Analysis Report IDAProHelper.exe

Overview

General Information

Sample Name:IDAProHelper.exe
Analysis ID:331919
MD5:24e36601dc6f06b07270c60a0bba7002
SHA1:4758934da665823289aa7dbebf1121beef49aa9c
SHA256:e558133e382c004ea352fa0c7897ec156118e3d656f82c83cb76696962141fd8

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
PE file has a writeable .text section
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • IDAProHelper.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\IDAProHelper.exe' MD5: 24E36601DC6F06B07270C60A0BBA7002)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041FAED __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy, 0_2_0041FAED
Source: IDAProHelper.exe, 00000000.00000002.1768443171.000000000071A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041AA28 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0041AA28
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041DEA9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0041DEA9

System Summary:

PE file has a writeable .text section
Source: IDAProHelper.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041C539 NtdllDefWindowProc_A, 0_2_0041C539
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041CD25 NtdllDefWindowProc_A,CallWindowProcA, 0_2_0041CD25
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_00416260 CallWindowProcA,NtdllDefWindowProc_A,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_00416260
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_004165B0 RtlEnterCriticalSection,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,ReleaseDC,GlobalAddAtomA,GlobalAddAtomA,RtlLeaveCriticalSection,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GlobalAddAtomA,GetSystemMetrics,GetClassInfoA,GetClassInfoA,GetClassInfoA,NtdllDialogWndProc_A, 0_2_004165B0
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041E6FC NtdllDefWindowProc_A, 0_2_0041E6FC
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041D237 0_2_0041D237
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_004115D9 0_2_004115D9
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_00418AB0 0_2_00418AB0
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0040DF21 0_2_0040DF21
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: String function: 0040975E appears 50 times
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: String function: 00409B78 appears 168 times
Source: IDAProHelper.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: IDAProHelper.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IDAProHelper.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IDAProHelper.exe Binary or memory string: OriginalFilename vs IDAProHelper.exe
Source: IDAProHelper.exe, 00000000.00000002.1769080058.0000000002210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs IDAProHelper.exe
Source: IDAProHelper.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041B5B0 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 0_2_0041B5B0
Source: C:\Users\user\Desktop\IDAProHelper.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\IDAProHelper.exe Unpacked PE file: 0.2.IDAProHelper.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041E685 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0041E685
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0042C2EC push D0004352h; retn 0042h 0_2_0042C2F1
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0042C374 pushad ; ret 0_2_0042C375
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0042CA3C pushad ; retf 0042h 0_2_0042CA49
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_00409B78 push eax; ret 0_2_00409B96
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0042CB30 push eax; retf 0_2_0042CB31
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0040AF60 push eax; ret 0_2_0040AF8E
Source: initial sample Static PE information: section name: .text entropy: 7.99752542707
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_00416260 CallWindowProcA,NtdllDefWindowProc_A,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_00416260
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_004013BD IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_004013BD
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_00402729 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00402729
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_00416A10 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmp,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 0_2_00416A10
Source: C:\Users\user\Desktop\IDAProHelper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IDAProHelper.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-19152
Source: C:\Users\user\Desktop\IDAProHelper.exe API coverage: 5.2 %
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041FAED __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy, 0_2_0041FAED
Source: C:\Users\user\Desktop\IDAProHelper.exe API call chain: ExitProcess graph end node graph_0-19841
Source: C:\Users\user\Desktop\IDAProHelper.exe API call chain: ExitProcess graph end node graph_0-19853
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041E685 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0041E685
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0040EE16 SetUnhandledExceptionFilter, 0_2_0040EE16
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0040EE28 SetUnhandledExceptionFilter, 0_2_0040EE28
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: IDAProHelper.exe, 00000000.00000002.1768645796.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0040F755 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0040F755
Source: C:\Users\user\Desktop\IDAProHelper.exe Code function: 0_2_0041D237 __EH_prolog,GetVersion, 0_2_0041D237

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Native API 2 | Path Interception | Process Injection 1 | Process Injection 1 | Input Capture 2 | System Time Discovery 1 | Remote Services | Input Capture 2 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 12 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| IDAProHelper.exe | 4% | Virustotal |  |
| IDAProHelper.exe | 9% | ReversingLabs |  |

Dropped Files

No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| 0.1.IDAProHelper.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:331919
Start date:17.12.2020
Start time:19:27:08
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 13m 48s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:IDAProHelper.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:30
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal52.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 44.4% (good quality ratio 39.5%)
  • Quality average: 72.1%
  • Quality standard deviation: 34.4%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Max analysis timeout: 720s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Entropy (8bit):7.580188073204676
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.96%
  • Win32 EXE PECompact compressed (v2.x) (59071/9) 0.58%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:IDAProHelper.exe
File size:128000
MD5:24e36601dc6f06b07270c60a0bba7002
SHA1:4758934da665823289aa7dbebf1121beef49aa9c
SHA256:e558133e382c004ea352fa0c7897ec156118e3d656f82c83cb76696962141fd8
SHA512:5d16bad557aace599400a4cd48ec9852900e0d57895164a25b8629a0bab09c02c7b8ddfc3e681f7b8983baf0791008e1c7d7812f2c6c40bb49f1957c16e22555
SSDEEP:3072:cBul+Y/mpJ5Y16wA2c+URS3m1lofsxKPYAu5rcfFCs:cBuonJ5YZA8D3IQejcz
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.]...3...3...3...3...3.m.9...3.m.8...3.y.?...3...l...3...n...3...2...3...=...3.4.9...3.4.8.X.3.V.....3...5...3.Rich..3........

File Icon

Icon Hash:ece8e8eaeae2cc71

Static PE Info

General

Entrypoint:0x40a2f5
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x5AA22D01 [Fri Mar 9 06:43:13 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2ba507c0e60aeee70989fdd9caf407e7

Entrypoint Preview

Instruction
mov eax, 0044B51Ch
push eax
push dword ptr fs:[00000000h]
mov dword ptr fs:[00000000h], esp
xor eax, eax
mov dword ptr [eax], ecx
push eax
inc ebp
inc ebx
outsd
insd
jo 00007F99D85AF803h
arpl word ptr [edx+esi+00h], si

Rich Headers

Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804
  • [ C ] VS98 (6.0) SP6 build 8804

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a6bc | 0x2e5 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x763d | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |  |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |  |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x42000 | 0x16a00 | False | 0.999147531077 | data | 7.99752542707 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x43000 | 0x9000 | 0x8600 | False | 0.476591651119 | data | 5.54814099806 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
| --- | --- | --- | --- | --- | --- |
| RT_CURSOR | 0x3a000 | 0x134 | empty | Chinese | China |
| RT_CURSOR | 0x3a138 | 0xb4 | empty | Chinese | China |
| RT_BITMAP | 0x3a1f0 | 0x5e4 | empty | Chinese | China |
| RT_BITMAP | 0x3a7d8 | 0xb8 | empty | Chinese | China |
| RT_BITMAP | 0x3a890 | 0x16c | empty | Chinese | China |
| RT_BITMAP | 0x3aa00 | 0x144 | empty | Chinese | China |
| RT_ICON | 0x43718 | 0xea8 | data | Chinese | China |
| RT_ICON | 0x445c0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | Chinese | China |
| RT_ICON | 0x44e68 | 0x6c8 | data | Chinese | China |
| RT_ICON | 0x45530 | 0x568 | GLS_BINARY_LSB_FIRST | Chinese | China |
| RT_ICON | 0x45a98 | 0x25a8 | data | Chinese | China |
| RT_ICON | 0x48040 | 0x10a8 | data | Chinese | China |
| RT_ICON | 0x490e8 | 0x988 | data | Chinese | China |
| RT_ICON | 0x49a70 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China |
| RT_DIALOG | 0x3ab48 | 0xee | empty | Chinese | China |
| RT_DIALOG | 0x3ac38 | 0x1ae | empty | Chinese | China |
| RT_DIALOG | 0x3ade8 | 0xe2 | empty | Chinese | China |
| RT_STRING | 0x3aed0 | 0x4c | empty | Chinese | China |
| RT_STRING | 0x3af20 | 0x50 | empty | Chinese | China |
| RT_STRING | 0x3af70 | 0x2c | empty | Chinese | China |
| RT_STRING | 0x3afa0 | 0x78 | empty | Chinese | China |
| RT_STRING | 0x3b018 | 0x1c4 | empty | Chinese | China |
| RT_STRING | 0x3b1e0 | 0x12a | empty | Chinese | China |
| RT_STRING | 0x3b310 | 0x146 | empty | Chinese | China |
| RT_STRING | 0x3b458 | 0x40 | empty | Chinese | China |
| RT_STRING | 0x3b498 | 0x64 | empty | Chinese | China |
| RT_STRING | 0x3b500 | 0x1d8 | empty | Chinese | China |
| RT_STRING | 0x3b6d8 | 0x114 | empty | Chinese | China |
| RT_STRING | 0x3b7f0 | 0x24 | empty | Chinese | China |
| RT_GROUP_CURSOR | 0x3b818 | 0x22 | empty | Chinese | China |
| RT_GROUP_ICON | 0x49ed8 | 0x76 | data | Chinese | China |
| RT_VERSION | 0x49f50 | 0x3b8 | COM executable for DOS | Chinese | China |
| RT_MANIFEST | 0x4a308 | 0x335 | XML 1.0 document, ASCII text, with CRLF line terminators | Chinese | China |

Imports

| DLL | Import |
| --- | --- |
| kernel32.dll | LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree |
| USER32.dll | MessageBeep |
| GDI32.dll | SetMapMode |
| comdlg32.dll | GetFileTitleA |
| WINSPOOL.DRV | ClosePrinter |
| ADVAPI32.dll | RegDeleteKeyA |
| SHELL32.dll | SHChangeNotify |
| COMCTL32.dll |  |
| oledlg.dll |  |
| ole32.dll | CoFreeUnusedLibraries |
| OLEPRO32.DLL |  |
| OLEAUT32.dll | VariantCopy |

Version Infos

| Description | Data |
| --- | --- |
| LegalCopyright | (C) 2017 |
| InternalName | IDAProHelper |
| FileVersion | 1, 0, 0, 1 |
| CompanyName | (WwW.ChinaPYG.CoM) |
| PrivateBuild |  |
| LegalTrademarks |  |
| Comments | IDAPro 7.x |
| ProductName | IDAProHelper |
| SpecialBuild |  |
| ProductVersion | 1, 0, 0, 1 |
| FileDescription | IDAProHelper Microsoft |
| OriginalFilename | IDAProHelper.EXE |
| Translation | 0x0804 0x04b0 |

Possible Origin

| Language of compilation system | Country where language is spoken |
| --- | --- |
| Chinese | China |

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:19:28:03
Start date:17/12/2020
Path:C:\Users\user\Desktop\IDAProHelper.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\IDAProHelper.exe'
Imagebase:0x400000
File size:128000 bytes
MD5 hash:24E36601DC6F06B07270C60A0BBA7002
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:3.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:11.2%
    Total number of Nodes:1380
    Total number of Limit Nodes:57

