				while( *((short*)( *_t91)) != 0x2e &&  &_v526 !=  *_t91) {
              					 *_t91 =  *_t91 - 2;
              				}
              				if( &_v526 !=  *_t91) {
              					 *_t91 =  *_t91 + 2;
              					 *((short*)( *_t91)) = 0;
              					_t85 =  *_t91 -  &_v526;
              					_t86 = _t85 >> 1;
              					if(_t85 < 0) {
              						asm("adc edx, 0x0");
              					}
              					_v536 = 0x105 - _t86;
              					_t56 = E00409AE4(_v540, _t69,  &_v548); // executed
              					if(_v548 == 0) {
              						L0040256C();
              						E004097A0(_t56, _t69,  &_v552, _t91, _t93); // executed
              						_t59 = E00409E88(_v552, _t69, _t91, _t93, _t95); // executed
              						_t69 = _t59;
              						if(_t69 == 0 &&  *0x5fbb58 == 0) {
              							L00402594();
              							E004097A0(_t59, _t69,  &_v556, _t91, _t93);
              							_t69 = E00409E88(_v556, _t69, _t91, _t93, _t95);
              						}
              						if(_t69 == 0) {
              							_t60 = E00409F38(_t95); // executed
              							_t69 = _t60;
              						}
              					} else {
              						_t69 = E00409E88(_v548, _t69, _t91, _t93, _t95);
              					}
              				}
              				if(_t69 != 0) {
              					E0040753C(_t93, 0x105,  &_v526);
              				}
              				_pop(_t81);
              				 *[fs:eax] = _t81;
              				_push(E0040A13A);
              				return L0040734C( &_v556, 5);
              			}

              APIs
              • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,0040A133,?,?,?,00000000), ref: 0040A00F
              • lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,0040A133,?,?,?,00000000), ref: 0040A01B
              • GetUserDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,0040A133,?,?,?,00000000), ref: 0040A0A8
              • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,0040A133,?,?,?,00000000), ref: 0040A0D4
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: DefaultLanguage$SystemUserlstrcpynlstrlen
              • String ID:
              • API String ID: 3749826553-0
              • Opcode ID: bf834e8ddd2144db3845edba24dfef04b3be645cadeda356c3503f5b959a4658
              • Instruction ID: ac2090829a0b2fb0ea48245f051463b5f9a9164d35936641d4891a5034ff83a6
              • Opcode Fuzzy Hash: bf834e8ddd2144db3845edba24dfef04b3be645cadeda356c3503f5b959a4658
              • Instruction Fuzzy Hash: 6C415431A4031D9BD720DF65DC897CAB3B5AF58304F9041B6E408B72D2EB786E948E59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (figure omitted): basic blocks 4fd9fc through 4fdaa2; the graph covers the calls to EnumWindows, GetWindow, GetWindowLongW, 439870 and SetWindowPos.
              C-Code - Quality: 100%
              			E004FD9FC(void* __eax, void* __ecx, char __edx) {
              				char _v12;
              				struct HWND__* _v20;
              				int _t16;
              				void* _t25;
              				struct HWND__* _t31;
              				void* _t33;
              				void* _t34;
              				long _t35;
              
              				_t35 = _t34 + 0xfffffff8;
              				_t25 = __eax;
              				_t16 =  *(__eax + 0x170);
              				if(_t16 != 0) {
              					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
              						 *_t35 = _t16;
              						_v12 = __edx;
              						EnumWindows(E004FD948, _t35); // executed
              						_t16 =  *(_t25 + 0x90);
              						if( *((intOrPtr*)(_t16 + 8)) != 0) {
              							_t31 = GetWindow(_v20, 3);
              							_v20 = _t31;
              							if((GetWindowLongW(_t31, 0xffffffec) & 0x00000008) != 0) {
              								_v20 = 0xfffffffe;
              							}
              							_t16 =  *(_t25 + 0x90);
              							_t33 =  *((intOrPtr*)(_t16 + 8)) - 1;
              							if(_t33 >= 0) {
              								do {
              									_t16 = SetWindowPos(E00439870( *(_t25 + 0x90), _t33), _v20, 0, 0, 0, 0, 0x213);
              									_t33 = _t33 - 1;
              								} while (_t33 != 0xffffffff);
              							}
              						}
              					}
              					 *((intOrPtr*)(_t25 + 0x94)) =  *((intOrPtr*)(_t25 + 0x94)) + 1;
              				}
              				return _t16;
              			}

              APIs
              • EnumWindows.USER32(004FD948), ref: 004FDA29
              • GetWindow.USER32(00000003,00000003), ref: 004FDA41
              • GetWindowLongW.USER32(00000000,000000EC), ref: 004FDA4E
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 004FDA8D
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Window$EnumLongWindows
              • String ID:
              • API String ID: 4191631535-0
              • Opcode ID: 5ff0dbcc93a48cf775379d1727072d937b821400ed5095c5f80c5520151617e1
              • Instruction ID: 29082b7611424d4eb4ca608481d3a32473847a8693b415a0f25e433e0fb48ef0
              • Opcode Fuzzy Hash: 5ff0dbcc93a48cf775379d1727072d937b821400ed5095c5f80c5520151617e1
              • Instruction Fuzzy Hash: 2A115231E082109FDB10AB69CC85FA673D5AB45724F14027AFA68AF2D6C6749C41C7A9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (figure omitted): basic blocks 4ff14c through 4ff28b; the graph covers calls to 405980, 405c26, 4058e0, 4d83b8, GetWindowLongW, SetWindowLongW and 4f2b88.
              C-Code - Quality: 91%
              			E004FF14C(intOrPtr __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi) {
              				intOrPtr _v8;
              				char _v12;
              				intOrPtr* _v16;
              				char _t36;
              				intOrPtr _t47;
              				intOrPtr _t49;
              				void* _t69;
              				intOrPtr _t71;
              				struct HWND__* _t72;
              				intOrPtr _t85;
              				intOrPtr _t86;
              				intOrPtr _t87;
              				intOrPtr _t88;
              				intOrPtr _t90;
              				void* _t94;
              				void* _t95;
              				intOrPtr _t96;
              
              				_t94 = _t95;
              				_t96 = _t95 + 0xfffffff4;
              				_v12 = __ecx;
              				_t69 = __edx;
              				_v8 = __eax;
              				if( *((intOrPtr*)(_v8 + 0x44)) != 0) {
              					L2:
              					_t36 = 0;
              				} else {
              					_t90 =  *0x4ee4c0; // 0x4ee518
              					if(E00405980(__edx, _t90) != 0) {
              						_t36 = 1;
              					} else {
              						goto L2;
              					}
              				}
              				 *((char*)(_v8 + 0xd1)) = _t36;
              				_v16 = 0;
              				 *[fs:edx] = _t96;
              				_v16 =  *((intOrPtr*)(_t69 - 0xc))( *[fs:edx], 0x4ff28c, _t94);
              				_t10 =  &_v12; // 0x5f3362
              				 *((intOrPtr*)( *_t10)) = _v16;
              				 *[fs:eax] = _t96;
              				 *((intOrPtr*)( *_v16 + 0x2c))( *[fs:eax], 0x4ff1cf, _t94);
              				_pop(_t85);
              				 *[fs:eax] = _t85;
              				if( *((intOrPtr*)(_v8 + 0x44)) == 0) {
              					_t88 =  *0x4ee4c0; // 0x4ee518
              					if(E004058E0(_v16, _t88) != 0) {
              						_t71 = _v16;
              						E004D83B8(_t71);
              						 *((intOrPtr*)(_v8 + 0x44)) = _t71;
              						if( *(_v8 + 0xd3) != 0) {
              							_t72 =  *(_v8 + 0x170);
              							SetWindowLongW(_t72, 0xffffffec, GetWindowLongW(_t72, 0xffffffec) | 0x08000000);
              						}
              						E004F2B88( *(_v8 + 0x170),  *(_v8 + 0xd3) & 0x000000ff ^ 0x00000001,  *(_v8 + 0xd3) & 0x000000ff ^ 0x00000001);
              					}
              				}
              				_pop(_t86);
              				 *[fs:eax] = _t86;
              				_push(E004FF293);
              				_t47 = _v8;
              				if( *((intOrPtr*)(_t47 + 0x44)) == 0) {
              					_t87 =  *0x4ee4c0; // 0x4ee518
              					_t47 = E004058E0(_v16, _t87);
              					if(_t47 != 0) {
              						_t49 = _v16;
              						 *((char*)(_t49 + 0x370)) = 0;
              						return _t49;
              					}
              				}
              				return _t47;
              			}

              APIs
              • GetWindowLongW.USER32(?,000000EC), ref: 004FF228
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004FF236
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: LongWindow
              • String ID: b3_
              • API String ID: 1378638983-3148738313
              • Opcode ID: 1a06cb925df799030fa8be06334836c04a01ad4468fb89f1b65206e7298986d2
              • Instruction ID: ec0f1cdd049c74328326eeb5b29adf86d3bca0fc0b41c351140660bf6fd10b40
              • Opcode Fuzzy Hash: 1a06cb925df799030fa8be06334836c04a01ad4468fb89f1b65206e7298986d2
              • Instruction Fuzzy Hash: 7741C234A04208EFDB00CFA9C980AAEB7F5EF49304F6145F6E914A7392D738AE05CB14
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (figure omitted): basic blocks 405e06 through 405f31; the graph covers calls to 405578, 405d20, UnhandledExceptionFilter, RtlUnwind, 40aee8 and 405d70.
              C-Code - Quality: 63%
              			E00405E06(void* __ebx, void* __edi, void* __esi, void* __ebp, struct _EXCEPTION_POINTERS _a4, intOrPtr _a8, intOrPtr _a12) {
              				intOrPtr _v8;
              				struct _EXCEPTION_RECORD* _t22;
              				intOrPtr* _t25;
              				long _t28;
              				long _t30;
              				long _t31;
              				long _t32;
              				void* _t33;
              				void* _t38;
              				long _t41;
              				intOrPtr* _t43;
              				intOrPtr _t44;
              				void* _t45;
              				void* _t47;
              				void* _t48;
              				intOrPtr _t50;
              
              				_t48 = __ebp;
              				_t47 = __esi;
              				_t45 = __edi;
              				_t33 = __ebx;
              				_t22 = _a4.ExceptionRecord;
              				if((_t22->ExceptionFlags & 0x00000006) == 0) {
              					_t41 = _t22->ExceptionInformation[1];
              					_t38 = _t22->ExceptionInformation;
              					if(_t22->ExceptionCode == 0xeedfade) {
              						L11:
              						if( *0x5f402c <= 1 ||  *0x5f4028 > 0) {
              							goto L14;
              						}
              						_t28 = UnhandledExceptionFilter( &_a4);
              						_t38 = _t38;
              						_t41 = _t41;
              						_t22 = _t22;
              						if(_t28 != 0) {
              							goto L14;
              						}
              					} else {
              						asm("cld");
              						E00405578(_t22);
              						_t43 =  *0x5f9010; // 0x0
              						if(_t43 != 0) {
              							_t30 =  *_t43();
              							if(_t30 != 0) {
              								_t44 = _a12;
              								if(_a4.ExceptionRecord->ExceptionCode == 0xeefface) {
              									L10:
              									_t41 = _t30;
              									_t22 = _a4.ExceptionRecord;
              									_t38 = _t22->ExceptionAddress;
              									goto L11;
              								} else {
              									_t30 = E00405D20(_t30, _t44, __edi);
              									if( *0x5f402c <= 0 ||  *0x5f4028 > 0) {
              										goto L10;
              									} else {
              										_t31 = UnhandledExceptionFilter( &_a4);
              										_t32 = _t30;
              										if(_t31 != 0) {
              											_t41 = _t32;
              											_t22 = _a4.ExceptionRecord;
              											_t38 = _t22->ExceptionAddress;
              											L14:
              											_t22->ExceptionFlags = _t22->ExceptionFlags | 0x00000002;
              											 *0x5f9018(_a8, "true", _t22, 0, _t38, _t41, _t22,  *[fs:ebx], _t48, _t45, _t47, _t33); // executed
              											_t46 = _v8;
              											_t25 = E0040AEE8();
              											_push( *_t25);
              											 *_t25 = _t50;
              											 *((intOrPtr*)(_v8 + 4)) = E00405F0C;
              											E00405D70(_t25,  *((intOrPtr*)(_t46 + 4)) + 5, _t47);
              											goto __ebx;
              										}
              									}
              								}
              							}
              						}
              					}
              				}
              				return 1;
              			}

              APIs
              • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405E72
              • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00005E08), ref: 00405EAF
              • RtlUnwind.KERNEL32(?,?,Function_00005E08,00000000,?,?,Function_00005E08,?), ref: 00405EDA
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionFilterUnhandled$Unwind
              • String ID:
              • API String ID: 1141220122-0
              • Opcode ID: 135184f26fe000dbbd9db70abe89ce1ad78a92b8f25cd810d575c8edb277e1e9
              • Instruction ID: 16d478e77fe2e1e800d48bdbb38a604db07a4f726f6afed9864ab9ed22db0b00
              • Opcode Fuzzy Hash: 135184f26fe000dbbd9db70abe89ce1ad78a92b8f25cd810d575c8edb277e1e9
              • Instruction Fuzzy Hash: 34317CB4604601AFE324DB20D888F2B77A9EB84714F25856BE548A72D1C738ED44CE69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83% (Delphi RTL halt routine: when an error address is pending it prints "Runtime error at" through E004066FC via GetStdHandle/WriteFile, walks the ExitProc chain at 0x5F9050, unloads packages with FreeLibrary and finally calls ExitProcess with the ExitCode global at 0x5F4000)
              			E0040678C() {
              				int _t19;
              				void* _t39;
              				struct HINSTANCE__* _t48;
              				intOrPtr _t50;
              				void* _t51;
              
              				if( *0x5f4004 != 0) {
              					E0040666C();
              					E004066FC(_t39);
              					 *0x5f4004 = 0;
              				}
              				if( *0x5fbb20 != 0 && GetCurrentThreadId() ==  *0x5fbb48) {
              					E00406408(0x5fbb1c);
              					E004066D0(0x5fbb1c);
              				}
              				if( *0x005FBB14 != 0 ||  *0x5f9050 == 0) {
              					L8:
              					if( *((char*)(0x5fbb14)) == 2 &&  *0x5f4000 == 0) {
              						 *0x005FBAF8 = 0;
              					}
              					E00406430(); // executed
              					if( *((char*)(0x5fbb14)) <= 1 ||  *0x5f4000 != 0) {
              						_t43 =  *0x005FBAFC;
              						if( *0x005FBAFC != 0) {
              							E0040A278(_t43);
              							_t50 =  *((intOrPtr*)(0x5fbafc));
              							_t7 = _t50 + 0x10; // 0x400000
              							_t48 =  *_t7;
              							_t8 = _t50 + 4; // 0x400000
              							if(_t48 !=  *_t8 && _t48 != 0) {
              								FreeLibrary(_t48);
              							}
              						}
              					}
              					E00406408(0x5fbaec);
              					if( *((char*)(0x5fbb14)) == 1) {
              						 *0x005FBB10();
              					}
              					if( *((char*)(0x5fbb14)) != 0) {
              						E004066D0(0x5fbaec);
              					}
              					if( *0x5fbaec == 0) {
              						if( *0x5f9030 != 0) {
              							 *0x5f9030();
              						}
              						_t19 =  *0x5f4000; // 0x1
              						ExitProcess(_t19); // executed
              					}
              					memcpy(0x5fbaec,  *0x5fbaec, 0xc << 2);
              					_t51 = _t51 + 0xc;
              				} else {
              					do {
              						 *0x5f9050 = 0;
              						 *((intOrPtr*)( *0x5f9050))();
              					} while ( *0x5f9050 != 0);
              				}
              			}


              APIs
              • GetCurrentThreadId.KERNEL32 ref: 004067BD
              • FreeLibrary.KERNEL32(00400000,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?,?,EasyEPD,000004E4), ref: 0040683E
              • ExitProcess.KERNEL32(00000001,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?,?,EasyEPD,000004E4), ref: 0040687A
                • Part of subcall function 004066FC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?), ref: 00406735
                • Part of subcall function 004066FC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001), ref: 0040673B
                • Part of subcall function 004066FC: GetStdHandle.KERNEL32(000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406750
                • Part of subcall function 004066FC: WriteFile.KERNEL32(00000000,000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406756
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
              • String ID:
              • API String ID: 3490077880-0
              • Opcode ID: 519aaf2d9d97340e6bfb87cf1586c4853bad046dd7e0248776f2adea5dfdfaf7
              • Instruction ID: 9867dc43939077647e91a6e3acf10b5f8bc83fe7bfee3fe23eb874c9f8612224
              • Opcode Fuzzy Hash: 519aaf2d9d97340e6bfb87cf1586c4853bad046dd7e0248776f2adea5dfdfaf7
              • Instruction Fuzzy Hash: 4531B1719012148FEF21AF39D8487663AE4AB04318F16457BE806AB3C6D77CCCA4CB5E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83% (same routine as E0040678C, decompiled from an entry point 8 bytes earlier; the first statement is decoded from the partial instruction at 0x00406786 and is not real code, the rest of the body is identical)
              			E00406784() {
              				intOrPtr* _t13;
              				int _t22;
              				void* _t43;
              				struct HINSTANCE__* _t54;
              				intOrPtr _t57;
              				void* _t58;
              
              				 *((intOrPtr*)(_t13 +  *_t13)) =  *((intOrPtr*)(_t13 +  *_t13)) + _t13 +  *_t13;
              				if( *0x5f4004 != 0) {
              					E0040666C();
              					E004066FC(_t43);
              					 *0x5f4004 = 0;
              				}
              				if( *0x5fbb20 != 0 && GetCurrentThreadId() ==  *0x5fbb48) {
              					E00406408(0x5fbb1c);
              					E004066D0(0x5fbb1c);
              				}
              				if( *0x005FBB14 != 0 ||  *0x5f9050 == 0) {
              					L10:
              					if( *((char*)(0x5fbb14)) == 2 &&  *0x5f4000 == 0) {
              						 *0x005FBAF8 = 0;
              					}
              					E00406430(); // executed
              					if( *((char*)(0x5fbb14)) <= 1 ||  *0x5f4000 != 0) {
              						_t48 =  *0x005FBAFC;
              						if( *0x005FBAFC != 0) {
              							E0040A278(_t48);
              							_t57 =  *((intOrPtr*)(0x5fbafc));
              							_t7 = _t57 + 0x10; // 0x400000
              							_t54 =  *_t7;
              							_t8 = _t57 + 4; // 0x400000
              							if(_t54 !=  *_t8 && _t54 != 0) {
              								FreeLibrary(_t54);
              							}
              						}
              					}
              					E00406408(0x5fbaec);
              					if( *((char*)(0x5fbb14)) == 1) {
              						 *0x005FBB10();
              					}
              					if( *((char*)(0x5fbb14)) != 0) {
              						E004066D0(0x5fbaec);
              					}
              					if( *0x5fbaec == 0) {
              						if( *0x5f9030 != 0) {
              							 *0x5f9030();
              						}
              						_t22 =  *0x5f4000; // 0x1
              						ExitProcess(_t22); // executed
              					}
              					memcpy(0x5fbaec,  *0x5fbaec, 0xc << 2);
              					_t58 = _t58 + 0xc;
              				} else {
              					do {
              						 *0x5f9050 = 0;
              						 *((intOrPtr*)( *0x5f9050))();
              					} while ( *0x5f9050 != 0);
              				}
              			}

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 004067BD
              • FreeLibrary.KERNEL32(00400000,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?,?,EasyEPD,000004E4), ref: 0040683E
              • ExitProcess.KERNEL32(00000001,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?,?,EasyEPD,000004E4), ref: 0040687A
                • Part of subcall function 004066FC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?), ref: 00406735
                • Part of subcall function 004066FC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001), ref: 0040673B
                • Part of subcall function 004066FC: GetStdHandle.KERNEL32(000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406750
                • Part of subcall function 004066FC: WriteFile.KERNEL32(00000000,000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406756
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
              • String ID:
              • API String ID: 3490077880-0
              • Opcode ID: 59fa10dc47669ab6c24afc637a70c8f3748b567eb0db569a03c2c4611db01e94
              • Instruction ID: a2d6eaf798ce685354e4ca30805bfbb06767aae44cec9e444d4d48af2e478b0c
              • Opcode Fuzzy Hash: 59fa10dc47669ab6c24afc637a70c8f3748b567eb0db569a03c2c4611db01e94
              • Instruction Fuzzy Hash: 433193719012548FDF21AF75D4483663BA46B14318F16457BE802AB3D6D77CCCA4CB5E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83% (same routine as E0040678C, decompiled from an entry point 4 bytes earlier; the body is identical)
              			E00406788() {
              				int _t21;
              				void* _t42;
              				struct HINSTANCE__* _t53;
              				intOrPtr _t56;
              				void* _t57;
              
              				if( *0x5f4004 != 0) {
              					E0040666C();
              					E004066FC(_t42);
              					 *0x5f4004 = 0;
              				}
              				if( *0x5fbb20 != 0 && GetCurrentThreadId() ==  *0x5fbb48) {
              					E00406408(0x5fbb1c);
              					E004066D0(0x5fbb1c);
              				}
              				if( *0x005FBB14 != 0 ||  *0x5f9050 == 0) {
              					L9:
              					if( *((char*)(0x5fbb14)) == 2 &&  *0x5f4000 == 0) {
              						 *0x005FBAF8 = 0;
              					}
              					E00406430(); // executed
              					if( *((char*)(0x5fbb14)) <= 1 ||  *0x5f4000 != 0) {
              						_t47 =  *0x005FBAFC;
              						if( *0x005FBAFC != 0) {
              							E0040A278(_t47);
              							_t56 =  *((intOrPtr*)(0x5fbafc));
              							_t7 = _t56 + 0x10; // 0x400000
              							_t53 =  *_t7;
              							_t8 = _t56 + 4; // 0x400000
              							if(_t53 !=  *_t8 && _t53 != 0) {
              								FreeLibrary(_t53);
              							}
              						}
              					}
              					E00406408(0x5fbaec);
              					if( *((char*)(0x5fbb14)) == 1) {
              						 *0x005FBB10();
              					}
              					if( *((char*)(0x5fbb14)) != 0) {
              						E004066D0(0x5fbaec);
              					}
              					if( *0x5fbaec == 0) {
              						if( *0x5f9030 != 0) {
              							 *0x5f9030();
              						}
              						_t21 =  *0x5f4000; // 0x1
              						ExitProcess(_t21); // executed
              					}
              					memcpy(0x5fbaec,  *0x5fbaec, 0xc << 2);
              					_t57 = _t57 + 0xc;
              				} else {
              					do {
              						 *0x5f9050 = 0;
              						 *((intOrPtr*)( *0x5f9050))();
              					} while ( *0x5f9050 != 0);
              				}
              			}

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 004067BD
              • FreeLibrary.KERNEL32(00400000,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?,?,EasyEPD,000004E4), ref: 0040683E
              • ExitProcess.KERNEL32(00000001,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?,?,EasyEPD,000004E4), ref: 0040687A
                • Part of subcall function 004066FC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?), ref: 00406735
                • Part of subcall function 004066FC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001), ref: 0040673B
                • Part of subcall function 004066FC: GetStdHandle.KERNEL32(000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406750
                • Part of subcall function 004066FC: WriteFile.KERNEL32(00000000,000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406756
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
              • String ID:
              • API String ID: 3490077880-0
              • Opcode ID: cc63ea3ee359502ac8a485abbf48d8f25e5512a2f81d7ff8563f2dac86c81f4b
              • Instruction ID: f2ba12a37d6b7852791332f4ad859c3d471209a985b9c52a56a7d2ef8c62abb9
              • Opcode Fuzzy Hash: cc63ea3ee359502ac8a485abbf48d8f25e5512a2f81d7ff8563f2dac86c81f4b
              • Instruction Fuzzy Hash: 282191719012148BEF21AF35D4483663AA46B10318F16457BE802AB3C6D77CCCA4CB5E
              Uniqueness

              Uniqueness Score: -1.00%
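The routines decompiled in this report are the Delphi RTL's exception plumbing, and an analyst reading a crash out of this sample needs to decode them rather than the sample's own logic. The helper below is an added example, not code from the report or from EasyEPD.exe. It mirrors what the listings show: E00405E06 declines to handle while ExceptionFlags & 6 marks an unwind, treats ExceptionCode 0xEEDFADE as a Delphi exception object and 0xEEFFACE as the C++Builder exception code, and reaches UnhandledExceptionFilter only when the JIT-debug globals allow it; E0040678C writes "Runtime error at" and calls ExitProcess with the ExitCode global; and the switch in E00406346, which follows, compares the NT status against STATUS_ACCESS_VIOLATION (0xC0000005), the floating-point statuses 0xC000008E to 0xC0000096, STATUS_STACK_OVERFLOW (0xC00000FD) and STATUS_CONTROL_C_EXIT (0xC00000FD + 0x3D), and sets ExitCode 0xD9 (runtime error 217) for an unhandled Delphi exception. The complete status-to-runtime-error table is an assumption taken from the Delphi RTL's System.MapToRunError; only the constants named here are visible in the listings. The byte region the scanner runs over is constructed for the example, not dumped from the sample.

```python
"""Added triage helper for the Delphi RTL exception handlers in this dump.
Not part of the Joe Sandbox report or of EasyEPD.exe."""
from __future__ import annotations

import re
import struct

# Exception codes the RTL itself raises or recognises (both visible in E00405E06).
DELPHI_EXCEPTION = 0xEEDFADE   # RaiseException code carrying a Delphi exception object
CPP_EXCEPTION = 0xEEFFACE      # C++Builder exception code, accepted as a ready object

# SEH ExceptionFlags bits that make the dispatcher return ExceptionContinueSearch (1).
EXCEPTION_UNWINDING = 0x2
EXCEPTION_EXIT_UNWIND = 0x4

# NT status -> Delphi runtime error number. ASSUMED from System.MapToRunError in the
# Delphi RTL sources; the switch in E00406346 tests the same status constants.
_RUN_ERROR_BY_STATUS = {
    0xC0000094: 200,  # STATUS_INTEGER_DIVIDE_BY_ZERO
    0xC000008E: 200,  # STATUS_FLOAT_DIVIDE_BY_ZERO
    0xC000008C: 201,  # STATUS_ARRAY_BOUNDS_EXCEEDED
    0xC00000FD: 202,  # STATUS_STACK_OVERFLOW
    0xC0000091: 205,  # STATUS_FLOAT_OVERFLOW
    0xC0000093: 206,  # STATUS_FLOAT_UNDERFLOW
    0xC000008D: 206,  # STATUS_FLOAT_DENORMAL_OPERAND
    0xC000008F: 207,  # STATUS_FLOAT_INEXACT_RESULT
    0xC0000090: 207,  # STATUS_FLOAT_INVALID_OPERATION
    0xC0000092: 207,  # STATUS_FLOAT_STACK_CHECK
    0xC0000095: 215,  # STATUS_INTEGER_OVERFLOW
    0xC0000005: 216,  # STATUS_ACCESS_VIOLATION
    0xC000013A: 217,  # STATUS_CONTROL_C_EXIT (0xC00000FD + 0x3D in the listing)
    0xC0000096: 218,  # STATUS_PRIVILEGED_INSTRUCTION
}


def map_to_run_error(status: int) -> int:
    """Delphi runtime error number for an NT exception status; 255 when unmapped."""
    return _RUN_ERROR_BY_STATUS.get(status & 0xFFFFFFFF, 255)


def classify_exception(code: int, flags: int = 0) -> tuple[str, int | None]:
    """Reproduce the dispatch order of the decompiled handlers.

    Returns (kind, runtime_error). During an unwind the RTL maps nothing and
    lets the search continue; an unhandled Delphi exception ends in error 217
    (ExitCode 0xD9 in E00406346); anything else goes through the status table.
    """
    if flags & (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND):
        return ("unwind", None)
    if code == DELPHI_EXCEPTION:
        return ("delphi-exception", 217)
    if code == CPP_EXCEPTION:
        return ("cpp-exception", None)  # used as an exception object, not mapped
    return ("nt-status", map_to_run_error(code))


def find_delphi_rtl_markers(blob: bytes) -> dict[str, list[int]]:
    """Offsets of the RTL constants and banner that identify a Delphi runtime."""
    wanted = {
        "EEDFADE": struct.pack("<I", DELPHI_EXCEPTION),
        "EEFFACE": struct.pack("<I", CPP_EXCEPTION),
        "Runtime error at": b"Runtime error at",
    }
    return {name: [m.start() for m in re.finditer(re.escape(pat), blob)]
            for name, pat in wanted.items()}


# Constructed stand-in for a dumped code region (not bytes from the sample):
# CMP EAX, 0EEDFADEh; five NOPs; CMP EAX, 0EEFFACEh; then the RTL error banner.
SAMPLE_REGION = (b"\x3d" + struct.pack("<I", DELPHI_EXCEPTION)
                 + b"\x90" * 5
                 + b"\x3d" + struct.pack("<I", CPP_EXCEPTION)
                 + b"\x00Runtime error at \x00")

if __name__ == "__main__":
    print(find_delphi_rtl_markers(SAMPLE_REGION))
    print(classify_exception(0xC0000005))        # access violation -> runtime error 216
    print(classify_exception(DELPHI_EXCEPTION))  # unhandled Delphi exception -> 217
```

In practice, feed find_delphi_rtl_markers the .text dump listed under Memory Dump Source to confirm that the crash path is the RTL's, and feed classify_exception the ExceptionCode from the crash dump to learn which runtime error number the process would have reported.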

              C-Code - Quality: 50% (RTL exit path for an exception that reached the top of the handler chain: an ExceptionCode of 0xEEDFADE sets the ExitCode global at 0x5F4000 to 0xD9, runtime error 217, before the halt routine E0040678C is entered; for other codes the switch below compares the NT status against the access-violation, floating-point, stack-overflow and control-C statuses to pick the runtime error number)
              			E00406346(struct _EXCEPTION_POINTERS _a4, long _a8) {
              				long _v12;
              				void* _t18;
              				long _t19;
              				long _t24;
              				long _t25;
              				void* _t29;
              				void* _t30;
              				void* _t39;
              				void* _t40;
              
              				if((_a4.ExceptionRecord->ExceptionFlags & 0x00000006) != 0) {
              					L43:
              					__eflags = 0;
              					return 0;
              				} else {
              					__eflags =  *0x5f4028;
              					if( *0x5f4028 > 0) {
              						L36:
              						__eax = _a4.ExceptionRecord;
              						asm("cld");
              						__eax = E00405578(_a4.ExceptionRecord);
              						__edx = _a8;
              						__eax =  *0x5f9018(_a8, "true", __eax, 0); // executed
              						__ebx = _v12;
              						__eflags =  *__ebx - 0xeedfade;
              						__edx =  *(__ebx + 0x14);
              						__eax =  *(__ebx + 0x18);
              						if( *__ebx == 0xeedfade) {
              							L40:
              							__eax = E00405DE8(__eax);
              							__ecx =  *0x5f9004; // 0x0
              							__eflags = __ecx;
              							if(__ecx != 0) {
              								__eax =  *__ecx();
              							}
              							__ecx = _v12;
              							__eax = 0xd9;
              							__edx =  *(__ecx + 0x14);
              							 *__esp =  *(__ecx + 0x14);
              							_pop( *0x5f4004);
              							 *0x5f4000 = 0xd9;
              							E0040678C();
              							return 0xd9;
              						} else {
              							__edx =  *0x5f9010; // 0x0
              							__eflags = __edx;
              							if(__edx == 0) {
              								L1:
              								_t32 = _v12;
              								_t18 =  *_v12;
              								_t39 = _t18 - 0xc0000092;
              								if(_t39 > 0) {
              									__eflags = _t18 - 0xc0000096;
              									if(__eflags > 0) {
              										_t19 = _t18 - 0xc00000fd;
              										__eflags = _t19;
              										if(_t19 == 0) {
              										} else {
              											__eflags = _t19 != 0x3d;
              											if(_t19 != 0x3d) {
              												goto L32;
              											}
              										}
              									} else {
              										if(__eflags == 0) {
              										} else {
              											_t24 = _t18 - 0xc0000093;
              											__eflags = _t24;
              											if(_t24 == 0) {
              												goto L27;
              											} else {
              												_t25 = _t24 - 1;
              												__eflags = _t25;
              												if(_t25 == 0) {
              												} else {
              													__eflags = _t25 != 1;
              													if(_t25 != 1) {
              														goto L32;
              													}
              												}
              											}
              										}
              									}
              								} else {
              									if(_t39 == 0) {
              										L24:
              									} else {
              										_t40 = _t18 - 0xc000008e;
              										if(_t40 > 0) {
              											__eflags = _t18 + 0x3fffff71 - 2;
              											if(__eflags < 0) {
              												goto L24;
              											} else {
              												if(__eflags != 0) {
              													goto L32;
              												}
              											}
              										} else {
              											if(_t40 == 0) {
              											} else {
              												_t29 = _t18 - 0xc0000005;
              												if(_t29 == 0) {
              												} else {
              													_t30 = _t29 - 0x87;
              													if(_t30 == 0) {
              													} else {
              														if(_t30 == 1) {
              															L27:
              														} else {
              															L32:
              														}
              													}
              												}
              											}
              										}
              									}
              								}
              								return E0040438C( *((intOrPtr*)(_t32 + 0xc)));
              							} else {
              								__eax = __ebx;
              								__eax =  *__edx();
              								__eflags = __eax;
              								if(__eax == 0) {
              									goto L1;
              								} else {
              									__edx =  *(__ebx + 0xc);
              									goto L40;
              								}
              							}
              						}
              					} else {
              						__eax =  &_a4;
              						__eax = UnhandledExceptionFilter( &_a4); // executed
              						__eflags = __eax;
              						if(__eax == 0) {
              							goto L43;
              						} else {
              							goto L36;
              						}
              					}
              				}
              			}

              APIs
              • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00406367
              • RtlUnwind.KERNEL32(?,?,00000000,00000000), ref: 00406388
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionFilterUnhandledUnwind
              • String ID:
              • API String ID: 2354489195-0
              • Opcode ID: 615531bb1fb948416842ed36a4fa57e729e881b81c0353a512857551299cfb07
              • Instruction ID: 7a53ef408fd81b78049ac2117c94b095f81b1d254df3e06736cdabc0ff7f7e78
              • Opcode Fuzzy Hash: 615531bb1fb948416842ed36a4fa57e729e881b81c0353a512857551299cfb07
              • Instruction Fuzzy Hash: 7721C6352042019BD724DF18C984B2B73A5AF84310F16857BAC46EB3D5CB3CDC60DB99
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E00409D84(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				char _v8;
              				short _v530;
              				char _v536;
              				char _v540;
              				void* _t44;
              				intOrPtr _t45;
              				void* _t49;
              				void* _t52;
              
              				_v536 = 0;
              				_v540 = 0;
              				_v8 = 0;
              				_t49 = __eax;
              				_push(_t52);
              				_push(0x409e3e);
              				_push( *[fs:eax]);
              				 *[fs:eax] = _t52 + 0xfffffde8;
              				GetModuleFileNameW(0,  &_v530, 0x105);
              				E00407500( &_v536, _t49);
              				_push(_v536);
              				E0040753C( &_v540, 0x105,  &_v530);
              				_pop(_t44); // executed
              				E00409F94(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
              				if(_v8 != 0) {
              					LoadLibraryExW(E004073E0(_v8), 0, 2);
              				}
              				_pop(_t45);
              				 *[fs:eax] = _t45;
              				_push(E00409E45);
              				L0040734C( &_v540, 2);
              				return L00407344( &_v8);
              			}

              APIs
              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409E3E,?,?,00000000), ref: 00409DC0
                • Part of subcall function 00409F94: lstrcpynW.KERNEL32(?,00000000,00000105,00000000,0040A133,?,?,?,00000000), ref: 0040A00F
                • Part of subcall function 00409F94: lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,0040A133,?,?,?,00000000), ref: 0040A01B
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,00409E3E,?,?,00000000), ref: 00409E11
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FileLibraryLoadModuleNamelstrcpynlstrlen
              • String ID:
              • API String ID: 2912033995-0
              • Opcode ID: cff9b18f8c60faf4c619abc3b50c31c85f7d2f5e8d69d4bbfad7d98276597e26
              • Instruction ID: f05c5204dd5c45b4209d9cdadf335cfec14ac048883a0a64dc8909b25322980f
              • Opcode Fuzzy Hash: cff9b18f8c60faf4c619abc3b50c31c85f7d2f5e8d69d4bbfad7d98276597e26
              • Instruction Fuzzy Hash: DE119430A4421CABDB14DB50CD86BDE73B8DB04304F5140BAB408B32D1DA786F84CEA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E004FEB50(void* __eax, void* __ecx, void* __edx, void* __eflags) {
              				void* __ebx;
              				void* _t9;
              				void* _t18;
              				void* _t23;
              				void* _t24;
              
              				_t24 = __eflags;
              				_t23 = __edx;
              				_t18 = __eax;
              				_t9 = E00407AB4( *((intOrPtr*)(__eax + 0x8c)), __eax, __edx);
              				if(_t24 == 0) {
              					return _t9;
              				}
              				if( *((char*)(_t18 + 0xac)) != 0) {
              					if( *((char*)(_t18 + 0xd3)) == 0) {
              						SetWindowTextW( *(_t18 + 0x170), E004073E0(_t23));
              					} else {
              						SetWindowTextW( *(_t18 + 0x170), 0); // executed
              					}
              				}
              				_t6 = _t18 + 0x8c; // 0x8c
              				return E00407354(_t6, _t23);
              			}

              APIs
              • SetWindowTextW.USER32(?,00000000), ref: 004FEB80
              • SetWindowTextW.USER32(?,00000000), ref: 004FEB96
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: TextWindow
              • String ID:
              • API String ID: 530164218-0
              • Opcode ID: 9e011c3179dc4944b4ef3e7819aaf90a65fe26f68f0b6813314874d4448d7f97
              • Instruction ID: 562bc3e07c8bf5a1c6b9c494932e23dccebbc08e6671604ade2cef329b92d43d
              • Opcode Fuzzy Hash: 9e011c3179dc4944b4ef3e7819aaf90a65fe26f68f0b6813314874d4448d7f97
              • Instruction Fuzzy Hash: 7FF0A770B0455496EB01EA6A44C5FAA22981B08305F0C40B7BE0CDF297CA7C6D0687BE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040418C() {
              				intOrPtr _t13;
              				int _t14;
              				void* _t16;
              				int _t20;
              				void* _t21;
              				void* _t22;
              				void* _t23;
              
              				_t23 =  *0x005F9A30;
              				while(_t23 != 0x5f9a2c) {
              					_t2 = _t23 + 4; // 0x5f9a2c
              					VirtualFree(_t23, 0, 0x8000); // executed
              					_t23 =  *_t2;
              				}
              				_t21 = 0x37;
              				_t13 = 0x5f4084;
              				do {
              					 *((intOrPtr*)(_t13 + 0x14)) = _t13;
              					 *((intOrPtr*)(_t13 + 4)) = _t13;
              					 *((intOrPtr*)(_t13 + 8)) = 1;
              					 *((intOrPtr*)(_t13 + 0xc)) = 0;
              					_t13 = _t13 + 0x20;
              					_t21 = _t21 - 1;
              				} while (_t21 != 0);
              				 *0x5f9a2c = 0x5f9a2c;
              				 *0x005F9A30 = 0x5f9a2c;
              				_t22 = 0x400;
              				_t20 = 0x5f9acc;
              				do {
              					_t14 = _t20;
              					 *_t14 = _t14;
              					_t8 = _t14 + 4; // 0x5f9acc
              					 *_t8 = _t14;
              					_t20 = _t20 + 8;
              					_t22 = _t22 - 1;
              				} while (_t22 != 0);
              				_t16 =  *0x005FBAD4;
              				while(_t16 != 0x5fbad0) {
              					_t10 = _t16 + 4; // 0x5fbad0
              					_t14 = VirtualFree(_t16, 0, 0x8000);
              					_t16 =  *_t10;
              				}
              				 *0x5fbad0 = 0x5fbad0;
              				 *0x005FBAD4 = 0x5fbad0;
              				return _t14;
              			}

              APIs
              • VirtualFree.KERNEL32(005F9A2C,00000000,00008000), ref: 004041AA
              • VirtualFree.KERNEL32(005FBAD0,00000000,00008000), ref: 00404207
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FreeVirtual
              • String ID:
              • API String ID: 1263568516-0
              • Opcode ID: f10f02b34af199360667ce4a18bb3721977a44d4474cced3fd28d24f7599c2ed
              • Instruction ID: cc05e57a9a5da49ce0e5139a00fa68cfe86960deac7eb9f45c996ca6bfb674c5
              • Opcode Fuzzy Hash: f10f02b34af199360667ce4a18bb3721977a44d4474cced3fd28d24f7599c2ed
              • Instruction Fuzzy Hash: 0811A1B13002049BC7244F449D88B26BAE5FB94750F19C47EE349AF385D678EC428B98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E0040D28A(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
              				WCHAR* _v8;
              				void* _t13;
              				struct HWND__* _t24;
              				WCHAR* _t31;
              				long _t38;
              
              				_push(_t31);
              				_v8 = _t31;
              				_t38 = __eax;
              				_t13 = E00404774();
              				_t24 = CreateWindowExW(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
              				E00404764(_t13);
              				return _t24;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 4a8655bf449c0cba0bac3ce6072963c9458fc4efc0d9cb7740e3dc009ed65faf
              • Instruction ID: 5a264385d20d2fdeaf1f3c7eff857cb0531ec26e0a273004ed09f576ca25475b
              • Opcode Fuzzy Hash: 4a8655bf449c0cba0bac3ce6072963c9458fc4efc0d9cb7740e3dc009ed65faf
              • Instruction Fuzzy Hash: 10F097B6700158BF9B80DE9DDC81DDB77ECEB8D264B054169FA0CD3201D634ED118BA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00408F28(void* __eax) {
              				short _v532;
              				void* __ebx;
              				void* __esi;
              				intOrPtr _t14;
              				void* _t16;
              				void* _t18;
              				void* _t19;
              				intOrPtr _t20;
              				void* _t21;
              
              				_t16 = __eax;
              				_t22 =  *((intOrPtr*)(__eax + 0x10));
              				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
              					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
              					_t14 = E00409D84(_t21, _t16, _t18, _t19, _t22); // executed
              					_t20 = _t14;
              					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
              					if(_t20 == 0) {
              						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
              					}
              				}
              				return  *((intOrPtr*)(_t16 + 0x10));
              			}

              APIs
              • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00408F46
                • Part of subcall function 00409D84: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409E3E,?,?,00000000), ref: 00409DC0
                • Part of subcall function 00409D84: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,00409E3E,?,?,00000000), ref: 00409E11
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FileModuleName$LibraryLoad
              • String ID:
              • API String ID: 4113206344-0
              • Opcode ID: ce82624cb2025369bee6f02a98740550a6c63583fbf2c1413b12746bd950664c
              • Instruction ID: 93e6d6c938a8695af7d41146dac281446d2cde1f40346e9f426a89c8cba438c4
              • Opcode Fuzzy Hash: ce82624cb2025369bee6f02a98740550a6c63583fbf2c1413b12746bd950664c
              • Instruction Fuzzy Hash: ACE03971A003109FCB10DE68C9C5A4333A4AB08754F000666AC54DF387D374CD2087D5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040D5F9(void* __eax) {
              				void* _t2;
              				struct HINSTANCE__* _t3;
              				int _t4;
              
              				_t2 = __eax + 0x5fbc48;
              				if(_t2 == 0 &&  *0x5fbc4c != 0) {
              					_t3 =  *0x5fbc4c; // 0x722d0000
              					_t4 = FreeLibrary(_t3); // executed
              					return _t4;
              				}
              				return _t2;
              			}

              APIs
              • FreeLibrary.KERNEL32(722D0000), ref: 0040D60F
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: 5d914e397517779c5e1ebe25f976a3b3ee60b7a7d51200f98715c1ffbdc884d1
              • Instruction ID: 2dda597eafeb0aa7877b9bf4145001265442d9df6aceca099b1d25413a29981a
              • Opcode Fuzzy Hash: 5d914e397517779c5e1ebe25f976a3b3ee60b7a7d51200f98715c1ffbdc884d1
              • Instruction Fuzzy Hash: BEC04C65800101C5EA28D795D8457372154A364304F4848275204976A0CF7D9D48DB2B
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E00409E88(char __eax, void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
              				char _v8;
              				char _v9;
              				void* _t24;
              				WCHAR* _t29;
              				intOrPtr _t33;
              				WCHAR* _t35;
              				signed int _t37;
              				void* _t40;
              
              				_v8 = __eax;
              				L0040733C(_v8);
              				_push(_t40);
              				_push(0x409f25);
              				_push( *[fs:eax]);
              				 *[fs:eax] = _t40 + 0xfffffff8;
              				_v9 = 1;
              				_t29 = E004073E0(_v8);
              				while( *_t29 != 0) {
              					_t35 = _t29;
              					while(1) {
              						_t37 =  *_t29 & 0x0000ffff;
              						if(_t37 == 0x2c || _t37 == 0) {
              							break;
              						}
              						_t29 =  &(_t29[1]);
              					}
              					if( *_t29 == 0x2c) {
              						 *_t29 = 0;
              						_t29 =  &(_t29[1]);
              					}
              					lstrcpynW( *(_a4 - 0x210), _t35,  *(_a4 - 0x214));
              					_t24 = E00409E50(_a4); // executed
              					if(_t24 == 0) {
              						continue;
              					}
              					L10:
              					_pop(_t33);
              					 *[fs:eax] = _t33;
              					_push(E00409F2C);
              					return L00407344( &_v8);
              				}
              				_v9 = 0;
              				goto L10;
              			}

              APIs
              • lstrcpynW.KERNEL32(?,00000000,?,00000000,00409F25,?,?,?,00000000), ref: 00409EF2
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: lstrcpyn
              • String ID:
              • API String ID: 97706510-0
              • Opcode ID: 197892109685b80350ee26d092852d461b26a517041bc23c981a040c097c9a55
              • Instruction ID: 4ac8d2b94b660a920d88597cdc856d414060e2900c8a3954063e3a5ef65cb122
              • Opcode Fuzzy Hash: 197892109685b80350ee26d092852d461b26a517041bc23c981a040c097c9a55
              • Instruction Fuzzy Hash: C611E071904208EFDF21DB69CC86BAA77E8EB05350F1040BAF804A73C2D7B85D00C6AA
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00402A68(signed int __eax) {
              				void* _t4;
              				intOrPtr _t7;
              				signed int _t8;
              				void* _t10;
              				void** _t15;
              				void* _t17;
              
              				_t8 = __eax;
              				E004029FC(__eax);
              				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
              				if(_t4 == 0) {
              					 *0x5f9a44 = 0;
              					return 0;
              				} else {
              					_t15 =  *0x5f9a30; // 0x5f9a2c
              					_t10 = _t4;
              					 *_t10 = 0x5f9a2c;
              					 *0x5f9a30 = _t4;
              					 *(_t10 + 4) = _t15;
              					 *_t15 = _t4;
              					_t17 = _t4 + 0x13fff0;
              					 *((intOrPtr*)(_t17 - 4)) = 2;
              					 *0x5f9a44 = 0x13ffe0 - _t8;
              					_t7 = _t17 - _t8;
              					 *0x5f9a40 = _t7;
              					 *(_t7 - 4) = _t8 | 0x00000002;
              					return _t7;
              				}
              			}
               Addresses: 0x00402a69 0x00402a6b 0x00402a7e 0x00402a85 0x00402ad6 0x00402ade 0x00402a87 0x00402a87 0x00402a8d 0x00402a8f 0x00402a95 0x00402a9a 0x00402a9d 0x00402aa1 0x00402aac 0x00402ab9 0x00402ac1 0x00402ac3 0x00402ad0 0x00402ad3 0x00402ad3

              APIs
              • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00403077), ref: 00402A7E
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 219dc926bb8dcd74cc60ab23f20a8f26922be2d70be3c244e65c3a2c1aaac088
              • Instruction ID: 1dbdd09c306e35204c5860f7e42a0284c5e1736e9009972446cb04aaf3558b9c
              • Opcode Fuzzy Hash: 219dc926bb8dcd74cc60ab23f20a8f26922be2d70be3c244e65c3a2c1aaac088
              • Instruction Fuzzy Hash: 05F049F1B517004BDB54DF799E457227AD2B789304F10817EE649DB7E8EBB98405EB00
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 78%
              			E004098E8(WCHAR* __eax, int __edx) {
              				WCHAR* _v8;
              				int _v12;
              				WCHAR* _v16;
              				void* _v20;
              				struct _WIN32_FIND_DATAW _v612;
              				short _v1134;
              				signed int _t53;
              				signed int _t54;
              				signed int _t59;
              				signed int _t60;
              				signed int _t105;
              				signed int _t106;
              				intOrPtr* _t107;
              				WCHAR* _t114;
              				WCHAR* _t116;
              				short* _t117;
              				void* _t118;
              
              				_v12 = __edx;
              				_v8 = __eax;
              				_v16 = _v8;
              				_v20 = GetModuleHandleW(L"kernel32.dll");
              				if(_v20 == 0) {
              					L4:
              					if( *_v8 != 0x5c) {
              						_t116 =  &(_v8[2]);
              						goto L10;
              					} else {
              						if(_v8[1] == 0x5c) {
              							_t117 = E004098C4( &(_v8[2]));
              							if( *_t117 != 0) {
              								_t17 = _t117 + 2; // 0x2
              								_t116 = E004098C4(_t17);
              								if( *_t116 != 0) {
              									L10:
              									_t105 = _t116 - _v8;
              									_t106 = _t105 >> 1;
              									if(_t105 < 0) {
              										asm("adc ebx, 0x0");
              									}
              									lstrcpynW( &_v1134, _v8, _t106 + 1);
              									while( *_t116 != 0) {
              										_t114 = E004098C4( &(_t116[1]));
              										_t53 = _t114 - _t116;
              										_t54 = _t53 >> 1;
              										if(_t53 < 0) {
              											asm("adc eax, 0x0");
              										}
              										if(_t54 + _t106 + 1 <= 0x105) {
              											_t59 = _t114 - _t116;
              											_t60 = _t59 >> 1;
              											if(_t59 < 0) {
              												asm("adc eax, 0x0");
              											}
              											lstrcpynW( &_v1134 + _t106 + _t106, _t116, _t60 + 1);
              											_v20 = FindFirstFileW( &_v1134,  &_v612);
              											if(_v20 != 0xffffffff) {
              												FindClose(_v20);
              												if(lstrlenW( &(_v612.cFileName)) + _t106 + 1 + 1 <= 0x105) {
              													 *((short*)(_t118 + _t106 * 2 - 0x46a)) = 0x5c;
              													lstrcpynW( &(( &_v1134 + _t106 + _t106)[1]),  &(_v612.cFileName), 0x105 - _t106 - 1);
              													_t106 = _t106 + lstrlenW( &(_v612.cFileName)) + 1;
              													_t116 = _t114;
              													continue;
              												}
              											}
              										}
              										goto L23;
              									}
              									lstrcpynW(_v8,  &_v1134, _v12);
              								}
              							}
              						}
              					}
              				} else {
              					_t107 = GetProcAddress(_v20, "GetLongPathNameW");
              					if(_t107 == 0) {
              						goto L4;
              					} else {
              						_push(0x105);
              						_push( &_v1134);
              						_push(_v8);
              						if( *_t107() == 0) {
              							goto L4;
              						} else {
              							lstrcpynW(_v8,  &_v1134, _v12);
              						}
              					}
              				}
              				L23:
              				return _v16;
              			}
               Addresses: 0x004098f4 0x004098f7 0x004098fd 0x0040990a 0x00409911 0x00409956 0x0040995d 0x0040999d 0x00000000 0x0040995f 0x00409967 0x00409978 0x0040997e 0x00409984 0x0040998c 0x00409992 0x004099a0 0x004099a2 0x004099a5 0x004099a7 0x004099a9 0x004099a9 0x004099bb 0x00409a8a 0x004099cd 0x004099d1 0x004099d3 0x004099d5 0x004099d7 0x004099d7 0x004099e2 0x004099ea 0x004099ec 0x004099ee 0x004099f0 0x004099f0 0x00409a03 0x00409a1b 0x00409a22 0x00409a2c 0x00409a48 0x00409a4a 0x00409a74 0x00409a86 0x00409a88 0x00000000 0x00409a88 0x00409a48 0x00409a22 0x00000000 0x004099e2 0x00409aa3 0x00409aa3 0x00409992 0x0040997e 0x00409967 0x00409913 0x00409921 0x00409925 0x00000000 0x00409927 0x00409927 0x00409932 0x00409936 0x0040993b 0x00000000 0x0040993d 0x0040994c 0x0040994c 0x0040993b 0x00409925 0x00409aa8 0x00409ab1

              APIs
              • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00409905
              • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 0040991C
              • lstrcpynW.KERNEL32(?,?,?), ref: 0040994C
              • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 004099BB
              • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00409A03
              • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00409A16
              • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00409A2C
              • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00409A38
              • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 00409A74
              • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 00409A80
              • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00409AA3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
              • String ID: GetLongPathNameW$\$kernel32.dll
              • API String ID: 3245196872-3908791685
              • Opcode ID: ee5eb37791ec5051b97092cc95cebc1a01017e0bd00e05ff2b6a9e16bbc5c0f7
              • Instruction ID: 8fea8ba035cf4e359e8b4f63381b4ba9f2eac249dcf836349b2d0b579bd5814d
              • Opcode Fuzzy Hash: ee5eb37791ec5051b97092cc95cebc1a01017e0bd00e05ff2b6a9e16bbc5c0f7
              • Instruction Fuzzy Hash: CE5165B2E00119ABCB10EAA8CD85ADE73B8EB45314F1445BAA544F72C2E77CDE448F5D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E004F2B88(struct HWND__* __eax, signed char __ecx, void* __edx) {
              				signed int _v14;
              				signed int _v15;
              				int _t11;
              				int _t13;
              				int _t15;
              				void* _t23;
              				signed int _t27;
              				struct HWND__* _t30;
              				signed char* _t31;
              
              				_push(__ecx);
              				 *_t31 = __ecx;
              				_t23 = __edx;
              				_t30 = __eax;
              				_t11 = GetWindowLongW(__eax, 0xffffffec);
              				_t27 = _t11;
              				if(_t23 == 0 || (_t27 & 0x00040000) != 0) {
              					if(_t23 != 0) {
              						goto L14;
              					}
              					_t11 = _t27 & 0x00040000;
              					if(_t11 != 0x40000) {
              						goto L14;
              					}
              					goto L4;
              				} else {
              					L4:
              					_t13 = IsIconic(_t30);
              					asm("sbb eax, eax");
              					_v14 = _t13 + 1;
              					_t15 = IsWindowVisible(_t30);
              					asm("sbb eax, eax");
              					_v15 = _t15 + 1;
              					if((_v15 & 0x000000ff | _v14) != 0) {
              						ShowWindow(_t30, 0);
              					}
              					if(_t23 == 0) {
              						SetWindowLongW(_t30, 0xffffffec, _t27 & 0xfffbffff);
              					} else {
              						SetWindowLongW(_t30, 0xffffffec, _t27 | 0x00040000);
              					}
              					_t11 =  *_t31 & 0x000000ff & _v15;
              					if(_t11 != 0 || _v14 != 0) {
              						if(_v14 == 0) {
              							_t11 = ShowWindow(_t30, 5);
              						} else {
              							_t11 = ShowWindow(_t30, 6);
              						}
              					}
              					L14:
              					return _t11;
              				}
              			}
               Addresses: 0x004f2b8b 0x004f2b8c 0x004f2b8f 0x004f2b91 0x004f2b96 0x004f2b9b 0x004f2b9f 0x004f2bab 0x00000000 0x00000000 0x004f2bb3 0x004f2bbd 0x00000000 0x00000000 0x00000000 0x004f2bc3 0x004f2bc3 0x004f2bc4 0x004f2bcc 0x004f2bcf 0x004f2bd4 0x004f2bdc 0x004f2bdf 0x004f2bec 0x004f2bf1 0x004f2bf1 0x004f2bf8 0x004f2c15 0x004f2bfa 0x004f2c04 0x004f2c04 0x004f2c1e 0x004f2c22 0x004f2c30 0x004f2c3f 0x004f2c32 0x004f2c35 0x004f2c35 0x004f2c30 0x004f2c44 0x004f2c48 0x004f2c48

              APIs
              • GetWindowLongW.USER32(00000000,000000EC), ref: 004F2B96
              • IsIconic.USER32 ref: 004F2BC4
              • IsWindowVisible.USER32(00000000), ref: 004F2BD4
              • ShowWindow.USER32(00000000,00000000,00000000,00000000,000000EC,?,00000000,00000000,?,00500F14,?,?,?,005FE2F0,005F3343), ref: 004F2BF1
              • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 004F2C04
              • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 004F2C15
              • ShowWindow.USER32(00000000,00000006,00000000,000000EC,00000000,00000000,00000000,000000EC,?,00000000,00000000,?,00500F14), ref: 004F2C35
              • ShowWindow.USER32(00000000,00000005,00000000,000000EC,00000000,00000000,00000000,000000EC,?,00000000,00000000,?,00500F14), ref: 004F2C3F
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Window$LongShow$IconicVisible
              • String ID:
              • API String ID: 3484284227-0
              • Opcode ID: 29e3591fd252f144b2f68b0292a6a794bcf0bfb0c95739edce84a7238493dd55
              • Instruction ID: 8c76b6f72b60f2216bd9da4bb80a88cd3d9c198205a8d9820b20a40da8a225d1
              • Opcode Fuzzy Hash: 29e3591fd252f144b2f68b0292a6a794bcf0bfb0c95739edce84a7238493dd55
              • Instruction Fuzzy Hash: F211272254DAD034D23A763A0D02FBF2A994FC3318F28463BF6D4E52C2C96C8506926F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E00409480(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
              				intOrPtr* _v12;
              				intOrPtr _v16;
              				short _v186;
              				short _v356;
              				char _v360;
              				char _v364;
              				char _v368;
              				int _t58;
              				signed int _t61;
              				intOrPtr _t71;
              				signed short _t81;
              				void* _t84;
              				void* _t86;
              				void* _t87;
              
              				_t78 = __edi;
              				_push(__edi);
              				_v360 = 0;
              				_v364 = 0;
              				_v368 = 0;
              				_v12 = __edx;
              				_t81 = __eax;
              				_push(_t84);
              				_push(0x4095e7);
              				 *[fs:eax] = _t84 + 0xfffffe94;
              				E00407354(_v12, 0,  *[fs:eax]);
              				_t86 = _t81 -  *0x5f47e0; // 0x404
              				if(_t86 >= 0) {
              					_t87 = _t81 -  *0x5f49e0; // 0x7c68
              					if(_t87 <= 0) {
              						_t78 = 0x40;
              						_v16 = 0;
              						if(0x40 >= _v16) {
              							do {
              								_t61 = _v16 + _t78 >> 1;
              								if(_t81 >=  *((intOrPtr*)(0x5f47e0 + _t61 * 8))) {
              									__eflags = _t81 -  *((intOrPtr*)(0x5f47e0 + _t61 * 8));
              									if(__eflags <= 0) {
              										E00409390( *((intOrPtr*)(0x5f47e4 + _t61 * 8)), _t61, _v12, _t78, _t81, __eflags);
              									} else {
              										_v16 = _t61 + 1;
              										goto L8;
              									}
              								} else {
              									_t78 = _t61 - 1;
              									goto L8;
              								}
              								goto L9;
              								L8:
              							} while (_t78 >= _v16);
              						}
              					}
              				}
              				L9:
              				if( *_v12 == 0 && IsValidLocale(_t81 & 0x0000ffff, 2) != 0) {
              					_t58 = _t81 & 0x0000ffff;
              					GetLocaleInfoW(_t58, 0x59,  &_v186, 0x55);
              					GetLocaleInfoW(_t58, 0x5a,  &_v356, 0x55);
              					E0040753C( &_v360, 0x55,  &_v186);
              					_push(_v360);
              					_push(0x409604);
              					E0040753C( &_v364, 0x55,  &_v356);
              					_push(_v364);
              					_push(E00409614);
              					E0040753C( &_v368, 0x55,  &_v186);
              					_push(_v368);
              					E004078F4(_v12, 5, _t78);
              				}
              				_pop(_t71);
              				 *[fs:eax] = _t71;
              				_push(E004095EE);
              				return L0040734C( &_v368, 3);
              			}
               Addresses: 0x00409480 0x0040948b 0x0040948e 0x00409494 0x0040949a 0x004094a0 0x004094a3 0x004094a7 0x004094a8 0x004094b0 0x004094b8 0x004094bd 0x004094c4 0x004094c6 0x004094cd 0x004094cf 0x004094d6 0x004094dc 0x004094de 0x004094e3 0x004094ed 0x004094f4 0x004094fc 0x0040950e 0x004094fe 0x004094ff 0x00000000 0x004094ff 0x004094ef 0x004094f1 0x00000000 0x004094f1 0x00000000 0x00409515 0x00409515 0x004094de 0x004094dc 0x004094cd 0x0040951a 0x00409520 0x00409544 0x00409548 0x00409559 0x0040956f 0x00409574 0x0040957a 0x00409590 0x00409595 0x0040959b 0x004095b1 0x004095b6 0x004095c4 0x004095c4 0x004095cb 0x004095ce 0x004095d1 0x004095e6

              APIs
              • IsValidLocale.KERNEL32(?,00000002,00000000,004095E7,?,?,?,00000000), ref: 0040952C
              • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,004095E7,?,?,?,00000000), ref: 00409548
              • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,004095E7,?,?,?,00000000), ref: 00409559
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Locale$Info$Valid
              • String ID:
              • API String ID: 1826331170-0
              • Opcode ID: 7d882214ebf7b4bb8deff548f585beeb6ac2684b4516dd028be4af3c479711f3
              • Instruction ID: afbe5fa315c181f4c16943e09339992b2932d288cd721b8d244c2451eacd6504
              • Opcode Fuzzy Hash: 7d882214ebf7b4bb8deff548f585beeb6ac2684b4516dd028be4af3c479711f3
              • Instruction Fuzzy Hash: 1531DF71904218ABDB25EF52DC91BEB77B5EB89704F0040BBE508B32D2D7396E45CE19
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 64%
              			E004F2B08(struct HWND__* __eax) {
              				intOrPtr _t5;
              				intOrPtr _t6;
              
              				_t6 =  *0x5fe2f0; // 0x0
              				if(__eax !=  *((intOrPtr*)(_t6 + 0x170))) {
              					return IsIconic(__eax);
              				} else {
              					_t5 =  *0x5fe2f0; // 0x0
              					asm("cmc");
              					asm("sbb eax, eax");
              					return _t5;
              				}
              			}
               Addresses: 0x004f2b08 0x004f2b14 0x004f2b29 0x004f2b16 0x004f2b16 0x004f2b1f 0x004f2b20 0x004f2b22 0x004f2b22

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Iconic
              • String ID:
              • API String ID: 110040809-0
              • Opcode ID: 7bbf7e2365e7b0bcb0f5078eb8695035049a286d078ac2b95bd7d45f92b3ef2f
              • Instruction ID: cb6b30ecd7558f31a96f036c099f03499ee30342b28602fc160b06a45bb1a656
              • Opcode Fuzzy Hash: 7bbf7e2365e7b0bcb0f5078eb8695035049a286d078ac2b95bd7d45f92b3ef2f
              • Instruction Fuzzy Hash: 08C01274A05141CBCB02DB34D481EA177677750301FD41A91E005C70A5D77CE848D790
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E004036E4(void* __eax, char* __edx) {
              
              				_t39 = __eax + 1;
              				 *__edx = 0xffffffff89705f71;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = 0xbadbbd;
              				asm("sbb edi, 0xffffffff");
              				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
              				return __edx + 1;
              			}
               Addresses: 0x004036e7 0x00403709 0x00403710 0x00403721 0x0040372c 0x0040373d 0x00403748 0x00403759 0x00403764 0x00403775 0x00403780 0x00403791 0x0040379c 0x004037ad 0x004037b8 0x004037c9 0x004037d4 0x004037e5 0x004037ed 0x004037f6 0x004037fc

               Memory Dump Source
               • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
               • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
               Joe Sandbox IDA Plugin
               • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

               C-Code - Quality: 53%
               E00408718(signed int __eax, signed int __edx, signed int _a4, signed int _a8) {
                   /* Decompiler output (Joe Sandbox IDA plugin, 53% quality). The shape is a
                      signed 64-bit division helper: dividend in edx:eax, divisor in _a8:_a4. */
                   signed int _v16;
                   signed int _v20;
                   signed int _t35;
                   signed int _t39;
                   signed int _t46;
                   signed int _t50;
                   signed int _t51;
                   signed int _t56;
                   signed int _t68;
                   signed int _t72;
                   signed int _t73;
                   void* _t74;

                   _t50 = _a8;
                   _t72 = __edx >> 0x1f;                 /* sign mask of the dividend (high dword) */
                   _t56 = __edx ^ _t72;
                   _t35 = (__eax ^ _t72) - _t72;         /* |dividend| via the xor/subtract trick */
                   asm("sbb edx, esi");
                   _t68 = _t50 >> 0x1f;                  /* sign mask of the divisor (high dword) */
                   _t73 = _t72 ^ _t68;                   /* sign of the quotient = sign(a) xor sign(b) */
                   _t51 = _t50 ^ _t68;
                   _t46 = (_a4 ^ _t68) - _t68;           /* |divisor| */
                   asm("sbb ecx, edi");
                   if(_t46 != 0) {
                       /* divisor does not fit in 32 bits: normalise both operands (bsr + shifts)
                          and divide; the asm() lines are instructions the decompiler could not lift */
                       *(_t74 - 0xc) = _t35;
                       _v20 = _t46;
                       _v16 = _t56;
                       asm("rcr eax, 1");
                       asm("ror edi, 1");
                       asm("rcr ebx, 1");
                       asm("bsr ecx, ecx");
                       asm("rol edi, 1");
                       _t39 = ((_t56 >> 0x00000001 << 0x00000020 | _t35) >> _t51) / ((_t51 << 0x00000020 | _t46) >> _t51);
                       asm("sbb ecx, edx");
                       asm("sbb eax, 0x0");
                   } else {
                       /* 32-bit divisor: two-step long division of the high then low dword */
                       if(_t56 >= _t46) {
                           _t51 = _t56 / _t46;
                       }
                       _t39 = _t35 / _t46;
                   }
                   asm("sbb edx, esi");
                   return (_t39 ^ _t73) - _t73;          /* re-apply the quotient sign */
               }

              Uniqueness

              Uniqueness Score: -1.00%

               C-Code - Quality: 100%
               E0040C5FE() {
                   /* thin wrapper around kernel32 GetVersion(): returns the packed legacy OS version dword */
                   return GetVersion();
               }

              Uniqueness

              Uniqueness Score: -1.00%

               C-Code - Quality: 100%
               E0040C686() {
                   /* thin wrapper around kernel32 IsDebuggerPresent(), which reads the
                      BeingDebugged flag of the current process's PEB */
                   return IsDebuggerPresent();
               }

              Uniqueness

              Uniqueness Score: -1.00%

               C-Code - Quality: 100%
               E0040D2E4(intOrPtr* __eax, int* __ecx, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                   /* Legacy mouse-wheel support detection, the pattern used by the Delphi VCL:
                      look for the "Magellan MSWHEEL" driver window, register its three custom
                      messages, and query wheel presence and scroll-lines from that window.
                      Outputs: *__eax = roll message, *__edx = wheel-support message,
                      *__ecx = scroll-lines message, *_a8 = wheel present, *_a4 = scroll lines. */
                   intOrPtr* _v12;
                   struct HWND__* _t20;
                   int* _t31;
                   int* _t34;

                   _t31 = __ecx;
                   _t34 = __edx;
                   _v12 = __eax;
                   _t20 = FindWindowW(L"MouseZ", L"Magellan MSWHEEL");
                   *_v12 = RegisterWindowMessageW(L"MSWHEEL_ROLLMSG");
                   *_t34 = RegisterWindowMessageW(L"MSH_WHEELSUPPORT_MSG");
                   *_t31 = RegisterWindowMessageW(L"MSH_SCROLL_LINES_MSG");
                   if( *_t34 == 0 || _t20 == 0) {
                       *_a8 = 0;                                   /* no driver window: no wheel support */
                   } else {
                       *_a8 = SendMessageW(_t20,  *_t34, 0, 0);
                   }
                   if( *_t31 == 0 || _t20 == 0) {
                       *_a4 = 3;                                   /* default: scroll 3 lines per notch */
                   } else {
                       *_a4 = SendMessageW(_t20,  *_t31, 0, 0);
                   }
                   return _t20;
               }

              APIs
              • FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 0040D2FE
              • RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 0040D30A
              • RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 0040D319
              • RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 0040D325
              • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040D33D
              • SendMessageW.USER32(00000000,?,00000000,00000000), ref: 0040D361
              Similarity
              • API ID: Message$Window$Register$Send$Find
              • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
              • API String ID: 3569030445-3736581797
              • Opcode ID: 8816ca6cb5fb38f1241d040ece926d8c2b92d4b7308aaa7dec3e7722c69b81d7
              • Instruction ID: 1dcca4bad58f43dc33321d5dad0f996563209fe090405d391262f23dfd5c2915
              • Opcode Fuzzy Hash: 8816ca6cb5fb38f1241d040ece926d8c2b92d4b7308aaa7dec3e7722c69b81d7
              • Instruction Fuzzy Hash: 51119470A04305AFE3146FE9CC82B6AB7D8EF44714F20803BBD44BB2C0D67958498B5D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 65%
              			E0040AB07(void* __ecx, void* __edx, void* __eflags) {
              				signed int* _t63;
              				_Unknown_base(*)()* _t65;
              				intOrPtr* _t72;
              				intOrPtr _t88;
              				struct HINSTANCE__* _t92;
              				signed int _t101;
              				signed int _t103;
              				_Unknown_base(*)()* _t110;
              				intOrPtr _t114;
              				void* _t116;
              				void* _t118;
              
              				_t116 = _t118;
              				_t114 =  *((intOrPtr*)(_t116 + 8));
              				E0040AA04(_t116 - 0x30, 0, 0x24);
              				 *(_t116 - 0x30) = 0x24;
              				 *((intOrPtr*)(_t116 - 0x2c)) = _t114;
              				_t101 =  *(_t116 + 0xc);
              				 *(_t116 - 0x28) = _t101;
              				 *(_t116 - 0x24) =  *(_t114 + 4);
              				_t92 =  *(_t114 + 8);
              				 *(_t116 - 4) = E0040AA82( *(_t116 + 0xc),  *((intOrPtr*)(_t114 + 0xc)));
              				_t63 = ( *(_t116 - 4) << 2) +  *((intOrPtr*)(_t114 + 0x10));
              				_t103 = (_t101 & 0xffffff00 | (_t63[0] & 0x00000080) == 0x00000000) & 0x00000001;
              				 *(_t116 - 0x20) = _t103;
              				if(_t103 == 0) {
              					 *(_t116 - 0x1c) =  *_t63 & 0x0000ffff;
              				} else {
              					 *(_t116 - 0x1c) =  *_t63 + 2;
              				}
              				_t110 = 0;
              				if( *0x5f49f4 == 0) {
              					L6:
              					if(_t92 != 0) {
              						L20:
              						 *(_t116 - 0x18) = _t92;
              						if( *0x5f49f4 != 0) {
              							_t110 =  *0x5f49f4(2, _t116 - 0x30);
              						}
              						if(_t110 != 0) {
              							L30:
              							if(_t110 == 0) {
              								 *((intOrPtr*)(_t116 - 0x10)) = GetLastError();
              								if( *0x5f49f0 != 0) {
              									_t110 =  *0x5f49f0(4, _t116 - 0x30);
              								}
              								if(_t110 == 0) {
              									 *(_t116 - 0xc) = _t116 - 0x30;
              									RaiseException(0xc0fb007f, 0, 1, _t116 - 0xc);
              									_t110 =  *((intOrPtr*)(_t116 - 0x14));
              								}
              							}
              							 *( *(_t116 + 0xc)) = _t110;
              							goto L36;
              						} else {
              							if( *((intOrPtr*)(_t114 + 0x14)) == 0 ||  *((intOrPtr*)(_t114 + 0x1c)) == 0) {
              								L29:
              								_t110 = GetProcAddress(_t92,  *(_t116 - 0x1c));
              								goto L30;
              							} else {
              								_t72 = E0040AAAE(_t92);
              								_t112 = _t72;
              								if( *_t72 != 0x4550 || E0040AADE(_t112) !=  *((intOrPtr*)(_t114 + 0x1c)) || E0040AAEB(_t112, _t92) == 0) {
              									goto L29;
              								} else {
              									E0040AABB( *((intOrPtr*)(_t114 + 0xc)),  *((intOrPtr*)(_t114 + 0x14)));
              									_t110 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 0xc)) +  *(_t116 - 4) * 4));
              									goto L36;
              								}
              							}
              						}
              					}
              					if( *0x5f49f4 != 0) {
              						_t92 =  *0x5f49f4(1, _t116 - 0x30);
              					}
              					if(_t92 == 0) {
              						_t92 = LoadLibraryA( *(_t116 - 0x24));
              					}
              					if(_t92 != 0) {
              						L16:
              						EnterCriticalSection(0x5fbc24);
              						if( *(_t114 + 8) != 0) {
              							FreeLibrary(_t92);
              							_t92 =  *(_t114 + 8);
              						} else {
              							E0040AA20(_t114);
              							 *(_t114 + 8) = _t92;
              						}
              						LeaveCriticalSection(0x5fbc24);
              						goto L20;
              					} else {
              						 *((intOrPtr*)(_t116 - 0x10)) = GetLastError();
              						if( *0x5f49f0 != 0) {
              							_t92 =  *0x5f49f0(3, _t116 - 0x30);
              						}
              						if(_t92 != 0) {
              							goto L16;
              						} else {
              							 *(_t116 - 8) = _t116 - 0x30;
              							RaiseException(0xc0fb007e, 0, 1, _t116 - 8);
              							_t65 =  *((intOrPtr*)(_t116 - 0x14));
              							goto L39;
              						}
              					}
              				} else {
              					_t88 =  *0x5f49f4(0, _t116 - 0x30);
              					_t110 = _t88;
              					if(_t88 == 0) {
              						goto L6;
              					}
              					L36:
              					if( *0x5f49f4 != 0) {
              						 *((intOrPtr*)(_t116 - 0x10)) = 0;
              						 *(_t116 - 0x18) = _t92;
              						 *((intOrPtr*)(_t116 - 0x14)) = _t110;
              						 *0x5f49f4(5, _t116 - 0x30);
              					}
              					_t65 = _t110;
              					L39:
              					return _t65;
              				}
              			}
              0x0040ab07
              0x0040ab0f
              0x0040ab1a
              0x0040ab22
              0x0040ab29
              0x0040ab2c
              0x0040ab2f
              0x0040ab35
              0x0040ab38
              0x0040ab49
              0x0040ab52
              0x0040ab5c
              0x0040ab5f
              0x0040ab64
              0x0040ab78
              0x0040ab66
              0x0040ab6b
              0x0040ab6b
              0x0040ab7b
              0x0040ab84
              0x0040ab9d
              0x0040ab9f
              0x0040ac40
              0x0040ac40
              0x0040ac4a
              0x0040ac58
              0x0040ac58
              0x0040ac5c
              0x0040acb1
              0x0040acb3
              0x0040acba
              0x0040acc4
              0x0040acd2
              0x0040acd2
              0x0040acd6
              0x0040acdb
              0x0040aceb
              0x0040acf0
              0x0040acf0
              0x0040acd6
              0x0040acf6
              0x00000000
              0x0040ac5e
              0x0040ac62
              0x0040aca6
              0x0040acaf
              0x00000000
              0x0040ac6a
              0x0040ac6b
              0x0040ac70
              0x0040ac78
              0x00000000
              0x0040ac90
              0x0040ac96
              0x0040aca1
              0x00000000
              0x0040aca1
              0x0040ac78
              0x0040ac62
              0x0040ac5c
              0x0040abac
              0x0040abba
              0x0040abba
              0x0040abbe
              0x0040abc8
              0x0040abc8
              0x0040abcc
              0x0040ac11
              0x0040ac16
              0x0040ac1f
              0x0040ac2e
              0x0040ac33
              0x0040ac21
              0x0040ac22
              0x0040ac28
              0x0040ac28
              0x0040ac3b
              0x00000000
              0x0040abce
              0x0040abd3
              0x0040abdd
              0x0040abeb
              0x0040abeb
              0x0040abef
              0x00000000
              0x0040abf1
              0x0040abf4
              0x0040ac04
              0x0040ac09
              0x00000000
              0x0040ac09
              0x0040abef
              0x0040ab86
              0x0040ab8c
              0x0040ab92
              0x0040ab96
              0x00000000
              0x00000000
              0x0040acf8
              0x0040acff
              0x0040ad03
              0x0040ad06
              0x0040ad09
              0x0040ad12
              0x0040ad12
              0x0040ad18
              0x0040ad1a
              0x0040ad20
              0x0040ad20

              APIs
              • LoadLibraryA.KERNEL32(?), ref: 0040ABC3
              • GetLastError.KERNEL32 ref: 0040ABCE
              • RaiseException.KERNEL32(C0FB007E,00000000,00000001,?), ref: 0040AC04
              • EnterCriticalSection.KERNEL32(005FBC24), ref: 0040AC16
              • FreeLibrary.KERNEL32(?,005FBC24), ref: 0040AC2E
              • LeaveCriticalSection.KERNEL32(005FBC24,?,005FBC24), ref: 0040AC3B
              • GetProcAddress.KERNEL32(?,?), ref: 0040ACAA
              • GetLastError.KERNEL32 ref: 0040ACB5
              • RaiseException.KERNEL32(C0FB007F,00000000,00000001,?), ref: 0040ACEB
                • Part of subcall function 0040AA20: LocalAlloc.KERNEL32(00000040,00000008), ref: 0040AA2C
                • Part of subcall function 0040AA20: RaiseException.KERNEL32(C0FB0008,00000000,00000001,?,00000040,00000008), ref: 0040AA41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionRaise$CriticalErrorLastLibrarySection$AddressAllocEnterFreeLeaveLoadLocalProc
              • String ID: $
              • API String ID: 4255670546-3993045852
              • Opcode ID: 86e7897f0fc8a4b23a0c840ab542a18522d37b534167ccb70a3afa58001dee41
              • Instruction ID: 6534c557706117906402f9327024843be6de7f29e8670a2e5d67a1453511234c
              • Opcode Fuzzy Hash: 86e7897f0fc8a4b23a0c840ab542a18522d37b534167ccb70a3afa58001dee41
              • Instruction Fuzzy Hash: E961ACB1A00306AFEB20DF95CE84BBBB7B5AB54304F04413AE611B62D0D7B89954DB5A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 70%
              			E004049A4(void** __eax) {
              				long _t29;
              				void* _t31;
              				long _t34;
              				void* _t38;
              				void* _t40;
              				long _t41;
              				int _t44;
              				void* _t46;
              				long _t54;
              				long _t55;
              				void* _t58;
              				void** _t59;
              				DWORD* _t60;
              
              				_t59 = __eax;
              				 *((intOrPtr*)(__eax + 0xc)) = 0;
              				 *((intOrPtr*)(__eax + 0x10)) = 0;
              				if(0xffffffffffff284f == 0) {
              					_t29 = 0x80000000;
              					_t55 = 1;
              					_t54 = 3;
              					 *((intOrPtr*)(__eax + 0x1c)) = 0x4048f8;
              				} else {
              					if(0xffffffffffff284f == 0) {
              						_t29 = 0x40000000;
              						_t55 = 1;
              						_t54 = 2;
              					} else {
              						if(0xffffffffffff284f != 0) {
              							return 0xffffffffffff284d;
              						}
              						_t29 = 0xc0000000;
              						_t55 = 1;
              						_t54 = 3;
              					}
              					_t59[7] = E00404938;
              				}
              				_t59[9] = E00404984;
              				_t59[8] = E00404934;
              				if(_t59[0x12] == 0) {
              					_t59[2] = 0x80;
              					_t59[9] = E00404934;
              					_t59[5] =  &(_t59[0x94]);
              					if(_t59[1] == 0xd7b2) {
              						if(_t59 != 0x5f95fc) {
              							_push(0xfffffff5);
              						} else {
              							_push(0xfffffff4);
              						}
              					} else {
              						_push(0xfffffff6);
              					}
              					_t31 = GetStdHandle();
              					if(_t31 == 0xffffffff) {
              						goto L37;
              					}
              					 *_t59 = _t31;
              					goto L30;
              				} else {
              					_t38 = CreateFileW( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
              					if(_t38 == 0xffffffff) {
              						L37:
              						_t59[1] = 0xd7b0;
              						return GetLastError();
              					}
              					 *_t59 = _t38;
              					if(_t59[1] != 0xd7b3) {
              						L30:
              						if(_t59[1] == 0xd7b1) {
              							L34:
              							return 0;
              						}
              						_t34 = GetFileType( *_t59);
              						if(_t34 == 0) {
              							CloseHandle( *_t59);
              							_t59[1] = 0xd7b0;
              							return 0x69;
              						}
              						if(_t34 == 2) {
              							_t59[8] = E00404938;
              						}
              						goto L34;
              					}
              					_t59[1] = _t59[1] - 1;
              					_t40 = GetFileSize( *_t59, 0) + 1;
              					if(_t40 == 0) {
              						goto L37;
              					}
              					_t41 = _t40 - 0x81;
              					if(_t41 < 0) {
              						_t41 = 0;
              					}
              					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
              						goto L37;
              					} else {
              						_t44 = ReadFile( *_t59,  &(_t59[0x94]), 0x80, _t60, 0);
              						_t58 = 0;
              						if(_t44 != 1) {
              							goto L37;
              						}
              						_t46 = 0;
              						while(_t46 < _t58) {
              							if( *((char*)(_t59 + _t46 + 0x250)) == 0xe) {
              								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
              									goto L37;
              								} else {
              									goto L30;
              								}
              							}
              							_t46 = _t46 + 1;
              						}
              						goto L30;
              					}
              				}
              			}
              0x004049a5
              0x004049a9
              0x004049ac
              0x004049b8
              0x004049c5
              0x004049ca
              0x004049cf
              0x004049d4
              0x004049ba
              0x004049bb
              0x004049dd
              0x004049e2
              0x004049e7
              0x004049bd
              0x004049be
              0x00000000
              0x00000000
              0x004049ee
              0x004049f3
              0x004049f8
              0x004049f8
              0x004049fd
              0x004049fd
              0x00404a04
              0x00404a0b
              0x00404a17
              0x00404ad5
              0x00404adc
              0x00404ae3
              0x00404aec
              0x00404af8
              0x00404afe
              0x00404afa
              0x00404afa
              0x00404afa
              0x00404aee
              0x00404aee
              0x00404aee
              0x00404b00
              0x00404b08
              0x00000000
              0x00000000
              0x00404b0a
              0x00000000
              0x00404a1d
              0x00404a2d
              0x00404a35
              0x00404b43
              0x00404b43
              0x00000000
              0x00404b49
              0x00404a3b
              0x00404a43
              0x00404b0c
              0x00404b12
              0x00404b2b
              0x00000000
              0x00404b2b
              0x00404b16
              0x00404b1d
              0x00404b31
              0x00404b36
              0x00000000
              0x00404b3c
              0x00404b22
              0x00404b24
              0x00404b24
              0x00000000
              0x00404b22
              0x00404a49
              0x00404a56
              0x00404a57
              0x00000000
              0x00000000
              0x00404a5d
              0x00404a62
              0x00404a64
              0x00404a64
              0x00404a73
              0x00000000
              0x00404a79
              0x00404a8e
              0x00404a93
              0x00404a95
              0x00000000
              0x00000000
              0x00404a9b
              0x00404a9d
              0x00404aa9
              0x00404abd
              0x00000000
              0x00404acd
              0x00000000
              0x00404acd
              0x00404abd
              0x00404aab
              0x00404aab
              0x00000000
              0x00404a9d
              0x00404a73

              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00404A2D
              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00404A51
              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00404A6D
              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00404A8E
              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404AB7
              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404AC5
              • GetStdHandle.KERNEL32(000000F5), ref: 00404B00
              • GetFileType.KERNEL32(?,000000F5), ref: 00404B16
              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404B31
              • GetLastError.KERNEL32(000000F5), ref: 00404B49
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
              • String ID:
              • API String ID: 1694776339-0
              • Opcode ID: ba08fc4dd5624b871b08c3d7685d10d92c94546202f472b8676b5dfe7cca29f0
              • Instruction ID: d7d538d4bc68326521bc77a3529fa71c311b46da4169fcde9cc63c0833e5e3e6
              • Opcode Fuzzy Hash: ba08fc4dd5624b871b08c3d7685d10d92c94546202f472b8676b5dfe7cca29f0
              • Instruction Fuzzy Hash: 7E4162F0204700A9E730AB24C909B2376F5ABC0714F248A3FE796A66D5D7BDE941C75D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00422BF8(short* __eax, intOrPtr __ecx, signed short* __edx) {
              				char _v260;
              				char _v768;
              				char _v772;
              				short* _v780;
              				intOrPtr _v784;
              				char _v788;
              				signed int _v792;
              				signed short* _v796;
              				char _v800;
              				char _v804;
              				intOrPtr* _v808;
              				void* __ebp;
              				signed char _t47;
              				signed int _t54;
              				void* _t62;
              				intOrPtr* _t73;
              				signed short* _t91;
              				void* _t93;
              				void* _t95;
              				void* _t98;
              				void* _t99;
              				intOrPtr* _t108;
              				void* _t112;
              				intOrPtr _t113;
              				char* _t114;
              				void* _t115;
              
              				_t100 = __ecx;
              				_v784 = __ecx;
              				_t91 = __edx;
              				_v780 = __eax;
              				if(( *(__edx + 1) & 0x00000020) == 0) {
              					E00422788(0x80070057);
              				}
              				_t47 =  *_t91 & 0x0000ffff;
              				if((_t47 & 0x00000fff) != 0xc) {
              					_push(_t91);
              					_push(_v780);
              					L004208DC();
              					return E00422788(_v780);
              				} else {
              					if((_t47 & 0x00000040) == 0) {
              						_v796 = _t91[4];
              					} else {
              						_v796 =  *(_t91[4]);
              					}
              					_v792 =  *_v796 & 0x0000ffff;
              					_t93 = _v792 - 1;
              					if(_t93 < 0) {
              						L9:
              						_push( &_v772);
              						_t54 = _v792;
              						_push(_t54);
              						_push(0xc);
              						L00420D3C();
              						_t113 = _t54;
              						if(_t113 == 0) {
              							E004224E0(_t100);
              						}
              						E00422B50(_v780);
              						 *_v780 = 0x200c;
              						 *((intOrPtr*)(_v780 + 8)) = _t113;
              						_t95 = _v792 - 1;
              						if(_t95 < 0) {
              							L14:
              							_t97 = _v792 - 1;
              							if(E00422B6C(_v792 - 1, _t115) != 0) {
              								L00420D74();
              								E00422788(_v796);
              								L00420D74();
              								E00422788( &_v260);
              								_v784(_t113,  &_v260,  &_v804, _v796,  &_v260,  &_v800);
              							}
              							_t62 = E00422B9C(_t97, _t115);
              						} else {
              							_t98 = _t95 + 1;
              							_t73 =  &_v768;
              							_t108 =  &_v260;
              							do {
              								 *_t108 =  *_t73;
              								_t108 = _t108 + 4;
              								_t73 = _t73 + 8;
              								_t98 = _t98 - 1;
              							} while (_t98 != 0);
              							do {
              								goto L14;
              							} while (_t62 != 0);
              							return _t62;
              						}
              					} else {
              						_t99 = _t93 + 1;
              						_t112 = 0;
              						_t114 =  &_v772;
              						do {
              							_v808 = _t114;
              							_push(_v808 + 4);
              							_t18 = _t112 + 1; // 0x1
              							_push(_v796);
              							L00420D44();
              							E00422788(_v796);
              							_push( &_v788);
              							_t21 = _t112 + 1; // 0x1
              							_push(_v796);
              							L00420D4C();
              							E00422788(_v796);
              							 *_v808 = _v788 -  *((intOrPtr*)(_v808 + 4)) + 1;
              							_t112 = _t112 + 1;
              							_t114 = _t114 + 8;
              							_t99 = _t99 - 1;
              						} while (_t99 != 0);
              						goto L9;
              					}
              				}
              			}
              0x00422bf8
              0x00422c04
              0x00422c0a
              0x00422c0c
              0x00422c16
              0x00422c1d
              0x00422c1d
              0x00422c22
              0x00422c30
              0x00422da9
              0x00422db0
              0x00422db1
              0x00000000
              0x00422c36
              0x00422c39
              0x00422c4b
              0x00422c3b
              0x00422c40
              0x00422c40
              0x00422c5a
              0x00422c66
              0x00422c69
              0x00422cd6
              0x00422cdc
              0x00422cdd
              0x00422ce3
              0x00422ce4
              0x00422ce6
              0x00422ceb
              0x00422cef
              0x00422cf1
              0x00422cf1
              0x00422cfc
              0x00422d07
              0x00422d12
              0x00422d1b
              0x00422d1e
              0x00422d3a
              0x00422d41
              0x00422d4c
              0x00422d63
              0x00422d68
              0x00422d7c
              0x00422d81
              0x00422d94
              0x00422d94
              0x00422d9d
              0x00422d20
              0x00422d20
              0x00422d21
              0x00422d27
              0x00422d2d
              0x00422d2f
              0x00422d31
              0x00422d34
              0x00422d37
              0x00422d37
              0x00422d3a
              0x00000000
              0x00000000
              0x00000000
              0x00422d3a
              0x00422c6b
              0x00422c6b
              0x00422c6c
              0x00422c6e
              0x00422c74
              0x00422c76
              0x00422c85
              0x00422c86
              0x00422c90
              0x00422c91
              0x00422c96
              0x00422ca1
              0x00422ca2
              0x00422cac
              0x00422cad
              0x00422cb2
              0x00422ccd
              0x00422ccf
              0x00422cd0
              0x00422cd3
              0x00422cd3
              0x00000000
              0x00422c74
              0x00422c69

              APIs
              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00422C91
              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00422CAD
              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00422CE6
              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00422D63
              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00422D7C
              • VariantCopy.OLEAUT32(?), ref: 00422DB1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
              • String ID:
              • API String ID: 351091851-3916222277
              • Opcode ID: 3848d20fadf736b8cb77a9877045cf98973bdf96d2f755fa4af5c66f00e8af79
              • Instruction ID: ac738ffa502d4b5dca149ad8c98f6ed97b2bd05feea5a7bdd79e37f41cffc8ae
              • Opcode Fuzzy Hash: 3848d20fadf736b8cb77a9877045cf98973bdf96d2f755fa4af5c66f00e8af79
              • Instruction Fuzzy Hash: 9E511375A0062D9BCB61DB59D980BD9B3FCAF4C304F8041DAE548E7212D678AF818F55
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E004066FC(void* __ecx) {
              				long _v4;
              				int _t3;
              
              				if( *0x5f9054 == 0) {
              					if( *0x5f4030 == 0) {
              						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
              					}
              					return _t3;
              				} else {
              					if( *0x5f9330 == 0xd7b2 &&  *0x5f9338 > 0) {
              						 *0x5f9348();
              					}
              					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
              					return WriteFile(GetStdHandle(0xfffffff5), E00406788, 2,  &_v4, 0);
              				}
              			}

              0x00406704
              0x00406764
              0x00406774
              0x00406774
              0x0040677a
              0x00406706
              0x0040670f
              0x0040671f
              0x0040671f
              0x0040673b
              0x0040675c
              0x0040675c

              APIs
              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001,?), ref: 00406735
              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000,?,00000002,004068A2,00404397,004043DE,00000001), ref: 0040673B
              • GetStdHandle.KERNEL32(000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406750
              • WriteFile.KERNEL32(00000000,000000F5,00406788,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004067AD,?,00000000), ref: 00406756
              • MessageBoxA.USER32 ref: 00406774
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: FileHandleWrite$Message
              • String ID: Error$Runtime error at 00000000
              • API String ID: 1570097196-2970929446
              • Opcode ID: 3c048bd13c79caf6c45f45e5690fb334038999ef88a18d7ea6aa49fe748a3014
              • Instruction ID: 6039bf95adf9f02388df85ca2a71beb15313f049714d47c592cc6e1198d8cac1
              • Opcode Fuzzy Hash: 3c048bd13c79caf6c45f45e5690fb334038999ef88a18d7ea6aa49fe748a3014
              • Instruction Fuzzy Hash: DAF0F0606C134439FA20B7649E8AFBA2A9C9711F18F504A3BB310F50D2C7FC0888D61A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E00403100(void* __eax, signed int __edi, void* __ebp) {
              				struct _MEMORY_BASIC_INFORMATION _v44;
              				void* _v48;
              				signed int __ebx;
              				void* _t58;
              				signed int _t61;
              				signed int _t67;
              				void _t70;
              				int _t71;
              				signed int _t78;
              				void* _t79;
              				signed int _t81;
              				intOrPtr _t82;
              				signed int _t87;
              				signed int _t88;
              				signed int _t89;
              				signed int _t92;
              				void* _t96;
              				signed int _t99;
              				void* _t103;
              				intOrPtr _t104;
              				void* _t106;
              				void* _t108;
              				signed int _t113;
              				void* _t115;
              				void* _t116;
              
              				_t56 = __eax;
              				_t89 =  *(__eax - 4);
              				_t78 =  *0x5f9055; // 0x0
              				if((_t89 & 0x00000007) != 0) {
              					__eflags = _t89 & 0x00000005;
              					if((_t89 & 0x00000005) != 0) {
              						_pop(_t78);
              						__eflags = _t89 & 0x00000003;
              						if((_t89 & 0x00000003) == 0) {
              							_push(_t78);
              							_push(__edi);
              							_t116 = _t115 + 0xffffffdc;
              							_t103 = __eax - 0x10;
              							E00402AE0();
              							_t58 = _t103;
              							 *_t116 =  *_t58;
              							_v48 =  *((intOrPtr*)(_t58 + 4));
              							_t92 =  *(_t58 + 0xc);
              							if((_t92 & 0x00000008) != 0) {
              								_t79 = _t103;
              								_t113 = _t92 & 0xfffffff0;
              								_t99 = 0;
              								__eflags = 0;
              								while(1) {
              									VirtualQuery(_t79,  &_v44, 0x1c);
              									_t61 = VirtualFree(_t79, 0, 0x8000);
              									__eflags = _t61;
              									if(_t61 == 0) {
              										_t99 = _t99 | 0xffffffff;
              										goto L10;
              									}
              									_t104 = _v44.RegionSize;
              									__eflags = _t113 - _t104;
              									if(_t113 > _t104) {
              										_t113 = _t113 - _t104;
              										_t79 = _t79 + _t104;
              										continue;
              									}
              									goto L10;
              								}
              							} else {
              								if(VirtualFree(_t103, 0, 0x8000) == 0) {
              									_t99 = __edi | 0xffffffff;
              								} else {
              									_t99 = 0;
              								}
              							}
              							L10:
              							if(_t99 == 0) {
              								 *_v48 =  *_t116;
              								 *( *_t116 + 4) = _v48;
              							}
              							 *0x5fbacc = 0;
              							return _t99;
              						} else {
              							return 0xffffffff;
              						}
              					} else {
              						goto L31;
              					}
              				} else {
              					__eflags = __bl;
              					__ebx =  *__edx;
              					if(__eflags != 0) {
              						while(1) {
              							__eax = 0x100;
              							asm("lock cmpxchg [ebx], ah");
              							if(__eflags == 0) {
              								goto L14;
              							}
              							asm("pause");
              							__eflags =  *0x5f98dd;
              							if(__eflags != 0) {
              								continue;
              							} else {
              								Sleep(0);
              								__edx = __edx;
              								__ecx = __ecx;
              								__eax = 0x100;
              								asm("lock cmpxchg [ebx], ah");
              								if(__eflags != 0) {
              									Sleep(0xa);
              									__edx = __edx;
              									__ecx = __ecx;
              									continue;
              								}
              							}
              							goto L14;
              						}
              					}
              					L14:
              					_t14 = __edx + 0xc;
              					 *_t14 =  *(__edx + 0xc) - 1;
              					__eflags =  *_t14;
              					__eax =  *(__edx + 8);
              					if( *_t14 == 0) {
              						__eflags = __eax;
              						if(__eax == 0) {
              							L20:
              							 *(__ebx + 0xc) = __eax;
              						} else {
              							__eax =  *(__edx + 0x14);
              							__ecx =  *(__edx + 4);
              							 *(__eax + 4) = __ecx;
              							 *(__ecx + 0x14) = __eax;
              							__eax = 0;
              							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
              							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
              								goto L20;
              							}
              						}
              						 *__ebx = __al;
              						__eax = __edx;
              						__edx =  *(__edx - 4);
              						__bl =  *0x5f9055; // 0x0
              						L31:
              						__eflags = _t78;
              						_t81 = _t89 & 0xfffffff0;
              						_push(_t101);
              						_t106 = _t56;
              						if(__eflags != 0) {
              							while(1) {
              								_t67 = 0x100;
              								asm("lock cmpxchg [0x5f9a3c], ah");
              								if(__eflags == 0) {
              									goto L32;
              								}
              								asm("pause");
              								__eflags =  *0x5f98dd;
              								if(__eflags != 0) {
              									continue;
              								} else {
              									Sleep(0);
              									_t67 = 0x100;
              									asm("lock cmpxchg [0x5f9a3c], ah");
              									if(__eflags != 0) {
              										Sleep(0xa);
              										continue;
              									}
              								}
              								goto L32;
              							}
              						}
              						L32:
              						__eflags = (_t106 - 4)[_t81] & 0x00000001;
              						_t87 = (_t106 - 4)[_t81];
              						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
              							_t67 = _t81 + _t106;
              							_t88 = _t87 & 0xfffffff0;
              							_t81 = _t81 + _t88;
              							__eflags = _t88 - 0xb30;
              							if(_t88 >= 0xb30) {
              								_t67 = E0040295C(_t67);
              							}
              						} else {
              							_t88 = _t87 | 0x00000008;
              							__eflags = _t88;
              							(_t106 - 4)[_t81] = _t88;
              						}
              						__eflags =  *(_t106 - 4) & 0x00000008;
              						if(( *(_t106 - 4) & 0x00000008) != 0) {
              							_t88 =  *(_t106 - 8);
              							_t106 = _t106 - _t88;
              							_t81 = _t81 + _t88;
              							__eflags = _t88 - 0xb30;
              							if(_t88 >= 0xb30) {
              								_t67 = E0040295C(_t106);
              							}
              						}
              						__eflags = _t81 - 0x13ffe0;
              						if(_t81 == 0x13ffe0) {
              							__eflags =  *0x5f9a44 - 0x13ffe0;
              							if( *0x5f9a44 != 0x13ffe0) {
              								_t82 = _t106 + 0x13ffe0;
              								E004029FC(_t67);
              								 *((intOrPtr*)(_t82 - 4)) = 2;
              								 *0x5f9a44 = 0x13ffe0;
              								 *0x5f9a40 = _t82;
              								 *0x5f9a3c = 0;
              								__eflags = 0;
              								return 0;
              							} else {
              								_t108 = _t106 - 0x10;
              								_t70 =  *_t108;
              								_t96 =  *(_t108 + 4);
              								 *(_t70 + 4) = _t96;
              								 *_t96 = _t70;
              								 *0x5f9a3c = 0;
              								_t71 = VirtualFree(_t108, 0, 0x8000);
              								__eflags = _t71 - 1;
              								asm("sbb eax, eax");
              								return _t71;
              							}
              						} else {
              							 *(_t106 - 4) = _t81 + 3;
              							 *(_t106 - 8 + _t81) = _t81;
              							E0040299C(_t106, _t88, _t81);
              							 *0x5f9a3c = 0;
              							__eflags = 0;
              							return 0;
              						}
              					} else {
              						__eflags = __eax;
              						 *(__edx + 8) = __ecx;
              						 *(__ecx - 4) = __eax;
              						if(__eflags == 0) {
              							__ecx =  *(__ebx + 4);
              							 *(__edx + 0x14) = __ebx;
              							 *(__edx + 4) = __ecx;
              							 *(__ecx + 0x14) = __edx;
              							 *(__ebx + 4) = __edx;
              							 *__ebx = 0;
              							__eax = 0;
              							__eflags = 0;
              							_pop(__ebx);
              							return 0;
              						} else {
              							__eax = 0;
              							__eflags = 0;
              							 *__ebx = __al;
              							_pop(__ebx);
              							return 0;
              						}
              					}
              				}
			}

              APIs
              • Sleep.KERNEL32(00000000,?), ref: 00403196
              • Sleep.KERNEL32(0000000A,00000000,?), ref: 004031B0
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: aa3228a24e30a854a76d37ce170f200bdc86c38d7c6b5f9f6ff6c40aaadb4f99
              • Instruction ID: 51db629a306512442219e048d3cc5981d601daa4460c0358878b232d2a685e1a
              • Opcode Fuzzy Hash: aa3228a24e30a854a76d37ce170f200bdc86c38d7c6b5f9f6ff6c40aaadb4f99
              • Instruction Fuzzy Hash: C97117712042008FD715CF28DD88B26BFD8AB99315F18C2BFD844AB3D2D6B8D949DB59
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E004FEED8(void* __eax, char* __ecx, struct tagMSG* __edx) {
              				char _v18;
              				char _v19;
              				char _t14;
              				void* _t35;
              				void* _t36;
              				void* _t46;
              				MSG* _t47;
              				struct HWND__* _t48;
              				signed char* _t49;
              
              				_t37 = __ecx;
              				_push(__ecx);
              				_t47 = __edx;
              				_t46 = __eax;
              				 *_t49 = 0;
              				PeekMessageW(__edx, 0, 0x200, 0x20e, 1);
              				asm("sbb ebx, ebx");
              				_t36 = _t35 + 1;
              				if(_t36 != 0 || PeekMessageW(_t47, 0, 0, 0, 0) != 0) {
              					_t48 = _t47->hwnd;
              					if(_t48 == 0 || IsWindowUnicode(_t48) != 0) {
              						_t14 = 1;
              					} else {
              						_t14 = 0;
              					}
              					_v18 = _t14;
              					if(_t36 == 0) {
              						if(_v18 == 0) {
              							PeekMessageA(_t47, 0, 0, 0, 1);
              							asm("sbb ebx, ebx");
              							_t36 = _t36 + 1;
              						} else {
              							PeekMessageW(_t47, 0, 0, 0, 1);
              							asm("sbb ebx, ebx");
              							_t36 = _t36 + 1;
              						}
              					}
              					if(_t36 != 0) {
              						 *_t49 = 1;
              						if(_t47->message == 0x12) {
              							 *((char*)(_t46 + 0xa4)) = 1;
              						} else {
              							_v19 = 0;
              							if( *((short*)(_t46 + 0x10a)) != 0) {
              								_t37 =  &_v19;
              								 *((intOrPtr*)(_t46 + 0x108))();
              							}
              							if(E00500D7C(_t46, _t37, _t47) == 0 && E004FED84(_t46, _t47) == 0 && _v19 == 0 && E004FEC3C(_t46, _t47) == 0 && E004FEC8C(_t46, _t47) == 0 && E004FEBF4(_t46, _t47) == 0) {
              								TranslateMessage(_t47);
              								if(_v18 == 0) {
              									DispatchMessageA(_t47);
              								} else {
              									DispatchMessageW(_t47);
              								}
              							}
              						}
              					}
              					goto L24;
              				} else {
              					L24:
              					return  *_t49 & 0x000000ff;
              				}
			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
              • String ID:
              • API String ID: 2190272339-0
              • Opcode ID: 51a9d1cf49dcd7069d8d1b6357f2648b2d9769b5a030c929fd4f0bb0515ed71f
              • Instruction ID: c6f5eb4ed8a7a69a3abe97be13754504004c753cbf0a3382eb4b7b1cde6f4e1c
              • Opcode Fuzzy Hash: 51a9d1cf49dcd7069d8d1b6357f2648b2d9769b5a030c929fd4f0bb0515ed71f
              • Instruction Fuzzy Hash: 0831DB603487887AFB3126264C81BBF56854F5270DF14452BFBC5A62D3CBAE984F426F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004FEC8C(void* __eax, struct HWND__** __edx) {
              				long _v20;
              				intOrPtr _t17;
              				intOrPtr _t30;
              				void* _t46;
              				void* _t50;
              				struct HWND__** _t51;
              				struct HWND__* _t52;
              				struct HWND__* _t53;
              				void* _t54;
              				DWORD* _t55;
              
              				_t55 = _t54 + 0xfffffff8;
              				_t51 = __edx;
              				_t50 = __eax;
              				_t46 = 0;
              				_t17 =  *((intOrPtr*)(__edx + 4));
              				if(_t17 < 0x100 || _t17 > 0x109) {
              					L19:
              					return _t46;
              				} else {
              					_t52 = GetCapture();
              					if(_t52 != 0) {
              						GetWindowThreadProcessId(_t52, _t55);
              						GetWindowThreadProcessId( *(_t50 + 0x170),  &_v20);
              						if( *_t55 == _v20 && SendMessageW(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
              							_t46 = 1;
              						}
              						goto L19;
              					}
              					_t53 =  *_t51;
              					_t30 =  *((intOrPtr*)(_t50 + 0x44));
              					if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x37c))) {
              						L7:
              						if(E004CB9EC(_t53) == 0 && _t53 != 0) {
              							_t53 = GetParent(_t53);
              							goto L7;
              						}
              						if(_t53 == 0) {
              							_t53 =  *_t51;
              						}
              						goto L11;
              					} else {
              						_t53 = E004D83DC(_t30);
              						L11:
              						if(IsWindowUnicode(_t53) == 0) {
              							if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
              								_t46 = 1;
              							}
              						} else {
              							if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
              								_t46 = 1;
              							}
              						}
              						goto L19;
              					}
              				}
			}

              APIs
              • GetCapture.USER32 ref: 004FECB2
              • IsWindowUnicode.USER32(00000000), ref: 004FECF5
              • SendMessageW.USER32(00000000,-0000BBEE,?,?), ref: 004FED10
              • SendMessageA.USER32 ref: 004FED2F
              • GetWindowThreadProcessId.USER32(00000000), ref: 004FED3E
              • GetWindowThreadProcessId.USER32(?,?), ref: 004FED4F
              • SendMessageW.USER32(00000000,-0000BBEE,?,?), ref: 004FED6F
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
              • String ID:
              • API String ID: 1994056952-0
              • Opcode ID: 55caf9e10fd517597d71483d518bb41ebe834d46082e1db6fcda521b26c0c1bb
              • Instruction ID: fa4f88a1a7f0f7f6764363fff900e576a24bfc397e5ae282c74f83592f525cb9
              • Opcode Fuzzy Hash: 55caf9e10fd517597d71483d518bb41ebe834d46082e1db6fcda521b26c0c1bb
              • Instruction Fuzzy Hash: F0218D7120464EAFD620EB5AC981F7773DCEB09345B10443AFA69D37A2DB29FC018769
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E004032F8(signed int __eax, intOrPtr __edx, void* __edi) {
              				signed int __ebx;
              				void* __esi;
              				signed int _t69;
              				signed int _t78;
              				signed int _t93;
              				long _t94;
              				void* _t100;
              				signed int _t102;
              				signed int _t109;
              				signed int _t115;
              				signed int _t123;
              				signed int _t129;
              				void* _t131;
              				signed int _t140;
              				unsigned int _t148;
              				signed int _t150;
              				long _t152;
              				signed int _t156;
              				intOrPtr _t161;
              				signed int _t166;
              				signed int _t170;
              				unsigned int _t171;
              				intOrPtr _t174;
              				intOrPtr _t180;
              				intOrPtr _t193;
              				signed int _t196;
              				signed int _t197;
              				signed int _t198;
              				void* _t206;
              				unsigned int _t208;
              				intOrPtr _t214;
              				void* _t226;
              				intOrPtr _t228;
              				void* _t229;
              				signed int _t231;
              				void* _t233;
              				signed int _t234;
              				signed int _t235;
              				signed int _t239;
              				signed int _t242;
              				void* _t244;
              				intOrPtr* _t245;
              
              				_t176 = __edx;
              				_t66 = __eax;
              				_t166 =  *(__eax - 4);
              				_t218 = __eax;
              				if((_t166 & 0x00000007) != 0) {
              					__eflags = _t166 & 0x00000005;
              					if((_t166 & 0x00000005) != 0) {
              						_pop(_t218);
              						_pop(_t145);
              						__eflags = _t166 & 0x00000003;
              						if((_t166 & 0x00000003) == 0) {
              							_push(_t145);
              							_push(__eax);
              							_push(__edi);
              							_push(_t226);
              							_t245 = _t244 + 0xffffffe0;
              							_t219 = __edx;
              							_t203 = __eax;
              							_t69 =  *(__eax - 4);
              							_t148 = (_t69 & 0xfffffff0) - 0x14;
              							if(_t148 >= __edx) {
              								__eflags = __edx - _t148 >> 1;
              								if(__edx < _t148 >> 1) {
              									_t150 = E00402D7C(__edx);
              									__eflags = _t150;
              									if(_t150 != 0) {
              										__eflags = _t219 - 0x40a2c;
              										if(_t219 > 0x40a2c) {
              											_t78 = _t203 - 0x10;
              											__eflags = _t78;
              											 *((intOrPtr*)(_t78 + 8)) = _t219;
              										}
              										E00402940(_t203, _t219, _t150);
              										E00403100(_t203, _t203, _t226);
              									}
              								} else {
              									_t150 = __eax;
              									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
              								}
              							} else {
              								_t180 = (_t148 >> 2) + _t148;
              								if(_t180 <= __edx) {
              									_t228 = __edx;
              								} else {
              									_t228 = _t180;
              								}
              								 *_t245 = _t203 - 0x10 + (_t69 & 0xfffffff0);
              								VirtualQuery( *(_t245 + 8), _t245 + 8, 0x1c);
              								if( *((intOrPtr*)(_t245 + 0x14)) != 0x10000) {
              									L12:
              									_t150 = E00402D7C(_t228);
              									__eflags = _t150;
              									if(_t150 != 0) {
              										__eflags = _t228 - 0x40a2c;
              										if(_t228 > 0x40a2c) {
              											_t93 = _t150 - 0x10;
              											__eflags = _t93;
              											 *((intOrPtr*)(_t93 + 8)) = _t219;
              										}
              										E00402910(_t203,  *((intOrPtr*)(_t203 - 0x10 + 8)), _t150);
              										E00403100(_t203, _t203, _t228);
              									}
              								} else {
              									 *(_t245 + 0x10) =  *(_t245 + 0x10) & 0xffff0000;
              									_t94 =  *(_t245 + 0x10);
              									if(_t219 - _t148 >= _t94) {
              										goto L12;
              									} else {
              										_t152 = _t228 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
              										if(_t94 < _t152) {
              											_t152 = _t94;
              										}
              										if(VirtualAlloc( *(_t245 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t245 + 0xc), _t152, 0x1000, 4) == 0) {
              											goto L12;
              										} else {
              											_t100 = _t203 - 0x10;
              											 *((intOrPtr*)(_t100 + 8)) = _t219;
              											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
              											_t150 = _t203;
              										}
              									}
              								}
              							}
              							return _t150;
              						} else {
              							__eflags = 0;
              							return 0;
              						}
              					} else {
              						_t170 = _t166 & 0xfffffff0;
              						_push(__edi);
              						_t206 = _t170 + __eax;
              						_t171 = _t170 - 4;
              						_t156 = _t166 & 0x0000000f;
              						__eflags = __edx - _t171;
              						_push(_t226);
              						if(__edx > _t171) {
              							_t102 =  *(_t206 - 4);
              							__eflags = _t102 & 0x00000001;
              							if((_t102 & 0x00000001) == 0) {
              								L75:
              								asm("adc edi, 0xffffffff");
              								_t229 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
              								_t208 = _t171;
              								_t109 = E00402D7C(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
              								_t193 = _t176;
              								__eflags = _t109;
              								if(_t109 == 0) {
              									goto L73;
              								} else {
              									__eflags = _t229 - 0x40a2c;
              									if(_t229 > 0x40a2c) {
              										 *((intOrPtr*)(_t109 - 8)) = _t193;
              									}
              									_t231 = _t109;
              									E00402910(_t218, _t208, _t109);
              									E00403100(_t218, _t208, _t231);
              									return _t231;
              								}
              							} else {
              								_t115 = _t102 & 0xfffffff0;
              								_t233 = _t171 + _t115;
              								__eflags = __edx - _t233;
              								if(__edx > _t233) {
              									goto L75;
              								} else {
              									__eflags =  *0x5f9055;
              									if(__eflags == 0) {
              										L66:
              										__eflags = _t115 - 0xb30;
              										if(_t115 >= 0xb30) {
              											E0040295C(_t206);
              											_t176 = _t176;
              											_t171 = _t171;
              										}
              										asm("adc edi, 0xffffffff");
              										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
              										_t196 = _t233 + 4 - _t123;
              										__eflags = _t196;
              										if(_t196 > 0) {
              											 *(_t218 + _t233 - 4) = _t196;
              											 *((intOrPtr*)(_t218 - 4 + _t123)) = _t196 + 3;
              											_t234 = _t123;
              											__eflags = _t196 - 0xb30;
              											if(_t196 >= 0xb30) {
              												__eflags = _t123 + _t218;
              												E0040299C(_t123 + _t218, _t171, _t196);
              											}
              										} else {
              											 *(_t218 + _t233) =  *(_t218 + _t233) & 0xfffffff7;
              											_t234 = _t233 + 4;
              										}
              										_t235 = _t234 | _t156;
              										__eflags = _t235;
              										 *(_t218 - 4) = _t235;
              										 *0x5f9a3c = 0;
              										_t109 = _t218;
              										L73:
              										return _t109;
              									} else {
              										while(1) {
              											asm("lock cmpxchg [0x5f9a3c], ah");
              											if(__eflags == 0) {
              												break;
              											}
              											asm("pause");
              											__eflags =  *0x5f98dd;
              											if(__eflags != 0) {
              												continue;
              											} else {
              												Sleep(0);
              												_t176 = _t176;
              												_t171 = _t171;
              												asm("lock cmpxchg [0x5f9a3c], ah");
              												if(__eflags != 0) {
              													Sleep(0xa);
              													_t176 = _t176;
              													_t171 = _t171;
              													continue;
              												}
              											}
              											break;
              										}
              										_t156 = 0x0000000f &  *(_t218 - 4);
              										_t129 =  *(_t206 - 4);
              										__eflags = _t129 & 0x00000001;
              										if((_t129 & 0x00000001) == 0) {
              											L74:
              											 *0x5f9a3c = 0;
              											goto L75;
              										} else {
              											_t115 = _t129 & 0xfffffff0;
              											_t233 = _t171 + _t115;
              											__eflags = _t176 - _t233;
              											if(_t176 > _t233) {
              												goto L74;
              											} else {
              												goto L66;
              											}
              										}
              									}
              								}
              							}
              						} else {
              							__eflags = __edx + __edx - _t171;
              							if(__edx + __edx < _t171) {
              								__eflags = __edx - 0xb2c;
              								if(__edx >= 0xb2c) {
              									L41:
              									_t32 = _t176 + 0xd3; // 0xbff
              									_t239 = (_t32 & 0xffffff00) + 0x30;
              									_t174 = _t171 + 4 - _t239;
              									__eflags =  *0x5f9055;
              									if(__eflags != 0) {
              										while(1) {
              											asm("lock cmpxchg [0x5f9a3c], ah");
              											if(__eflags == 0) {
              												break;
              											}
              											asm("pause");
              											__eflags =  *0x5f98dd;
              											if(__eflags != 0) {
              												continue;
              											} else {
              												Sleep(0);
              												_t174 = _t174;
              												asm("lock cmpxchg [0x5f9a3c], ah");
              												if(__eflags != 0) {
              													Sleep(0xa);
              													_t174 = _t174;
              													continue;
              												}
              											}
              											break;
              										}
              										_t156 = 0x0000000f &  *(_t218 - 4);
              										__eflags = 0xf;
              									}
              									 *(_t218 - 4) = _t156 | _t239;
              									_t161 = _t174;
              									_t197 =  *(_t206 - 4);
              									__eflags = _t197 & 0x00000001;
              									if((_t197 & 0x00000001) != 0) {
              										_t131 = _t206;
              										_t198 = _t197 & 0xfffffff0;
              										_t161 = _t161 + _t198;
              										_t206 = _t206 + _t198;
              										__eflags = _t198 - 0xb30;
              										if(_t198 >= 0xb30) {
              											E0040295C(_t131);
              										}
              									} else {
              										 *(_t206 - 4) = _t197 | 0x00000008;
              									}
              									 *((intOrPtr*)(_t206 - 8)) = _t161;
              									 *((intOrPtr*)(_t218 + _t239 - 4)) = _t161 + 3;
              									__eflags = _t161 - 0xb30;
              									if(_t161 >= 0xb30) {
              										E0040299C(_t218 + _t239, _t174, _t161);
              									}
              									 *0x5f9a3c = 0;
              									return _t218;
              								} else {
              									__eflags = __edx - 0x2cc;
              									if(__edx < 0x2cc) {
              										_t214 = __edx;
              										_t140 = E00402D7C(__edx);
              										__eflags = _t140;
              										if(_t140 != 0) {
              											_t242 = _t140;
              											E00402940(_t218, _t214, _t140);
              											E00403100(_t218, _t214, _t242);
              											_t140 = _t242;
              										}
              										return _t140;
              									} else {
              										_t176 = 0xb2c;
              										__eflags = _t171 - 0xb2c;
              										if(_t171 <= 0xb2c) {
              											goto L37;
              										} else {
              											goto L41;
              										}
              									}
              								}
              							} else {
              								L37:
              								return _t66;
              							}
              						}
              					}
              				} else {
              					__ebx =  *__ecx;
              					__ecx =  *(__ebx + 2) & 0x0000ffff;
              					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
              					__eflags = __ecx - __edx;
              					if(__ecx < __edx) {
              						__ecx = __ecx + __ecx + 0x20;
              						_push(__edi);
              						__edi = __edx;
              						__eax = 0;
              						__ecx = __ecx - __edx;
              						asm("adc eax, 0xffffffff");
              						__eax = 0 & __ecx;
              						__eax = (0 & __ecx) + __edx;
              						__eax = E00402D7C((0 & __ecx) + __edx);
              						__eflags = __eax;
              						if(__eax != 0) {
              							__eflags = __edi - 0x40a2c;
              							if(__edi > 0x40a2c) {
              								 *(__eax - 8) = __edi;
              							}
              							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
              							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
              							__edx = __eax;
              							__edi = __eax;
              							 *((intOrPtr*)(__ebx + 0x1c))() = E00403100(__esi, __edi, __ebp);
              							__eax = __edi;
              						}
              						_pop(__edi);
              						_pop(__esi);
              						_pop(__ebx);
              						return __eax;
              					} else {
              						__ebx = 0x40 + __edx * 4;
              						__eflags = 0x40 + __edx * 4 - __ecx;
              						if(0x40 + __edx * 4 < __ecx) {
              							__ebx = __edx;
              							__eax = __edx;
              							__eax = E00402D7C(__edx);
              							__eflags = __eax;
              							if(__eax != 0) {
              								__ecx = __ebx;
              								__edx = __eax;
              								__ebx = __eax;
              								__esi = E00403100(__esi, __edi, __ebp);
              								__eax = __ebx;
              							}
              							_pop(__esi);
              							_pop(__ebx);
              							return __eax;
              						} else {
              							_pop(__esi);
              							_pop(__ebx);
              							return __eax;
              						}
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f0ca93341185f61ac2ce410e512423f2187a398738d1a52c2e70cc08ecee7560
              • Instruction ID: bd5996512a7044d129281cbb2de5bf2e63c1a97c75ce7cf8d25c133293c482ec
              • Opcode Fuzzy Hash: f0ca93341185f61ac2ce410e512423f2187a398738d1a52c2e70cc08ecee7560
              • Instruction Fuzzy Hash: 6DC128627106000BD714AE7DDE8976EBB899BC4326F18823FE544EB3D5DABCCE458348
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E00444384(void* __eax, void* __ebx, void* __edi, void* __esi) {
              				char _v5;
              				intOrPtr* _v12;
              				long _v16;
              				char _v20;
              				char _v24;
              				long _t27;
              				char _t34;
              				void* _t62;
              				intOrPtr _t63;
              				intOrPtr _t70;
              				intOrPtr* _t71;
              				intOrPtr _t72;
              				intOrPtr _t75;
              				intOrPtr _t76;
              				void* _t82;
              				void* _t83;
              				intOrPtr _t84;
              
              				_t82 = _t83;
              				_t84 = _t83 + 0xffffffec;
              				_push(__esi);
              				_push(__edi);
              				_t62 = __eax;
              				_t27 = GetCurrentThreadId();
              				_t71 =  *0x5f8758; // 0x5f903c
              				if(_t27 !=  *_t71) {
              					_v24 = GetCurrentThreadId();
              					_v20 = 0;
              					_t70 =  *0x5f8224; // 0x40e398
              					E0041A4EC(_t62, _t70, 1, __edi, __esi, 0,  &_v24);
              					E0040619C();
              				}
              				if(_t62 <= 0) {
              					E00444350();
              				} else {
              					E0044435C(_t62);
              				}
              				_v16 = 0;
              				EnterCriticalSection(0x5fdf84);
              				_push(_t82);
              				_push(0x444566);
              				_push( *[fs:eax]);
              				 *[fs:eax] = _t84;
              				_v16 = InterlockedExchange(0x5f50f0, _v16);
              				_push(_t82);
              				_push(0x444547);
              				_push( *[fs:eax]);
              				 *[fs:eax] = _t84;
              				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
              					_t34 = 0;
              				} else {
              					_t34 = 1;
              				}
              				_v5 = _t34;
              				if(_v5 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
              					_pop(_t72);
              					 *[fs:eax] = _t72;
              					_push(E0044454E);
              					return E004056C4(_v16);
              				} else {
              					_v12 = E00439870(_v16, 0);
              					E00439708(_v16, 0);
              					LeaveCriticalSection(0x5fdf84);
              					_push(_t82);
              					_push(0x4444e9);
              					_push( *[fs:eax]);
              					 *[fs:eax] = _t84;
              					_push(_t82);
              					_push(0x4444aa);
              					_push( *[fs:eax]);
              					 *[fs:eax] = _t84;
              					_t63 =  *_v12;
              					if( *((short*)(_t63 + 0xa)) == 0) {
              						if( *((intOrPtr*)(_t63 + 0x10)) != 0) {
              							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_v12 + 0x10)))) + 0xc))();
              						}
              					} else {
              						 *((intOrPtr*)(_t63 + 8))();
              					}
              					_pop(_t75);
              					 *[fs:eax] = _t75;
              					_pop(_t76);
              					 *[fs:eax] = _t76;
              					_push(E004444F0);
              					EnterCriticalSection(0x5fdf84);
              					return 0;
              				}
              			}

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 0044438F
              • GetCurrentThreadId.KERNEL32 ref: 0044439E
                • Part of subcall function 00444350: ResetEvent.KERNEL32(00000248,004443D9,?,?,00000000), ref: 00444356
              • EnterCriticalSection.KERNEL32(005FDF84,?,?,00000000), ref: 004443E3
              • InterlockedExchange.KERNEL32(005F50F0,?), ref: 004443FF
              • LeaveCriticalSection.KERNEL32(005FDF84,00000000,00444547,?,005F50F0,?,00000000,00444566,?,005FDF84,?,?,00000000), ref: 00444458
              • EnterCriticalSection.KERNEL32(005FDF84,004444F0,005FDF84,00000000,00444547,?,005F50F0,?,00000000,00444566,?,005FDF84,?,?,00000000), ref: 004444E3
              Yara matches
              Similarity
              • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
              • String ID:
              • API String ID: 2189153385-0
              • Opcode ID: 9686c9dec95284c4efce4ee84408c2bd2cb1d1c7781ec85d89eef84daa1be2e7
              • Instruction ID: c69da50aac718a89266827c737ccad7b79465a9ffa9b4840dc2007a2fa45f162
              • Opcode Fuzzy Hash: 9686c9dec95284c4efce4ee84408c2bd2cb1d1c7781ec85d89eef84daa1be2e7
              • Instruction Fuzzy Hash: 6641D230604644AFE711DFA5D892B6EB7F4FB89704F6184A6F800E76A1C77CAD40CA29
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E00402D7C(signed int __eax) {
              				signed int __ebx;
              				signed int __edi;
              				signed int __esi;
              				intOrPtr* _t99;
              				signed int _t104;
              				signed int _t109;
              				signed int _t110;
              				intOrPtr* _t114;
              				void* _t116;
              				intOrPtr* _t121;
              				signed int _t125;
              				signed int _t129;
              				signed int _t131;
              				signed int _t132;
              				signed int _t133;
              				signed int _t134;
              				signed int _t135;
              				unsigned int _t141;
              				signed int _t142;
              				void* _t144;
              				intOrPtr* _t147;
              				intOrPtr _t148;
              				signed int _t150;
              				long _t156;
              				intOrPtr _t159;
              				signed int _t162;
              
              				_t129 =  *0x5f9055; // 0x0
              				if(__eax > 0xa2c) {
              					__eflags = __eax - 0x40a2c;
              					if(__eax > 0x40a2c) {
              						_pop(_t120);
              						__eflags = __eax;
              						if(__eax >= 0) {
              							_push(_t120);
              							_t162 = __eax;
              							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
              							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
              							if(_t121 != 0) {
              								_t147 = _t121;
              								 *((intOrPtr*)(_t147 + 8)) = _t162;
              								 *(_t147 + 0xc) = _t156 | 0x00000004;
              								E00402AE0();
              								_t99 =  *0x5fbad4; // 0x5fbad0
              								 *_t147 = 0x5fbad0;
              								 *0x5fbad4 = _t121;
              								 *((intOrPtr*)(_t147 + 4)) = _t99;
              								 *_t99 = _t121;
              								 *0x5fbacc = 0;
              								_t121 = _t121 + 0x10;
              							}
              							return _t121;
              						} else {
              							__eflags = 0;
              							return 0;
              						}
              					} else {
              						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
              						__eflags = _t129;
              						if(__eflags != 0) {
              							while(1) {
              								asm("lock cmpxchg [0x5f9a3c], ah");
              								if(__eflags == 0) {
              									goto L42;
              								}
              								asm("pause");
              								__eflags =  *0x5f98dd;
              								if(__eflags != 0) {
              									continue;
              								} else {
              									Sleep(0);
              									asm("lock cmpxchg [0x5f9a3c], ah");
              									if(__eflags != 0) {
              										Sleep(0xa);
              										continue;
              									}
              								}
              								goto L42;
              							}
              						}
              						L42:
              						_t141 = _t125 - 0xb30;
              						_t142 = _t141 >> 0xd;
              						_t131 = _t141 >> 8;
              						_t104 = 0xffffffff << _t131 &  *(0x5f9a4c + _t142 * 4);
              						__eflags = 0xffffffff;
              						if(0xffffffff == 0) {
              							_t132 = _t142;
              							__eflags = 0xfffffffe << _t132 &  *0x5f9a48;
              							if((0xfffffffe << _t132 &  *0x5f9a48) == 0) {
              								_t133 =  *0x5f9a44; // 0x38180
              								_t134 = _t133 - _t125;
              								__eflags = _t134;
              								if(_t134 < 0) {
              									_t109 = E00402A68(_t125);
              								} else {
              									_t110 =  *0x5f9a40; // 0x2498190
              									_t109 = _t110 - _t125;
              									 *0x5f9a40 = _t109;
              									 *0x5f9a44 = _t134;
              									 *(_t109 - 4) = _t125 | 0x00000002;
              								}
              								 *0x5f9a3c = 0;
              								return _t109;
              							} else {
              								asm("bsf edx, eax");
              								asm("bsf ecx, eax");
              								_t135 = _t132 | _t142 << 0x00000005;
              								goto L50;
              							}
              						} else {
              							asm("bsf eax, eax");
              							_t135 = _t131 & 0xffffffe0 | _t104;
              							L50:
              							_push(_t152);
              							_push(_t145);
              							_t148 = 0x5f9acc + _t135 * 8;
              							_t159 =  *((intOrPtr*)(_t148 + 4));
              							_t114 =  *((intOrPtr*)(_t159 + 4));
              							 *((intOrPtr*)(_t148 + 4)) = _t114;
              							 *_t114 = _t148;
              							__eflags = _t148 - _t114;
              							if(_t148 == _t114) {
              								asm("rol eax, cl");
              								_t80 = 0x5f9a4c + _t142 * 4;
              								 *_t80 =  *(0x5f9a4c + _t142 * 4) & 0xfffffffe;
              								__eflags =  *_t80;
              								if( *_t80 == 0) {
              									asm("btr [0x5f9a48], edx");
              								}
              							}
              							_t150 = 0xfffffff0 &  *(_t159 - 4);
              							_t144 = 0xfffffff0 - _t125;
              							__eflags = 0xfffffff0;
              							if(0xfffffff0 == 0) {
              								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
              								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
              								__eflags =  *_t89;
              							} else {
              								_t116 = _t125 + _t159;
              								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
              								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
              								__eflags = 0xfffffff0 - 0xb30;
              								if(0xfffffff0 >= 0xb30) {
              									E0040299C(_t116, 0xfffffffffffffff3, _t144);
              								}
              							}
              							 *(_t159 - 4) = _t125 + 2;
              							 *0x5f9a3c = 0;
              							return _t159;
              						}
              					}
              				} else {
              					__eflags = __cl;
              					__eax =  *(__edx + 0x5f98e4) & 0x000000ff;
              					__ebx = 0x5f4084 + ( *(__edx + 0x5f98e4) & 0x000000ff) * 8;
              					if(__eflags != 0) {
              						while(1) {
              							__eax = 0x100;
              							asm("lock cmpxchg [ebx], ah");
              							if(__eflags == 0) {
              								goto L5;
              							}
              							__ebx = __ebx + 0x20;
              							__eflags = __ebx;
              							__eax = 0x100;
              							asm("lock cmpxchg [ebx], ah");
              							if(__ebx != 0) {
              								__ebx = __ebx + 0x20;
              								__eflags = __ebx;
              								__eax = 0x100;
              								asm("lock cmpxchg [ebx], ah");
              								if(__ebx != 0) {
              									__ebx = __ebx - 0x40;
              									asm("pause");
              									__eflags =  *0x5f98dd;
              									if(__eflags != 0) {
              										continue;
              									} else {
              										Sleep(0);
              										__eax = 0x100;
              										asm("lock cmpxchg [ebx], ah");
              										if(__eflags != 0) {
              											Sleep(0xa);
              											continue;
              										}
              									}
              								}
              							}
              							goto L5;
              						}
              					}
              					L5:
              					__edx =  *(__ebx + 4);
              					__eax =  *(__edx + 8);
              					__ecx = 0xfffffff8;
              					__eflags = __edx - __ebx;
              					if(__edx == __ebx) {
              						__edx =  *(__ebx + 0x10);
              						__ecx =  *(__ebx + 2) & 0x0000ffff;
              						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
              						__eflags = __eax -  *(__ebx + 0xc);
              						if(__eax >  *(__ebx + 0xc)) {
              							_push(__esi);
              							_push(__edi);
              							__eflags =  *0x5f9055;
              							if(__eflags != 0) {
              								while(1) {
              									__eax = 0x100;
              									asm("lock cmpxchg [0x5f9a3c], ah");
              									if(__eflags == 0) {
              										goto L22;
              									}
              									asm("pause");
              									__eflags =  *0x5f98dd;
              									if(__eflags != 0) {
              										continue;
              									} else {
              										Sleep(0);
              										__eax = 0x100;
              										asm("lock cmpxchg [0x5f9a3c], ah");
              										if(__eflags != 0) {
              											Sleep(0xa);
              											continue;
              										}
              									}
              									goto L22;
              								}
              							}
              							L22:
              							 *(__ebx + 1) =  *(__ebx + 1) &  *0x5f9a48;
              							__eflags =  *(__ebx + 1) &  *0x5f9a48;
              							if(( *(__ebx + 1) &  *0x5f9a48) == 0) {
              								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
              								__edi =  *0x5f9a44; // 0x38180
              								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
              								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
              									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
              									__edi = __eax;
              									__eax = E00402A68(__eax);
              									__esi = __eax;
              									__eflags = __eax;
              									if(__eax != 0) {
              										goto L35;
              									} else {
              										 *0x5f9a3c = __al;
              										 *__ebx = __al;
              										_pop(__edi);
              										_pop(__esi);
              										_pop(__ebx);
              										return __eax;
              									}
              								} else {
              									__esi =  *0x5f9a40; // 0x2498190
              									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
              									__edx = __ecx + 0xb30;
              									__eflags = __edi - __ecx + 0xb30;
              									if(__edi >= __ecx + 0xb30) {
              										__edi = __ecx;
              									}
              									__esi = __esi - __edi;
              									 *0x5f9a44 =  *0x5f9a44 - __edi;
              									 *0x5f9a40 = __esi;
              									goto L35;
              								}
              							} else {
              								asm("bsf eax, esi");
              								__esi = __eax * 8;
              								__ecx =  *(0x5f9a4c + __eax * 4);
              								asm("bsf ecx, ecx");
              								__ecx =  *(0x5f9a4c + __eax * 4) + __eax * 8 * 4;
              								__edi = 0x5f9acc + ( *(0x5f9a4c + __eax * 4) + __eax * 8 * 4) * 8;
              								__esi =  *(__edi + 4);
              								__edx =  *(__esi + 4);
              								 *(__edi + 4) = __edx;
              								 *__edx = __edi;
              								__eflags = __edi - __edx;
              								if(__edi == __edx) {
              									__edx = 0xfffffffe;
              									asm("rol edx, cl");
              									_t38 = 0x5f9a4c + __eax * 4;
              									 *_t38 =  *(0x5f9a4c + __eax * 4) & 0xfffffffe;
              									__eflags =  *_t38;
              									if( *_t38 == 0) {
              										asm("btr [0x5f9a48], eax");
              									}
              								}
              								__edi = 0xfffffff0;
              								__edi = 0xfffffff0 &  *(__esi - 4);
              								__eflags = 0xfffffff0 - 0x10a60;
              								if(0xfffffff0 < 0x10a60) {
              									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
              									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
              									__eflags =  *_t52;
              								} else {
              									__edx = __edi;
              									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
              									__edx = __edx - __edi;
              									__eax = __edi + __esi;
              									__ecx = __edx + 3;
              									 *(__eax - 4) = __ecx;
              									 *(__edx + __eax - 8) = __edx;
              									__eax = E0040299C(__eax, __ecx, __edx);
              								}
              								L35:
              								_t56 = __edi + 6; // 0x38186
              								__ecx = _t56;
              								 *(__esi - 4) = _t56;
              								__eax = 0;
              								 *0x5f9a3c = __al;
              								 *__esi = __ebx;
              								 *((intOrPtr*)(__esi + 8)) = 0;
              								 *((intOrPtr*)(__esi + 0xc)) = 1;
              								 *(__ebx + 0x10) = __esi;
              								_t61 = __esi + 0x20; // 0x24981b0
              								__eax = _t61;
              								__ecx =  *(__ebx + 2) & 0x0000ffff;
              								__edx = __ecx + __eax;
              								 *(__ebx + 8) = __ecx + __eax;
              								__edi = __edi + __esi;
              								__edi = __edi - __ecx;
              								__eflags = __edi;
              								 *(__ebx + 0xc) = __edi;
              								 *__ebx = 0;
              								 *(__eax - 4) = __esi;
              								_pop(__edi);
              								_pop(__esi);
              								_pop(__ebx);
              								return __eax;
              							}
              						} else {
              							_t19 = __edx + 0xc;
              							 *_t19 =  *(__edx + 0xc) + 1;
              							__eflags =  *_t19;
              							 *(__ebx + 8) = __ecx;
              							 *__ebx = 0;
              							 *(__eax - 4) = __edx;
              							_pop(__ebx);
              							return __eax;
              						}
              					} else {
              						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
              						__ecx = 0xfffffff8 &  *(__eax - 4);
              						__eflags = 0xfffffff8;
              						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
              						 *(__eax - 4) = __edx;
              						if(0xfffffff8 == 0) {
              							__ecx =  *(__edx + 4);
              							 *(__ecx + 0x14) = __ebx;
              							 *(__ebx + 4) = __ecx;
              							 *__ebx = 0;
              							_pop(__ebx);
              							return __eax;
              						} else {
              							 *__ebx = 0;
              							_pop(__ebx);
              							return __eax;
              						}
              					}
              				}
              			}

              APIs
              • Sleep.KERNEL32(00000000), ref: 00402E33
              • Sleep.KERNEL32(0000000A,00000000), ref: 00402E49
              • Sleep.KERNEL32(00000000), ref: 00402E77
              • Sleep.KERNEL32(0000000A,00000000), ref: 00402E8D
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: bc163b27a2b7454aeec21b41af28ea74a4265ccd42585b500d1f30fc00346fa1
              • Instruction ID: 901ed75675c9fa0131dbcf5d6c122f60775655419388a81e3e428f4fec44c7b5
              • Opcode Fuzzy Hash: bc163b27a2b7454aeec21b41af28ea74a4265ccd42585b500d1f30fc00346fa1
              • Instruction Fuzzy Hash: 23C126B26016528FCB15CF29D988726BBE0BB95310F18827FD449DB3E5C7B89849DB84
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004FD038(void* __ecx) {
              				void* _v4;
              				int _t3;
              				void* _t4;
              				intOrPtr _t10;
              				struct HHOOK__* _t12;
              				void* _t16;
              				void* _t17;
              
              				if( *0x5fe308 != 0) {
              					_t12 =  *0x5fe308; // 0x0
              					UnhookWindowsHookEx(_t12);
              				}
              				 *0x5fe308 = 0;
              				_t3 = InterlockedExchange(0x5fe30c, 0);
              				_v4 = _t3;
              				if(_v4 != 0) {
              					_t4 =  *0x5fe304; // 0x0
              					SetEvent(_t4);
              					if(GetCurrentThreadId() !=  *0x5fe300) {
              						while(MsgWaitForMultipleObjects(1,  &_v4, 0, 0xffffffff, 0xff) != 0) {
              							_t10 =  *0x5fe2f0; // 0x0
              							E004FF030(_t10, _t16, _t17);
              						}
              					}
              					_t3 = CloseHandle(_v4);
              				}
              				return _t3;
              			}

              APIs
              • UnhookWindowsHookEx.USER32(00000000), ref: 004FD048
              • InterlockedExchange.KERNEL32(005FE30C,00000000), ref: 004FD05B
              • SetEvent.KERNEL32(00000000,005FE30C,00000000,?,005003A6,00000000,004FEDAF,?,?,?,?,004FEFB5,?,00000000,00000200,0000020E), ref: 004FD06F
              • GetCurrentThreadId.KERNEL32 ref: 004FD074
              • MsgWaitForMultipleObjects.USER32 ref: 004FD09D
              • CloseHandle.KERNEL32(00000000,00000000,005FE30C,00000000,?,005003A6,00000000,004FEDAF,?,?,?,?,004FEFB5,?,00000000,00000200), ref: 004FD0AA
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: CloseCurrentEventExchangeHandleHookInterlockedMultipleObjectsThreadUnhookWaitWindows
              • String ID:
              • API String ID: 2988543691-0
              • Opcode ID: 0b3049eca12eaa3f3c1e19cf7f1201434f1706d3c75d4c58d96687801ff2b72e
              • Instruction ID: 08c81aaa46083846217157296d4431b422eb244011a87bdf34e2391f1e320e1d
              • Opcode Fuzzy Hash: 0b3049eca12eaa3f3c1e19cf7f1201434f1706d3c75d4c58d96687801ff2b72e
              • Instruction Fuzzy Hash: B4F03171614204DEDA21BBA5DC8AB3A32996B1070CF100D2AB250D71F2DA7CA485D61A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00407E80(signed int __eax, void* __edx) {
              				short _v530;
              				short _v1052;
              				short _v1056;
              				short _v1058;
              				signed int _t20;
              				void* _t24;
              				WCHAR* _t25;
              
              				_t25 =  &_v1052;
              				_t24 = __edx;
              				_t20 = __eax;
              				if(__eax != 0) {
              					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
              					_v1058 = 0x3a;
              					_v1056 = 0;
              					GetCurrentDirectoryW(0x105,  &_v530);
              					SetCurrentDirectoryW(_t25);
              				}
              				GetCurrentDirectoryW(0x105,  &_v1052);
              				if(_t20 != 0) {
              					SetCurrentDirectoryW( &_v530);
              				}
              				return E0040753C(_t24, 0x105,  &_v1052);
              			}

              APIs
              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 00407EB7
              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00407EBD
              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 00407ECC
              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00407EDD
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Similarity
              • API ID: CurrentDirectory
              • String ID: :
              • API String ID: 1611563598-336475711
              • Opcode ID: 7c90f6028e72857919db8656c8c1600cf4daf286838ad10055f0cdca4933644a
              • Instruction ID: 5f7c0f209126d2fef4456d8228765a5d9a9dec84fdd4e12a63a1e3be5d17b218
              • Opcode Fuzzy Hash: 7c90f6028e72857919db8656c8c1600cf4daf286838ad10055f0cdca4933644a
              • Instruction Fuzzy Hash: 76F0CD615496556AD314E7548C66AEB729CEF44304F00882FB6C8D72D1E6BC888897AB
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 97%
              			E00403C3C(void* __eax, void* __fp0) {
              				void* _v8;
              				char _v110600;
              				char _v112644;
              				char _v112645;
              				signed int _v112652;
              				char _v112653;
              				char _v112654;
              				char _v112660;
              				intOrPtr _v112664;
              				intOrPtr _v112668;
              				intOrPtr _v112672;
              				signed short* _v112676;
              				void* _v112680;
              				char _v129064;
              				char _v131113;
              				char _v161832;
              				void* __ebx;
              				void* _t70;
              				int _t76;
              				intOrPtr _t79;
              				intOrPtr _t90;
              				CHAR* _t94;
              				intOrPtr _t96;
              				void* _t106;
              				intOrPtr _t107;
              				intOrPtr _t113;
              				intOrPtr _t118;
              				void* _t128;
              				intOrPtr _t129;
              				intOrPtr _t133;
              				signed int _t143;
              				int _t147;
              				intOrPtr _t148;
              				char* _t150;
              				char* _t151;
              				char* _t152;
              				char* _t153;
              				char* _t154;
              				char* _t155;
              				char* _t157;
              				char* _t158;
              				char* _t163;
              				char* _t164;
              				intOrPtr _t195;
              				void* _t197;
              				void* _t198;
              				intOrPtr* _t201;
              				void* _t203;
              				void* _t204;
              				signed int _t209;
              				void* _t212;
              				void* _t213;
              				void* _t226;
              
              				_push(__eax);
              				_t70 = 0x27;
              				goto L1;
              				L12:
              				while(_t195 != 0x5f9a2c) {
              					_t76 = E00403668(_t195, _t147, _t180);
              					_t147 = _t76;
              					__eflags = _t147;
              					if(_t147 == 0) {
              						L11:
              						_t20 = _t195 + 4; // 0x5f9a2c
              						_t195 =  *_t20;
              						continue;
              					} else {
              						goto L4;
              					}
              					do {
              						L4:
              						_t209 =  *(_t147 - 4);
              						__eflags = _t209 & 0x00000001;
              						if((_t209 & 0x00000001) == 0) {
              							__eflags = _t209 & 0x00000004;
              							if(__eflags == 0) {
              								__eflags = _v112652 - 0x1000;
              								if(_v112652 < 0x1000) {
              									_v112664 = (_t209 & 0xfffffff0) - 4;
              									_t143 = E00403A24(_t147);
              									__eflags = _t143;
              									if(_t143 == 0) {
              										_v112645 = 0;
              										_t180 = _v112664;
              										 *((intOrPtr*)(_t212 + _v112652 * 4 - 0x1f824)) = _v112664;
              										_t18 =  &_v112652;
              										 *_t18 = _v112652 + 1;
              										__eflags =  *_t18;
              									}
              								}
              							} else {
              								E00403A7C(_t147, __eflags, _t212);
              							}
              						}
              						_t76 = E00403644(_t147);
              						_t147 = _t76;
              						__eflags = _t147;
              					} while (_t147 != 0);
              					goto L11;
              				}
              				_t148 =  *0x5fbad4; // 0x5fbad0
              				while(_t148 != 0x5fbad0 && _v112652 < 0x1000) {
              					_t76 = E00403A24(_t148 + 0x10);
              					__eflags = _t76;
              					if(_t76 == 0) {
              						_v112645 = 0;
              						_t22 = _t148 + 0xc; // 0x0
              						_t76 = _v112652;
              						 *((intOrPtr*)(_t212 + _t76 * 4 - 0x1f824)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
              						_t27 =  &_v112652;
              						 *_t27 = _v112652 + 1;
              						__eflags =  *_t27;
              					}
              					_t29 = _t148 + 4; // 0x5fbad0
              					_t148 =  *_t29;
              				}
              				if(_v112645 != 0) {
              					L50:
              					return _t76;
              				}
              				_v112653 = 0;
              				_v112668 = 0;
              				_t79 =  *0x5f4060; // 0x4026f0
              				_t150 = E00403800(E00406CBC(_t79),  &_v161832);
              				_v112660 = 0x37;
              				_v112676 = 0x5f4086;
              				_v112680 =  &_v110600;
              				do {
              					_v112672 = ( *_v112676 & 0x0000ffff) - 4;
              					_v112654 = 0;
              					_t197 = 0xff;
              					_t201 = _v112680;
              					while(_t150 <=  &_v131113) {
              						if( *_t201 > 0) {
              							if(_v112653 == 0) {
              								_t133 =  *0x5f4064; // 0x40271c
              								_t150 = E00403800(E00406CBC(_t133), _t150);
              								_v112653 = 1;
              							}
              							if(_v112654 != 0) {
              								 *_t150 = 0x2c;
              								_t155 = _t150 + 1;
              								 *_t155 = 0x20;
              								_t156 = _t155 + 1;
              								__eflags = _t155 + 1;
              							} else {
              								 *_t150 = 0xd;
              								 *((char*)(_t150 + 1)) = 0xa;
              								_t163 = E004036E4(_v112668 + 1, _t150 + 2);
              								 *_t163 = 0x20;
              								_t164 = _t163 + 1;
              								 *_t164 = 0x2d;
              								 *((char*)(_t164 + 1)) = 0x20;
              								_t128 = E004036E4(_v112672, _t164 + 2);
              								_t129 =  *0x5f406c; // 0x402784
              								_t156 = E00403800(E00406CBC(_t129), _t128);
              								_v112654 = 1;
              							}
              							_t106 = _t197 - 1;
              							_t226 = _t106;
              							if(_t226 < 0) {
              								_t107 =  *0x5f4070; // 0x402790
              								_t157 = E00403800(E00406CBC(_t107), _t156);
              							} else {
              								if(_t226 == 0) {
              									_t113 =  *0x5f4074; // 0x402798
              									_t157 = E00403800(E00406CBC(_t113), _t156);
              								} else {
              									if(_t106 == 1) {
              										_t118 =  *0x5f4078; // 0x4027a4
              										_t157 = E00403800(E00406CBC(_t118), _t156);
              									} else {
              										_t157 = E00403818( *((intOrPtr*)(_t201 - 4)), _t156);
              									}
              								}
              							}
              							 *_t157 = 0x20;
              							_t158 = _t157 + 1;
              							 *_t158 = 0x78;
              							 *((char*)(_t158 + 1)) = 0x20;
              							_t150 = E004036E4( *_t201, _t158 + 2);
              						}
              						_t197 = _t197 - 1;
              						_t201 = _t201 - 8;
              						if(_t197 != 0xffffffff) {
              							continue;
              						} else {
              							goto L39;
              						}
              					}
              					L39:
              					_v112668 = _v112672;
              					_v112680 = _v112680 + 0x800;
              					_v112676 =  &(_v112676[0x10]);
              					_t57 =  &_v112660;
              					 *_t57 = _v112660 - 1;
              				} while ( *_t57 != 0);
              				if(_v112652 <= 0) {
              					L49:
              					_t90 =  *0x5f407c; // 0x4027b4
              					E00403800(E00406CBC(_t90), _t150);
              					_t94 =  *0x5f4080; // 0x4027b8
              					_t76 = MessageBoxA(0,  &_v161832, _t94, 0x2010);
              					goto L50;
              				}
              				if(_v112653 != 0) {
              					 *_t150 = 0xd;
              					_t152 = _t150 + 1;
              					 *_t152 = 0xa;
              					_t153 = _t152 + 1;
              					 *_t153 = 0xd;
              					_t154 = _t153 + 1;
              					 *_t154 = 0xa;
              					_t150 = _t154 + 1;
              				}
              				_t96 =  *0x5f4068; // 0x402744
              				_t150 = E00403800(E00406CBC(_t96), _t150);
              				_t203 = _v112652 - 1;
              				if(_t203 >= 0) {
              					_t204 = _t203 + 1;
              					_t198 = 0;
              					_v112680 =  &_v129064;
              					L45:
              					L45:
              					if(_t198 != 0) {
              						 *_t150 = 0x2c;
              						_t151 = _t150 + 1;
              						 *_t151 = 0x20;
              						_t150 = _t151 + 1;
              					}
              					_t150 = E004036E4( *_v112680, _t150);
              					if(_t150 >  &_v131113) {
              						goto L49;
              					}
              					_t198 = _t198 + 1;
              					_v112680 = _v112680 + 4;
              					_t204 = _t204 - 1;
              					if(_t204 != 0) {
              						goto L45;
              					}
              				}
              				L1:
              				_t213 = _t213 + 0xfffff004;
              				_push(_t70);
              				_t70 = _t70 - 1;
              				if(_t70 != 0) {
              					goto L1;
              				} else {
              					_push(_t147);
              					E00404CFC( &_v112644, 0x1b800);
              					_t180 = 0x4000;
              					E00404CFC( &_v129064, 0x4000);
              					_t76 = 0;
              					_v112652 = 0;
              					_v112645 = 1;
              					_t195 =  *0x5f9a30; // 0x5f9a2c
              					goto L12;
              				}
              			}

              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Similarity
              • API ID: Message
              • String ID: $7$D'@
              • API String ID: 2030045667-691481556
              • Opcode ID: 7df3df3de95ef1d4406de00f62b449a38d5d7d684d6bb8d7baf3bdbdb16cea10
              • Instruction ID: 9109db9605610be43478b86f27a34e1b289cb263786a01ee37ef2c10b737f63a
              • Opcode Fuzzy Hash: 7df3df3de95ef1d4406de00f62b449a38d5d7d684d6bb8d7baf3bdbdb16cea10
              • Instruction Fuzzy Hash: 24B1D730B042548BDB21EF2DC884B997BE8AB19305F1441FAE549EB381CF799E85CB59
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040E6D0() {
              				struct HINSTANCE__* _t6;
              				struct HINSTANCE__* _t8;
              				intOrPtr* _t11;
              				struct HRSRC__* _t15;
              				void* _t16;
              				intOrPtr _t27;
              
              				_t6 =  *0x5fbc40; // 0x400000
              				_t15 = FindResourceW(_t6, L"CHARTABLE", 0xa);
              				if(_t15 == 0) {
              					E0041C990();
              				}
              				_t8 =  *0x5fbc40; // 0x400000
              				_t16 = LoadResource(_t8, _t15);
              				if(_t16 == 0) {
              					E0041C990();
              				}
              				 *0x5fbc64 = LockResource(_t16);
              				if( *0x5fbc64 == 0) {
              					E0041C990();
              				}
              				_t11 =  *0x5fbc64;
              				_t27 =  *0x5fbc64;
              				 *0x5fbc68 = _t27 +  *_t11;
              				 *0x5fbc6c = _t27 +  *((intOrPtr*)(_t11 + 4));
              				 *0x5fbc70 = _t27 +  *((intOrPtr*)(_t11 + 8));
              				 *0x5fbc74 = _t27 +  *((intOrPtr*)(_t11 + 0xc));
              				 *0x5fbc78 = _t27 +  *((intOrPtr*)(_t11 + 0x10));
              				 *0x5fbc7c = _t27 +  *((intOrPtr*)(_t11 + 0x14));
              				return _t11;
              			}

              APIs
              • FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040E58C), ref: 0040E6E4
              • LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040E58C), ref: 0040E6FB
              • LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040E58C), ref: 0040E70C
                • Part of subcall function 0041C990: GetLastError.KERNEL32(0040E71D,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040E58C), ref: 0041C990
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Similarity
              • API ID: Resource$ErrorFindLastLoadLock
              • String ID: CHARTABLE
              • API String ID: 1074440638-2668339182
              • Opcode ID: acd942ef9ea48e169c24bc4e25eca0d5f4643b9f8b675a408faa8bbcc4d43b2f
              • Instruction ID: 4114eee9ebcc54b1dd85ffe10355466ea085f0f3c232e8f595c5486aabf77f2e
              • Opcode Fuzzy Hash: acd942ef9ea48e169c24bc4e25eca0d5f4643b9f8b675a408faa8bbcc4d43b2f
              • Instruction Fuzzy Hash: 20018BB0640302CFE708EF6AD8D0E6A33A5AB68314719593EE145977A1CF3C9C04CB14
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E00422940(signed short* __eax) {
              				char _v260;
              				char _v768;
              				char _v772;
              				signed short* _v780;
              				signed short* _v784;
              				char _v788;
              				signed int _v792;
              				char _v796;
              				intOrPtr* _v800;
              				signed char _t43;
              				intOrPtr* _t60;
              				void* _t79;
              				void* _t81;
              				void* _t84;
              				void* _t85;
              				intOrPtr* _t92;
              				void* _t96;
              				char* _t97;
              				void* _t98;
              
              				_v780 = __eax;
              				if((_v780[0] & 0x00000020) == 0) {
              					E00422788(0x80070057);
              				}
              				_t43 =  *_v780 & 0x0000ffff;
              				if((_t43 & 0x00000fff) == 0xc) {
              					if((_t43 & 0x00000040) == 0) {
              						_v784 = _v780[4];
              					} else {
              						_v784 =  *(_v780[4]);
              					}
              					_v792 =  *_v784 & 0x0000ffff;
              					_t79 = _v792 - 1;
              					if(_t79 >= 0) {
              						_t85 = _t79 + 1;
              						_t96 = 0;
              						_t97 =  &_v772;
              						do {
              							_v800 = _t97;
              							_push(_v800 + 4);
              							_t22 = _t96 + 1; // 0x1
              							_push(_v784);
              							L00420D44();
              							E00422788(_v784);
              							_push( &_v788);
              							_t25 = _t96 + 1; // 0x1
              							_push(_v784);
              							L00420D4C();
              							E00422788(_v784);
              							 *_v800 = _v788 -  *((intOrPtr*)(_v800 + 4)) + 1;
              							_t96 = _t96 + 1;
              							_t97 = _t97 + 8;
              							_t85 = _t85 - 1;
              						} while (_t85 != 0);
              					}
              					_t81 = _v792 - 1;
              					if(_t81 >= 0) {
              						_t84 = _t81 + 1;
              						_t60 =  &_v768;
              						_t92 =  &_v260;
              						do {
              							 *_t92 =  *_t60;
              							_t92 = _t92 + 4;
              							_t60 = _t60 + 8;
              							_t84 = _t84 - 1;
              						} while (_t84 != 0);
              						do {
              							goto L12;
              						} while (E004228E4(_t83, _t98) != 0);
              						goto L15;
              					}
              					L12:
              					_t83 = _v792 - 1;
              					if(E004228B4(_v792 - 1, _t98) != 0) {
              						_push( &_v796);
              						_push( &_v260);
              						_push(_v784);
              						L00420D74();
              						E00422788(_v784);
              						E00422B50(_v796);
              					}
              				}
              				L15:
              				_push(_v780);
              				L004208D4();
              				return E00422788(_v780);
              			}

              APIs
              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004229EF
              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00422A0B
              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00422A82
              • VariantClear.OLEAUT32(?), ref: 00422AAB
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Similarity
              • API ID: ArraySafe$Bound$ClearIndexVariant
              • String ID:
              • API String ID: 920484758-0
              • Opcode ID: 145f7cdbb2c605af129b9540a9061aabb24af1ca7241294528613f58e48e3eed
              • Instruction ID: d22b4ce511593c0c67cb2c4a973cde0e2e2fe87c3b587ec89ab382e969633179
              • Opcode Fuzzy Hash: 145f7cdbb2c605af129b9540a9061aabb24af1ca7241294528613f58e48e3eed
              • Instruction Fuzzy Hash: 42412E75B0022EAFCB61DB59D980BD9B3FCAF48304F8041DAA548E7212D678AF818F54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E00409680(signed short __eax, void* __edx) {
              				char _v8;
              				char _v12;
              				intOrPtr _v16;
              				signed int _v20;
              				short _v22;
              				short _v24;
              				char _v26;
              				char _v32;
              				void* _t40;
              				void* _t56;
              				void* _t60;
              				short* _t63;
              				signed short _t67;
              				void* _t68;
              				void* _t69;
              				intOrPtr _t70;
              				signed short _t82;
              				void* _t84;
              
              				_t84 = __edx;
              				_t67 = __eax;
              				_v16 = 0;
              				if(__eax !=  *0x5fbb54()) {
              					_v16 = E0040963C( &_v8);
              					_t82 = _t67;
              					_v20 = 3;
              					_t63 =  &_v26;
              					do {
              						_t70 =  *0x5f49e8; // 0x0
              						 *_t63 =  *(_t70 + (_t82 & 0xf) + 1 - 1) & 0x000000ff;
              						_t82 = (_t82 & 0x0000ffff) >> 4;
              						_v20 = _v20 - 1;
              						_t63 = _t63 - 2;
              					} while (_v20 != 0xffffffff);
              					_v24 = 0;
              					_v22 = 0;
              					 *0x5fbb50(4,  &_v32,  &_v20);
              				}
              				_t40 = E0040963C( &_v12);
              				_t68 = _t40;
              				if(_t68 != 0) {
              					_t56 = _v12 - 2;
              					if(_t56 >= 0) {
              						_t60 = _t56 + 1;
              						_v20 = 0;
              						do {
              							if( *((short*)(_t68 + _v20 * 2)) == 0) {
              								 *((short*)(_t68 + _v20 * 2)) = 0x2c;
              							}
              							_v20 = _v20 + 1;
              							_t60 = _t60 - 1;
              						} while (_t60 != 0);
              					}
              					E00407500(_t84, _t68);
              					_t40 = E004042A4(_t68);
              				}
              				if(_v16 != 0) {
              					 *0x5fbb50(0, 0,  &_v20);
              					_t69 = E0040963C( &_v12);
              					if(_v8 != _v12 || E00409618(_v16, _v12, _t69) != 0) {
              						 *0x5fbb50(8, _v16,  &_v20);
              					}
              					E004042A4(_t69);
              					return E004042A4(_v16);
              				}
              				return _t40;
			}

              Disassembly listing (addresses 0x00409688 through 0x0040979d): only the address column survived extraction; the instruction text is not on this page.

              APIs
              • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00409691
              • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 004096F3
              • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00409750
              • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00409783
                • Part of subcall function 0040963C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00409701), ref: 00409653
                • Part of subcall function 0040963C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00409701), ref: 00409670
              Memory Dump Source
              • Source File: 00000000.00000002.1136213144.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1136199741.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137100827.00000000005F4000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137128686.00000000005F8000.00000008.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137142838.00000000005F9000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137156525.00000000005FD000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137166861.0000000000601000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137181555.0000000000603000.00000008.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137205269.0000000000605000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.1137218576.0000000000607000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_EasyEPD.jbxd
              Yara matches
              Similarity
              • API ID: Thread$LanguagesPreferred$Language
              • String ID:
              • API String ID: 2255706666-0
              • Opcode ID: 49f0be0542ff4f3e91d2cf92b91c5e31d37aba510cac0822f4cb9f5165e9e787
              • Instruction ID: 2a288eea4ccd67f63a94fa0aba5c29fd06f97239c55abe08770080f570693e25
              • Opcode Fuzzy Hash: 49f0be0542ff4f3e91d2cf92b91c5e31d37aba510cac0822f4cb9f5165e9e787
              • Instruction Fuzzy Hash: 36318970A1021A9BDB00EFA9C880AAEB3B8FF44304F00457AE910E72D6D7789E09CB54
              Uniqueness

              Uniqueness Score: -1.00%
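The two loops in the decompiled E00409680 above are easy to misread, so here is a Python model of them that can be checked against the decompiler output by hand. This is an added example, not code from the sample or from the Joe Sandbox report; the contents of the lookup table at 0x5f49e8 (assumed to be the hex digit string) and the function names are assumptions. The flag values 4 and 8 that the decompilation passes to SetThreadPreferredUILanguages are the Windows constants MUI_LANGUAGE_ID and MUI_LANGUAGE_NAME, and 0x38 passed to GetThreadPreferredUILanguages in the subcall is MUI_LANGUAGE_NAME with both merge-fallback flags, so the sequence sets the thread UI language from a LANGID, reads the resulting preferred-language list back as a MULTI_SZ, and then reinstalls the previously saved name list if it differs.

```python
# Added example: a Python model of two loops in the decompiled E00409680,
# written so the decompiler output can be checked by hand. It is not code
# from the sample or from the Joe Sandbox report. The table contents at
# 0x5f49e8 and the function names below are assumptions.

HEX_TABLE = "0123456789ABCDEF"  # assumed contents of the table at 0x5f49e8

# Windows MUI flag values seen in the SetThreadPreferredUILanguages calls
MUI_LANGUAGE_ID = 0x4    # the 4 passed together with the 4-digit hex string
MUI_LANGUAGE_NAME = 0x8  # the 8 passed when the saved list is reinstalled


def langid_to_hex(langid: int) -> str:
    """Model the first do/while loop.

    _v20 starts at 3 and the loop runs until it wraps to 0xffffffff, so
    there are four iterations. Each stores the low nibble of _t82 and
    moves the output pointer (_t63) down one WCHAR, so the least
    significant nibble lands in the last of the four slots. Only the
    low 16 bits of the input take part (_t82 & 0xffff).
    """
    digits = [""] * 4
    value = langid & 0xFFFF
    for slot in range(3, -1, -1):
        digits[slot] = HEX_TABLE[value & 0xF]
        value >>= 4
    return "".join(digits)


def multisz_to_csv(buf: str) -> str:
    """Model the second loop over the MULTI_SZ buffer (length _v12) that
    the GetThreadPreferredUILanguages subcall filled.

    _t56 = _v12 - 2 is the guard; the counter _t60 = _t56 + 1 gives
    _v12 - 1 iterations over indices 0 .. _v12 - 2. Every NUL in that
    range is rewritten as a comma and the final terminator is left
    alone. For _v12 < 2 the loop body never executes.
    """
    chars = list(buf)
    for i in range(len(chars) - 1):
        if chars[i] == "\0":
            chars[i] = ","
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs, not values captured from the sample.
    print(langid_to_hex(0x0409))                  # en-US LANGID
    print(repr(multisz_to_csv("en-US\0de-DE\0\0")))
```

The trailing comma before the final NUL in the second result is what the decompiled loop actually produces for a double-terminated MULTI_SZ; whether a caller strips it is not visible in this function.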

              C-Code - Quality: 95%
              			E004FDBC8(struct HWND__* _a4, intOrPtr _a8) {
              				long _v8;
              				intOrPtr _t21;
              				intOrPtr _t22;
              				intOrPtr _t24;
              				intOrPtr _t31;
              				signed int _t33;
              				intOrPtr _t34;
              				intOrPtr _t37;
              				intOrPtr _t40;
              				struct HWND__* _t43;
              				intOrPtr _t46;
              				signed int _t50;
              				signed int _t51;
              				struct HWND__* _t52;
              
              				_t52 = _a4;
              				_t51 = _t50 | 0xffffffff;
              				_t43 = GetWindow(_t52, 4);
              				if(_t43 == 0) {
              					L3:
              					_v8 = 0;
              					L4:
              					if(GetCurrentProcessId() == _v8) {
              						_t34 =  *0x5fe2f0; // 0x0
              						if(E004398D8( *((intOrPtr*)(_t34 + 0x98)), _t43) < 0) {
              							_t37 =  *0x5fe2f0; // 0x0
              							E004396B0( *((intOrPtr*)(_t37 + 0x98)), _t43);
              						}
              					}
              					if(_t43 != 0) {
              						_t21 =  *0x5fe2f0; // 0x0
              						if(_t52 !=  *((intOrPtr*)(_t21 + 0x170))) {
              							_t22 =  *0x5fe2f0; // 0x0
              							if(_t43 ==  *((intOrPtr*)(_t22 + 0x170)) && _t52 != _a8 && IsWindowVisible(_t52) != 0) {
              								_t24 =  *0x5fe2f0; // 0x0
              								_push(E00408BA0( *((intOrPtr*)(_t24 + 0xd8))) + 1);
              								E00408D68();
              								_t31 =  *0x5fe2f0; // 0x0
              								_t33 = E00408BA0( *((intOrPtr*)(_t31 + 0xd8)));
              								_t46 =  *0x5fe2f0; // 0x0
              								 *( *((intOrPtr*)(_t46 + 0xd8)) + _t33 * 4 - 4) = _t52;
              							}
              						}
              					}
              					return _t51;
              				}
              				_t40 =  *0x5fe2f0; // 0x0
              				if(_t43 ==  *((intOrPtr*)(_t40 + 0x170))) {
              					goto L3;
              				} else {
              					GetWindowThreadProcessId(_t43,  &_v8);
              					goto L4;
              				}
			}

              Disassembly listing (addresses 0x004fdbcf through 0x004fdcb6): only the address column survived extraction; the instruction text is not on this page.

              APIs
              • GetWindow.USER32(?,00000004), ref: 004FDBD8
              • GetWindowThreadProcessId.USER32(?,?), ref: 004FDBF5
              • GetCurrentProcessId.KERNEL32(?,00000004), ref: 004FDC01
              • IsWindowVisible.USER32(?), ref: 004FDC57
              Yara matches
              Similarity
              • API ID: Window$Process$CurrentThreadVisible
              • String ID:
              • API String ID: 3926708836-0
              • Opcode ID: 6e8d70ca075c1c2c011dfc33a983abce96ac9874ec24c2a2ecce433f6abe7d96
              • Instruction ID: c8c6961a9afac27fbfa77e536af5494efbf8cb47fd50af8604094f7ac2d6738b
              • Opcode Fuzzy Hash: 6e8d70ca075c1c2c011dfc33a983abce96ac9874ec24c2a2ecce433f6abe7d96
              • Instruction Fuzzy Hash: 21219C35700245DFC610EB69D8C2EBA33AABB54314F144176F908D73A2DA78AC45D799
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004FE7D4(void* __eax, void* __ecx) {
              				long _t26;
              				int _t40;
              				int _t42;
              				void* _t51;
              				void* _t52;
              
              				_t52 = __ecx;
              				_t51 = __eax;
              				_t26 = E004F2B08( *((intOrPtr*)(__eax + 0x170)));
              				if(_t26 != 0) {
              					L15:
              					return _t26;
              				}
              				E004FDAFC();
              				if( *((char*)(_t51 + 0xd3)) == 0) {
              					SetActiveWindow( *(_t51 + 0x170));
              				}
              				 *((char*)(_t51 + 0x34)) = 1;
              				E004FDCBC(_t51, _t52, 0);
              				if( *((char*)(_t51 + 0xd3)) == 0) {
              					__eflags =  *(_t51 + 0x44);
              					if(__eflags == 0) {
              						L12:
              						_t26 = E004FD110( *(_t51 + 0x170), 6, __eflags);
              						goto L13;
              					}
              					__eflags =  *((char*)(_t51 + 0x5b));
              					if( *((char*)(_t51 + 0x5b)) != 0) {
              						L10:
              						__eflags = IsWindowEnabled(E004D83DC( *(_t51 + 0x44)));
              						if(__eflags == 0) {
              							goto L12;
              						}
              						_t40 = E004F5364( *(_t51 + 0x44));
              						_t42 = E004F5344( *(_t51 + 0x44));
              						SetWindowPos( *(_t51 + 0x170), E004D83DC( *(_t51 + 0x44)), _t42, _t40,  *( *(_t51 + 0x44) + 0x48), 0, 0x40);
              						_t26 = DefWindowProcW( *(_t51 + 0x170), 0x112, 0xf020, 0);
              						goto L13;
              					}
              					__eflags =  *((char*)( *(_t51 + 0x44) + 0x59));
              					if(__eflags == 0) {
              						goto L12;
              					}
              					goto L10;
              				} else {
              					_t26 =  *(_t51 + 0x44);
              					if(_t26 == 0) {
              						 *((char*)(_t51 + 0xdc)) = 1;
              					} else {
              						_t26 = E004F71C4(_t26, 1);
              					}
              					L13:
              					if( *((short*)(_t51 + 0x14a)) == 0) {
              						goto L15;
              					}
              					return  *((intOrPtr*)(_t51 + 0x148))();
              				}
			}

              Disassembly listing (addresses 0x004fe7d4 through 0x004fe8d7): only the address column survived extraction; the instruction text is not on this page.

              APIs
              • SetActiveWindow.USER32(?,005FE2F0,004FF334), ref: 004FE801
              Yara matches
              Similarity
              • API ID: ActiveWindow
              • String ID:
              • API String ID: 2558294473-0
              • Opcode ID: 356e24ba302c69361e66d8eebeb64ec1d826bfddee3d4e6bd95afead801caae8
              • Instruction ID: 81b9b822c22eb10e4995b261473f664763cd2a87e227313279509cace8680ae5
              • Opcode Fuzzy Hash: 356e24ba302c69361e66d8eebeb64ec1d826bfddee3d4e6bd95afead801caae8
              • Instruction Fuzzy Hash: 23213070A042489BDB25FE6AC9C5BA637956F04345F0800BBBF089F2ABD66DD841D729
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E0040AD6A(CHAR* _a4) {
              				void* _t10;
              				intOrPtr* _t11;
              				CHAR* _t14;
              
              				_t14 = _a4;
              				EnterCriticalSection(0x5fbc24);
              				if(_t14 == 0) {
              					while( *0x5f49ec != 0) {
              						E0040AD23( *0x5f49ec);
              					}
              					_t10 = 1;
              				} else {
              					_t11 =  *0x5f49ec;
              					if(0x5f49ec != 0) {
              						while(lstrcmpiA(_t14,  *( *((intOrPtr*)(_t11 + 4)) + 4)) != 0) {
              							_t11 =  *_t11;
              							if(_t11 != 0) {
              								continue;
              							}
              							goto L5;
              						}
              					}
              					L5:
              					_t10 = E0040AD23(_t11);
              				}
              				LeaveCriticalSection(0x5fbc24);
              				return _t10;
			}

              Disassembly listing (addresses 0x0040ad6f through 0x0040add1): only the address column survived extraction; the instruction text is not on this page.

              APIs
              • EnterCriticalSection.KERNEL32(005FBC24), ref: 0040AD7C
              • lstrcmpiA.KERNEL32(?,?,005FBC24), ref: 0040AD92
              • LeaveCriticalSection.KERNEL32(005FBC24,005FBC24), ref: 0040ADC7
              Strings
              Yara matches
              Similarity
              • API ID: CriticalSection$EnterLeavelstrcmpi
              • String ID: I_
              • API String ID: 2420758022-1046359221
              • Opcode ID: 80c714e8b099879616627bfa8730fcc8ed1e49bdc40fde5e8b907aa2d27135fc
              • Instruction ID: fcc671c1d1f14f781d64d0afb97dc4ba64fefff12c7e6219ed81e2c964544343
              • Opcode Fuzzy Hash: 80c714e8b099879616627bfa8730fcc8ed1e49bdc40fde5e8b907aa2d27135fc
              • Instruction Fuzzy Hash: 2EF062356143159BEF106A91C8C1B67778A9F15715B04443BBA007F6C2CABC8C2047AB
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E004CB990(struct HWND__* __eax, void* __ecx) {
              				intOrPtr _t5;
              				struct HWND__* _t12;
              				void* _t15;
              				DWORD* _t16;
              
              				_t13 = __ecx;
              				_push(__ecx);
              				_t12 = __eax;
              				_t15 = 0;
              				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
              					_t5 =  *0x5fe268; // 0x0
              					if(GlobalFindAtomW(E004073E0(_t5)) !=  *0x5fe262) {
              						_t15 = E004CB95C(_t12, _t13);
              					} else {
              						_t15 = GetPropW(_t12,  *0x5fe262 & 0x0000ffff);
              					}
              				}
              				return _t15;
			}

              Disassembly listing (addresses 0x004cb990 through 0x004cb9e9): only the address column survived extraction; the instruction text is not on this page.

              APIs
              • GetWindowThreadProcessId.USER32(00000000), ref: 004CB99D
              • GetCurrentProcessId.KERNEL32(?,?,00000000,00500DAD,?,?,?,?,004FEFA8,?,00000000,00000200,0000020E,00000001), ref: 004CB9A6
              • GlobalFindAtomW.KERNEL32(00000000), ref: 004CB9BB
              • GetPropW.USER32(00000000,00000000), ref: 004CB9D2
              Yara matches
              Similarity
              • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
              • String ID:
              • API String ID: 2582817389-0
              • Opcode ID: 28769144e4a662cb530cb2cd40256db9c90e2be2475f536a050d1dc5d7bf13b9
              • Instruction ID: 13067b356829101efc4f3b4fa40428367ab64d74038804edf92efd67b7149110
              • Opcode Fuzzy Hash: 28769144e4a662cb530cb2cd40256db9c90e2be2475f536a050d1dc5d7bf13b9
              • Instruction Fuzzy Hash: E0F030AA604251A7DA60B7B75CC3E3B218CDA553A9B01063FBA41E7392D73C8C45D2FD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040DC5C() {
              				struct HINSTANCE__* _t1;
              				struct HINSTANCE__* _t2;
              				intOrPtr _t3;
              				void* _t4;
              				void* _t5;
              
              				if( *0x5fbc58 == 0) {
              					_t1 = GetModuleHandleW(L"comctl32.dll");
              					 *0x5fbc58 = _t1;
              					if( *0x5fbc58 != 0) {
              						_t2 =  *0x5fbc58; // 0x0
              						_t3 = E0040C55C(_t4, _t5, _t2, L"InitCommonControlsEx");
              						 *0x5fbc5c = _t3;
              						return _t3;
              					}
              				}
              				return _t1;
			}

              Disassembly listing (addresses 0x0040dc63 through 0x0040dc92): only the address column survived extraction; the instruction text is not on this page.

              APIs
              • GetModuleHandleW.KERNEL32(comctl32.dll,0040DCED,?), ref: 0040DC6A
                • Part of subcall function 0040C55C: GetProcAddress.KERNEL32(?,?), ref: 0040C580
              Strings
              Yara matches
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: InitCommonControlsEx$comctl32.dll
              • API String ID: 1646373207-802336580
              • Opcode ID: f8988ed496fad2946e90bd105e7c00bd44c0308eded0a9d7f4ad80c39008a4f4
              • Instruction ID: e7cadfe7f54286b356a34137fca84ca4596670abd4348284701dfa7035642e7f
              • Opcode Fuzzy Hash: f8988ed496fad2946e90bd105e7c00bd44c0308eded0a9d7f4ad80c39008a4f4
              • Instruction Fuzzy Hash: C1D067749043A2EAF612AFA9DC8D72773605724305F50403AA104A62E4CFBC5D8CEB4C
              Uniqueness

              Uniqueness Score: -1.00%