425554 19322->19323 19328 42274e ctype 28 API calls 19322->19328 19813 40a972 19322->19813 19325 423303 ctype RtlLeaveCriticalSection 19323->19325 19326 42555e 19325->19326 19327 42274e ctype 28 API calls 19326->19327 19329 425563 19327->19329 19330 425545 UnregisterClassA 19328->19330 19331 422521 21 API calls 19329->19331 19330->19322 19332 42557b 19331->19332 19333 42274e ctype 28 API calls 19332->19333 19334 4255a0 19333->19334 19335 40a3d5 19334->19335 19336 4255b2 UnhookWindowsHookEx 19334->19336 19337 4255b8 19334->19337 19335->19125 19336->19337 19337->19335 19338 4255bf UnhookWindowsHookEx 19337->19338 19338->19335 19340 42274e ctype 28 API calls 19339->19340 19341 41a67d 19340->19341 19342 41a6d5 19341->19342 19369 422521 19341->19369 19342->19302 19345 422ff4 ctype 7 API calls 19346 41a6b3 19345->19346 19347 41a6c0 19346->19347 19348 42274e ctype 28 API calls 19346->19348 19349 422f5f ctype 21 API calls 19347->19349 19348->19347 19349->19342 19351 42274e ctype 28 API calls 19350->19351 19352 4235c9 GetModuleFileNameA 19351->19352 19372 40b964 19352->19372 19354 4235fb 19378 4236d3 19354->19378 19357 42362d 19359 423667 19357->19359 19387 41eda2 19357->19387 19360 42369a 19359->19360 19361 42367f lstrcpy 19359->19361 19364 4236a9 lstrcat 19360->19364 19365 4236c7 19360->19365 19363 40a48b 29 API calls 19361->19363 19363->19360 19367 40a48b 29 API calls 19364->19367 19365->19298 19367->19365 19368 40a48b 29 API calls 19368->19359 19370 422f5f ctype 21 API calls 19369->19370 19371 41a689 GetCurrentThreadId SetWindowsHookExA 19370->19371 19371->19345 19373 40b981 19372->19373 19375 40b972 19372->19375 19374 40d4cd ctype 29 API calls 19373->19374 19376 40b989 19374->19376 19375->19354 19391 40d52e RtlLeaveCriticalSection 19376->19391 19379 4236db 19378->19379 19380 423713 lstrcpyn 19379->19380 19381 423709 lstrlen 19379->19381 19382 423617 19380->19382 19381->19382 19382->19357 19383 40a48b 19382->19383 19384 40a494 ctype 19383->19384 19386 40a4a1 ctype 
19383->19386 19385 40a76c ctype 29 API calls 19384->19385 19385->19386 19386->19357 19388 42274e ctype 28 API calls 19387->19388 19389 41eda8 LoadStringA 19388->19389 19390 41edc3 19389->19390 19390->19368 19391->19375 19393 401d01 19392->19393 19396 401d10 19392->19396 19394 422ff4 ctype 7 API calls 19393->19394 19394->19396 19395 42274e ctype 28 API calls 19397 40107c 19395->19397 19396->19395 19398 4222b6 19397->19398 19399 4222ca 19398->19399 19405 401084 19398->19405 19400 422ff4 ctype 7 API calls 19399->19400 19401 4222d9 19400->19401 19402 422324 19401->19402 19403 42274e ctype 28 API calls 19401->19403 19404 42274e ctype 28 API calls 19402->19404 19402->19405 19403->19402 19404->19405 19406 4011ab 19405->19406 19407 4011b5 __EH_prolog 19406->19407 19460 41bd6d 19407->19460 19410 42274e ctype 28 API calls 19411 4011f5 19410->19411 19412 42274e ctype 28 API calls 19411->19412 19413 4011fa LoadIconA 19412->19413 19413->19311 19415 41b5ba __EH_prolog 19414->19415 19416 42274e ctype 28 API calls 19415->19416 19417 41b5d6 19416->19417 19418 41b5fd 19417->19418 19419 42274e ctype 28 API calls 19417->19419 19420 41b601 LockResource 19418->19420 19421 41b60b 19418->19421 19422 41b5e4 FindResourceA LoadResource 19419->19422 19420->19421 19423 4010a0 19421->19423 19505 41b534 19421->19505 19422->19418 19449 41bc28 19423->19449 19428 41b650 19521 41c95b 19428->19521 19429 41b632 IsWindowEnabled 19429->19428 19430 41b63f EnableWindow 19429->19430 19430->19428 19433 41c48d 58 API calls 19434 41b661 19433->19434 19528 41b2cc 19434->19528 19437 41b6a7 19438 41b6d7 19437->19438 19439 41b6cc EnableWindow 19437->19439 19441 41b6f0 19438->19441 19442 41b6dc GetActiveWindow 19438->19442 19439->19438 19440 41b691 19440->19437 19590 41eb91 19440->19590 19594 41b56e 19441->19594 19442->19441 19445 41b6e7 SetActiveWindow 19442->19445 19445->19441 19446 41b681 19570 41e4b5 19446->19570 19450 4010af 19449->19450 19451 41bc38 InterlockedDecrement 19449->19451 19454 41b28e 19450->19454 
19451->19450 19452 41bc46 19451->19452 19453 41bb17 ctype 31 API calls 19452->19453 19453->19450 19455 41b298 __EH_prolog 19454->19455 19456 41b2b4 19455->19456 19800 41ccd8 19455->19800 19809 41cb1b 19456->19809 19459 4010bb 19459->19285 19461 41bd79 19460->19461 19462 41bd7d lstrlen 19460->19462 19465 41bcf0 19461->19465 19462->19461 19464 4011f0 19464->19410 19468 41bbff 19465->19468 19467 41bcfe ctype 19467->19464 19469 41bc0f 19468->19469 19470 41bc23 19469->19470 19474 41bb5f 19469->19474 19470->19467 19475 41bb6f InterlockedDecrement 19474->19475 19476 41bb87 19474->19476 19475->19476 19477 41bb7d 19475->19477 19479 41ba95 19476->19479 19486 41bb17 19477->19486 19480 41baa1 19479->19480 19481 41baaa 19479->19481 19480->19470 19482 41bab2 19481->19482 19484 41baf1 19481->19484 19497 402bd6 19482->19497 19485 41b0e0 ctype 29 API calls 19484->19485 19485->19480 19487 41bb1f 19486->19487 19488 41bb2b 19486->19488 19494 402c65 19487->19494 19488->19487 19491 41bb58 19488->19491 19492 41b109 ctype 29 API calls 19491->19492 19493 41bb5d 19492->19493 19493->19476 19495 402c71 RtlEnterCriticalSection RtlLeaveCriticalSection 19494->19495 19496 402c8c 19494->19496 19495->19496 19496->19476 19504 409b78 19497->19504 19499 402be0 RtlEnterCriticalSection 19500 402bfe 19499->19500 19501 402c2f RtlLeaveCriticalSection 19499->19501 19502 41a195 ctype 29 API calls 19500->19502 19501->19480 19503 402c10 19502->19503 19503->19501 19504->19499 19506 42274e ctype 28 API calls 19505->19506 19507 41b53d 19506->19507 19508 41b54d 19507->19508 19622 421289 19507->19622 19605 42142f 19508->19605 19512 41c95b 23 API calls 19513 41b569 19512->19513 19514 41c9a7 19513->19514 19515 422f5f ctype 21 API calls 19514->19515 19516 41c9b7 19515->19516 19517 42274e ctype 28 API calls 19516->19517 19518 41c9be 19517->19518 19519 41b628 19518->19519 19520 41c9cb UnhookWindowsHookEx 19518->19520 19519->19428 19519->19429 19520->19519 19522 422f5f ctype 21 API calls 19521->19522 19523 41c96c 
19522->19523 19524 41b659 19523->19524 19525 41c97d GetCurrentThreadId SetWindowsHookExA 19523->19525 19524->19433 19525->19524 19526 41c99a 19525->19526 19527 419d03 ctype RaiseException 19526->19527 19527->19524 19529 41b2d6 __EH_prolog 19528->19529 19530 41b2f0 19529->19530 19531 42274e ctype 28 API calls 19529->19531 19532 42274e ctype 28 API calls 19530->19532 19531->19530 19533 41b2fb 19532->19533 19631 41e6fc 19533->19631 19536 41e6fc 38 API calls 19538 41b31e 19536->19538 19566 41b334 19538->19566 19672 41f495 19538->19672 19539 41b370 19540 41b380 GetSystemMetrics 19539->19540 19553 41b3c3 19539->19553 19541 41b390 19540->19541 19542 41b415 19540->19542 19679 40a8a6 19541->19679 19545 41c95b 23 API calls 19542->19545 19548 41b423 CreateDialogIndirectParamA 19545->19548 19547 41b39d 19551 40a8a6 29 API calls 19547->19551 19547->19553 19555 41bc28 ctype 32 API calls 19548->19555 19550 41b3ed 19701 41f373 19550->19701 19554 41b3b0 19551->19554 19553->19542 19688 41f2e4 19553->19688 19554->19553 19558 40a8a6 29 API calls 19554->19558 19561 41b452 19555->19561 19558->19553 19559 41b409 GlobalFix 19559->19542 19560 41c9a7 29 API calls 19562 41b499 19560->19562 19561->19560 19563 41b4be 19562->19563 19564 41b4b2 DestroyWindow 19562->19564 19565 41b4c3 GlobalUnWire GlobalFree 19563->19565 19563->19566 19564->19563 19565->19566 19566->19437 19566->19440 19567 41eaab 19566->19567 19568 41eab2 GetWindowLongA 19567->19568 19569 41eabe 19567->19569 19568->19446 19571 41e4d7 GetParent 19570->19571 19572 41e4d2 19570->19572 19575 41a663 28 API calls 19571->19575 19573 41eaab GetWindowLongA 19572->19573 19573->19571 19580 41e4fc 19575->19580 19576 41e50d PeekMessageA 19576->19580 19577 41e522 19586 41ebe0 ShowWindow 19577->19586 19769 41ebe0 19577->19769 19580->19576 19580->19577 19581 41e561 SendMessageA 19580->19581 19582 41e5f8 19580->19582 19583 41e547 SendMessageA 19580->19583 19585 41e5fe 19580->19585 19588 41a663 28 API calls 19580->19588 19589 41e5e4 PeekMessageA 
19580->19589 19581->19580 19772 4253fc 19582->19772 19583->19580 19585->19440 19587 41e5b3 UpdateWindow 19586->19587 19587->19580 19588->19580 19589->19580 19591 41eb9b SetWindowPos 19590->19591 19593 41ebc0 19590->19593 19591->19593 19593->19437 19595 41c9a7 29 API calls 19594->19595 19596 41b576 19595->19596 19776 41c50b 19596->19776 19599 41b595 19601 42274e ctype 28 API calls 19599->19601 19600 41b58a EnableWindow 19600->19599 19602 41b59e 19601->19602 19603 41b5af 19602->19603 19604 421289 28 API calls 19602->19604 19603->19423 19604->19603 19606 421443 19605->19606 19607 4214a8 GetWindowLongA 19605->19607 19625 4214cb 19606->19625 19608 4214b8 GetParent 19607->19608 19619 421455 19607->19619 19616 421451 19608->19616 19610 421468 19614 421470 GetLastActivePopup 19610->19614 19615 421479 19610->19615 19611 42145f GetParent 19611->19610 19611->19611 19614->19615 19617 421485 IsWindowEnabled 19615->19617 19618 41b561 19615->19618 19616->19607 19616->19619 19617->19618 19620 421490 19617->19620 19618->19512 19619->19610 19619->19611 19620->19618 19621 421494 EnableWindow 19620->19621 19621->19618 19623 401ca1 28 API calls 19622->19623 19624 42128f 19623->19624 19624->19508 19626 422521 21 API calls 19625->19626 19627 421448 19626->19627 19627->19616 19628 401ca1 19627->19628 19629 41a663 28 API calls 19628->19629 19630 401ca6 19629->19630 19630->19616 19632 42274e ctype 28 API calls 19631->19632 19634 41e707 ctype 19632->19634 19633 41b314 19633->19536 19634->19633 19635 42274e ctype 28 API calls 19634->19635 19636 41e73f 19635->19636 19637 41e770 19636->19637 19704 41cfe4 19636->19704 19639 41e791 19637->19639 19640 41cfe4 32 API calls 19637->19640 19641 41e7b8 19639->19641 19643 41cfe4 32 API calls 19639->19643 19640->19639 19642 41e7de 19641->19642 19717 41e644 19641->19717 19645 41e80b 19642->19645 19646 41e644 34 API calls 19642->19646 19643->19641 19647 41e82c 19645->19647 19724 41e685 GetModuleHandleA LoadLibraryA 19645->19724 19646->19645 19648 41e84c 
19647->19648 19650 41e685 4 API calls 19647->19650 19651 41e869 19648->19651 19652 41e685 4 API calls 19648->19652 19650->19648 19653 41e882 19651->19653 19654 41e685 4 API calls 19651->19654 19652->19651 19655 41e89f 19653->19655 19657 41e685 4 API calls 19653->19657 19654->19653 19656 41e8bc 19655->19656 19658 41e685 4 API calls 19655->19658 19659 41e8d9 19656->19659 19660 41e685 4 API calls 19656->19660 19657->19655 19658->19656 19661 41e8f6 19659->19661 19662 41e685 4 API calls 19659->19662 19660->19659 19663 41e913 19661->19663 19665 41e685 4 API calls 19661->19665 19662->19661 19664 41e92c 19663->19664 19666 41e685 4 API calls 19663->19666 19667 41e945 19664->19667 19668 41e685 4 API calls 19664->19668 19665->19663 19666->19664 19669 41e685 4 API calls 19667->19669 19670 41e962 19667->19670 19668->19667 19669->19670 19670->19633 19671 41e685 4 API calls 19670->19671 19671->19633 19674 41f4a2 19672->19674 19673 41f4ad 19673->19539 19674->19673 19730 41befe 19674->19730 19680 40a8b5 19679->19680 19681 40a8c7 19679->19681 19680->19547 19682 40d4cd ctype 29 API calls 19681->19682 19683 40a8ce 19682->19683 19684 40a932 19683->19684 19685 40a946 19683->19685 19755 40d52e RtlLeaveCriticalSection 19684->19755 19756 40d52e RtlLeaveCriticalSection 19685->19756 19689 41b3de 19688->19689 19690 41f2fc 19688->19690 19692 41f61e GetStockObject 19689->19692 19757 41f313 GlobalAlloc 19690->19757 19693 41f640 GetStockObject 19692->19693 19694 41f648 GetObjectA 19692->19694 19693->19694 19695 41f692 19693->19695 19694->19695 19696 41f659 GetDC 19694->19696 19762 41f504 19695->19762 19697 41f672 GetDeviceCaps MulDiv ReleaseDC 19696->19697 19698 41f66d 19696->19698 19697->19695 19698->19697 19702 41b404 19701->19702 19703 41f379 GlobalFree 19701->19703 19702->19542 19702->19559 19703->19702 19729 409b78 19704->19729 19706 41cfee GetClassInfoA 19707 41d01a 19706->19707 19708 41d00e RegisterClassA 19706->19708 19707->19637 19708->19707 19709 41d01e 19708->19709 19710 42274e ctype 
28 API calls 19709->19710 19711 41d023 19710->19711 19711->19707 19712 423293 ctype 6 API calls 19711->19712 19713 41d031 19712->19713 19714 42274e ctype 28 API calls 19713->19714 19715 41d039 lstrcat lstrcat 19714->19715 19716 423303 ctype RtlLeaveCriticalSection 19715->19716 19716->19707 19718 42274e ctype 28 API calls 19717->19718 19719 41e656 LoadIconA 19718->19719 19720 41e67a 19719->19720 19721 41e66f LoadIconA 19719->19721 19722 41cfe4 32 API calls 19720->19722 19721->19720 19723 41e680 19722->19723 19723->19642 19725 41e6a3 GetProcAddress 19724->19725 19726 41e6f6 19724->19726 19728 41e6b5 FreeLibrary 19725->19728 19726->19647 19728->19726 19729->19706 19738 41be87 19730->19738 19733 41bed6 19749 41bbd1 19733->19749 19735 41bede 19736 41bee7 lstrlen 19735->19736 19737 41beef 19735->19737 19736->19737 19737->19539 19739 41be9a 19738->19739 19740 41ba95 ctype 31 API calls 19739->19740 19743 41bece WideCharToMultiByte 19739->19743 19741 41beb1 ctype 19740->19741 19744 41bb90 19741->19744 19743->19733 19745 41bb9d InterlockedDecrement 19744->19745 19746 41bbaf 19744->19746 19745->19746 19747 41bba8 19745->19747 19746->19743 19748 41bb17 ctype 31 API calls 19747->19748 19748->19746 19750 41bbdd 19749->19750 19754 41bbec ctype 19749->19754 19751 41bb5f ctype 32 API calls 19750->19751 19752 41bbe2 19751->19752 19753 41ba95 ctype 31 API calls 19752->19753 19753->19754 19754->19735 19755->19680 19756->19680 19758 41f36f 19757->19758 19759 41f32f GlobalFix 19757->19759 19758->19689 19760 41f346 ctype 19759->19760 19761 41f358 GlobalUnWire 19760->19761 19761->19758 19763 41f515 19762->19763 19764 41f51c GlobalFix 19762->19764 19763->19550 19765 41f53e MultiByteToWideChar 19764->19765 19767 41f585 ctype 19765->19767 19768 41f5fc GlobalUnWire 19767->19768 19768->19763 19770 41ebe7 ShowWindow 19769->19770 19771 41e52b UpdateWindow 19769->19771 19770->19771 19771->19580 19773 41a663 28 API calls 19772->19773 19774 425401 PostQuitMessage 19773->19774 19774->19585 19777 
41b57d IsWindow 19776->19777 19778 41c516 19776->19778 19777->19599 19777->19600 19779 41c41b ctype 57 API calls 19778->19779 19780 41c51d 19779->19780 19780->19777 19782 41a3c2 19780->19782 19783 41a3f8 19782->19783 19784 41a3cb 19782->19784 19783->19777 19784->19783 19786 41a2f4 19784->19786 19787 41a305 19786->19787 19788 41a30a 19786->19788 19790 41a253 19787->19790 19788->19783 19791 41a25d 19790->19791 19795 41a263 19790->19795 19793 41b109 ctype 29 API calls 19791->19793 19793->19795 19796 41a1b5 19795->19796 19797 41a1b9 19796->19797 19798 41a1c9 19796->19798 19797->19798 19799 41b109 ctype 29 API calls 19797->19799 19798->19788 19799->19797 19801 41cce1 19800->19801 19802 41cce5 19800->19802 19801->19456 19803 41c41b ctype 57 API calls 19802->19803 19804 41ccee ctype 19803->19804 19805 41cd02 DestroyWindow 19804->19805 19806 41cd0d 19804->19806 19805->19806 19807 41cd1f 19806->19807 19808 41c50b ctype 57 API calls 19806->19808 19807->19456 19808->19807 19811 41cb25 __EH_prolog 19809->19811 19810 41cb61 ctype 19810->19459 19811->19810 19812 41ccd8 ctype 58 API calls 19811->19812 19812->19810 19814 40a98f 19813->19814 19816 40a980 19813->19816 19815 40d4cd ctype 29 API calls 19814->19815 19820 40a996 19815->19820 19816->19322 19817 40a9ed 19826 40d52e RtlLeaveCriticalSection 19817->19826 19819 40a9d4 19824 40d52e RtlLeaveCriticalSection 19819->19824 19820->19817 19820->19819 19821 40a9e0 19820->19821 19825 40d52e RtlLeaveCriticalSection 19821->19825 19824->19816 19825->19816 19826->19816 19828 40d322 19827->19828 19829 40d351 ctype 7 API calls 19828->19829 19832 40d34f 19828->19832 19830 40d339 19829->19830 19831 40d351 ctype 7 API calls 19830->19831 19831->19832 19832->19111 19834 40d364 19833->19834 19835 40d47b ctype 19834->19835 19836 40d3a4 19834->19836 19841 40a439 ExitProcess 19834->19841 19837 40d48e GetStdHandle WriteFile 19835->19837 19838 40d3b0 GetModuleFileNameA 19836->19838 19836->19841 19837->19841 19839 40d3c8 ctype 19838->19839 19842 4100b7 
19839->19842 19843 4100c4 LoadLibraryA 19842->19843 19845 410106 19842->19845 19844 4100d5 GetProcAddress 19843->19844 19843->19845 19844->19845 19846 4100ec GetProcAddress GetProcAddress 19844->19846 19845->19841 19846->19845 19856 40a5aa 19847->19856 19850 40a516 GetCurrentProcess TerminateProcess 19851 40a527 19850->19851 19852 40a591 19851->19852 19853 40a598 ExitProcess 19851->19853 19859 40a5b3 19852->19859 19857 40d4cd ctype 29 API calls 19856->19857 19858 40a50b 19857->19858 19858->19850 19858->19851 19862 40d52e RtlLeaveCriticalSection 19859->19862 19861 40a3de 19861->19128 19862->19861 19863 40ee16 SetUnhandledExceptionFilter 19864 423324 19869 42332e 19864->19869 19866 423329 19877 40975e 19866->19877 19870 4233a0 GetVersion 19869->19870 19871 4233f3 19870->19871 19872 4233e1 GetProcessVersion 19870->19872 19880 41f000 KiUserCallbackDispatcher GetSystemMetrics 19871->19880 19872->19871 19874 4233fa 19887 41efbc 7 API calls 19874->19887 19876 423404 LoadCursorA LoadCursorA 19876->19866 19892 4096e0 19877->19892 19881 41f026 19880->19881 19882 41f01f 19880->19882 19891 42337e GetSystemMetrics GetSystemMetrics 19881->19891 19888 42334e 19882->19888 19886 41f02b GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 19886->19874 19887->19876 19889 423357 GetSystemMetrics GetSystemMetrics 19888->19889 19890 41f024 19888->19890 19889->19890 19890->19886 19891->19886 19893 40a5aa ctype 29 API calls 19892->19893 19894 4096e6 19893->19894 19903 40ae70 19894->19903 19897 40ae70 ctype 30 API calls 19898 40970f 19897->19898 19915 40b635 19898->19915 19899 40a5b3 ctype RtlLeaveCriticalSection 19901 40975a 19899->19901 19902 40971e 19902->19899 19904 40aee3 19903->19904 19905 40ae9d 19903->19905 19906 40af2e RtlSizeHeap 19904->19906 19908 40d4cd ctype 29 API calls 19904->19908 19907 40d4cd ctype 29 API calls 19905->19907 19909 4096f1 19906->19909 19910 40aea4 ctype 19907->19910 19911 40aeef ctype 19908->19911 19909->19897 19909->19902 19940 40aeda 19910->19940 19943 40af55 
19911->19943 19914 40aed1 19914->19906 19914->19909 19916 40b661 19915->19916 19917 40b66f 19915->19917 19918 40a76c ctype 29 API calls 19916->19918 19919 40b682 19917->19919 19920 40b676 19917->19920 19923 40b669 19918->19923 19922 40b7c9 19919->19922 19937 40b690 ctype 19919->19937 19921 40a5d6 ctype 29 API calls 19920->19921 19921->19923 19926 40b919 ctype 19922->19926 19938 40b7d2 ctype 19922->19938 19923->19902 19924 40d4cd ctype 29 API calls 19924->19937 19925 40b927 RtlReAllocateHeap 19925->19926 19926->19923 19926->19925 19927 40d4cd ctype 29 API calls 19927->19938 19929 40b8cc RtlReAllocateHeap 19929->19938 19930 40b71c RtlAllocateHeap 19930->19937 19931 40b88c RtlAllocateHeap 19931->19938 19933 40b772 RtlReAllocateHeap 19933->19937 19934 40da6c ctype 5 API calls 19934->19937 19935 40e50f ctype 6 API calls 19935->19938 19936 40e4ca VirtualFree HeapFree VirtualFree ctype 19936->19938 19937->19923 19937->19924 19937->19930 19937->19933 19937->19934 19939 40d743 VirtualFree VirtualFree HeapFree ctype 19937->19939 19948 40b7c0 19937->19948 19938->19923 19938->19927 19938->19929 19938->19931 19938->19935 19938->19936 19951 40b90e 19938->19951 19939->19937 19946 40d52e RtlLeaveCriticalSection 19940->19946 19942 40aee1 19942->19914 19947 40d52e RtlLeaveCriticalSection 19943->19947 19945 40af5c 19945->19914 19946->19942 19947->19945 19954 40d52e RtlLeaveCriticalSection 19948->19954 19950 40b7c7 19950->19937 19955 40d52e RtlLeaveCriticalSection 19951->19955 19953 40b915 19953->19938 19954->19950 19955->19953 19956 41c6e9 19957 422ff4 ctype 7 API calls 19956->19957 19961 41c6fd 19957->19961 19958 41c747 19960 41c74b 19958->19960 19963 41c58a 19958->19963 19961->19958 19990 41e075 19961->19990 19998 409b78 19963->19998 19965 41c594 GetPropA 19966 41c674 19965->19966 19967 41c5c7 19965->19967 19968 41c48d 58 API calls 19966->19968 19969 41c5d0 19967->19969 19970 41c653 19967->19970 19972 41c67c 19968->19972 19973 41c5d5 19969->19973 19974 41c62f SetWindowLongA 
RemovePropA GlobalFindAtomA GlobalDeleteAtom 19969->19974 19971 41c48d 58 API calls 19970->19971 19976 41c659 19971->19976 19977 41c48d 58 API calls 19972->19977 19975 41c692 CallWindowProcA 19973->19975 19978 41c5e0 19973->19978 19974->19975 19982 41c61b 19975->19982 20015 41c24c 19976->20015 19980 41c684 19977->19980 19981 41c48d 58 API calls 19978->19981 20029 41c1eb 19980->20029 19985 41c5e6 19981->19985 19982->19960 19999 41c14f GetWindowRect 19985->19999 19986 41c68e 19986->19975 19986->19982 19991 41e0e4 19990->19991 19992 41e081 19990->19992 19991->19958 19992->19991 19993 41e0aa GetObjectA SetBkColor 19992->19993 20132 420bcc 19992->20132 19995 41e0d5 SetTextColor 19993->19995 19996 41e0cd GetSysColor 19993->19996 19995->19991 19996->19995 19998->19965 20000 41eaab GetWindowLongA 19999->20000 20001 41c168 CallWindowProcA 20000->20001 20002 41c172 20001->20002 20003 41c1e6 20002->20003 20004 41c17f 20002->20004 20003->19982 20005 41eaab GetWindowLongA 20004->20005 20006 41c189 20005->20006 20006->20003 20007 41c190 GetWindowRect 20006->20007 20007->20003 20008 41c1a7 20007->20008 20008->20003 20009 41c1af GetWindow 20008->20009 20010 41c48d 58 API calls 20009->20010 20011 41c1c0 20010->20011 20012 41c1cb 20011->20012 20068 41ec07 20011->20068 20012->20003 20038 41e1aa 20012->20038 20016 41c256 20015->20016 20017 41c2bb 20015->20017 20016->20017 20108 41d95f 20016->20108 20017->19986 20019 41c279 20019->20017 20020 41c27d GetLastActivePopup 20019->20020 20021 41c48d 58 API calls 20020->20021 20022 41c28c 20021->20022 20022->20017 20023 41c292 GetForegroundWindow 20022->20023 20024 41c48d 58 API calls 20023->20024 20025 41c29e 20024->20025 20025->20017 20026 41ec07 IsWindowEnabled 20025->20026 20027 41c2a9 20026->20027 20027->20017 20028 41c2ad SetForegroundWindow 20027->20028 20028->20017 20030 41eaab GetWindowLongA 20029->20030 20031 41c1fd 20030->20031 20032 41c245 20031->20032 20033 41d95f 62 API calls 20031->20033 20032->19986 20034 41c20b 20033->20034 
20035 41d95f 62 API calls 20034->20035 20036 41c217 20035->20036 20036->20032 20037 41c230 SendMessageA 20036->20037 20037->20032 20039 41eaab GetWindowLongA 20038->20039 20040 41e1bd 20039->20040 20041 41e1c7 20040->20041 20043 41e1d2 GetParent 20040->20043 20044 41e1dd GetWindow 20040->20044 20042 41e204 GetWindowRect 20041->20042 20045 41e2a8 GetParent GetClientRect GetClientRect MapWindowPoints 20042->20045 20046 41e21d 20042->20046 20047 41e1e8 20043->20047 20044->20047 20060 41e2d5 20045->20060 20048 41e221 GetWindowLongA 20046->20048 20050 41e231 20046->20050 20047->20042 20049 41e1ee SendMessageA 20047->20049 20048->20050 20049->20042 20053 41e202 20049->20053 20051 41e245 20050->20051 20052 41e27f GetWindowRect 20050->20052 20055 401ca1 28 API calls 20051->20055 20054 402729 14 API calls 20052->20054 20053->20042 20056 41e292 20054->20056 20057 41e24a 20055->20057 20058 402794 12 API calls 20056->20058 20071 402729 20057->20071 20061 41e298 CopyRect 20058->20061 20063 41eb91 SetWindowPos 20060->20063 20061->20060 20065 41e358 20063->20065 20065->20003 20069 41ec18 20068->20069 20070 41ec0e IsWindowEnabled 20068->20070 20070->20012 20091 4025fb 20071->20091 20074 402746 20076 402753 IsIconic 20074->20076 20077 40274c 20074->20077 20075 402738 MonitorFromWindow 20075->20077 20078 402760 GetWindowPlacement 20076->20078 20079 40276f GetWindowRect 20076->20079 20082 402794 20077->20082 20080 40277c 20078->20080 20079->20080 20080->20077 20100 4026d3 20080->20100 20083 4025fb 7 API calls 20082->20083 20084 4027a1 20083->20084 20085 4027b3 20084->20085 20086 4027a5 GetMonitorInfoA 20084->20086 20087 4027ca SystemParametersInfoA 20085->20087 20089 40281b CopyRect CopyRect 20085->20089 20086->20089 20088 4027dc GetSystemMetrics GetSystemMetrics 20087->20088 20087->20089 20088->20089 20090 40280c lstrcpy 20088->20090 20089->20060 20090->20089 20092 402618 GetModuleHandleA 20091->20092 20099 402608 20091->20099 20093 402629 GetProcAddress 20092->20093 20092->20099 
20094 402640 GetProcAddress 20093->20094 20093->20099 20095 402651 GetProcAddress 20094->20095 20094->20099 20096 402662 GetProcAddress 20095->20096 20095->20099 20097 402673 GetProcAddress 20096->20097 20096->20099 20098 402684 GetProcAddress 20097->20098 20097->20099 20098->20099 20099->20074 20099->20075 20101 4025fb 7 API calls 20100->20101 20102 4026da 20101->20102 20103 4026ee 20102->20103 20104 4026de MonitorFromRect 20102->20104 20105 40271b 20103->20105 20106 402705 GetSystemMetrics 20103->20106 20104->20105 20105->20077 20106->20105 20107 402712 GetSystemMetrics 20106->20107 20107->20105 20109 41d96a 20108->20109 20111 41d963 20108->20111 20109->20019 20111->20109 20112 41d97f 20111->20112 20115 41d91a 20111->20115 20113 41c48d 58 API calls 20112->20113 20114 41d985 20113->20114 20114->20019 20124 41c4b4 20115->20124 20117 41d925 20118 41d939 GetWindowLongA 20117->20118 20119 41d929 20117->20119 20121 41d952 GetWindow 20118->20121 20122 41d949 GetParent 20118->20122 20127 402827 20119->20127 20123 41d930 20121->20123 20122->20123 20123->20111 20125 41c41b ctype 57 API calls 20124->20125 20126 41c4bb ctype 20125->20126 20126->20117 20128 402837 20127->20128 20129 40282e GetParent 20127->20129 20130 41c48d 58 API calls 20128->20130 20129->20128 20131 40283d 20130->20131 20131->20123 20133 420bd8 GetWindowLongA 20132->20133 20135 41e0a6 20132->20135 20134 420bef GetClassNameA lstrcmpi 20133->20134 20133->20135 20134->20135 20135->19991 20135->19993 20136 41c539 20137 41c54b 20136->20137 20143 41c546 20136->20143 20138 41c4b4 57 API calls 20137->20138 20139 41c554 20138->20139 20140 41c56f NtdllDefWindowProc_A 20139->20140 20141 41c55d 20139->20141 20140->20143 20144 41c2c2 20141->20144 20145 41c2cc __EH_prolog 20144->20145 20146 422f5f ctype 21 API calls 20145->20146 20147 41c2e4 20146->20147 20148 41c341 20147->20148 20149 41c14f 2 API calls 20147->20149 20154 41d1f3 20148->20154 20149->20148 20151 41c172 95 API calls 20152 41c36a 20151->20152 20152->20143 
20160 41c3f4 20154->20160 20165 41d237 20154->20165 20155 41d215 20156 41c352 20155->20156 20231 41cd25 20155->20231 20156->20151 20156->20152 20161 422f5f ctype 21 API calls 20160->20161 20162 41c406 20161->20162 20164 41cd25 2 API calls 20162->20164 20163 41c419 20163->20155 20164->20163 20166 41d241 __EH_prolog 20165->20166 20167 41d2b5 20166->20167 20168 41d2a5 20166->20168 20221 41d258 20166->20221 20170 41d2d2 20167->20170 20171 41d2ba 20167->20171 20169 41c48d 58 API calls 20168->20169 20172 41d2ab 20169->20172 20176 423293 ctype 6 API calls 20170->20176 20173 41c24c 66 API calls 20171->20173 20174 41c1eb 64 API calls 20172->20174 20175 41d2ca 20173->20175 20174->20167 20175->20170 20175->20221 20177 41d2f3 20176->20177 20178 41d311 20177->20178 20185 41d338 20177->20185 20180 423303 ctype RtlLeaveCriticalSection 20178->20180 20179 41d3b5 20181 423303 ctype RtlLeaveCriticalSection 20179->20181 20204 41d31e 20180->20204 20181->20221 20182 41d401 20187 41d540 20182->20187 20188 41d5bb 20182->20188 20189 41d5c8 20182->20189 20190 41d58f 20182->20190 20191 41d60e 20182->20191 20192 41d412 20182->20192 20193 41d696 20182->20193 20194 41d59d 20182->20194 20195 41d524 20182->20195 20196 41d5a7 20182->20196 20197 41d428 20182->20197 20198 41d5e8 20182->20198 20199 41d571 20182->20199 20200 41d5f6 20182->20200 20201 41d4fb 20182->20201 20202 41d5ff 20182->20202 20203 41d43f 20182->20203 20182->20221 20223 41d44d 20182->20223 20225 41d4ba 20182->20225 20183 41d3ef GetVersion 20183->20182 20184 41d3d3 20186 423303 ctype RtlLeaveCriticalSection 20184->20186 20185->20179 20185->20184 20185->20193 20186->20204 20230 41c3f4 23 API calls 20187->20230 20222 41c48d 58 API calls 20188->20222 20218 41c48d 58 API calls 20189->20218 20212 4203bb 57 API calls 20190->20212 20219 41c48d 58 API calls 20191->20219 20191->20221 20236 4203bb 20192->20236 20211 423303 ctype RtlLeaveCriticalSection 20193->20211 20214 41ee3b 57 API calls 20194->20214 20246 41ee3b 20195->20246 20216 41ee3b 

    Executed Functions

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 155 41b5b0-41b5dd call 409b78 call 42274e 160 41b5fd-41b5ff 155->160 161 41b5df-41b5fb call 42274e FindResourceA LoadResource 155->161 163 41b601-41b608 LockResource 160->163 164 41b60b-41b60f 160->164 161->160 163->164 166 41b611-41b614 164->166 167 41b619-41b630 call 41b534 call 41c9a7 164->167 168 41b701-41b70f 166->168 173 41b650-41b66f call 41c95b call 41c48d call 41b2cc 167->173 174 41b632-41b63d IsWindowEnabled 167->174 182 41b671-41b675 173->182 183 41b6c3-41b6ca 173->183 174->173 175 41b63f-41b649 EnableWindow 174->175 175->173 186 41b691-41b694 182->186 187 41b677-41b684 call 41eaab 182->187 184 41b6d7-41b6da 183->184 185 41b6cc-41b6d1 EnableWindow 183->185 189 41b6f0-41b6fe call 41b56e 184->189 190 41b6dc-41b6e5 GetActiveWindow 184->190 185->184 186->183 188 41b696-41b6a7 call 41eb91 186->188 197 41b686-41b688 187->197 198 41b689-41b68c call 41e4b5 187->198 188->183 189->168 190->189 193 41b6e7-41b6ea SetActiveWindow 190->193 193->189 197->198 198->186
    APIs
    • __EH_prolog.LIBCMT ref: 0041B5B5
    • FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041B5ED
    • LoadResource.KERNEL32(?,00000000), ref: 0041B5F5
      • Part of subcall function 0041C9A7: UnhookWindowsHookEx.USER32(?), ref: 0041C9CC
    • LockResource.KERNEL32(?), ref: 0041B602
    • IsWindowEnabled.USER32(?), ref: 0041B635
    • EnableWindow.USER32(?,00000000), ref: 0041B643
    • EnableWindow.USER32(?,00000001), ref: 0041B6D1
    • GetActiveWindow.USER32 ref: 0041B6DC
    • SetActiveWindow.USER32(?), ref: 0041B6EA
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
    • String ID:
    • API String ID: 401145483-0
    • Opcode ID: 9c13e82c31ea8126bf633e86440852d43c12023f5c42eb63c240a6ba4a6371d4
    • Instruction ID: c6b1c21f70f0eda56e5f224a4d3cdf4d0f17ff15d3d7e1b6d445010aa08c3e1b
    • Opcode Fuzzy Hash: 9c13e82c31ea8126bf633e86440852d43c12023f5c42eb63c240a6ba4a6371d4
    • Instruction Fuzzy Hash: DD419130A00615DBCB21AF65CC45AEFBBB5EF84715F10051FF502A22A1C7799981CAAE
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 265 41e685-41e6a1 GetModuleHandleA LoadLibraryA 266 41e6a3-41e6b3 GetProcAddress 265->266 267 41e6f6-41e6f9 265->267 268 41e6d0-41e6d8 266->268 269 41e6b5-41e6c4 266->269 271 41e6ed-41e6f4 FreeLibrary 268->271 274 41e6da-41e6e0 268->274 270 41e6c6-41e6ce 269->270 269->271 270->271 271->267 274->271 275 41e6e2-41e6e8 274->275 275->271
    APIs
    • GetModuleHandleA.KERNELBASE(COMCTL32.DLL,00000800,00000000,00000400,0041E97F,?,00020000), ref: 0041E68E
    • LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 0041E697
    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0041E6AB
    • FreeLibrary.KERNEL32(00000000), ref: 0041E6EE
    Strings
    Similarity
    • API ID: Library$AddressFreeHandleLoadModuleProc
    • String ID: COMCTL32.DLL$InitCommonControlsEx
    • API String ID: 1437655972-4218389149
    • Opcode ID: 4f4e9835824409b15afb8647716c1b7b6f978b7695c7d01f378cf114a1f15769
    • Instruction ID: 1374f92089fc212110b42683be3ef3a77f427aebd031e98896efb8405606f498
    • Opcode Fuzzy Hash: 4f4e9835824409b15afb8647716c1b7b6f978b7695c7d01f378cf114a1f15769
    • Instruction Fuzzy Hash: 77F028367042128787219F7AAC4894F72E9AFB87517C50876F900E3210CF28CC468B7D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 0041D23C
    • GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 0041D3EF
    Similarity
    • API ID: H_prologVersion
    • String ID:
    • API String ID: 1836448879-0
    • Opcode ID: 0547099746b990c9097a0bb38031d08986fda934a185f89fb2fb3d416d321291
    • Instruction ID: 1e776a81a1d2d7f22023ae94e72e3dfac7a938e72e6e01aab679b61fd9699312
    • Opcode Fuzzy Hash: 0547099746b990c9097a0bb38031d08986fda934a185f89fb2fb3d416d321291
    • Instruction Fuzzy Hash: A2E170B0A04219EBDB14DF65DC80AFE77A9AF04314F10851BF81ADB241D73CDA91DB6A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0041CD4C
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 0041CD61
    Similarity
    • API ID: Window$CallNtdllProcProc_
    • String ID:
    • API String ID: 1646280189-0
    • Opcode ID: ff0c6840fd89ca77777306d80818695eebde114d3a42b22cdb27cfe6a40782d2
    • Instruction ID: 2ec603abcebbf9c2f0aa945f91831beae260904d1b3eb8bf6b17a3037968d538
    • Opcode Fuzzy Hash: ff0c6840fd89ca77777306d80818695eebde114d3a42b22cdb27cfe6a40782d2
    • Instruction Fuzzy Hash: 81F01536200208EFCF218F94EC48DEA7FB9FF08360B048429FA4986130D732D860EB84
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ba2eaebd1a8e2068ff24fa888bffd0b00cf1dd4f6a0331a112986574440eb1d8
    • Instruction ID: 74dd89ac5fb6eec965754c280a3ff515c4601d12228289f6156730aa0e45a1ee
    • Opcode Fuzzy Hash: ba2eaebd1a8e2068ff24fa888bffd0b00cf1dd4f6a0331a112986574440eb1d8
    • Instruction Fuzzy Hash: 39F01232580629BBCF129E919C41EEF3B1AAF053A0F448416FA1455051C739E6A1EBAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040EE16() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E0040EDD0); // executed
    				 *0x437860 = _t1;
    				return _t1;
    			}





    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_0000EDD0), ref: 0040EE1B
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 8b8b840c6cc93a95279f4c51e9c779ea80bdd793fd5ca5c8894603f598f11bf7
    • Instruction ID: 6e66422c88b628b46948dee5cfcb8958efa4335705e20bdb78607565375c715f
    • Opcode Fuzzy Hash: 8b8b840c6cc93a95279f4c51e9c779ea80bdd793fd5ca5c8894603f598f11bf7
    • Instruction Fuzzy Hash: FFA011B020A208AA83202F22AC0C8003AA0AA88202B000832EA80A03A0CB300020CA0C
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 0041EAAB: GetWindowLongA.USER32(?,000000F0), ref: 0041EAB7
    • GetParent.USER32(?), ref: 0041E1D5
    • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0041E1F8
    • GetWindowRect.USER32(?,?), ref: 0041E211
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0041E224
    • CopyRect.USER32(?,?), ref: 0041E271
    • CopyRect.USER32(?,?), ref: 0041E27B
    • GetWindowRect.USER32(00000000,?), ref: 0041E284
      • Part of subcall function 00402729: MonitorFromWindow.USER32(?,?), ref: 0040273E
      • Part of subcall function 00402794: GetMonitorInfoA.USER32(?,?), ref: 004027AB
    • CopyRect.USER32(?,?), ref: 0041E2A0
    Similarity
    • API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
    • String ID:
    • API String ID: 1450647913-0
    • Opcode ID: c6295bb1a97085046b82b499d5fbc23c1d958a976d1de123ce1f313b680d6f26
    • Instruction ID: fc07e601d00e67695684d0e24734d9bce940672d81655c98c496d4079db49ff8
    • Opcode Fuzzy Hash: c6295bb1a97085046b82b499d5fbc23c1d958a976d1de123ce1f313b680d6f26
    • Instruction Fuzzy Hash: 47519475A00219ABDB14DBA9CD89EEEBBBDAF48310F144166FD11F3280D774EC468B58
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 0041B2D1
    • GetSystemMetrics.USER32(0000002A), ref: 0041B382
    • GlobalFix.KERNEL32(?), ref: 0041B40C
    • CreateDialogIndirectParamA.USER32(?,?,?,Function_0001B114,00000000), ref: 0041B43E
    Strings
    Similarity
    • API ID: CreateDialogGlobalH_prologIndirectMetricsParamSystem
    • String ID: Helv$MS Sans Serif$MS Shell Dlg
    • API String ID: 2252606490-2894235370
    • Opcode ID: b7768515eae486af785734151f8f9cdd107d2ae8204bf57f987365b76fc1d650
    • Instruction ID: 856cec234d1d29601057443d6a710529da1af93a04376bd3c7024264fe759a06
    • Opcode Fuzzy Hash: b7768515eae486af785734151f8f9cdd107d2ae8204bf57f987365b76fc1d650
    • Instruction Fuzzy Hash: E9616E71A0021ADFCF14EFA5D9859EEBBB1FF14314F10453FE515A2292DB388A81CB99
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __EH_prolog.LIBCMT ref: 0041C58F
    • GetPropA.USER32(?,AfxOldWndProc423), ref: 0041C5A7
    • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0041C605
      • Part of subcall function 0041C172: GetWindowRect.USER32(?,0041C36A), ref: 0041C197
      • Part of subcall function 0041C172: GetWindow.USER32(?,00000004), ref: 0041C1B4
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0041C635
    • RemovePropA.USER32(?,AfxOldWndProc423), ref: 0041C63D
    • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0041C644
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0041C64B
      • Part of subcall function 0041C14F: GetWindowRect.USER32(?,?), ref: 0041C15B
    • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0041C69F
    Strings
    Similarity
    • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
    • String ID: AfxOldWndProc423
    • API String ID: 2397448395-1060338832
    • Opcode ID: 249af87b2fa61472de66a7994bfca088623a809077bfce4ab8dc451873c13f40
    • Instruction ID: 8383ee8bd70407e0b867521a652064d3230271098d6b76c8c44a31f9f60f4286
    • Opcode Fuzzy Hash: 249af87b2fa61472de66a7994bfca088623a809077bfce4ab8dc451873c13f40
    • Instruction Fuzzy Hash: E131907298121ABBCB11AFE5DD89EFF7B78FF45310F00412AF901A2151C7398951DBAA
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 136 422bf8-422c15 RtlEnterCriticalSection 137 422c17-422c1e 136->137 138 422c24-422c29 136->138 137->138 139 422cdd-422ce0 137->139 140 422c46-422c4f 138->140 141 422c2b-422c2e 138->141 144 422ce2-422ce5 139->144 145 422ce8-422d09 RtlLeaveCriticalSection 139->145 142 422c51-422c62 GlobalAlloc 140->142 143 422c64-422c80 GlobalHandle GlobalUnWire GlobalReAlloc 140->143 146 422c31-422c34 141->146 147 422c86-422c92 142->147 143->147 144->145 148 422c36-422c3c 146->148 149 422c3e-422c40 146->149 150 422c94-422caa GlobalHandle GlobalFix RtlLeaveCriticalSection call 419d03 147->150 151 422caf-422cdc GlobalFix call 409c20 147->151 148->146 148->149 149->139 149->140 150->151 151->139
    APIs
    • RtlEnterCriticalSection.NTDLL(0043721C), ref: 00422C07
    • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,00437200,00437200,00422F93,?,00000000,0042275D,00422136,00422779,0041A668,0042029B,?,00000000), ref: 00422C5C
    • GlobalHandle.KERNEL32(0071FC60), ref: 00422C65
    • GlobalUnWire.KERNEL32(00000000), ref: 00422C6E
    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00422C80
    • GlobalHandle.KERNEL32(0071FC60), ref: 00422C97
    • GlobalFix.KERNEL32(00000000), ref: 00422C9E
    • RtlLeaveCriticalSection.NTDLL(0040A3D5), ref: 00422CA4
    • GlobalFix.KERNEL32(00000000), ref: 00422CB3
    • RtlLeaveCriticalSection.NTDLL(?), ref: 00422CFC
    Similarity
    • API ID: Global$CriticalSection$AllocHandleLeave$EnterWire
    • String ID:
    • API String ID: 1877740037-0
    • Opcode ID: 9d2905c6042edb63f8f74741eea6ba1917248de49369a6d6d17325822d7b74a2
    • Instruction ID: 7478fa27e539c3c6c703c38a9211e7202548afc69c9728214b4afa0bbd09313f
    • Opcode Fuzzy Hash: 9d2905c6042edb63f8f74741eea6ba1917248de49369a6d6d17325822d7b74a2
    • Instruction Fuzzy Hash: B2318E71304706AFD7349F29ED89A2AB7E9FF44304B404A6EF852C3661E7B5E8458B24
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 202 41e4b5-41e4d0 203 41e4e2 202->203 204 41e4d2-41e4e0 call 41eaab 202->204 206 41e4e6-41e504 GetParent call 41a663 203->206 204->203 204->206 210 41e507-41e50b 206->210 211 41e583-41e591 call 41a663 210->211 212 41e50d-41e51a PeekMessageA 210->212 226 41e593-41e597 211->226 227 41e5f8-41e601 call 4253fc 211->227 212->211 213 41e51c-41e520 212->213 215 41e522-41e530 call 41ebe0 UpdateWindow 213->215 216 41e534-41e539 213->216 215->216 219 41e53b-41e53f 216->219 220 41e55a-41e55f 216->220 219->220 223 41e541-41e545 219->223 224 41e561-41e57b SendMessageA 220->224 225 41e57d-41e581 220->225 223->220 228 41e547-41e554 SendMessageA 223->228 224->210 224->225 225->210 229 41e599-41e5a1 226->229 230 41e5bc-41e5c5 226->230 236 41e60a-41e611 227->236 228->220 232 41e5a3-41e5a8 229->232 233 41e5aa-41e5b8 call 41ebe0 UpdateWindow 229->233 239 41e603-41e607 230->239 240 41e5c7-41e5d6 call 41a663 230->240 232->230 232->233 233->230 239->236 244 41e5e4-41e5f1 PeekMessageA 240->244 245 41e5d8-41e5e0 240->245 244->211 246 41e5f3 244->246 245->244 246->210
    APIs
    • GetParent.USER32(?), ref: 0041E4E9
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041E512
    • UpdateWindow.USER32(?), ref: 0041E52E
    • SendMessageA.USER32(?,00000121,00000000,?), ref: 0041E554
    • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 0041E573
    • UpdateWindow.USER32(?), ref: 0041E5B6
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041E5E9
      • Part of subcall function 0041EAAB: GetWindowLongA.USER32(?,000000F0), ref: 0041EAB7
    Similarity
    • API ID: Message$Window$PeekSendUpdate$LongParent
    • String ID:
    • API String ID: 2853195852-0
    • Opcode ID: f30b7d3a27fafbae3bfae6e81c2bcbe6a4fc56b0cb4372b9b2374fb08bf45fed
    • Instruction ID: 09e6a9f899521ca90ff2cfe3eac803617b6fd6a40e3a2301ec45f550c1077e6a
    • Opcode Fuzzy Hash: f30b7d3a27fafbae3bfae6e81c2bcbe6a4fc56b0cb4372b9b2374fb08bf45fed
    • Instruction Fuzzy Hash: 5A418F34608341ABD720DF578848E9BBBE5EFC0B48F540A1EFC8186291E779D985CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 38%
    			E00401279(void* __ecx) {
    				struct HMENU__* _t29;
    				CHAR* _t38;
    				void* _t42;
    				struct HMENU__* _t43;
    				signed int _t47;
    				void* _t54;
    				void* _t63;
    				void* _t64;
    				void* _t66;
    
    				E00409B78(0x425624, _t66);
    				_t64 = __ecx;
    				0x41b836(_t54, _t63, _t42);
    				_t29 = GetSystemMenu( *(__ecx + 0x1c), 0);
    				0x41ee3b(_t29);
    				_t43 = _t29;
    				if(_t43 != 0) {
    					_t38 =  *0x431458; // 0x43146c
    					 *(_t66 - 0x10) = _t38;
    					 *(_t66 - 4) = 0;
    					0x41ed1e(0x65); // executed
    					if( *((intOrPtr*)( *(_t66 - 0x10) - 8)) != 0) {
    						AppendMenuA( *(_t43 + 4), 0x800, 0, 0);
    						AppendMenuA( *(_t43 + 4), 0, 0x10,  *(_t66 - 0x10));
    					}
    					 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
    					0x41bc28();
    				}
    				SendMessageA( *(_t64 + 0x1c), 0x80, 1,  *(_t64 + 0x68)); // executed
    				SendMessageA( *(_t64 + 0x1c), 0x80, 0,  *(_t64 + 0x68)); // executed
    				 *(_t66 - 0x114) =  *(_t66 - 0x114) & 0x00000000;
    				_t47 = 0x40;
    				memset(_t66 - 0x113, 0, _t47 << 2);
    				asm("stosw");
    				asm("stosb");
    				GetCurrentDirectoryA(0x104, _t66 - 0x114);
    				0x41bd6d(_t66 - 0x114);
    				 *((intOrPtr*)(_t64 + 0x5c)) = 1;
    				 *((intOrPtr*)(_t64 + 0x60)) = 1;
    				0x41e0f2(0); // executed
    				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
    				return 1;
    			}













    APIs
    • __EH_prolog.LIBCMT ref: 0040127E
    • GetSystemMenu.USER32(?,00000000), ref: 00401299
    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 004012D8
    • AppendMenuA.USER32(?,00000000,00000010,?), ref: 004012E4
    • SendMessageA.USER32(?,00000080,00000001,?), ref: 00401306
    • SendMessageA.USER32(?,00000080,00000000,?), ref: 00401311
    • GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 00401336
    Similarity
    • API ID: Menu$AppendMessageSend$CurrentDirectoryH_prologSystem
    • String ID:
    • API String ID: 3057829680-0
    • Opcode ID: 7668859d305371aed3856db033b88c41afe3ddc3e9fa0850a4097b0447e01100
    • Instruction ID: 20ca1b439980ec705d4e4b4d844f0f83eafbe730898eb3a292a7cbc624e4c4aa
    • Opcode Fuzzy Hash: 7668859d305371aed3856db033b88c41afe3ddc3e9fa0850a4097b0447e01100
    • Instruction Fuzzy Hash: 1D21D231600718AFDB30AB66DC85FDABBB5FF84704F10456AF641A62E0CBB4A945CF14
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0041F00D
    • GetSystemMetrics.USER32(0000000C), ref: 0041F014
    • GetDC.USER32(00000000), ref: 0041F02D
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0041F03E
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041F046
    • ReleaseDC.USER32(00000000,00000000), ref: 0041F04E
      • Part of subcall function 0042334E: GetSystemMetrics.USER32(00000002), ref: 00423360
      • Part of subcall function 0042334E: GetSystemMetrics.USER32(00000003), ref: 0042336A
    Similarity
    • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
    • String ID:
    • API String ID: 1031845853-0
    • Opcode ID: 04d1f559de8389cac5ea01e62d5afea9ee6a08bcf67a5b674b5e579951a3411c
    • Instruction ID: 48417e4e6c3a254812e36044e1c2a173b5c5467a47b006dd95793fce3c74c58e
    • Opcode Fuzzy Hash: 04d1f559de8389cac5ea01e62d5afea9ee6a08bcf67a5b674b5e579951a3411c
    • Instruction Fuzzy Hash: 3EF030706407009AE330ABB29C49B17BBA4EB84B56F51442AE60546291CA7899468BA9
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 284 42332e-4233df GetVersion 286 4233f3-4233f5 call 41f000 284->286 287 4233e1-4233f0 GetProcessVersion 284->287 289 4233fa-42343a call 41efbc LoadCursorA * 2 286->289 287->286
    APIs
    • GetVersion.KERNEL32(?,?,?,00423329), ref: 004233A5
    • GetProcessVersion.KERNELBASE(00000000,?,?,?,00423329), ref: 004233E2
    • LoadCursorA.USER32(00000000,00007F02), ref: 00423410
    • LoadCursorA.USER32(00000000,00007F00), ref: 0042341B
    Strings
    Similarity
    • API ID: CursorLoadVersion$Process
    • String ID: huC
    • API String ID: 2246821583-68738579
    • Opcode ID: 53d3e663c75979945a790481fde6df12d7ea49bb7c89b2726cd93b0695f8d457
    • Instruction ID: d345d6e8c67e1c9958705ad87fc6c84ebb6a2319113fd2e7daef7292992ad9a1
    • Opcode Fuzzy Hash: 53d3e663c75979945a790481fde6df12d7ea49bb7c89b2726cd93b0695f8d457
    • Instruction Fuzzy Hash: 7B118FB1A047108FD728DF3A988462ABBE5FB487057404D3FE58BC6B40DB78E441CB58
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 292 420cb6-420cd2 lstrlen 293 420cd4-420ce7 GetWindowTextA 292->293 294 420cfd-420d03 SetWindowTextA 292->294 293->294 295 420ce9-420cfb lstrcmp 293->295 296 420d09-420d0b 294->296 295->294 295->296
    APIs
    • lstrlen.KERNEL32(?), ref: 00420CC3
    • GetWindowTextA.USER32(?,?,00000100), ref: 00420CDF
    • lstrcmp.KERNEL32(?,?), ref: 00420CF3
    • SetWindowTextA.USER32(?,?), ref: 00420D03
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: TextWindow$lstrcmplstrlen
    • String ID:
    • API String ID: 330964273-0
    • Opcode ID: b2a0dbdda95e18fe1de40026b38a92863c5cd299e616089cefc0fb5a07b81dd9
    • Instruction ID: 119a75f1f72beecec215bd42e51f6b210208c7fa7f7eee5b8f8e84a6ebe44501
    • Opcode Fuzzy Hash: b2a0dbdda95e18fe1de40026b38a92863c5cd299e616089cefc0fb5a07b81dd9
    • Instruction Fuzzy Hash: CAF08235200019BBCF326F20EC08ADE7BADEB08350F408162FC49D1120D774CE55CB98
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 297 41a678-41a681 call 42274e 300 41a683-41a6ae call 422521 GetCurrentThreadId SetWindowsHookExA call 422ff4 297->300 301 41a6d6 297->301 305 41a6b3-41a6b9 300->305 306 41a6c6-41a6d5 call 422f5f 305->306 307 41a6bb-41a6c0 call 42274e 305->307 306->301 307->306
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0041A68B
    • SetWindowsHookExA.USER32(000000FF,Vx},00000000,00000000), ref: 0041A69B
      • Part of subcall function 00422FF4: __EH_prolog.LIBCMT ref: 00422FF9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CurrentH_prologHookThreadWindows
    • String ID: Vx}
    • API String ID: 2183259885-2153043895
    • Opcode ID: c8a9dab6479c3ac065f846e96853865f631a33222aee90965794e73d8f5c8fb5
    • Instruction ID: 091430f2cf4aaf227a7c54aa235a5e78db672453f13d8eb9b68ab0e1a7b58083
    • Opcode Fuzzy Hash: c8a9dab6479c3ac065f846e96853865f631a33222aee90965794e73d8f5c8fb5
    • Instruction Fuzzy Hash: BFF0E2307042207BC7303B707E09B2A2560AB00364F89865BB541265F2CBAC9890D35E
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 312 41c95b-41c975 call 422f5f 315 41c9a2-41c9a4 312->315 316 41c977-41c97b 312->316 317 41c97d-41c998 GetCurrentThreadId SetWindowsHookExA 316->317 318 41c99f 316->318 317->318 319 41c99a call 419d03 317->319 318->315 319->318
    APIs
      • Part of subcall function 00422F5F: TlsGetValue.KERNEL32(00437200,?,00000000,0042275D,00422136,00422779,0041A668,0042029B,?,00000000,?,00418C5C,00000000,00000000,00000000,00000000), ref: 00422F9E
    • GetCurrentThreadId.KERNEL32 ref: 0041C97D
    • SetWindowsHookExA.USER32(00000005,Function_0001C765,00000000,00000000), ref: 0041C98D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CurrentHookThreadValueWindows
    • String ID: 8pC
    • API String ID: 933525246-366150886
    • Opcode ID: 6356e0cc8820bd23f42b4511e65e2484e5313dff0ca9dc3ec7a04553f2ecd627
    • Instruction ID: 12d1cfcefd51ec8332386679d8efcd335da5deada7f9f23b8ac9f59a831245b6
    • Opcode Fuzzy Hash: 6356e0cc8820bd23f42b4511e65e2484e5313dff0ca9dc3ec7a04553f2ecd627
    • Instruction Fuzzy Hash: 7BE0ED70340710AED330AB26AD04B5BB6A0EB80B11F15452FF26982180D7B898828B7E
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 321 41abd8-41abed KiUserCallbackDispatcher 322 41ac15-41ac17 321->322 323 41abef-41abf6 321->323 324 41ac12-41ac14 323->324 325 41abf8-41ac02 323->325 324->322 325->324 327 41ac04-41ac0c TranslateMessage DispatchMessageA 325->327 327->324
    APIs
    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0041ABE5
    • TranslateMessage.USER32(?), ref: 0041AC05
    • DispatchMessageA.USER32(?), ref: 0041AC0C
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Message$CallbackDispatchDispatcherTranslateUser
    • String ID:
    • API String ID: 2960505505-0
    • Opcode ID: 2cfc208e5b9c8f4430915d4df508953bc0f145ab1294476755a3ea796a51ed40
    • Instruction ID: 881fb4bae946ee293dd3a20f01e5a50dab340a007b9a968d216ab9620874fc56
    • Opcode Fuzzy Hash: 2cfc208e5b9c8f4430915d4df508953bc0f145ab1294476755a3ea796a51ed40
    • Instruction Fuzzy Hash: 68E06D32305100AFD3219B64AD4CDBB37ADAF85B01744542EF902C2110DB649CC2EAAA
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 328 41c2c2-41c317 call 409b78 call 422f5f 333 41c327-41c331 328->333 334 41c319-41c31e 328->334 336 41c341-41c35b call 41d1f3 333->336 337 41c333-41c33c call 41c14f 333->337 334->333 335 41c320-41c322 334->335 335->333 340 41c3a0-41c3bc 336->340 341 41c35d-41c365 call 41c172 336->341 337->336 343 41c36a 341->343 343->340
    APIs
    • __EH_prolog.LIBCMT ref: 0041C2C7
      • Part of subcall function 00422F5F: TlsGetValue.KERNEL32(00437200,?,00000000,0042275D,00422136,00422779,0041A668,0042029B,?,00000000,?,00418C5C,00000000,00000000,00000000,00000000), ref: 00422F9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prologValue
    • String ID: 8pC
    • API String ID: 3700342317-366150886
    • Opcode ID: 78d8297df557c4dd4f8ad7c6213d663a27075a7a7da74e9e3044fde95206ca43
    • Instruction ID: 1475af58bed0619d2d56686d421bc99ccec5bcc9bc20bb05be0de175dc620df1
    • Opcode Fuzzy Hash: 78d8297df557c4dd4f8ad7c6213d663a27075a7a7da74e9e3044fde95206ca43
    • Instruction Fuzzy Hash: 3E215A72A00209EFCF05DF54C881AEE7BB9FF05314F40806AF919AB241C378AD55CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0041EAAB: GetWindowLongA.USER32(?,000000F0), ref: 0041EAB7
    • GetWindowRect.USER32(?,0041C36A), ref: 0041C197
    • GetWindow.USER32(?,00000004), ref: 0041C1B4
      • Part of subcall function 0041EC07: IsWindowEnabled.USER32(?), ref: 0041EC11
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$EnabledLongRect
    • String ID:
    • API String ID: 3170195891-0
    • Opcode ID: f1dbcee157cfed4b5d396127ec9dbf0498bb23a6d87f15859fa492bce42a2e39
    • Instruction ID: 6ca27f96ef341e3042d69a2dfb71032b59b9ab41f432de482452522f48cc3bda
    • Opcode Fuzzy Hash: f1dbcee157cfed4b5d396127ec9dbf0498bb23a6d87f15859fa492bce42a2e39
    • Instruction Fuzzy Hash: 40015E31784208EBDF22AB61CD85BEE77B5AF40354F40485AEC41D7292DB38D980CA5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 16%
    			E004011AB(intOrPtr __ecx) {
    				struct HICON__* _t15;
    				intOrPtr _t20;
    				void* _t21;
    				intOrPtr _t22;
    				void* _t24;
    
    				E00409B78(0x42560f, _t24);
    				_t22 = __ecx;
    				 *((intOrPtr*)(_t24 - 0x10)) = __ecx;
    				0x41b4fb(0x66,  *((intOrPtr*)(_t24 + 8)), _t21, __ecx);
    				_t20 =  *0x431458; // 0x43146c
    				 *((intOrPtr*)(_t24 - 4)) = 0;
    				 *((intOrPtr*)(__ecx + 0x64)) = _t20;
    				 *((char*)(_t24 - 4)) = 1;
    				 *((intOrPtr*)(__ecx)) = 0x427760;
    				 *((intOrPtr*)(__ecx + 0x5c)) = 0;
    				 *((intOrPtr*)(__ecx + 0x60)) = 0;
    				0x41bd6d(0x435624);
    				0x42274e();
    				0x42274e();
    				_t15 = LoadIconA( *0x0000000C, 0x80); // executed
    				 *(_t22 + 0x68) = _t15;
    				 *[fs:0x0] =  *((intOrPtr*)(_t24 - 0xc));
    				return _t22;
    			}









    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prologIconLoad
    • String ID:
    • API String ID: 3032110321-0
    • Opcode ID: f99ee073ff777533ec35844975a0a937ffcec195c6ae387525a8ac0fbad21124
    • Instruction ID: 546313d42aba6f95ac627141bffb468252e86a9e4d5337c09b9ba1a7dabb3641
    • Opcode Fuzzy Hash: f99ee073ff777533ec35844975a0a937ffcec195c6ae387525a8ac0fbad21124
    • Instruction Fuzzy Hash: 5EF08C70A00754AFC720EF69E806A8ABBF0FF08714F00852EE48697351D7B8A900CB54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowTextLengthA.USER32(00000000), ref: 00421537
    • GetWindowTextA.USER32(00000000,00000000,00000000), ref: 0042154C
      • Part of subcall function 0041BED6: lstrlen.KERNEL32(00000014,00000014,0041BDCD,000000FF,00000000,00425222,?,?,?,?,?,00000000), ref: 0041BEE9
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: TextWindow$Lengthlstrlen
    • String ID:
    • API String ID: 288803333-0
    • Opcode ID: 22a2d38382f2a1fbd09bfd18be9cd0f421c4bcc26bc9b378e1ecdfd4ece49e5f
    • Instruction ID: 4ffe6f5b9bba727e1d6b512f11f49e202630f58694c08bb857eb1afe837ecd72
    • Opcode Fuzzy Hash: 22a2d38382f2a1fbd09bfd18be9cd0f421c4bcc26bc9b378e1ecdfd4ece49e5f
    • Instruction Fuzzy Hash: 16F0B432200115BB8B00EF96EC04DEF7759EF89360B44011BFE1183261CF389851CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetErrorMode.KERNELBASE(00000000,00000000,004202BA,00000000,00000000,00000000,00000000,?,00000000,?,00418C5C,00000000,00000000,00000000,00000000,0040A3D5), ref: 0042355C
    • SetErrorMode.KERNELBASE(00000000,?,00000000,?,00418C5C,00000000,00000000,00000000,00000000,0040A3D5,00000000), ref: 00423563
      • Part of subcall function 004235B6: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004235E7
      • Part of subcall function 004235B6: lstrcpy.KERNEL32(?,.HLP), ref: 00423688
      • Part of subcall function 004235B6: lstrcat.KERNEL32(?,.INI), ref: 004236B5
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
    • String ID:
    • API String ID: 3389432936-0
    • Opcode ID: 3d47847af0137a873c0845da5ba4778696ba0c0856ce19934b5912b7bfc64fcc
    • Instruction ID: fe24ecb36213765ed918ac973e83997c3601e0f4c7d2af2d7c410a5665a2dc65
    • Opcode Fuzzy Hash: 3d47847af0137a873c0845da5ba4778696ba0c0856ce19934b5912b7bfc64fcc
    • Instruction Fuzzy Hash: 0BF04F74A18320AFC714EF65E444B1A7BE5AF44721F05848FF4489B3A2CB78D880CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040D1DA(void* __ecx, intOrPtr _a4) {
    				void* _t6;
    				intOrPtr _t8;
    				void* _t9;
    				void* _t10;
    				void* _t12;
    
    				_t12 = __ecx;
    				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
    				_t15 = _t6;
    				 *0x438ea8 = _t6;
    				if(_t6 == 0) {
    					L7:
    					return 0;
    				} else {
    					_t8 = E0040D092(_t12, _t15);
    					 *0x438eac = _t8;
    					if(_t8 != 3) {
    						__eflags = _t8 - 2;
    						if(_t8 != 2) {
    							goto L8;
    						} else {
    							_t10 = E0040E217();
    							goto L5;
    						}
    					} else {
    						_push(0x3f8);
    						_t10 = E0040D6D0();
    						L5:
    						if(_t10 != 0) {
    							L8:
    							_t9 = 1;
    							return _t9;
    						} else {
    							HeapDestroy( *0x438ea8);
    							goto L7;
    						}
    					}
    				}
    			}









    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040A353,00000001), ref: 0040D1EB
      • Part of subcall function 0040D092: GetVersionExA.KERNEL32 ref: 0040D0B1
    • HeapDestroy.KERNEL32 ref: 0040D22A
      • Part of subcall function 0040D6D0: RtlAllocateHeap.NTDLL(00000000,00000140,0040D213), ref: 0040D6DD
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Heap$AllocateCreateDestroyVersion
    • String ID:
    • API String ID: 760317429-0
    • Opcode ID: 8dab59e7fafc7a49ab21fc43b40e98d86d51f07abd451e83954ef94eb4fbe674
    • Instruction ID: ba55980d6d6bcb5cbf6f5af8a9bf3fc01347ae51667ab442a2d9c65712393f92
    • Opcode Fuzzy Hash: 8dab59e7fafc7a49ab21fc43b40e98d86d51f07abd451e83954ef94eb4fbe674
    • Instruction Fuzzy Hash: CDF06531E543016EEB205FB16C0673A76949B51795F10487FF400E82D0EBB8C585961E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 24%
    			E0040A7AA(unsigned int _a4) {
    				signed int _v8;
    				intOrPtr _v20;
    				void* _v32;
    				intOrPtr _t19;
    				void* _t20;
    				signed char _t22;
    				void* _t23;
    				void* _t24;
    				void* _t36;
    				unsigned int _t44;
    				unsigned int _t46;
    				intOrPtr _t47;
    
    				_push(0xffffffff);
    				_push(0x429850);
    				_push(E0040D240);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t47;
    				_t19 =  *0x438eac;
    				if(_t19 != 3) {
    					__eflags = _t19 - 2;
    					if(_t19 != 2) {
    						goto L11;
    					} else {
    						_t24 = _a4;
    						__eflags = _t24;
    						if(_t24 == 0) {
    							_t44 = 0x10;
    						} else {
    							_t9 = _t24 + 0xf; // 0xf
    							_t44 = _t9 & 0xfffffff0;
    						}
    						_a4 = _t44;
    						__eflags = _t44 -  *0x4345b4; // 0x1e0
    						if(__eflags > 0) {
    							L10:
    							_push(_t44);
    							goto L14;
    						} else {
    							E0040D4CD(9);
    							_pop(_t36);
    							_v8 = 1;
    							_v32 = E0040E50F(_t36, _t44 >> 4);
    							_v8 = _v8 | 0xffffffff;
    							E0040A870();
    							_t23 = _v32;
    							__eflags = _t23;
    							if(_t23 == 0) {
    								goto L10;
    							}
    						}
    					}
    				} else {
    					_t46 = _a4;
    					if(_t46 >  *0x438ea4) {
    						L11:
    						_t20 = _a4;
    						__eflags = _t20;
    						if(_t20 == 0) {
    							_t20 = 1;
    						}
    						_t22 = _t20 + 0x0000000f & 0x000000f0;
    						__eflags = _t22;
    						_push(_t22);
    						L14:
    						_push(0);
    						_t23 = RtlAllocateHeap( *0x438ea8); // executed
    					} else {
    						E0040D4CD(9);
    						_v8 = _v8 & 0x00000000;
    						_push(_t46);
    						_v32 = E0040DA6C();
    						_v8 = _v8 | 0xffffffff;
    						E0040A811();
    						_t23 = _v32;
    						if(_t23 == 0) {
    							goto L11;
    						} else {
    						}
    					}
    				}
    				 *[fs:0x0] = _v20;
    				return _t23;
    			}
















    APIs
    • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000), ref: 0040A891
      • Part of subcall function 0040D4CD: RtlInitializeCriticalSection.NTDLL(00000000), ref: 0040D50A
      • Part of subcall function 0040D4CD: RtlEnterCriticalSection.NTDLL(?), ref: 0040D525
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$AllocateEnterHeapInitialize
    • String ID:
    • API String ID: 1616793339-0
    • Opcode ID: 8c2da830b3ea01824120b4ffb5499a62e58254e939f8308849b6233a08349897
    • Instruction ID: a13b92522ac9843b1322a2fd6cf920b141d7d2df3aa362283444895cbcf38022
    • Opcode Fuzzy Hash: 8c2da830b3ea01824120b4ffb5499a62e58254e939f8308849b6233a08349897
    • Instruction Fuzzy Hash: AB218833A00314ABDB10ABA5DC42B9EB764EB00764F14823BF410FB2D0C77CD952869D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E00401065(void* __ecx, void* __eflags) {
    				void* _t14;
    				void* _t27;
    				void* _t28;
    				void* _t30;
    
    				_t14 = E00409B78(0x4255dc, _t30);
    				_t28 = __ecx;
    				E00401CF8(_t14, 0);
    				0x4222b6(_t27);
    				E004011AB(_t30 - 0x78, 0); // executed
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
    				 *((intOrPtr*)(_t28 + 0x1c)) = _t30 - 0x78;
    				0x41b5b0(); // executed
    				 *(_t30 - 4) = 1;
    				0x41bc28();
    				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
    				0x41b28e();
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
    				return 0;
    			}








    APIs
    • __EH_prolog.LIBCMT ref: 0040106A
      • Part of subcall function 004011AB: __EH_prolog.LIBCMT ref: 004011B0
      • Part of subcall function 004011AB: LoadIconA.USER32(?,00000080), ref: 00401203
      • Part of subcall function 0041B5B0: __EH_prolog.LIBCMT ref: 0041B5B5
      • Part of subcall function 0041B5B0: FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041B5ED
      • Part of subcall function 0041B5B0: LoadResource.KERNEL32(?,00000000), ref: 0041B5F5
      • Part of subcall function 0041B5B0: LockResource.KERNEL32(?), ref: 0041B602
      • Part of subcall function 0041BC28: InterlockedDecrement.KERNEL32(-000000F4), ref: 0041BC3C
      • Part of subcall function 0041B28E: __EH_prolog.LIBCMT ref: 0041B293
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog$Resource$Load$DecrementFindIconInterlockedLock
    • String ID:
    • API String ID: 1834554830-0
    • Opcode ID: 8b34cfacd1639ca91298b29116989bf91c67198253ae492158db5cc66dc06861
    • Instruction ID: 771f1842cd823dad5f64a7072f48b78b45f5d7439afc3090d503f5aa73e7805c
    • Opcode Fuzzy Hash: 8b34cfacd1639ca91298b29116989bf91c67198253ae492158db5cc66dc06861
    • Instruction Fuzzy Hash: F8F06D319042089AEB24FBB1C146BDDBBB0EF04328F50026FA002A31C2DF785A48CE99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDialogMessage.USER32(?,?), ref: 0041EAA1
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: DialogMessage
    • String ID:
    • API String ID: 547518314-0
    • Opcode ID: b56537891fb8a0e1e0c2ca661bd9c24a9ccd3d2720ee97002b77249284ae4304
    • Instruction ID: 2d8d5d18a7005eefd02ddcc246fc07b901cb5efb4381f9e1b4c0bdbba88c4791
    • Opcode Fuzzy Hash: b56537891fb8a0e1e0c2ca661bd9c24a9ccd3d2720ee97002b77249284ae4304
    • Instruction Fuzzy Hash: F4E0C239208611AFC721AB54D808FDB7FF1BF89350F0585AAF48A82230C7749CC1DB99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadStringA.USER32(?,?,?,?), ref: 0041EDB9
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: LoadString
    • String ID:
    • API String ID: 2948472770-0
    • Opcode ID: 53a7cc0943c4b1a5061211dd8f45f59ef8f8f4d13dfcfa730e5f263be49d1abc
    • Instruction ID: 3688e17b608a8c774ce4df15ffc1905843c9cc19a8729a478148f391183b45d9
    • Opcode Fuzzy Hash: 53a7cc0943c4b1a5061211dd8f45f59ef8f8f4d13dfcfa730e5f263be49d1abc
    • Instruction Fuzzy Hash: 80D0A77610C3629BC711DF519C08C8FBFA4BF54324B444C0EF48053121C324D444C765
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 87%
    			E004165B0() {
    				struct _WNDCLASSA _v60;
    				signed int _t9;
    				signed int _t10;
    				int _t11;
    				struct HINSTANCE__* _t15;
    				short _t16;
    				short _t17;
    				short _t19;
    				short _t22;
    				short _t24;
    				struct HDC__* _t35;
    				intOrPtr* _t36;
    				intOrPtr* _t46;
    
    				 *0x4271f4(0x439220);
    				_t35 = GetDC(0);
    				_t9 = GetDeviceCaps(_t35, 0xc);
    				_t10 = GetDeviceCaps(_t35, 0xe);
    				_t11 = 1;
    				if(_t9 * _t10 < 4) {
    					_t11 = 0;
    				}
    				 *0x439240 = _t11;
    				if(GetSystemMetrics(1) == 0x15e && GetSystemMetrics(0) == 0x280) {
    					 *0x439240 = 0;
    				}
    				ReleaseDC(0, _t35);
    				if( *0x439240 == 0) {
    					L8:
    					 *0x4271fc(0x439220);
    					_t15 =  *0x439240; // 0x0
    					return _t15;
    				} else {
    					_t16 = GlobalAddAtomA("C3d");
    					 *0x439248 = _t16;
    					if(_t16 != 0) {
    						_t17 = GlobalAddAtomA("C3dNew");
    						 *0x43924e = _t17;
    						if(_t17 == 0) {
    							goto L7;
    						} else {
    							 *0x43924c = GlobalAddAtomA("C3dL");
    							_t19 = GlobalAddAtomA("C3dH");
    							 *0x43924a = _t19;
    							if( *0x43924c == 0 || _t19 == 0) {
    								 *0x439240 = 0;
    								return 0;
    							} else {
    								 *0x439252 = GlobalAddAtomA("C3dLNew");
    								_t22 = GlobalAddAtomA("C3dHNew");
    								 *0x439250 = _t22;
    								if( *0x439252 == 0 || _t22 == 0) {
    									 *0x439240 = 0;
    									return 0;
    								} else {
    									_t24 = GlobalAddAtomA("C3dD");
    									 *0x439254 = _t24;
    									if(_t24 == 0) {
    										goto L7;
    									} else {
    										 *0x439d45 = GetSystemMetrics(0x2a);
    										E00416510();
    										if(E00416880(1) == 0) {
    											goto L7;
    										} else {
    											_t36 = 0x439ca0;
    											_t46 = 0x42a98c;
    											do {
    												_t1 = _t46 - 0x14; // 0x42a978
    												 *_t36 =  *_t46;
    												_t36 = _t36 + 0x18;
    												_t46 = _t46 + 0x20;
    												GetClassInfoA(0, _t1,  &_v60);
    												 *((intOrPtr*)(_t36 - 0x14)) = _v60.lpfnWndProc;
    											} while (_t46 < 0x42aa4c);
    											if(GetClassInfoA(0, 0x8002,  &_v60) == 0) {
    												 *0x439d30 =  *0x42745c;
    											} else {
    												 *0x439d30 = _v60.lpfnWndProc;
    											}
    										}
    									}
    									goto L8;
    								}
    							}
    						}
    					} else {
    						L7:
    						 *0x439240 = 0;
    						goto L8;
    					}
    				}
    			}

















    APIs
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 004165BB
    • GetDC.USER32(00000000), ref: 004165C3
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004165D4
    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004165DB
    • GetSystemMetrics.USER32(00000001), ref: 004165F9
    • GetSystemMetrics.USER32(00000000), ref: 00416604
    • ReleaseDC.USER32(00000000,00000000), ref: 0041661A
    • GlobalAddAtomA.KERNEL32(C3d), ref: 00416634
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 00416650
    • GlobalAddAtomA.KERNEL32(C3dNew), ref: 00416667
    • GlobalAddAtomA.KERNEL32(C3dL), ref: 00416679
    • GlobalAddAtomA.KERNEL32(C3dH), ref: 00416686
    • GlobalAddAtomA.KERNEL32(C3dLNew), ref: 004166AA
    • GlobalAddAtomA.KERNEL32(C3dHNew), ref: 004166B7
    • GlobalAddAtomA.KERNEL32(C3dD), ref: 004166DB
    • GetSystemMetrics.USER32(0000002A), ref: 004166EE
    • GetClassInfoA.USER32(00000000,Button,?), ref: 00416731
    • GetClassInfoA.USER32(00000000,00008002,?), ref: 0041674E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
    • String ID: Button$C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
    • API String ID: 1233821986-2558600121
    • Opcode ID: b74cd5075a8cd23f65b92710d996486e7a9022b99f1ce6ac664a3885ff64efcf
    • Instruction ID: 2df905c7d0ad8229a6e182c3e09a6e9eec92bd3318ac230414eba4a148d26114
    • Opcode Fuzzy Hash: b74cd5075a8cd23f65b92710d996486e7a9022b99f1ce6ac664a3885ff64efcf
    • Instruction Fuzzy Hash: 2541B574680700ABD720AB64EC41BA777A4EB48355F551877EC04972E0DBFC9C85CB6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00416A10(void* __edx, int _a4, int _a8, int _a12, long _a16) {
    				char _v16;
    				_Unknown_base(*)()* _v20;
    				void* _v24;
    				void* __ebx;
    				void* __esi;
    				_Unknown_base(*)()* _t52;
    				signed int _t53;
    				_Unknown_base(*)()* _t55;
    				_Unknown_base(*)()* _t57;
    				_Unknown_base(*)()* _t59;
    				long _t62;
    				signed char _t64;
    				signed char _t70;
    				void* _t78;
    				int _t79;
    				void* _t87;
    				int _t88;
    				signed char _t89;
    				struct HWND__* _t90;
    				long _t92;
    
    				_t87 = __edx;
    				_t100 =  &_v24;
    				_t88 = _a8;
    				_t106 = _t88 - 0x82;
    				if(_t88 != 0x82) {
    					_t90 = _a4;
    					__eflags = GetPropA(_t90, 0);
    					if(__eflags == 0) {
    						__eflags = _t88 - 0x86;
    						if(_t88 > 0x86) {
    							__eflags = _t88 - 0x138;
    							if(_t88 > 0x138) {
    								__eflags = _t88 - 0x1943;
    								if(__eflags < 0) {
    									goto L7;
    								} else {
    									__eflags = _t88 - 0x1944;
    									if(__eflags <= 0) {
    										 *_a16 = 1;
    										return 0x3ee;
    									} else {
    										goto L7;
    									}
    								}
    							} else {
    								__eflags = _t88 - 0x132;
    								if(_t88 >= 0x132) {
    									GetClassNameA(_t90,  &_v16, 0x10);
    									__eflags =  *0x427284("#32770",  &_v16);
    									if(__eflags == 0) {
    										_t52 = GetWindowLongA(_t90, 4);
    										__eflags = _t52;
    										if(_t52 != 0) {
    											__eflags = _t52 - 0xffff0000;
    											if(_t52 <= 0xffff0000) {
    												L40:
    												_t92 = _a8;
    												_t79 = _a4;
    												_t53 = CallWindowProcA(_t52, _t90, _t88, _t79, _t92);
    												__eflags = _t53;
    												if(__eflags == 0) {
    													L42:
    													_t55 = E00415530(__eflags, _t90, 6);
    													_t100 = _t100 + 8;
    													_t52 = CallWindowProcA(_t55, _t90, _t88 + 0xcbf, _t79, _t92);
    													__eflags = _t52;
    													if(_t52 == 0) {
    														goto L44;
    													} else {
    														__eflags = _t52 - 1;
    														if(_t52 == 1) {
    															goto L44;
    														}
    													}
    												} else {
    													__eflags = _t53 - 1;
    													if(__eflags == 0) {
    														goto L42;
    													}
    												}
    											} else {
    												__eflags =  *0x439260 - 0x30a;
    												if(__eflags > 0) {
    													goto L40;
    												} else {
    													_t92 = _a8;
    													_t79 = _a4;
    													_t57 = E00415530(__eflags, _t90, 6);
    													_t100 =  &_v24 + 8;
    													_t52 = CallWindowProcA(_t57, _t90, _t88 + 0xcbf, _t79, _t92);
    													__eflags = _t52;
    													if(_t52 == 0) {
    														goto L44;
    													} else {
    														__eflags = _t52 - 1;
    														if(_t52 == 1) {
    															goto L44;
    														}
    													}
    												}
    											}
    										} else {
    											_t92 = _a8;
    											_t79 = _a4;
    											_push(_t92);
    											goto L45;
    										}
    									} else {
    										_t92 = _a8;
    										_t79 = _a4;
    										_t59 = E00415530(__eflags, _t90, 6);
    										_t100 =  &_v24 + 8;
    										_t52 = CallWindowProcA(_t59, _t90, _t88 + 0xcbf, _t79, _t92);
    										__eflags = _t52;
    										if(_t52 == 0) {
    											L44:
    											_push(_t92);
    											L45:
    											_push(_t79);
    											_push(_t88);
    											_t52 = E004161A0(_t52, _t87, _t90);
    										} else {
    											__eflags = _t52 - 1;
    											if(_t52 == 1) {
    												goto L44;
    											}
    										}
    									}
    									__eflags = _t52;
    									if(__eflags == 0) {
    										goto L8;
    									} else {
    										return _t52;
    									}
    								} else {
    									__eflags = _t88 - 0x110;
    									if(__eflags == 0) {
    										_v20 = E00415530(__eflags, _t90, 6);
    										__eflags =  *0x439260 - 0x35f;
    										if( *0x439260 < 0x35f) {
    											L22:
    											_v24 = 1;
    										} else {
    											_t70 = GetWindowLongA(_t90, 0xfffffff0);
    											_v24 = 0;
    											__eflags = _t70 & 0x00000004;
    											if((_t70 & 0x00000004) == 0) {
    												goto L22;
    											}
    										}
    										_t62 = SendMessageA(_t90, 0x11f0, 0,  &_v24);
    										__eflags = _v24;
    										if(_v24 != 0) {
    											_t80 = _a12;
    											_t64 = CallWindowProcA(_v20, _t90, _t88, _a12, _a16);
    											__eflags =  *0x439260 - 0x35f;
    											_t89 = _t64;
    											if( *0x439260 < 0x35f) {
    												L27:
    												E004160B0(_t64, _t80, _t87, _t90, 0xffff);
    											} else {
    												_t64 = GetWindowLongA(_t90, 0xfffffff0);
    												__eflags = _t64 & 0x00000004;
    												if((_t64 & 0x00000004) == 0) {
    													goto L27;
    												}
    											}
    											return _t89;
    										} else {
    											E00415E60(_t62, _t78, _t87, _t90);
    											return CallWindowProcA(_v24, _t90, _t88, _a8, _a12);
    										}
    									} else {
    										goto L7;
    									}
    								}
    							}
    						} else {
    							__eflags = _t88 - 0x85;
    							if(_t88 >= 0x85) {
    								L16:
    								__eflags =  *0x439260 - 0x35f;
    								if(__eflags >= 0) {
    									L19:
    									return CallWindowProcA(E00415530(__eflags, _t90, 6), _t90, _t88, _a12, _a16);
    								} else {
    									__eflags = IsIconic(_t90);
    									if(__eflags != 0) {
    										goto L19;
    									} else {
    										return E00416260(_t90, _t88, _a12, _a16, 0);
    									}
    								}
    							} else {
    								__eflags = _t88 - 0xc;
    								if(__eflags == 0) {
    									goto L16;
    								} else {
    									L7:
    									_t79 = _a12;
    									_t92 = _a16;
    									L8:
    									return CallWindowProcA(E00415530(__eflags, _t90, 6), _t90, _t88, _t79, _t92);
    								}
    							}
    						}
    					} else {
    						return CallWindowProcA(E00415530(__eflags, _t90, 6), _t90, _t88, _a12, _a16);
    					}
    				} else {
    					return E00415760(_t106, _a4, _t88, _a12, _a16, 6);
    				}
    			}
























    APIs
    • GetPropA.USER32(?,00000000), ref: 00416A55
    • CallWindowProcA.USER32(00000000), ref: 00416A77
      • Part of subcall function 00415760: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00415786
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 0041579E
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 004157AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID: #32770
    • API String ID: 2276450057-463685578
    • Opcode ID: 22a54feaed90eaf36b1fd6e9d77832f3a7ed110759963c3274e6e15d42d87457
    • Instruction ID: c2ace7da3a9e3ee9e30b5ef7dfa40b4c02aa993d955b63270f18ba063030bfab
    • Opcode Fuzzy Hash: 22a54feaed90eaf36b1fd6e9d77832f3a7ed110759963c3274e6e15d42d87457
    • Instruction Fuzzy Hash: F781283274530477D220AB41EC45EEF7B6CEF857A5F81042BFE0582251D72AE986C7BA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E004115D9(signed int* _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28) {
    				signed int _v8;
    				char _v12;
    				signed char* _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v48;
    				signed int _v52;
    				signed int _v58;
    				signed int _v62;
    				signed int _v66;
    				signed int _v68;
    				char _v73;
    				char _v96;
    				signed int _t121;
    				intOrPtr _t141;
    				intOrPtr _t143;
    				signed int _t146;
    				intOrPtr* _t148;
    
    				_t148 = _a12;
    				_v16 =  &_v96;
    				_t121 = 0;
    				_t146 = 1;
    				_v44 = 0;
    				_v28 = _t146;
    				_v8 = 0;
    				_v20 = 0;
    				_v40 = 0;
    				_v36 = 0;
    				_v48 = 0;
    				_v52 = 0;
    				_v32 = 0;
    				_v12 = 0;
    				_v24 = 0;
    				_a12 = _t148;
    				L1:
    				_t143 =  *_t148;
    				if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xa || _t143 == 0xd) {
    					_t148 = _t148 + 1;
    					goto L1;
    				}
    				_push(4);
    				while(1) {
    					L7:
    					_t141 =  *_t148;
    					_t148 = _t148 + 1;
    					if(_t121 > 0xb) {
    						break;
    					}
    					switch( *((intOrPtr*)(_t121 * 4 +  &M00411A7A))) {
    						case 0:
    							__eflags = _t141 - 0x31;
    							if(_t141 < 0x31) {
    								L12:
    								__eflags = _t141 -  *0x4347d0; // 0x2e
    								if(__eflags != 0) {
    									_t137 = _t141 - 0x2b;
    									__eflags = _t137;
    									if(_t137 == 0) {
    										_v44 = _v44 & 0x00000000;
    										_push(2);
    										_pop(_t121);
    										goto L7;
    									}
    									_t139 = _t137;
    									__eflags = _t139;
    									if(_t139 == 0) {
    										_push(2);
    										_v44 = 0x8000;
    										_pop(_t121);
    										goto L7;
    									}
    									__eflags = _t139 != 3;
    									if(_t139 != 3) {
    										goto L109;
    									}
    									goto L36;
    								}
    								goto L13;
    							}
    							__eflags = _t141 - 0x39;
    							if(_t141 > 0x39) {
    								goto L12;
    							}
    							goto L11;
    						case 1:
    							__eflags = __bl - 0x31;
    							_v20 = __edx;
    							if(__bl < 0x31) {
    								L22:
    								__eflags = __bl -  *0x4347d0; // 0x2e
    								if(__eflags == 0) {
    									goto L47;
    								}
    								__eflags = __bl - 0x2b;
    								if(__bl == 0x2b) {
    									goto L31;
    								}
    								__eflags = __bl - 0x2d;
    								if(__bl == 0x2d) {
    									goto L31;
    								}
    								__eflags = __bl - 0x30;
    								if(__bl == 0x30) {
    									goto L36;
    								}
    								goto L26;
    							}
    							__eflags = __bl - 0x39;
    							if(__bl <= 0x39) {
    								goto L11;
    							}
    							goto L22;
    						case 2:
    							__eflags = __bl - 0x31;
    							if(__bl < 0x31) {
    								L34:
    								__eflags = __bl -  *0x4347d0; // 0x2e
    								if(__eflags == 0) {
    									L13:
    									_push(5);
    									goto L90;
    								}
    								__eflags = __bl - 0x30;
    								if(__bl != 0x30) {
    									goto L94;
    								}
    								L36:
    								_t121 = _t146;
    								goto L7;
    							}
    							__eflags = __bl - 0x39;
    							if(__bl <= 0x39) {
    								L11:
    								_push(3);
    								goto L81;
    							}
    							goto L34;
    						case 3:
    							_v20 = __edx;
    							while(1) {
    								__eflags =  *0x4347cc - __edx; // 0x1
    								if(__eflags <= 0) {
    									__ecx =  *0x4345c0; // 0x4345ca
    									__eax = __bl & 0x000000ff;
    									__eax = __bl & 0x000000ff & __esi;
    									__eflags = __eax;
    								} else {
    									__eax = __bl & 0x000000ff;
    									__eax = E0040EF6F(__ecx, __esi, __bl & 0x000000ff, __esi);
    									_pop(__ecx);
    									_pop(__ecx);
    									_push(1);
    									_pop(__edx);
    								}
    								__eflags = __eax;
    								if(__eax == 0) {
    									break;
    								}
    								__eflags = _v8 - 0x19;
    								if(_v8 >= 0x19) {
    									_t31 =  &_v12;
    									 *_t31 = _v12 + 1;
    									__eflags =  *_t31;
    								} else {
    									__eax = _v16;
    									_v8 = _v8 + 1;
    									__bl = __bl - 0x30;
    									_v16 =  &(_v16[1]);
    									 *_v16 = __bl;
    								}
    								__bl =  *__edi;
    								__edi = __edi + 1;
    							}
    							__eflags = __bl -  *0x4347d0; // 0x2e
    							if(__eflags != 0) {
    								goto L58;
    							}
    							L47:
    							__eax = __esi;
    							goto L7;
    						case 4:
    							__eflags = _v8;
    							_v20 = __edx;
    							_v40 = __edx;
    							if(_v8 != 0) {
    								while(1) {
    									L51:
    									__eflags =  *0x4347cc - __edx; // 0x1
    									if(__eflags <= 0) {
    										__ecx =  *0x4345c0; // 0x4345ca
    										__eax = __bl & 0x000000ff;
    										__eax = __bl & 0x000000ff & __esi;
    										__eflags = __eax;
    									} else {
    										__eax = __bl & 0x000000ff;
    										__eax = E0040EF6F(__ecx, __esi, __bl & 0x000000ff, __esi);
    										_pop(__ecx);
    										_pop(__ecx);
    										_push(1);
    										_pop(__edx);
    									}
    									__eflags = __eax;
    									if(__eax == 0) {
    										break;
    									}
    									__eflags = _v8 - 0x19;
    									if(_v8 < 0x19) {
    										__eax = _v16;
    										_v8 = _v8 + 1;
    										__bl = __bl - 0x30;
    										_v16 =  &(_v16[1]);
    										_t46 =  &_v12;
    										 *_t46 = _v12 - 1;
    										__eflags =  *_t46;
    										 *_v16 = __bl;
    									}
    									__bl =  *__edi;
    									__edi = __edi + 1;
    								}
    								L58:
    								__eflags = __bl - 0x2b;
    								if(__bl == 0x2b) {
    									L31:
    									__edi = __edi - 1;
    									_push(0xb);
    									goto L90;
    								}
    								__eflags = __bl - 0x2d;
    								if(__bl == 0x2d) {
    									goto L31;
    								}
    								L26:
    								__eflags = __bl - 0x43;
    								if(__bl <= 0x43) {
    									goto L109;
    								}
    								__eflags = __bl - 0x45;
    								if(__bl <= 0x45) {
    									L30:
    									_push(6);
    									goto L90;
    								}
    								__eflags = __bl - 0x63;
    								if(__bl <= 0x63) {
    									goto L109;
    								}
    								__eflags = __bl - 0x65;
    								if(__bl > 0x65) {
    									goto L109;
    								}
    								goto L30;
    							} else {
    								goto L49;
    							}
    							while(1) {
    								L49:
    								__eflags = __bl - 0x30;
    								if(__bl != 0x30) {
    									goto L51;
    								}
    								_v12 = _v12 - 1;
    								__bl =  *__edi;
    								__edi = __edi + 1;
    							}
    							goto L51;
    						case 5:
    							__eflags =  *0x4347cc - __edx;
    							_v40 = __edx;
    							if( *0x4347cc <= __edx) {
    								__ecx =  *0x4345c0; // 0x4345ca
    								__eax = __bl & 0x000000ff;
    								__eax = __bl & 0x000000ff & __esi;
    								__eflags = __eax;
    							} else {
    								__eax = __bl & 0x000000ff;
    								__eax = E0040EF6F(__ecx, __esi, __bl & 0x000000ff, __esi);
    								_pop(__ecx);
    								_pop(__ecx);
    								_push(1);
    								_pop(__edx);
    							}
    							__eflags = __eax;
    							if(__eax == 0) {
    								goto L94;
    							} else {
    								__eax = __esi;
    								goto L82;
    							}
    						case 6:
    							_t51 = __edi - 2; // 0x0
    							__ecx = _t51;
    							__eflags = __bl - 0x31;
    							_a12 = __ecx;
    							if(__bl < 0x31) {
    								L68:
    								__eax = __bl;
    								__eax = __bl - 0x2b;
    								__eflags = __eax;
    								if(__eax == 0) {
    									goto L89;
    								}
    								__eax = __eax - 1;
    								__eax = __eax - 1;
    								__eflags = __eax;
    								if(__eax == 0) {
    									goto L88;
    								}
    								__eax = __eax - 3;
    								__eflags = __eax;
    								if(__eax != 0) {
    									goto L110;
    								}
    								goto L71;
    							}
    							__eflags = __bl - 0x39;
    							if(__bl <= 0x39) {
    								goto L80;
    							}
    							goto L68;
    						case 7:
    							__eflags = __bl - 0x31;
    							if(__bl < 0x31) {
    								L83:
    								__eflags = __bl - 0x30;
    								if(__bl != 0x30) {
    									L94:
    									__edi = _a12;
    									goto L111;
    								}
    								L71:
    								_push(8);
    								goto L90;
    							}
    							__eflags = __bl - 0x39;
    							if(__bl > 0x39) {
    								goto L83;
    							}
    							goto L80;
    						case 8:
    							_v36 = __edx;
    							while(1) {
    								__eflags = __bl - 0x30;
    								if(__bl != 0x30) {
    									break;
    								}
    								__bl =  *__edi;
    								__edi = __edi + 1;
    							}
    							__eflags = __bl - 0x31;
    							if(__bl < 0x31) {
    								goto L109;
    							}
    							__eflags = __bl - 0x39;
    							if(__bl > 0x39) {
    								goto L109;
    							}
    							L80:
    							_push(9);
    							L81:
    							_pop(_t121);
    							L82:
    							_t148 = _t148 - 1;
    							goto L7;
    						case 9:
    							_v36 = 1;
    							__esi = 0;
    							__eflags = 0;
    							while(1) {
    								__eflags =  *0x4347cc - 1;
    								if( *0x4347cc <= 1) {
    									__ecx =  *0x4345c0; // 0x4345ca
    									__eax = __bl & 0x000000ff;
    									__eax = __bl & 4;
    									__eflags = __eax;
    								} else {
    									__eax = __bl & 0x000000ff;
    									__eax = E0040EF6F(__ecx, __esi, __bl & 0x000000ff, 4);
    									_pop(__ecx);
    									_pop(__ecx);
    								}
    								__eflags = __eax;
    								if(__eax == 0) {
    									break;
    								}
    								__ecx = __bl;
    								_t66 = (__esi + __esi * 4) * 2; // -44
    								__esi = __ecx + _t66 - 0x30;
    								__eflags = __esi - 0x1450;
    								if(__esi > 0x1450) {
    									__esi = 0x1451;
    									break;
    								}
    								__bl =  *__edi;
    								__edi = __edi + 1;
    							}
    							_v32 = __esi;
    							while(1) {
    								__eflags =  *0x4347cc - 1;
    								if( *0x4347cc <= 1) {
    									__ecx =  *0x4345c0; // 0x4345ca
    									__eax = __bl & 0x000000ff;
    									__eax = __bl & 4;
    									__eflags = __eax;
    								} else {
    									__eax = __bl & 0x000000ff;
    									__eax = E0040EF6F(__ecx, __esi, __bl & 0x000000ff, 4);
    									_pop(__ecx);
    									_pop(__ecx);
    								}
    								__eflags = __eax;
    								if(__eax == 0) {
    									break;
    								}
    								__bl =  *__edi;
    								__edi = __edi + 1;
    							}
    							L109:
    							_t148 = _t148 - 1;
    							goto L111;
    						case 0xa:
    							goto L92;
    						case 0xb:
    							__eflags = _a28;
    							if(_a28 == 0) {
    								_push(0xa);
    								__edi = __edi - 1;
    								__eflags = __edi;
    								_pop(__eax);
    								goto L92;
    							}
    							__eax = __bl;
    							_t55 = __edi - 1; // 0x1
    							__ecx = _t55;
    							__eax = __bl - 0x2b;
    							__eflags = __eax;
    							_a12 = __ecx;
    							if(__eax == 0) {
    								L89:
    								_push(7);
    								L90:
    								_pop(_t121);
    								goto L7;
    							}
    							__eax = __eax - 1;
    							__eax = __eax - 1;
    							__eflags = __eax;
    							if(__eax != 0) {
    								L110:
    								__edi = __ecx;
    								L111:
    								__eflags = _v20;
    								 *_a8 = _t148;
    								if(_v20 == 0) {
    									_t147 = 0;
    									_t123 = 0;
    									_t150 = 0;
    									_t142 = 0;
    									_v24 = 4;
    									L138:
    									_t144 = _a4;
    									_t124 = _t123 | _v44;
    									__eflags = _t124;
    									_t144[1] = _t150;
    									_t144[0] = _t142;
    									_t144[2] = _t124;
    									 *_t144 = _t147;
    									return _v24;
    								}
    								_push(0x18);
    								_pop(_t126);
    								__eflags = _v8 - _t126;
    								if(_v8 <= _t126) {
    									_t127 = _v16;
    								} else {
    									__eflags = _v73 - 5;
    									if(_v73 >= 5) {
    										_t75 =  &_v73;
    										 *_t75 = _v73 + 1;
    										__eflags =  *_t75;
    									}
    									_v8 = _t126;
    									_t127 = _v16 - 1;
    									_v12 = _v12 + 1;
    								}
    								__eflags = _v8;
    								if(_v8 <= 0) {
    									_t147 = 0;
    									_t123 = 0;
    									_t150 = 0;
    									_t142 = 0;
    									goto L129;
    								} else {
    									while(1) {
    										_t127 = _t127 - 1;
    										__eflags =  *_t127;
    										if( *_t127 != 0) {
    											break;
    										}
    										_v8 = _v8 - 1;
    										_v12 = _v12 + 1;
    									}
    									E00411512(_t148,  &_v96, _v8,  &_v68);
    									_t131 = _v32;
    									__eflags = _v28;
    									if(_v28 < 0) {
    										_t131 =  ~_t131;
    									}
    									_t132 = _t131 + _v12;
    									__eflags = _v36;
    									if(_v36 == 0) {
    										_t132 = _t132 + _a20;
    										__eflags = _t132;
    									}
    									__eflags = _v40;
    									if(_v40 == 0) {
    										_t132 = _t132 - _a24;
    										__eflags = _t132;
    									}
    									__eflags = _t132 - 0x1450;
    									if(_t132 <= 0x1450) {
    										__eflags = _t132 - 0xffffebb0;
    										if(_t132 >= 0xffffebb0) {
    											E00412561( &_v68, _t132, _a16);
    											_t147 = _v68;
    											_t142 = _v66;
    											_t150 = _v62;
    											_t123 = _v58;
    											goto L129;
    										}
    										_v52 = 1;
    										goto L128;
    									} else {
    										_v48 = 1;
    										L128:
    										_t142 = _a12;
    										_t150 = _a12;
    										_t123 = _a12;
    										_t147 = _a12;
    										L129:
    										__eflags = _v48;
    										if(_v48 == 0) {
    											__eflags = _v52;
    											if(_v52 != 0) {
    												_t147 = 0;
    												_t123 = 0;
    												_t150 = 0;
    												_t142 = 0;
    												__eflags = 0;
    												_v24 = 1;
    											}
    										} else {
    											_t142 = 0;
    											_t123 = 0x7fff;
    											_t150 = 0x80000000;
    											_t147 = 0;
    											_v24 = 2;
    										}
    										goto L138;
    									}
    								}
    							}
    							L88:
    							_v28 = _v28 | 0xffffffff;
    							_push(7);
    							_pop(__eax);
    							goto L7;
    					}
    				}
    				L92:
    				if(_t121 == 0xa) {
    					goto L111;
    				}
    				goto L7;
    			}


























    0x0041186f
    0x00411871
    0x00411871
    0x00411872
    0x00411872
    0x00000000
    0x00000000
    0x004118c9
    0x004118d0
    0x004118d0
    0x004118d2
    0x004118d2
    0x004118d9
    0x004118ea
    0x004118f0
    0x004118f6
    0x004118f6
    0x004118db
    0x004118db
    0x004118e1
    0x004118e6
    0x004118e7
    0x004118e7
    0x004118f9
    0x004118fb
    0x00000000
    0x00000000
    0x004118fd
    0x00411903
    0x00411903
    0x00411907
    0x0041190d
    0x00411914
    0x00000000
    0x00411914
    0x0041190f
    0x00411911
    0x00411911
    0x00411919
    0x0041191c
    0x0041191c
    0x00411923
    0x00411934
    0x0041193a
    0x00411940
    0x00411940
    0x00411925
    0x00411925
    0x0041192b
    0x00411930
    0x00411931
    0x00411931
    0x00411943
    0x00411945
    0x00000000
    0x00000000
    0x00411947
    0x00411949
    0x00411949
    0x0041194c
    0x0041194c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041187f
    0x00411883
    0x004118af
    0x004118b1
    0x004118b1
    0x004118b2
    0x00000000
    0x004118b2
    0x00411885
    0x00411888
    0x00411888
    0x0041188b
    0x0041188b
    0x0041188e
    0x00411891
    0x004118a7
    0x004118a7
    0x004118a9
    0x004118a9
    0x00000000
    0x004118a9
    0x00411893
    0x00411894
    0x00411894
    0x00411895
    0x0041194f
    0x0041194f
    0x00411951
    0x00411954
    0x00411958
    0x0041195a
    0x00411a39
    0x00411a3b
    0x00411a3d
    0x00411a3f
    0x00411a41
    0x00411a5f
    0x00411a5f
    0x00411a62
    0x00411a62
    0x00411a66
    0x00411a69
    0x00411a6c
    0x00411a74
    0x00411a79
    0x00411a79
    0x00411960
    0x00411962
    0x00411963
    0x00411966
    0x0041197d
    0x00411968
    0x00411968
    0x0041196c
    0x0041196e
    0x0041196e
    0x0041196e
    0x0041196e
    0x00411971
    0x00411977
    0x00411978
    0x00411978
    0x00411980
    0x00411984
    0x00411a2f
    0x00411a31
    0x00411a33
    0x00411a35
    0x00000000
    0x0041198a
    0x0041198a
    0x0041198a
    0x0041198b
    0x0041198e
    0x00000000
    0x00000000
    0x00411990
    0x00411993
    0x00411993
    0x004119a3
    0x004119a8
    0x004119b0
    0x004119b3
    0x004119b5
    0x004119b5
    0x004119b7
    0x004119ba
    0x004119bd
    0x004119bf
    0x004119bf
    0x004119bf
    0x004119c2
    0x004119c5
    0x004119c7
    0x004119c7
    0x004119c7
    0x004119ca
    0x004119cf
    0x00411a01
    0x00411a06
    0x00411a19
    0x00411a1e
    0x00411a21
    0x00411a24
    0x00411a27
    0x00000000
    0x00411a2a
    0x00411a08
    0x00000000
    0x004119d1
    0x004119d1
    0x004119d8
    0x004119d8
    0x004119db
    0x004119de
    0x004119e1
    0x004119e4
    0x004119e4
    0x004119e8
    0x00411a4a
    0x00411a4e
    0x00411a50
    0x00411a52
    0x00411a54
    0x00411a56
    0x00411a56
    0x00411a58
    0x00411a58
    0x004119ea
    0x004119ea
    0x004119ec
    0x004119f1
    0x004119f6
    0x004119f8
    0x004119f8
    0x00000000
    0x004119e8
    0x004119cf
    0x00411984
    0x0041189b
    0x0041189b
    0x0041189f
    0x004118a1
    0x00000000
    0x00000000
    0x0041163c
    0x004118b3
    0x004118b6
    0x00000000
    0x00000000
    0x00000000

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID:
    • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
    • API String ID: 0-1157002505
    • Opcode ID: dca72bba2af629aef88690dcfddf0c0fc92b22ffd6e1f6c5c29e2e646468111b
    • Instruction ID: af8a01ed2e7b2f99f2ea194be5e2d1066a6e6435603b23dbf93e51cf87bb3bcc
    • Opcode Fuzzy Hash: dca72bba2af629aef88690dcfddf0c0fc92b22ffd6e1f6c5c29e2e646468111b
    • Instruction Fuzzy Hash: 13E1F171E65249DFEB258FA4C8157FE7BB1BB04344F28402BD611A62A1D37D89C2CB1E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00416260(struct HWND__* _a4, int _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
    				signed int _v28;
    				intOrPtr _v36;
    				char _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				struct tagRECT _v64;
    				intOrPtr _v68;
    				void* _v72;
    				void* _v76;
    				_Unknown_base(*)()* _t71;
    				long _t73;
    				int _t74;
    				signed int _t77;
    				void* _t80;
    				void* _t90;
    				intOrPtr* _t91;
    				signed int _t112;
    				intOrPtr _t118;
    				signed int _t119;
    				intOrPtr _t123;
    				void* _t124;
    				intOrPtr _t125;
    				void* _t134;
    				intOrPtr* _t135;
    				intOrPtr* _t141;
    				intOrPtr* _t148;
    				struct HDC__* _t151;
    				struct HWND__* _t152;
    				signed int _t153;
    				signed int _t154;
    				int* _t161;
    
    				_t156 =  &(_v64.top);
    				if(_a20 == 0) {
    					_t152 = _a4;
    					_t71 = E00415530(__eflags, _t152, 6);
    					_t156 =  &(( &(_v64.top))[2]);
    				} else {
    					_t71 = 0;
    					_t152 = _a4;
    				}
    				_push(_a16);
    				if(_t71 == 0) {
    					_t73 =  *0x427350(_t152, _a8, _a12);
    				} else {
    					_t73 = CallWindowProcA(_t71, _t152, _a8, _a12);
    				}
    				_v76 = _t73;
    				if( *0x439240 != 0) {
    					_t74 = IsIconic(_t152);
    					__eflags = _t74;
    					if(_t74 == 0) {
    						_v72 = 1;
    						SendMessageA(_t152, 0x11ef, 0,  &_v72);
    						_t153 =  *0x427420;
    						_t77 = GetWindowLongA(_t152, 0xfffffff0);
    						__eflags = _v72;
    						if(_v72 != 0) {
    							__eflags = (_t77 & 0x10400080) - 0x10400080;
    							if((_t77 & 0x10400080) == 0x10400080) {
    								_t123 =  *0x439d38; // 0x0
    								_t80 = (_t77 & 0x00c00000) - 0xc00000;
    								__eflags = _t80 - 1;
    								asm("sbb ebp, ebp");
    								_t154 =  ~_t153;
    								__eflags = _t154 - 1;
    								asm("sbb eax, eax");
    								_t124 = _t123 - _t80 + 1;
    								_t151 = GetWindowDC(_t152);
    								GetWindowRect(_t152,  &_v64);
    								_v64.right.left = _v64.right.left - _v64.left;
    								_push(0xf);
    								_push(7);
    								_v64.bottom = _v64.bottom - _v64.top;
    								_v64.top = 0;
    								_v64.left = 0;
    								E00415840(_t151,  &_v64, 2);
    								InflateRect( &_v64, 0xffffffff, 0xffffffff);
    								_push(0xf);
    								_push(2);
    								E00415840(_t151,  &_v64, 0);
    								InflateRect( &_v64, 0xffffffff, 0xffffffff);
    								_t134 =  *0x439288; // 0x0
    								_t90 = SelectObject(_t151, _t134);
    								_t135 =  &(_v64.right);
    								_v76 = _t90;
    								_t91 =  &_v72;
    								 *_t135 =  *_t91;
    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t91 + 4));
    								 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t91 + 8));
    								 *((intOrPtr*)(_t135 + 0xc)) =  *((intOrPtr*)(_t91 + 0xc));
    								_v48 = _v72 +  *0x439d34;
    								E00415810(_t151, _t135);
    								OffsetRect( &(_v64.right), _v64.left - _v72 -  *0x439d34, 0);
    								E00415810(_t151,  &(_v64.right));
    								_v64.right.left = _v72 +  *0x439d34;
    								_v48 = _v64.left -  *0x439d34;
    								_v44 = _v64.bottom + _t124;
    								E00415810(_t151,  &(_v64.right));
    								_t161 =  &(_t156[0x10]);
    								__eflags = _t154;
    								if(_t154 != 0) {
    									_t148 =  &(_v64.right);
    									_t141 =  &_v40;
    									_t125 = _t124 + _v64.bottom;
    									 *_t141 =  *_t148;
    									 *((intOrPtr*)(_t141 + 4)) = _v64.bottom;
    									 *((intOrPtr*)(_t141 + 8)) =  *((intOrPtr*)(_t148 + 8));
    									_t118 =  *0x439d3c; // 0x0
    									_push(0xf);
    									_t119 = _t118 + _t125;
    									__eflags = _t119;
    									_push(0);
    									 *((intOrPtr*)(_t141 + 0xc)) =  *((intOrPtr*)(_t148 + 0xc));
    									_v36 = _t125;
    									_v28 = _t119;
    									E00415840(_t151,  &_v40, 2);
    									_t161 =  &(_t161[5]);
    								}
    								_v64.bottom = _v64.bottom + _v64.top - _v68 -  *0x439d34;
    								_t112 = _v64.bottom +  *0x439d38;
    								__eflags = _t112;
    								_v44 = _t112;
    								E00415810(_t151,  &(_v64.right));
    								SelectObject(_t151, _v76);
    								ReleaseDC(_t152, _t151);
    							}
    						}
    						return _v76;
    					} else {
    						return _v76;
    					}
    				} else {
    					return _v76;
    				}
    			}



































    APIs
    • CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 0041629A
    • NtdllDefWindowProc_A.NTDLL(00000000,?,?,?), ref: 004162AD
    • IsIconic.USER32(00000000), ref: 004162CF
    • SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 004162FC
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0041630B
    • GetWindowDC.USER32(00000000), ref: 0041634C
    • GetWindowRect.USER32(00000000,?), ref: 0041635A
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0041639D
    • InflateRect.USER32(?,000000FF,000000FF), ref: 004163C0
    • SelectObject.GDI32(00000000,00000000), ref: 004163CE
    • OffsetRect.USER32(?,?,00000000), ref: 00416424
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Rect$Inflate$CallIconicLongMessageNtdllObjectOffsetProcProc_SelectSend
    • String ID:
    • API String ID: 915043530-0
    • Opcode ID: ab1b1a5e334b3751772fcebcfadad576c0ea648cf6f97bbb07791792dd87be57
    • Instruction ID: f150663ee8fa8894a9db0ca2fad0714fe1d13e59418d543ad10d96b5570af260
    • Opcode Fuzzy Hash: ab1b1a5e334b3751772fcebcfadad576c0ea648cf6f97bbb07791792dd87be57
    • Instruction Fuzzy Hash: 35816A71608201DFC310DF68DC85EABB7E4FB88318F444A2DF95587291D779E906CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindResourceA.KERNEL32(?,?,00000002), ref: 00418AC3
    • SizeofResource.KERNEL32(?,00000000,?,770D2D10,00000000,770D17C0,?,?,?,?,?,?,?,?,00416701,00000001), ref: 00418ADD
    • LoadResource.KERNEL32(?,00000000,?,770D2D10,00000000,770D17C0,?,?,?,?,?,?,?,?,00416701,00000001), ref: 00418AE7
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Resource$FindLoadSizeof
    • String ID:
    • API String ID: 507330600-0
    • Opcode ID: d366e12093e26771ead6cd07b9b14bb45c23a22248f9ee6f36b30516786e1e77
    • Instruction ID: 07668bfb25034fc138ddb123f518d91c2733de85c9aa5bc2d553d85f1a352ca8
    • Opcode Fuzzy Hash: d366e12093e26771ead6cd07b9b14bb45c23a22248f9ee6f36b30516786e1e77
    • Instruction Fuzzy Hash: 8141E1323082145BE70CCE29A856AAF7BD2EBC9350F44863EF946C3381CF71950AC3A5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 0041FAF2
    • GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 0041FB10
    • lstrcpyn.KERNEL32(?,?,00000104), ref: 0041FB1F
    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0041FB53
    • CharUpperA.USER32(?), ref: 0041FB64
    • FindFirstFileA.KERNEL32(?,?), ref: 0041FB7A
    • FindClose.KERNEL32(00000000), ref: 0041FB86
    • lstrcpy.KERNEL32(?,?), ref: 0041FB96
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
    • String ID:
    • API String ID: 304730633-0
    • Opcode ID: 6a49044c25ce0b668f077c90d42e730ddff793e63e62d359b10226a911cf8ae6
    • Instruction ID: 8e790955d47000bc80a7ed2b6bd5a1572ef52ef187572a8a3ebb20646855776b
    • Opcode Fuzzy Hash: 6a49044c25ce0b668f077c90d42e730ddff793e63e62d359b10226a911cf8ae6
    • Instruction Fuzzy Hash: B0215C71A04019BBDB209F61DC48EEF7F7CEF05364F104166F919E21A1D7349A86CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E004013BD(void* __ecx, void* __edx) {
    				struct tagRECT _v20;
    				int _v100;
    				void* _v104;
    				int _t14;
    				int _t16;
    				int _t17;
    				int _t32;
    				void* _t33;
    				void* _t40;
    				void* _t41;
    				void* _t45;
    
    				_t40 = __edx;
    				_t45 = __ecx;
    				_t14 = IsIconic( *(__ecx + 0x1c));
    				if(_t14 == 0) {
    					0x41c3f4();
    					return _t14;
    				}
    				0x420a33(_t45, _t41, _t33);
    				SendMessageA( *(_t45 + 0x1c), 0x27, _v100, 0);
    				_t16 = GetSystemMetrics(0xb);
    				_t17 = GetSystemMetrics(0xc);
    				GetClientRect( *(_t45 + 0x1c),  &_v20);
    				asm("cdq");
    				asm("cdq");
    				_t32 = DrawIcon(_v100, _v20.right - _v20.left - _t16 + 1 - _t40 >> 1, _v20.bottom - _v20.top - _t17 + 1 - _t40 >> 1,  *(_t45 + 0x68));
    				0x420aa5();
    				return _t32;
    			}















    APIs
    • IsIconic.USER32(?), ref: 004013C9
      • Part of subcall function 00420A33: __EH_prolog.LIBCMT ref: 00420A38
      • Part of subcall function 00420A33: BeginPaint.USER32(?,?,?,?,004013DE), ref: 00420A61
    • SendMessageA.USER32(?,00000027,?,00000000), ref: 004013E8
    • GetSystemMetrics.USER32(0000000B), ref: 004013F6
    • GetSystemMetrics.USER32(0000000C), ref: 004013FC
    • GetClientRect.USER32(?,?), ref: 00401407
    • DrawIcon.USER32(?,?,?,?), ref: 00401431
      • Part of subcall function 00420AA5: __EH_prolog.LIBCMT ref: 00420AAA
      • Part of subcall function 00420AA5: EndPaint.USER32(?,?,?,?,0040143F), ref: 00420AC7
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
    • String ID:
    • API String ID: 1530917984-0
    • Opcode ID: 34cefb6a8d06106120f7aeb631fd004ce51fa25345e1aa4704f7e3155fb6ef3b
    • Instruction ID: 44b551fe8f6d933909e625ce76e17276a60cf4cf0594dccf08d2612d116ffb7e
    • Opcode Fuzzy Hash: 34cefb6a8d06106120f7aeb631fd004ce51fa25345e1aa4704f7e3155fb6ef3b
    • Instruction Fuzzy Hash: D2115631604219AFDB10AFB8DD49D9EBBB9EB84304F540525F542E71A0DA70AD05CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID:
    • String ID: @$@$AfxControlBar42s$AfxFrameOrView42s$AfxMDIFrame42s$AfxOleControl42s$AfxWnd42s
    • API String ID: 0-2431135857
    • Opcode ID: b146c1565e215d5c12d68de85cadc64ae01692d922951e60402669b8a932f7b0
    • Instruction ID: 2ce6c69abc449ccd2d45696b5329f9e621b6a46b7fa33c1775f090b7c2a638af
    • Opcode Fuzzy Hash: b146c1565e215d5c12d68de85cadc64ae01692d922951e60402669b8a932f7b0
    • Instruction Fuzzy Hash: 98815475D40209AAEB50DFA5C485BDFBFF8AF08348F55806AFD04E7181D7788A85C794
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040F755() {
    				int _v8;
    				char* _v12;
    				void* __ecx;
    				char* _t18;
    				intOrPtr _t19;
    				intOrPtr _t23;
    				char* _t27;
    				char _t29;
    				char _t30;
    				signed int _t32;
    				char _t34;
    				void* _t35;
    				char _t36;
    				void* _t37;
    				signed int _t39;
    				signed int _t40;
    				char* _t43;
    				char* _t46;
    				intOrPtr _t47;
    				void* _t56;
    				signed int _t60;
    				signed int _t63;
    				signed int _t65;
    				signed int _t67;
    				intOrPtr _t68;
    				void* _t69;
    				void* _t70;
    				char* _t74;
    				char* _t76;
    				signed int** _t80;
    				intOrPtr _t86;
    				intOrPtr _t88;
    
    				_push(_t55);
    				_t70 = 0xc;
    				_v12 = 0;
    				E0040D4CD(_t70);
    				 *0x4349c0 =  *0x4349c0 | 0xffffffff;
    				 *0x4349b0 =  *0x4349b0 | 0xffffffff;
    				 *0x437888 = 0;
    				 *_t80 = 0x429f14;
    				_t74 = E00410A5C();
    				_t56 = _t69;
    				if(_t74 != 0) {
    					if( *_t74 == 0) {
    						L41:
    						_t18 = E0040D52E(_t70);
    					} else {
    						_t19 =  *0x43793c; // 0x0
    						if(_t19 == 0) {
    							L18:
    							E0040A5D6( *0x43793c);
    							_t23 = E0040A76C(E00409BA0(_t74) + 1);
    							 *0x43793c = _t23;
    							if(_t23 == 0) {
    								goto L41;
    							} else {
    								E0040D5E0(_t23, _t74);
    								E0040D52E(_t70);
    								E00410140( *0x4349a4, _t74, 3);
    								_t27 =  *0x4349a4; // 0x434924
    								_t76 = _t74 + 3;
    								_t27[3] = _t27[3] & 0x00000000;
    								if( *_t76 == 0x2d) {
    									_v12 = 1;
    									_t76 = _t76 + 1;
    								}
    								_t60 = E0040AC81(_t56, _t76) * 0xe10;
    								 *0x434918 = _t60;
    								while(1) {
    									_t29 =  *_t76;
    									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
    										break;
    									}
    									_t76 = _t76 + 1;
    								}
    								if( *_t76 == 0x3a) {
    									_t76 = _t76 + 1;
    									_t32 = E0040AC81(_t60, _t76);
    									_t63 =  *0x434918; // 0x7080
    									_t60 = _t63 + _t32 * 0x3c;
    									 *0x434918 = _t60;
    									while(1) {
    										_t34 =  *_t76;
    										if(_t34 < 0x30 || _t34 > 0x39) {
    											break;
    										}
    										_t76 = _t76 + 1;
    									}
    									if( *_t76 == 0x3a) {
    										_t76 = _t76 + 1;
    										_t35 = E0040AC81(_t60, _t76);
    										_t65 =  *0x434918; // 0x7080
    										_t60 = _t65 + _t35;
    										 *0x434918 = _t60;
    										while(1) {
    											_t36 =  *_t76;
    											if(_t36 < 0x30 || _t36 > 0x39) {
    												goto L36;
    											}
    											_t76 = _t76 + 1;
    										}
    									}
    								}
    								L36:
    								if(_v12 != 0) {
    									 *0x434918 =  ~_t60;
    								}
    								_t30 =  *_t76;
    								 *0x43491c = _t30;
    								if(_t30 == 0) {
    									goto L40;
    								} else {
    									E00410140( *0x4349a8, _t76, 3);
    									_t18 =  *0x4349a8; // 0x434964
    									_t18[3] = _t18[3] & 0x00000000;
    								}
    							}
    						} else {
    							_t37 = E0040D550(_t74, _t19);
    							_pop(_t56);
    							if(_t37 == 0) {
    								goto L41;
    							} else {
    								goto L18;
    							}
    						}
    					}
    				} else {
    					E0040D52E(_t70);
    					 *_t80 = 0x437890;
    					_t18 = GetTimeZoneInformation(??);
    					if(_t18 != 0xffffffff) {
    						_t39 =  *0x437890; // 0x0
    						_t67 =  *0x4378e4; // 0x0
    						_t40 = _t39 * 0x3c;
    						_t86 =  *0x4378d6; // 0x0
    						_t68 = 1;
    						 *0x434918 = _t40;
    						 *0x437888 = _t68;
    						if(_t86 != 0) {
    							 *0x434918 = _t40 + _t67 * 0x3c;
    						}
    						_t88 =  *0x43792a; // 0x0
    						if(_t88 == 0) {
    							L7:
    							 *0x43491c = 0;
    							 *0x434920 = 0;
    						} else {
    							_t47 =  *0x437938; // 0x0
    							if(_t47 == 0) {
    								goto L7;
    							} else {
    								 *0x43491c = _t68;
    								 *0x434920 = (_t47 - _t67) * 0x3c;
    							}
    						}
    						if(WideCharToMultiByte( *0x43787c, 0x220, 0x437894, 0xffffffff,  *0x4349a4, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
    							_t43 =  *0x4349a4; // 0x434924
    							 *_t43 =  *_t43 & 0x00000000;
    						} else {
    							_t46 =  *0x4349a4; // 0x434924
    							_t46[0x3f] = _t46[0x3f] & 0x00000000;
    						}
    						if(WideCharToMultiByte( *0x43787c, 0x220, 0x4378e8, 0xffffffff,  *0x4349a8, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
    							L40:
    							_t18 =  *0x4349a8; // 0x434964
    							 *_t18 =  *_t18 & 0x00000000;
    						} else {
    							_t18 =  *0x4349a8; // 0x434964
    							_t18[0x3f] = _t18[0x3f] & 0x00000000;
    						}
    					}
    				}
    				return _t18;
    			}




































    APIs
      • Part of subcall function 0040D4CD: RtlInitializeCriticalSection.NTDLL(00000000), ref: 0040D50A
      • Part of subcall function 0040D4CD: RtlEnterCriticalSection.NTDLL(?), ref: 0040D525
      • Part of subcall function 0040D52E: RtlLeaveCriticalSection.NTDLL ref: 0040D53B
    • GetTimeZoneInformation.KERNEL32(0000000C,00000000,0000000C,?,0000000B,0000000B,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000,00000001), ref: 0040F7A3
    • WideCharToMultiByte.KERNEL32(00000220,00437894,000000FF,0000003F,00000000,00000000,?,0000000B,0000000B,?,0040F746,0040BD53,00000000,?,?,0040BBC6), ref: 0040F839
    • WideCharToMultiByte.KERNEL32(00000220,004378E8,000000FF,0000003F,00000000,00000000,?,0000000B,0000000B,?,0040F746,0040BD53,00000000,?,?,0040BBC6), ref: 0040F872
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
    • String ID: $IC$dIC
    • API String ID: 3442286286-1064961087
    • Opcode ID: 7cb58ed1fe22ba2a44917739599c2bcd216a53407f51708e3b943ba64ac8b8d3
    • Instruction ID: e417cb0fc98deb895bcb829f9c50644e8d2d5816bdd20343d4e4bc54b5179fed
    • Opcode Fuzzy Hash: 7cb58ed1fe22ba2a44917739599c2bcd216a53407f51708e3b943ba64ac8b8d3
    • Instruction Fuzzy Hash: 046137F1908200AED735AF39EC41BAA3B94AF41314F24217FE484A76E1D3785986D78E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0041EAAB: GetWindowLongA.USER32(?,000000F0), ref: 0041EAB7
    • GetKeyState.USER32(00000010), ref: 0041DECD
    • GetKeyState.USER32(00000011), ref: 0041DED6
    • GetKeyState.USER32(00000012), ref: 0041DEDF
    • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0041DEF5
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: State$LongMessageSendWindow
    • String ID:
    • API String ID: 1063413437-0
    • Opcode ID: 0d840ace7f6fde5774b0fe6a6ccb8c91a9519d9cbd515b70d372957f7de8520f
    • Instruction ID: cca7b6ac6dcf5e33b3903f0696d18589692d4a00622b7d3a6025c75083f8511c
    • Opcode Fuzzy Hash: 0d840ace7f6fde5774b0fe6a6ccb8c91a9519d9cbd515b70d372957f7de8520f
    • Instruction Fuzzy Hash: ABF082B6B4435626EA2036665C42FD641164F80FD8F11043BFB02AB1D5C99999C3627D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E00402729(struct HWND__* _a4, signed int _a8) {
    				struct _WINDOWPLACEMENT _v48;
    				int _t16;
    
    				if(E004025FB() == 0) {
    					if((_a8 & 0x00000003) == 0) {
    						if(IsIconic(_a4) == 0) {
    							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
    						} else {
    							_t16 = GetWindowPlacement(_a4,  &_v48);
    						}
    						if(_t16 == 0) {
    							return 0;
    						} else {
    							return E004026D3( &(_v48.rcNormalPosition), _a8);
    						}
    					}
    					return 0x12340042;
    				}
    				return  *0x43701c(_a4, _a8);
    			}

    APIs
    • MonitorFromWindow.USER32(?,?), ref: 0040273E
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: FromMonitorWindow
    • String ID:
    • API String ID: 721739931-0
    • Opcode ID: caaf205bd68dd916ad92fe80ed65bed63d4f9a7ebbed38cb4f6b4788389e5da7
    • Instruction ID: eaa6da3268f02295b88fa2304a2aaeb0562a2d7bc004d53102a0635bf85c547c
    • Opcode Fuzzy Hash: caaf205bd68dd916ad92fe80ed65bed63d4f9a7ebbed38cb4f6b4788389e5da7
    • Instruction Fuzzy Hash: 5AF03131504109ABDF11AF71CE4DAAE7BA9AB04344B448036FC15E61E0DBB8CA52EB69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetKeyState.USER32(00000010), ref: 0041AA4F
    • GetKeyState.USER32(00000011), ref: 0041AA58
    • GetKeyState.USER32(00000012), ref: 0041AA61
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-0
    • Opcode ID: cb147a10cb4151b2a3d98b9f95c2f214e62c689ba8134403174265d96312b520
    • Instruction ID: 11a4d5f118fefb9a82442b6dc9b4c581bbe8f71282005a04726692d989bef137
    • Opcode Fuzzy Hash: cb147a10cb4151b2a3d98b9f95c2f214e62c689ba8134403174265d96312b520
    • Instruction Fuzzy Hash: 33E092356037599EEA10D2408B00FD566905F00FD0F488467EA4DAB091C6A89AE7DFEF
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 0040EE2D
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 4bf4c3a5ef6477ab9ab41f0b6b14920f598728fb4f107ad82711606d9958f6c1
    • Instruction ID: 4fc6f0b4ce869025021b4e5f1827ff265d981e72261c412d88ab857affb10cd7
    • Opcode Fuzzy Hash: 4bf4c3a5ef6477ab9ab41f0b6b14920f598728fb4f107ad82711606d9958f6c1
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DF21(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
    				signed int _v8;
    				signed char _v12;
    				intOrPtr _v16;
    				intOrPtr _t186;
    				void* _t187;
    				signed int _t188;
    				signed int* _t189;
    				intOrPtr _t191;
    				signed int* _t192;
    				signed int* _t193;
    				signed char _t194;
    				intOrPtr _t195;
    				intOrPtr* _t196;
    				signed int _t199;
    				signed int _t202;
    				signed int _t207;
    				signed int _t209;
    				signed int _t218;
    				signed int _t221;
    				signed int* _t222;
    				signed int _t227;
    				intOrPtr _t228;
    				intOrPtr _t229;
    				intOrPtr _t230;
    				char _t233;
    				signed int _t234;
    				signed char _t235;
    				signed int* _t237;
    				signed int* _t239;
    				signed int* _t244;
    				signed int* _t245;
    				signed char _t250;
    				intOrPtr _t256;
    				signed int _t257;
    				char _t258;
    				char _t259;
    				signed char _t260;
    				signed int* _t262;
    				signed int* _t267;
    				signed int* _t268;
    				char* _t270;
    				signed int _t274;
    				unsigned int _t275;
    				intOrPtr _t277;
    				unsigned int _t278;
    				intOrPtr* _t280;
    				void* _t281;
    				signed char _t290;
    				signed int _t292;
    				signed char _t295;
    				signed int _t298;
    				signed int _t302;
    				signed int* _t304;
    
    				_t222 = _a4;
    				_t280 = _a8;
    				_t186 =  *((intOrPtr*)(_t222 + 0x10));
    				_t292 = _a12 + 0x00000017 & 0xfffffff0;
    				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
    				_v16 = _t274 * 0x204 + _t186 + 0x144;
    				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
    				_a12 = _t227;
    				_t194 =  *(_t227 + _t280 - 4);
    				_t281 = _t227 + _t280 - 4;
    				_v8 = _t194;
    				if(_t292 <= _t227) {
    					if(__eflags < 0) {
    						_t195 = _a8;
    						_a12 = _a12 - _t292;
    						_t228 = _t292 + 1;
    						 *((intOrPtr*)(_t195 - 4)) = _t228;
    						_t196 = _t195 + _t292 - 4;
    						_a8 = _t196;
    						_t295 = (_a12 >> 4) - 1;
    						 *((intOrPtr*)(_t196 - 4)) = _t228;
    						__eflags = _t295 - 0x3f;
    						if(_t295 > 0x3f) {
    							_t295 = 0x3f;
    						}
    						__eflags = _v8 & 0x00000001;
    						if((_v8 & 0x00000001) == 0) {
    							_t298 = (_v8 >> 4) - 1;
    							__eflags = _t298 - 0x3f;
    							if(_t298 > 0x3f) {
    								_t298 = 0x3f;
    							}
    							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
    							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
    								__eflags = _t298 - 0x20;
    								if(_t298 >= 0x20) {
    									_t128 = _t298 - 0x20; // -32
    									_t130 = _t186 + 4; // 0x4
    									_t244 = _t298 + _t130;
    									_t199 =  !(0x80000000 >> _t128);
    									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
    									 *_t244 =  *_t244 - 1;
    									__eflags =  *_t244;
    									if( *_t244 == 0) {
    										_t245 = _a4;
    										_t138 = _t245 + 4;
    										 *_t138 =  *(_t245 + 4) & _t199;
    										__eflags =  *_t138;
    									}
    								} else {
    									_t304 = _t298 + _t186 + 4;
    									_t202 =  !(0x80000000 >> _t298);
    									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
    									 *_t304 =  *_t304 - 1;
    									__eflags =  *_t304;
    									if( *_t304 == 0) {
    										 *_a4 =  *_a4 & _t202;
    									}
    								}
    								_t196 = _a8;
    							}
    							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
    							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
    							_t302 = _a12 + _v8;
    							_a12 = _t302;
    							_t295 = (_t302 >> 4) - 1;
    							__eflags = _t295 - 0x3f;
    							if(_t295 > 0x3f) {
    								_t295 = 0x3f;
    							}
    						}
    						_t229 = _v16;
    						_t230 = _t229 + _t295 * 8;
    						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
    						 *((intOrPtr*)(_t196 + 8)) = _t230;
    						 *((intOrPtr*)(_t230 + 4)) = _t196;
    						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
    						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
    						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
    							_t233 =  *(_t295 + _t186 + 4);
    							__eflags = _t295 - 0x20;
    							_a11 = _t233;
    							_t234 = _t233 + 1;
    							__eflags = _t234;
    							 *(_t295 + _t186 + 4) = _t234;
    							if(_t234 >= 0) {
    								__eflags = _a11;
    								if(_a11 == 0) {
    									_t174 = _t295 - 0x20; // -33
    									_t237 = _a4;
    									_t176 = _t237 + 4;
    									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t174;
    									__eflags =  *_t176;
    								}
    								_t189 = _t186 + 0xc4 + _t274 * 4;
    								_t181 = _t295 - 0x20; // -33
    								_t235 = _t181;
    								_t275 = 0x80000000;
    							} else {
    								__eflags = _a11;
    								if(_a11 == 0) {
    									_t239 = _a4;
    									 *_t239 =  *_t239 | 0x80000000 >> _t295;
    									__eflags =  *_t239;
    								}
    								_t189 = _t186 + 0x44 + _t274 * 4;
    								_t275 = 0x80000000;
    								_t235 = _t295;
    							}
    							 *_t189 =  *_t189 | _t275 >> _t235;
    							__eflags =  *_t189;
    						}
    						_t188 = _a12;
    						 *_t196 = _t188;
    						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
    					}
    					L52:
    					_t187 = 1;
    					return _t187;
    				}
    				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
    					return 0;
    				} else {
    					_t250 = (_v8 >> 4) - 1;
    					_v12 = _t250;
    					if(_t250 > 0x3f) {
    						_t250 = 0x3f;
    						_v12 = _t250;
    					}
    					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
    						if(_t250 >= 0x20) {
    							_t267 = _v12 + _t186 + 4;
    							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
    							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
    							 *_t267 =  *_t267 - 1;
    							__eflags =  *_t267;
    							if( *_t267 == 0) {
    								_t268 = _a4;
    								_t44 = _t268 + 4;
    								 *_t44 =  *(_t268 + 4) & _t218;
    								__eflags =  *_t44;
    							}
    						} else {
    							_t270 = _v12 + _t186 + 4;
    							_t221 =  !(0x80000000 >> _t250);
    							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
    							 *_t270 =  *_t270 - 1;
    							if( *_t270 == 0) {
    								 *_a4 =  *_a4 & _t221;
    							}
    						}
    					}
    					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
    					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
    					_v8 = _v8 + _a12 - _t292;
    					if(_v8 <= 0) {
    						_t277 = _a8;
    					} else {
    						_t290 = (_v8 >> 4) - 1;
    						_t256 = _a8 + _t292 - 4;
    						if(_t290 > 0x3f) {
    							_t290 = 0x3f;
    						}
    						_t207 = _v16 + _t290 * 8;
    						_a12 = _t207;
    						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
    						_t209 = _a12;
    						 *(_t256 + 8) = _t209;
    						 *((intOrPtr*)(_t209 + 4)) = _t256;
    						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
    						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
    							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
    							_a15 = _t258;
    							_t259 = _t258 + 1;
    							 *((char*)(_t290 + _t186 + 4)) = _t259;
    							if(_t259 >= 0) {
    								__eflags = _a15;
    								if(_a15 == 0) {
    									_t84 = _t290 - 0x20; // -33
    									_t262 = _a4;
    									_t86 = _t262 + 4;
    									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
    									__eflags =  *_t86;
    								}
    								_t193 = _t186 + 0xc4 + _t274 * 4;
    								_t91 = _t290 - 0x20; // -33
    								_t260 = _t91;
    								_t278 = 0x80000000;
    							} else {
    								if(_a15 == 0) {
    									 *_a4 =  *_a4 | 0x80000000 >> _t290;
    								}
    								_t193 = _t186 + 0x44 + _t274 * 4;
    								_t278 = 0x80000000;
    								_t260 = _t290;
    							}
    							 *_t193 =  *_t193 | _t278 >> _t260;
    						}
    						_t277 = _a8;
    						_t257 = _v8;
    						_t95 = _t292 - 4; // 0x246117c
    						_t192 = _t277 + _t95;
    						 *_t192 = _t257;
    						 *(_t257 + _t192 - 4) = _t257;
    					}
    					_t191 = _t292 + 1;
    					 *((intOrPtr*)(_t277 - 4)) = _t191;
    					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
    					goto L52;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction ID: a14dbc07d152ef15904ad1dce803de86b8e381be7417189aecd5625626e59f02
    • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
    • Instruction Fuzzy Hash: 35B19C35A0021ADFDB15CF05C5D0AA9BBA1BF58318F14C5AED81A6B382C735EE56CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 00417EAE
    • SendMessageA.USER32(?,00000157,00000000,00000000), ref: 00417EDA
    • HideCaret.USER32(?), ref: 00417EF0
    • GetWindowRect.USER32(?,?), ref: 00417EFC
    • GetParent.USER32(?), ref: 00417F03
    • ScreenToClient.USER32(00000000,?), ref: 00417F17
    • ScreenToClient.USER32(00000000,?), ref: 00417F23
    • GetDC.USER32(00000000), ref: 00417F26
    • GetWindowLongA.USER32(?,000000F4), ref: 00417F58
    • SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 00417F85
    • SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 00417FA6
    • GetClassNameA.USER32(00000000,?,00000010), ref: 00417FB8
    • lstrcmp.KERNEL32(?,ComboBox), ref: 00417FC8
    • GetParent.USER32(00000000), ref: 00417FEC
    • MapWindowPoints.USER32(00000000,0000029A,?,00000002), ref: 00418003
    • ReleaseDC.USER32(00000000,00000000), ref: 0041800B
    • GetDC.USER32(?), ref: 00418016
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0041802C
    • GetWindow.USER32(00000000,00000005), ref: 00418047
    • GetWindowRect.USER32(00000000,?), ref: 00418053
    • SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 00418090
    • ReleaseDC.USER32(?,00000000), ref: 004180A0
    • ShowCaret.USER32(?), ref: 004180A7
    • GetSystemMetrics.USER32(00000002), ref: 004180E8
    • GetSystemMetrics.USER32(00000002), ref: 00418147
    • GetSystemMetrics.USER32(00000015), ref: 00418198
    • ReleaseDC.USER32(00000000,00000000), ref: 004181BA
    • ShowCaret.USER32(?), ref: 004181C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
    • String ID: ComboBox
    • API String ID: 930961256-1152790111
    • Opcode ID: 2a29855ee5a4b0d49cdd459574d12da3068cd8400b3a6abd4fdc62b936cc82c8
    • Instruction ID: 005532f33a722c943b4671186264237e811d9804be48512d20f385957222a308
    • Opcode Fuzzy Hash: 2a29855ee5a4b0d49cdd459574d12da3068cd8400b3a6abd4fdc62b936cc82c8
    • Instruction Fuzzy Hash: A5917371608305EFD220EB64CC49FAFBBE8EB85708F40092EFA4596191D778D946CB5B
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegisterClipboardFormatA.USER32(Native), ref: 00423753
    • RegisterClipboardFormatA.USER32(OwnerLink), ref: 0042375C
    • RegisterClipboardFormatA.USER32(ObjectLink), ref: 00423766
    • RegisterClipboardFormatA.USER32(Embedded Object), ref: 00423770
    • RegisterClipboardFormatA.USER32(Embed Source), ref: 0042377A
    • RegisterClipboardFormatA.USER32(Link Source), ref: 00423784
    • RegisterClipboardFormatA.USER32(Object Descriptor), ref: 0042378E
    • RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 00423798
    • RegisterClipboardFormatA.USER32(FileName), ref: 004237A2
    • RegisterClipboardFormatA.USER32(FileNameW), ref: 004237AC
    • RegisterClipboardFormatA.USER32(Rich Text Format), ref: 004237B6
    • RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 004237C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ClipboardFormatRegister
    • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
    • API String ID: 1228543026-2889995556
    • Opcode ID: 689adb4f6e3318617a904b8492a20057c0325d6a3c3197f2d197b93cc57c89a5
    • Instruction ID: 561fafb3c643771a60b5c71695313fe72863d51ffe0f339a15fdc61493c2f750
    • Opcode Fuzzy Hash: 689adb4f6e3318617a904b8492a20057c0325d6a3c3197f2d197b93cc57c89a5
    • Instruction Fuzzy Hash: 2401E170F407665A9B306F73AC0E917BAE0DDC5B107A14D2FD08587640D67C9811CF4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E00417330(void* __eflags) {
    				void* _t113;
    				void* _t121;
    				intOrPtr _t142;
    				struct tagRECT _t144;
    				int _t147;
    				struct tagRECT _t158;
    				intOrPtr _t160;
    				long _t161;
    				void* _t163;
    				struct tagRECT* _t178;
    				signed int _t180;
    				int _t182;
    				CHAR* _t183;
    				long* _t184;
    				intOrPtr _t194;
    				struct tagRECT _t195;
    				struct tagRECT _t198;
    				intOrPtr _t199;
    				int _t206;
    				RECT* _t209;
    				struct HDC__* _t210;
    				void* _t213;
    				void* _t214;
    				void* _t215;
    				void* _t216;
    
    				_t184 = _t214 + 0xc;
    				_t209 =  *(_t214 + 0x34);
    				_t180 = _t209->right;
    				_push(0xf);
    				_push(7);
    				 *_t184 = _t209->left;
    				_t210 =  *(_t214 + 0x40);
    				_t184[1] = _t209->top;
    				_t184[2] = _t180;
    				_t184[3] = _t209->bottom;
    				E00415840(_t210, _t209, 7);
    				_t215 = _t214 + 0x14;
    				InflateRect(_t214 + 0x30, 0xffffffff, 0xffffffff);
    				if( *((short*)(_t215 + 0x44)) == 1 && IsWindowEnabled( *(_t215 + 0x30)) != 0) {
    					_push(0xf);
    					_push(7);
    					E00415840(_t210, _t215 + 0x1c, 7);
    					_t178 = _t215 + 0x30;
    					_t215 = _t215 + 0x14;
    					InflateRect(_t178, 0xffffffff, 0xffffffff);
    				}
    				PatBlt(_t210, _t209->left, _t209->top, 1, 1, 0xf00021);
    				PatBlt(_t210, _t209->right - 1, _t209->top, 1, 1, 0xf00021);
    				PatBlt(_t210,  *_t209, _t209->bottom - 1, 1, 1, 0xf00021);
    				PatBlt(_t210, _t209->right - 1, _t209->bottom - 1, 1, 1, 0xf00021);
    				asm("sbb ebx, ebx");
    				_t182 =  ~_t180 + 1;
    				if( *((intOrPtr*)(_t215 + 0x48)) == 0) {
    					_t113 =  *0x439284; // 0x0
    				} else {
    					_t113 =  *0x43928c; // 0x0
    				}
    				 *((intOrPtr*)(_t215 + 0x14)) = SelectObject(_t210, _t113);
    				PatBlt(_t210,  *(_t215 + 0x20),  *(_t215 + 0x20), _t182,  *((intOrPtr*)(_t215 + 0x2c)) -  *(_t215 + 0x24), 0xf00021);
    				PatBlt(_t210,  *(_t215 + 0x28),  *(_t215 + 0x28),  *(_t215 + 0x24) -  *(_t215 + 0x20), _t182, 0xf00021);
    				if( *((intOrPtr*)(_t215 + 0x48)) == 0) {
    					_t163 =  *0x43928c; // 0x0
    					_t213 = 0;
    					SelectObject(_t210, _t163);
    					 *(_t215 + 0x28) =  *(_t215 + 0x28) - 1;
    					 *(_t215 + 0x24) =  *(_t215 + 0x24) - 1;
    					if(_t182 > 0) {
    						do {
    							PatBlt(_t210,  *(_t215 + 0x24),  *(_t215 + 0x30),  *(_t215 + 0x24) -  *(_t215 + 0x20) + 1, 1, 0xf00021);
    							PatBlt(_t210,  *(_t215 + 0x28),  *(_t215 + 0x24), 1,  *(_t215 + 0x28) -  *(_t215 + 0x24), 0xf00021);
    							if(_t182 - 1 > _t213) {
    								InflateRect(_t215 + 0x1c, 0xffffffff, 0xffffffff);
    							}
    							_t213 = _t213 + 1;
    						} while (_t182 > _t213);
    					}
    				}
    				_t121 =  *0x439288; // 0x0
    				 *(_t215 + 0x1c) =  *(_t215 + 0x1c) + 1;
    				 *(_t215 + 0x20) =  *(_t215 + 0x20) + 1;
    				SelectObject(_t210, _t121);
    				_t206 =  *(_t215 + 0x20);
    				PatBlt(_t210, _t206,  *(_t215 + 0x24),  *((intOrPtr*)(_t215 + 0x2c)) -  *(_t215 + 0x24),  *(_t215 + 0x28) -  *(_t215 + 0x24), 0xf00021);
    				if(IsWindowEnabled( *(_t215 + 0x30)) == 0) {
    					_t161 =  *0x43927c; // 0x0
    					SetTextColor(_t210, _t161);
    				}
    				_t183 =  *(_t215 + 0x3c);
    				_push(_t215 + 0x18);
    				_push(_t215 + 0x14);
    				_push(_t183);
    				E00415A30(_t210);
    				_t216 = _t215 + 0x10;
    				asm("cdq");
    				 *((intOrPtr*)(_t216 + 0x20)) =  *((intOrPtr*)(_t216 + 0x20)) + ( *((intOrPtr*)(_t215 + 0x38)) -  *(_t215 + 0x30) -  *(_t215 + 0x28) - _t206 >> 1);
    				_t194 =  *((intOrPtr*)(_t216 + 0x28));
    				asm("cdq");
    				 *(_t216 + 0x1c) =  *(_t216 + 0x1c) + ( *(_t216 + 0x24) -  *(_t216 + 0x1c) -  *((intOrPtr*)(_t216 + 0x14)) - _t206 >> 1);
    				_t142 =  *((intOrPtr*)(_t216 + 0x20)) +  *((intOrPtr*)(_t216 + 0x18));
    				if(_t142 >= _t194) {
    					_t142 = _t194;
    				}
    				_t195 =  *(_t216 + 0x24);
    				 *((intOrPtr*)(_t216 + 0x28)) = _t142;
    				_t144 =  *(_t216 + 0x1c) +  *((intOrPtr*)(_t216 + 0x14));
    				if(_t144 >= _t195) {
    					_t144 = _t195;
    				}
    				 *(_t216 + 0x24) = _t144;
    				if( *((intOrPtr*)(_t216 + 0x48)) != 0) {
    					OffsetRect(_t216 + 0x1c, 1, 1);
    					_t198 =  *(_t216 + 0x24);
    					_t158 = _t209->right - 3;
    					if(_t158 >= _t198) {
    						_t158 = _t198;
    					}
    					_t199 =  *((intOrPtr*)(_t216 + 0x28));
    					 *(_t216 + 0x24) = _t158;
    					_t160 = _t209->bottom - 3;
    					if(_t160 >= _t199) {
    						_t160 = _t199;
    					}
    					 *((intOrPtr*)(_t216 + 0x28)) = _t160;
    				}
    				DrawTextA(_t210, _t183,  *(_t216 + 0x44), _t216 + 0x1c, 0x20);
    				_t147 = GetFocus();
    				if(_t147 ==  *((intOrPtr*)(_t216 + 0x30))) {
    					InflateRect(_t216 + 0x1c, 1, 1);
    					IntersectRect(_t216 + 0x24, _t216 + 0x1c, _t209);
    					_t147 = DrawFocusRect(_t210, _t216 + 0x1c);
    				}
    				if( *(_t216 + 0x10) != 0) {
    					return SelectObject(_t210,  *(_t216 + 0x10));
    				}
    				return _t147;
    			}

    APIs
      • Part of subcall function 00415840: SetBkColor.GDI32(?), ref: 0041585D
      • Part of subcall function 00415840: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004158AA
      • Part of subcall function 00415840: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004158D9
      • Part of subcall function 00415840: SetBkColor.GDI32(?,?), ref: 004158F7
      • Part of subcall function 00415840: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00415922
      • Part of subcall function 00415840: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041595C
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00417372
    • IsWindowEnabled.USER32(?), ref: 00417385
    • InflateRect.USER32(?,000000FF,000000FF), ref: 004173AC
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004173C3
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004173DC
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004173F4
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041740E
    • SelectObject.GDI32(?,00000000), ref: 00417433
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00417457
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00417477
    • SelectObject.GDI32(?,00000000), ref: 0041748D
    • PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 004174BB
    • PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 004174DC
    • InflateRect.USER32(?,000000FF,000000FF), ref: 004174F2
    • SelectObject.GDI32(?,00000000), ref: 0041750C
    • PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00417534
    • IsWindowEnabled.USER32(?), ref: 0041753F
    • SetTextColor.GDI32(?,00000000), ref: 00417550
    • OffsetRect.USER32(?,00000001,00000001), ref: 004175DC
      • Part of subcall function 00415840: SetBkColor.GDI32(?,00000000), ref: 00415964
    • DrawTextA.USER32(?,?,?,?,00000020), ref: 00417614
    • GetFocus.USER32 ref: 00417620
    • InflateRect.USER32(?,00000001,00000001), ref: 00417631
    • IntersectRect.USER32(?,?,?), ref: 00417642
    • DrawFocusRect.USER32(?,?), ref: 0041764E
    • SelectObject.GDI32(?,00000000), ref: 00417661
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
    • String ID:
    • API String ID: 1611134597-0
    • Opcode ID: a62822bfcda22e29dcf84be2a9462bdc7fa028e95cd4b56ff6a66841d41bd1a7
    • Instruction ID: dc2e29af57539bd7e71a936666c795998fad0635ceb9c9e1fe78bfc417795ce3
    • Opcode Fuzzy Hash: a62822bfcda22e29dcf84be2a9462bdc7fa028e95cd4b56ff6a66841d41bd1a7
    • Instruction Fuzzy Hash: 2CB14971208201AFD310DF68CD85EABBBF8FB88704F404A1CF659D6290D775E946CB6A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00422F5F: TlsGetValue.KERNEL32(00437200,?,00000000,0042275D,00422136,00422779,0041A668,0042029B,?,00000000,?,00418C5C,00000000,00000000,00000000,00000000), ref: 00422F9E
    • CallNextHookEx.USER32(?,00000003,?,?), ref: 0041C78F
    • GetClassLongA.USER32(?,000000E6), ref: 0041C7D6
    • GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 0041C802
    • lstrcmpi.KERNEL32(?,ime), ref: 0041C811
    • GetWindowLongA.USER32(?,000000FC), ref: 0041C884
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041C8A5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
    • String ID: 8pC$AfxOldWndProc423$ime
    • API String ID: 3731301195-2311159598
    • Opcode ID: 735968d68adcdd59250a798c575c81741241aa071ee6e4f6f8c163aa4064b0e7
    • Instruction ID: e41264f9398b6f863e567b403b4ad6502717b13875c9848d8935542e5abfc7a4
    • Opcode Fuzzy Hash: 735968d68adcdd59250a798c575c81741241aa071ee6e4f6f8c163aa4064b0e7
    • Instruction Fuzzy Hash: 5D51B371644215AFCB21AF60DCC8BAF7BB8FF04365F10456AF956A7290C738D981CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E00401451(void* __ecx, void* __eflags) {
    				void* _t65;
    				void* _t83;
    				void* _t85;
    				void* _t114;
    				void* _t116;
    
    				E00409B78(0x42567c, _t116);
    				_t83 = __ecx;
    				E00401766(__eflags);
    				 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    				_t122 =  *((intOrPtr*)(__ecx + 0x60));
    				if( *((intOrPtr*)(__ecx + 0x60)) == 0) {
    					_t114 = 0x80000000;
    					E0040187B(_t116 - 0x28, 0x80000000, "*\Shell\IDA Pro (32-bit)");
    					E0040187B(_t116 - 0x28, 0x80000000, "*\Shell\IDA Pro (64-bit)");
    				} else {
    					0x41be13(_t116 - 0x10, __ecx + 0x64, "\ida.exe %1");
    					_t114 = 0x80000000;
    					 *(_t116 - 4) = 1;
    					E00401833(_t122, 0x80000000, "*\Shell\IDA Pro (32-bit)\Command", 0x435624,  *((intOrPtr*)(_t116 - 0x10)));
    					 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    					0x41bc28();
    					0x41be13(_t116 - 0x10, __ecx + 0x64, "\ida64.exe %1");
    					 *(_t116 - 4) = 2;
    					E00401833(_t122, 0x80000000, "*\Shell\IDA Pro (64-bit)\Command", 0x435624,  *((intOrPtr*)(_t116 - 0x10)));
    					 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    					0x41bc28();
    				}
    				_t123 =  *((intOrPtr*)(_t83 + 0x5c));
    				if( *((intOrPtr*)(_t83 + 0x5c)) == 0) {
    					E0040187B(_t116 - 0x28, _t114, "IDApro.Database32");
    					E0040187B(_t116 - 0x28, _t114, "IDApro.Database64");
    					E0040187B(_t116 - 0x28, _t114, ".idb");
    					E0040187B(_t116 - 0x28, _t114, ".i64");
    				} else {
    					_t85 = _t83 + 0x64;
    					0x41be13(_t116 - 0x10, _t85, "\ida.exe,0");
    					 *(_t116 - 4) = 3;
    					E00401833(_t123, _t114, "IDApro.Database32\DefaultIcon", 0x435624,  *((intOrPtr*)(_t116 - 0x10)));
    					 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    					0x41bc28();
    					0x41be13(_t116 - 0x10, _t85, "\ida.exe %1");
    					 *(_t116 - 4) = 4;
    					E00401833(_t123, _t114, "IDApro.Database32\shell\open\command", 0x435624,  *((intOrPtr*)(_t116 - 0x10)));
    					 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    					0x41bc28();
    					E00401833(_t123, _t114, ".idb", 0x435624, "IDApro.Database32");
    					0x41be13(_t116 - 0x10, _t85, "\ida64.exe,0");
    					 *(_t116 - 4) = 5;
    					E00401833(_t123, _t114, "IDApro.Database64\DefaultIcon", 0x435624,  *((intOrPtr*)(_t116 - 0x10)));
    					 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    					0x41bc28();
    					0x41be13(_t116 - 0x10, _t85, "\ida64.exe %1");
    					 *(_t116 - 4) = 6;
    					E00401833(_t123, _t114, "IDApro.Database64\shell\open\command", 0x435624,  *((intOrPtr*)(_t116 - 0x10)));
    					 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
    					0x41bc28();
    					E00401833(_t123, _t114, ".i64", 0x435624, "IDApro.Database64");
    				}
    				 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
    				_t65 = E004017A5(_t116 - 0x28);
    				 *[fs:0x0] =  *((intOrPtr*)(_t116 - 0xc));
    				return _t65;
    			}









    APIs
    • __EH_prolog.LIBCMT ref: 00401456
      • Part of subcall function 0041BE13: __EH_prolog.LIBCMT ref: 0041BE18
      • Part of subcall function 00401833: lstrlen.KERNEL32(80000000,00435624,?,?,80000000,?,00401539,80000000,IDApro.Database32\DefaultIcon,00435624,00000000,?,?,\ida.exe,0,80000000,*\Shell\IDA Pro (64-bit)), ref: 0040184C
      • Part of subcall function 00401833: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000001,80000000,00000001,?,00401539,80000000,IDApro.Database32\DefaultIcon,00435624,00000000,?,?,\ida.exe,0,80000000), ref: 0040185F
      • Part of subcall function 00401833: RegCloseKey.ADVAPI32(00000000,?,00401539,80000000,IDApro.Database32\DefaultIcon,00435624,00000000,?,?,\ida.exe,0,80000000,*\Shell\IDA Pro (64-bit),80000000,*\Shell\IDA Pro (32-bit),?), ref: 00401868
      • Part of subcall function 0041BC28: InterlockedDecrement.KERNEL32(-000000F4), ref: 0041BC3C
      • Part of subcall function 0041BE13: lstrlen.KERNEL32(00000000,80000000,?,?,00401524,?,?,\ida.exe,0,80000000,*\Shell\IDA Pro (64-bit),80000000,*\Shell\IDA Pro (32-bit),?,?,00000000), ref: 0041BE3F
      • Part of subcall function 0040187B: RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 00401892
      • Part of subcall function 0040187B: RegEnumKeyA.ADVAPI32(00000000,00000000,?,0000012B), ref: 004018D2
      • Part of subcall function 0040187B: RegDeleteKeyA.ADVAPI32(?,?), ref: 004018F2
      • Part of subcall function 0040187B: RegCloseKey.ADVAPI32(00000000), ref: 004018FD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CloseH_prologlstrlen$DecrementDeleteEnumInterlockedOpenValue
    • String ID: $VC$*\Shell\IDA Pro (32-bit)$*\Shell\IDA Pro (32-bit)\Command$*\Shell\IDA Pro (64-bit)$*\Shell\IDA Pro (64-bit)\Command$.i64$.idb$IDApro.Database32$IDApro.Database32\DefaultIcon$IDApro.Database32\shell\open\command$IDApro.Database64$IDApro.Database64\DefaultIcon$IDApro.Database64\shell\open\command$\ida.exe %1$\ida.exe,0$\ida64.exe %1$\ida64.exe,0
    • API String ID: 2304846442-3726948690
    • Opcode ID: 030930a84e44c1f3693426c7e7464e0cd2b4eeb3e7fde30f502cc5612f41c23c
    • Instruction ID: 5587c8ad203656773f87e4fcbbb6bb5ae6f3744a8649545616510281fca48c2b
    • Opcode Fuzzy Hash: 030930a84e44c1f3693426c7e7464e0cd2b4eeb3e7fde30f502cc5612f41c23c
    • Instruction Fuzzy Hash: E9515072840258B9CB00E7A1CC96FEFBB78AF59718F1854AFF401721E29B7C5B44C669
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetPropA.USER32(?,00000000), ref: 00417C05
    • CallWindowProcA.USER32(00000000), ref: 00417C2D
      • Part of subcall function 00415760: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00415786
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 0041579E
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 004157AA
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    • Opcode ID: f8018b346350a62c1011c5294139f39c9a41e6dfdecbaa5b608dcf5fdc87d1b9
    • Instruction ID: 46a308f091c949c457177331ad57808cd3d52831e0b2c48af70d7af8156ab79a
    • Opcode Fuzzy Hash: f8018b346350a62c1011c5294139f39c9a41e6dfdecbaa5b608dcf5fdc87d1b9
    • Instruction Fuzzy Hash: 9D61F77274C3146BD230AB14EC45FEF3BA8EB86761F500526FE1192391DB199D8286BE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004025FB() {
    				_Unknown_base(*)()* _t5;
    				_Unknown_base(*)()* _t6;
    				_Unknown_base(*)()* _t7;
    				_Unknown_base(*)()* _t8;
    				_Unknown_base(*)()* _t9;
    				_Unknown_base(*)()* _t10;
    				intOrPtr _t11;
    				struct HINSTANCE__* _t15;
    				intOrPtr _t17;
    				_Unknown_base(*)()* _t18;
    
    				_t17 =  *0x437030; // 0x1
    				if(_t17 == 0) {
    					_t15 = GetModuleHandleA("USER32");
    					if(_t15 == 0) {
    						L10:
    						 *0x437018 = 0;
    						 *0x43701c = 0;
    						 *0x437020 = 0;
    						 *0x437024 = 0;
    						 *0x437028 = 0;
    						 *0x43702c = 0;
    						 *0x437030 = 1;
    						return 0;
    					}
    					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
    					 *0x437018 = _t5;
    					if(_t5 == 0) {
    						goto L10;
    					}
    					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
    					 *0x43701c = _t6;
    					if(_t6 == 0) {
    						goto L10;
    					}
    					_t7 = GetProcAddress(_t15, "MonitorFromRect");
    					 *0x437020 = _t7;
    					if(_t7 == 0) {
    						goto L10;
    					}
    					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
    					 *0x437024 = _t8;
    					if(_t8 == 0) {
    						goto L10;
    					}
    					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
    					 *0x43702c = _t9;
    					if(_t9 == 0) {
    						goto L10;
    					}
    					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
    					 *0x437028 = _t10;
    					if(_t10 == 0) {
    						goto L10;
    					}
    					_t11 = 1;
    					 *0x437030 = _t11;
    					return _t11;
    				}
    				_t18 =  *0x437028; // 0x770c9850
    				return 0 | _t18 != 0x00000000;
    			}














    APIs
    • GetModuleHandleA.KERNEL32(USER32,?,?,?,00402734), ref: 0040261D
    • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00402635
    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00402646
    • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00402657
    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00402668
    • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00402679
    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040268A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
    • API String ID: 667068680-2376520503
    • Opcode ID: 5cb6e099c8164869ee4af80f431064e90eebacd619c91e24f1325f1a292b0fc2
    • Instruction ID: 16f56168aeb54c5b85f5ad46dd0d2d4c2fbd7939300bdd199719a67d3f62811d
    • Opcode Fuzzy Hash: 5cb6e099c8164869ee4af80f431064e90eebacd619c91e24f1325f1a292b0fc2
    • Instruction Fuzzy Hash: 0A1151B1A093209AC3359F256DC552EBAF4B24C7503A1683FE148E26D4CFB944469F6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00408F5B() {
    				signed int _t92;
    				struct HWND__* _t93;
    				signed int _t95;
    				signed char _t96;
    				signed int _t99;
    				signed int _t100;
    				struct HWND__* _t101;
    				signed int _t103;
    				struct HWND__* _t106;
    				signed char _t109;
    				struct HWND__* _t110;
    				signed int _t112;
    				int _t114;
    				short _t117;
    				int _t118;
    				signed int _t120;
    				signed int _t123;
    				signed char _t124;
    				signed int _t125;
    				signed int _t126;
    				short _t129;
    				signed short _t131;
    				intOrPtr _t132;
    				intOrPtr* _t133;
    				struct HWND__* _t135;
    				struct HWND__* _t136;
    				void* _t137;
    				intOrPtr _t138;
    				signed char _t139;
    				signed int _t143;
    				signed int _t147;
    				void* _t150;
    				intOrPtr _t159;
    				void* _t162;
    				struct HWND__* _t163;
    				signed int _t164;
    				void* _t167;
    				signed int _t168;
    				signed int _t172;
    				struct HWND__* _t173;
    				struct HWND__* _t174;
    				intOrPtr _t175;
    				void* _t176;
    				void* _t178;
    
    				E00409B78(0x425ee8, _t176);
    				 *((intOrPtr*)(_t176 - 0x10)) = _t178 - 0x18;
    				_t92 = GetFocus();
    				0x41c48d(_t92, _t162, _t167, _t137);
    				 *(_t176 - 0x14) = _t92;
    				if(_t92 != 0) {
    					 *(_t176 - 0x20) =  *(_t92 + 0x1c);
    				} else {
    					 *(_t176 - 0x20) =  *(_t176 - 0x20) & _t92;
    				}
    				_t143 =  *(_t176 + 8);
    				if(_t143 != 0) {
    					 *(_t176 - 0x24) =  *(_t143 + 0x1c);
    				} else {
    					 *(_t176 - 0x24) =  *(_t176 - 0x24) & _t143;
    				}
    				_t138 =  *((intOrPtr*)( *(_t176 + 0xc) + 4));
    				 *((intOrPtr*)(_t176 - 0x18)) = _t138;
    				if(_t138 < 0x100 || _t138 > 0x108) {
    					if(_t138 < 0x200 || _t138 > 0x209) {
    						goto L29;
    					} else {
    						goto L10;
    					}
    				} else {
    					L10:
    					_t174 = _t92;
    					if(_t92 == 0) {
    						L19:
    						if(_t138 == 0x101 || _t138 == 0x100 || _t138 == 0x102) {
    							if(_t174 == 0) {
    								goto L29;
    							}
    							_t175 =  *((intOrPtr*)(_t174 + 0x38));
    							if(_t175 == 0) {
    								goto L29;
    							}
    							_t131 =  *( *(_t176 + 0xc) + 8);
    							if(_t131 != 0xd || ( *(_t175 + 0x80) & 0x00000001) == 0) {
    								if(_t131 != 0x1b || ( *(_t175 + 0x80) & 0x00000002) == 0) {
    									goto L29;
    								} else {
    									goto L28;
    								}
    							} else {
    								L28:
    								_t100 = 0;
    								goto L59;
    							}
    						} else {
    							L29:
    							_t93 =  *(_t176 + 0xc);
    							0x41c48d(_t93->i);
    							_t163 = _t93;
    							_t168 = 0;
    							_t95 =  *((intOrPtr*)(_t176 - 0x18)) - 0x100;
    							__eflags = _t95;
    							 *(_t176 - 0x1c) = 0;
    							_t139 = 2;
    							if(_t95 == 0) {
    								_t96 = E0040897A(_t163,  *(_t176 + 0xc));
    								_t147 =  *( *(_t176 + 0xc) + 8) & 0x0000ffff;
    								__eflags = _t147 - 0x1b;
    								if(__eflags > 0) {
    									__eflags = _t147 - 0x25;
    									if(_t147 < 0x25) {
    										L52:
    										_t164 =  *0x4274b0( *( *(_t176 + 8) + 0x1c),  *(_t176 + 0xc));
    										__eflags = _t164;
    										if(_t164 != 0) {
    											_t106 = GetFocus();
    											0x41c48d(_t106);
    											__eflags = _t106 -  *(_t176 - 0x14);
    											if(_t106 !=  *(_t176 - 0x14)) {
    												0x41c48d(GetFocus());
    												E00408C4A(_t107);
    											}
    										}
    										L55:
    										_t99 = IsWindow( *(_t176 - 0x20));
    										__eflags = _t99;
    										if(_t99 != 0) {
    											_t101 = GetFocus();
    											0x41c48d(_t101);
    											E00408CA7( *(_t176 - 0x14));
    											_t150 = _t101;
    											_t103 = IsWindow( *(_t176 - 0x24));
    											__eflags = _t103;
    											if(_t103 != 0) {
    												0x41c48d(GetFocus());
    												E00408E6E(_t150,  *(_t176 + 8),  *(_t176 - 0x14), _t104);
    											}
    										}
    										_t100 = _t164;
    										goto L59;
    									}
    									__eflags = _t147 - 0x26;
    									if(_t147 <= 0x26) {
    										 *(_t176 - 0x1c) = 1;
    										L80:
    										_t109 = E0040897A( *(_t176 - 0x14),  *(_t176 + 0xc));
    										__eflags = _t109 & 0x00000001;
    										if((_t109 & 0x00000001) != 0) {
    											goto L52;
    										}
    										_t110 =  *(_t176 - 0x14);
    										__eflags = _t110;
    										if(_t110 != 0) {
    											_t110 =  *(_t110 + 0x1c);
    										}
    										_t112 = GetNextDlgGroupItem( *( *(_t176 + 8) + 0x1c), _t110,  *(_t176 - 0x1c));
    										0x41c48d(_t112);
    										__eflags = _t112;
    										if(_t112 == 0) {
    											goto L52;
    										} else {
    											__eflags =  *(_t112 + 0x38);
    											if( *(_t112 + 0x38) == 0) {
    												goto L52;
    											}
    											E004089A8(_t112);
    											L78:
    											_t164 = 1;
    											goto L55;
    										}
    									}
    									__eflags = _t147 - 0x28;
    									if(_t147 <= 0x28) {
    										goto L80;
    									}
    									__eflags = _t147 - 0x2b;
    									if(_t147 != 0x2b) {
    										goto L52;
    									}
    									L69:
    									_t114 = E00408DBE( *(_t176 - 0x14));
    									__eflags = _t114 & 0x00000010;
    									if((_t114 & 0x00000010) == 0) {
    										_t114 = E00408E41( *(_t176 + 8));
    									} else {
    										_t168 =  *(_t176 - 0x14);
    										0x41eb35();
    									}
    									__eflags = _t168;
    									_t139 = _t114;
    									if(_t168 != 0) {
    										L74:
    										0x41ec07();
    										__eflags = _t114;
    										if(_t114 != 0) {
    											__eflags =  *(_t168 + 0x38);
    											if( *(_t168 + 0x38) == 0) {
    												goto L52;
    											}
    											 *(_t176 - 4) = 0;
    											0x41ec6a(_t168, 0xfffffdd9, 1, 0, 0, 0);
    											_t77 = _t176 - 4;
    											 *_t77 =  *(_t176 - 4) | 0xffffffff;
    											__eflags =  *_t77;
    											goto L78;
    										}
    										MessageBeep(_t114);
    										goto L52;
    									} else {
    										L73:
    										_t114 = E00408D1A(_t114,  *(_t176 + 8), _t139);
    										_t168 = _t114;
    										__eflags = _t168;
    										if(_t168 == 0) {
    											goto L52;
    										}
    										goto L74;
    									}
    								}
    								if(__eflags == 0) {
    									goto L73;
    								}
    								__eflags = _t147 - 3;
    								if(_t147 == 3) {
    									goto L73;
    								}
    								__eflags = _t147 - 9;
    								if(_t147 == 9) {
    									__eflags = _t96 & 0x00000002;
    									if((_t96 & 0x00000002) != 0) {
    										goto L52;
    									}
    									_t117 = GetKeyState(0x10);
    									_t117 = _t163;
    									_t118 = 0 | _t117 < 0x00000000;
    									if(_t163 != 0) {
    										_t163 =  *(_t163 + 0x1c);
    									}
    									_t120 = GetNextDlgTabItem( *( *(_t176 + 8) + 0x1c), _t163, _t118);
    									0x41c48d(_t120);
    									_t172 = _t120;
    									__eflags = _t172;
    									if(_t172 != 0) {
    										E004089A8(_t172);
    										_push(_t172);
    										E00408CA7( *(_t176 - 0x14));
    									}
    									goto L78;
    								}
    								__eflags = _t147 - 0xd;
    								if(_t147 == 0xd) {
    									goto L69;
    								}
    								goto L52;
    							}
    							_t123 = _t95 - _t139;
    							__eflags = _t123;
    							if(_t123 == 0) {
    								_t173 =  *(_t176 + 0xc);
    								L37:
    								__eflags = _t163 -  *(_t176 + 8);
    								if(_t163 ==  *(_t176 + 8)) {
    									goto L43;
    								}
    								_t124 = E0040897A(_t163, _t173);
    								__eflags =  *((intOrPtr*)(_t176 - 0x18)) - 0x102;
    								if( *((intOrPtr*)(_t176 - 0x18)) != 0x102) {
    									L40:
    									_t159 =  *((intOrPtr*)(_t173 + 8));
    									__eflags = _t159 - 9;
    									if(_t159 != 9) {
    										L42:
    										__eflags = _t159 - 0x20;
    										if(_t159 != 0x20) {
    											_t125 = E00408BD5(_t159,  *(_t176 + 8), _t163, _t173);
    											__eflags = _t125;
    											if(_t125 == 0) {
    												goto L52;
    											}
    											_t126 =  *(_t125 + 0x38);
    											__eflags = _t126;
    											if(_t126 == 0) {
    												goto L52;
    											}
    											E00404B08(_t126, _t173);
    											goto L78;
    										}
    										goto L43;
    									}
    									__eflags = _t139 & _t124;
    									if((_t139 & _t124) != 0) {
    										goto L52;
    									}
    									goto L42;
    								}
    								__eflags = _t124 & 0x00000084;
    								if((_t124 & 0x00000084) != 0) {
    									goto L52;
    								}
    								goto L40;
    							}
    							__eflags = _t123 != 4;
    							if(_t123 != 4) {
    								goto L52;
    							}
    							__eflags =  *(_t176 - 0x14);
    							if( *(_t176 - 0x14) != 0) {
    								L34:
    								_t173 =  *(_t176 + 0xc);
    								__eflags =  *((short*)(_t173 + 8)) - 0x20;
    								if( *((short*)(_t173 + 8)) == 0x20) {
    									goto L52;
    								} else {
    									goto L37;
    								}
    							}
    							_t129 = GetKeyState(0x12);
    							__eflags = _t129;
    							if(_t129 >= 0) {
    								goto L52;
    							}
    							goto L34;
    						}
    					} else {
    						while( *((intOrPtr*)(_t174 + 0x38)) == 0) {
    							_t135 = GetParent( *(_t174 + 0x1c));
    							0x41c48d(_t135);
    							if(_t135 ==  *(_t176 + 8)) {
    								break;
    							}
    							_t136 = GetParent( *(_t174 + 0x1c));
    							0x41c48d(_t136);
    							_t174 = _t136;
    							if(_t174 != 0) {
    								continue;
    							}
    							break;
    						}
    						if(_t174 == 0) {
    							goto L19;
    						}
    						_t132 =  *((intOrPtr*)(_t174 + 0x38));
    						if(_t132 == 0) {
    							goto L19;
    						}
    						_t133 =  *((intOrPtr*)(_t132 + 0x54));
    						if(_t133 == 0) {
    							goto L19;
    						}
    						_push( *(_t176 + 0xc));
    						_push(_t133);
    						if( *((intOrPtr*)( *_t133 + 0x14))() == 0) {
    							L43:
    							_t100 = 1;
    							L59:
    							 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
    							return _t100;
    						}
    						goto L19;
    					}
    				}
    			}
















































    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Focus$MessageParentStateWindow$BeepDialogH_prologItemNext
    • String ID:
    • API String ID: 1894107442-0
    • Opcode ID: 62ddad14b4b6bc5b4e7330820134b58edb7ea2d4b15da311f5899cc5e2ad07cc
    • Instruction ID: e5c846a792f5bf20718bc9508e94271b233cc345001125805052d2ac7573fdd2
    • Opcode Fuzzy Hash: 62ddad14b4b6bc5b4e7330820134b58edb7ea2d4b15da311f5899cc5e2ad07cc
    • Instruction Fuzzy Hash: 3AA1A131A01206AADF24AF65CD89AAF7765AF00754F14443FF845BB2E2CB3C9C81CA59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 00416527
    • GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 00416550
    • lstrcmpi.KERNEL32(?,kanji), ref: 00416562
    • GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 00416585
    • lstrcmpi.KERNEL32(?,hangeul), ref: 00416591
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 004165A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
    • String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
    • API String ID: 1105401458-111014456
    • Opcode ID: 607f9e4159ede3880086250bff95cc5eea78b4b7d5db821befb0b10c1c0055ca
    • Instruction ID: 263318ace9f5b58122f06d0c769b9036992e5784c0ba4a7b6976f1e37c17029c
    • Opcode Fuzzy Hash: 607f9e4159ede3880086250bff95cc5eea78b4b7d5db821befb0b10c1c0055ca
    • Instruction Fuzzy Hash: 5601F2356447067AD334A314FC06F9B3F989B98B49F219026F848A6196E6EC9884876E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • lstrlen.KERNEL32(?,00428F58), ref: 00424BE4
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 00424C09
    • SysAllocString.OLEAUT32(?), ref: 00424C0F
    • lstrlen.KERNEL32(?,00428F58), ref: 00424C36
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 00424C5B
    • SysAllocString.OLEAUT32(?), ref: 00424C61
    • lstrlen.KERNEL32(?,0000F108,?,00000100,00428858,00428F58), ref: 00424CBE
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 00424CE3
    • SysAllocString.OLEAUT32(?), ref: 00424CE9
    • lstrlen.KERNEL32(?,?,?), ref: 00424D0E
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?), ref: 00424D33
    • SysAllocString.OLEAUT32(?), ref: 00424D39
    • lstrlen.KERNEL32(?,?,?), ref: 00424D65
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?), ref: 00424D88
    • SysAllocString.OLEAUT32(00000000), ref: 00424D8E
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AllocByteCharMultiStringWidelstrlen
    • String ID:
    • API String ID: 792254170-0
    • Opcode ID: 2ba988243a3605197158a0c357cae5d9d3cd374cde7b75cb6ef27c1a4f52ab3f
    • Instruction ID: 6a03b3283efbb26d958a66c07493981ef0f6775e6de5dbcd3e28d85244090d22
    • Opcode Fuzzy Hash: 2ba988243a3605197158a0c357cae5d9d3cd374cde7b75cb6ef27c1a4f52ab3f
    • Instruction Fuzzy Hash: C4716F74A00219EFCB11DF66DC4599EBBB4FF49360B51849AF818DB350D738CA42CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00424E9C
    • lstrlen.KERNEL32(?,?,00000000), ref: 00424ECD
    • VariantClear.OLEAUT32(?), ref: 00425170
    • VariantClear.OLEAUT32(?), ref: 00425197
    • SysFreeString.OLEAUT32(00000000), ref: 004251FB
    • SysFreeString.OLEAUT32(?), ref: 00425210
    • SysFreeString.OLEAUT32(?), ref: 00425225
    • VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 00425260
    • VariantClear.OLEAUT32(?), ref: 00425270
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
    • String ID:
    • API String ID: 344392101-0
    • Opcode ID: b295283361606a9c4005f9a61455ae245a517ff6d65e1d131c8853ab30a727a3
    • Instruction ID: bf785cf74c1637480c8cfa513f04e70fc1214fff844be0bac54c214bfa339aca
    • Opcode Fuzzy Hash: b295283361606a9c4005f9a61455ae245a517ff6d65e1d131c8853ab30a727a3
    • Instruction Fuzzy Hash: 83E19071A0061ADFDF10DFA8E8806AEBBB4FF04304F64406AF811A7291D7389D51CFA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00415580(struct HWND__* _a4, long _a8) {
    				char _v16;
    				void* _t7;
    				struct HWND__* _t29;
    
    				_t29 = _a4;
    				_t7 = GetPropA(_t29, 0);
    				if(_t7 == 0) {
    					_t7 = GetPropA(_t29, 0);
    					if(_t7 == 0) {
    						_t7 = GetPropA(_t29, 0);
    						if(_t7 == 0) {
    							_t7 = GetPropA(_t29, 0);
    							if(_t7 == 0) {
    								_t7 = GetPropA(_t29, 0);
    								if(_t7 == 0) {
    									_t7 = GetPropA(_t29, 0);
    									if(_t7 == 0) {
    										_t7 = E00415510(_t29);
    										if(_t7 == 0) {
    											if( *0x439d45 != 0 && IsWindowUnicode(_t29) == 0) {
    												GetClassNameA(_t29,  &_v16, 0x10);
    												 *0x427288( &_v16, "edit");
    											}
    											return SetPropA(_t29, 0, SetWindowLongA(_t29, 0xfffffffc, _a8));
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t7;
    			}







    APIs
    • GetPropA.USER32(?,00000000), ref: 00415599
    • GetPropA.USER32(?,00000000), ref: 004155AD
    • GetPropA.USER32(?,00000000), ref: 004155C1
    • GetPropA.USER32(?,00000000), ref: 004155D5
    • GetPropA.USER32(?,00000000), ref: 004155E9
    • GetPropA.USER32(?,00000000), ref: 004155F9
    • IsWindowUnicode.USER32(?), ref: 00415616
    • GetClassNameA.USER32(?,?,00000010), ref: 00415628
    • lstrcmpi.KERNEL32(?,edit), ref: 00415638
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00415648
    • SetPropA.USER32(?,00000000,00000000), ref: 00415659
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
    • String ID: edit
    • API String ID: 4088303749-2167791130
    • Opcode ID: 7ee16bd8df842cbf94abab711a540c5cb7a3a66d973f6d258dfe23a8cb65101a
    • Instruction ID: b92a98f9d74073000649f21665a39c2429a95afd22befe0ca05e2cc7b5d5639d
    • Opcode Fuzzy Hash: 7ee16bd8df842cbf94abab711a540c5cb7a3a66d973f6d258dfe23a8cb65101a
    • Instruction Fuzzy Hash: CA21A4A6215912B9A350B7789C00EFB369C9F997447400431FD18C1221F768DD828BBE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 004189F4
    • GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 00418A00
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 00418A1C
    • GetVersion.KERNEL32 ref: 00418A2E
    • GetSystemMetrics.USER32(00000007), ref: 00418A72
    • GetSystemMetrics.USER32(00000008), ref: 00418A7C
    • GetSystemMetrics.USER32(00000004), ref: 00418A86
    • GetSystemMetrics.USER32(0000001E), ref: 00418A8F
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 00418A9B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
    • String ID: DisableThreadLibraryCalls$KERNEL32.DLL
    • API String ID: 1414939872-3863293605
    • Opcode ID: 2a608422d5d67f8e3e38c05b37bf83f8012927981bf80a49695ee8b59585b626
    • Instruction ID: 0e21d343407f9060bfd75ac0cac286d7a58c71e1bc7cad8843e7e0a24ede255b
    • Opcode Fuzzy Hash: 2a608422d5d67f8e3e38c05b37bf83f8012927981bf80a49695ee8b59585b626
    • Instruction Fuzzy Hash: 85119E70A55715EBDB20AB20BC0968B3F60EF04701F5068BBE845972A0DBF89844CF5E
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetPropA.USER32(?,00000000), ref: 004183A4
    • CallWindowProcA.USER32(00000000), ref: 004183C9
      • Part of subcall function 00415760: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00415786
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 0041579E
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 004157AA
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    • Opcode ID: 3cefdfa3987c22f52abea5d282e7aeb28c7ce2903e57f66e7eae6b50974e114b
    • Instruction ID: 8d1fa4d8b51fa96058df3d9eb8cafbc814d41fa9cd8eafd8273e133ac2af73ad
    • Opcode Fuzzy Hash: 3cefdfa3987c22f52abea5d282e7aeb28c7ce2903e57f66e7eae6b50974e114b
    • Instruction Fuzzy Hash: 55519E76A08200BFD210DB45DC85DBBB7B8EBC9725F84442EFD5483210E7399C86DBA6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 004186FE
    • GetClientRect.USER32(?,?), ref: 00418719
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041874B
    • SelectObject.GDI32(?,00000000), ref: 00418759
    • SetBkMode.GDI32(?,00000002), ref: 0041876A
    • GetParent.USER32(?), ref: 00418778
    • SendMessageA.USER32(00000000), ref: 0041877F
    • SelectObject.GDI32(?,00000000), ref: 00418789
    • SelectObject.GDI32(?,00000000), ref: 004187AB
    • SelectObject.GDI32(?,00000000), ref: 004187BB
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 00418812
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
    • String ID:
    • API String ID: 3606012576-0
    • Opcode ID: eb90ccaa625a98f186f2bf0395a5799dcd177b4e0228be0089d992bfc7fe9c79
    • Instruction ID: 034c128dacac5eadace5933a027dd7e0b9213e443eb5e171fa61a04c945910fe
    • Opcode Fuzzy Hash: eb90ccaa625a98f186f2bf0395a5799dcd177b4e0228be0089d992bfc7fe9c79
    • Instruction Fuzzy Hash: E541E872208301ABD210BB58AC46FBB77ACEBC5B14FD4056DFA10961C2DB69D906877A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415E61(void* __eax, void* __ebx, void* __edx, struct HWND__* _a12) {
    				long _t9;
    				struct HWND__* _t15;
    				struct HWND__* _t21;
    				struct HWND__* _t24;
    				long _t25;
    				long _t30;
    				intOrPtr _t37;
    				signed int _t40;
    				struct HWND__* _t45;
    				struct HWND__* _t49;
    				void* _t58;
    
    				_t1 = __ebx + 0x56;
    				 *_t1 =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
    				if( *_t1 != 0) {
    					_t49 = _a12;
    					_t9 = GetWindowLongA(_t49, 0xfffffffc);
    					_t40 = 0;
    					__eflags = 0;
    					_t37 =  *0x42734c;
    					do {
    						_t42 = _t40 + _t40 * 2;
    						__eflags =  *((intOrPtr*)(0x439ca0 + (_t40 + _t40 * 2) * 8)) - _t9;
    						if(__eflags == 0) {
    							_t30 = E00415530(__eflags, _t49, _t40);
    							_t58 = _t58 + 8;
    							RemovePropA(_t49, 0);
    							SetWindowLongA(_t49, 0xfffffffc, _t30);
    							_t9 = 0;
    							__eflags = 0;
    							_t40 = 0x10;
    						}
    						_t40 = 1 + _t40;
    						__eflags = _t40 - 6;
    					} while (__eflags < 0);
    					if(__eflags == 0) {
    						__eflags = _t9 - E00416A10;
    						if(__eflags != 0) {
    							_t15 = GetPropA(_t49, 0);
    							__eflags = _t15;
    							if(_t15 != 0) {
    								L12:
    								__eflags = 0;
    								SetPropA(_t49, 0, 1);
    							} else {
    								_t21 = GetPropA(_t49, 0);
    								__eflags = _t21;
    								if(_t21 != 0) {
    									goto L12;
    								} else {
    									_t24 = GetPropA(_t49, 0);
    									__eflags = _t24;
    									if(_t24 != 0) {
    										goto L12;
    									}
    								}
    							}
    						} else {
    							_t25 = E00415530(__eflags, _t49, _t40);
    							RemovePropA(_t49, 0);
    							SetWindowLongA(_t49, 0xfffffffc, _t25);
    						}
    					}
    					_t45 = GetWindow(_t49, 5);
    					__eflags = _t45;
    					while(_t45 != 0) {
    						E00415E60(_t10, _t37, _t42, _t45);
    						_t45 = GetWindow(_t45, 2);
    						__eflags = _t45;
    					}
    					return 1;
    				} else {
    					return 0;
    				}
    			}















    APIs
    • GetWindowLongA.USER32(?,000000FC), ref: 00415E7D
    • RemovePropA.USER32(?,00000000), ref: 00415EB3
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00415EB9
    • RemovePropA.USER32(?,00000000), ref: 00415EE7
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00415EED
    • GetWindow.USER32(?,00000005), ref: 00415F42
    • GetWindow.USER32(00000000,00000002), ref: 00415F53
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Long$PropRemove
    • String ID:
    • API String ID: 3256693057-0
    • Opcode ID: c621bf24bdd6ed97d0535030868debb3c145b84f83da06ffc2b2220277879a2d
    • Instruction ID: d4c5397e51453809699c53b4c2b54cc3286add1b6cbc757313791e7c87c7f7db
    • Opcode Fuzzy Hash: c621bf24bdd6ed97d0535030868debb3c145b84f83da06ffc2b2220277879a2d
    • Instruction Fuzzy Hash: A3210476215915BAD350A7646C00EFF329CDBCA364B110536F900D2250FB68CD838BBD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E00403494(intOrPtr __ecx) {
    				intOrPtr _t54;
    				void* _t55;
    				signed int _t71;
    				signed int _t72;
    				void* _t77;
    				short* _t92;
    				signed int _t93;
    				intOrPtr _t96;
    				int _t98;
    				intOrPtr* _t99;
    				void* _t101;
    				void* _t103;
    				short* _t104;
    
    				E00409B78(0x425b6c, _t101);
    				_t104 = _t103 - 0x7c;
    				_t96 = __ecx;
    				 *((intOrPtr*)(_t101 - 0x10)) = __ecx;
    				 *(_t101 - 0x14) = 0;
    				 *((intOrPtr*)(_t101 - 0x18)) = 0x428a4c;
    				_t54 =  *((intOrPtr*)(_t101 + 8));
    				 *((intOrPtr*)(_t101 - 4)) = 0;
    				if(_t54 == 0 ||  *(_t54 + 4) == 0) {
    					_t55 = GetStockObject(0x11);
    					 *(_t101 - 0x14) = _t55;
    					if(_t55 != 0) {
    						L5:
    						_t54 = _t101 - 0x18;
    						goto L6;
    					} else {
    						_t77 = GetStockObject(0xd);
    						 *(_t101 - 0x14) = _t77;
    						if(_t77 != 0) {
    							goto L5;
    						} else {
    							 *((intOrPtr*)(_t96 + 0x44)) = 0;
    							 *((intOrPtr*)(_t101 - 0x18)) = 0x428720;
    							 *((intOrPtr*)(_t101 - 4)) = 1;
    						}
    					}
    				} else {
    					L6:
    					_t83 = _t101 - 0x88;
    					_t14 = _t54 + 4; // 0x40360d
    					GetObjectA( *_t14, 0x3c, _t101 - 0x88);
    					 *((intOrPtr*)(_t101 - 0x4c)) = 0x20;
    					if(_t101 != 0x6c) {
    						_t98 =  *0x427294() + 1;
    						E0040AF60(_t98 + _t98 + 0x00000003 & 0x000000fc, _t83, _t101 - 0x6c);
    						_t92 = _t104;
    						 *_t92 = 0;
    						MultiByteToWideChar(0, 0, _t101 - 0x6c, 0xffffffff, _t92, _t98);
    						_t96 =  *((intOrPtr*)(_t101 - 0x10));
    						 *(_t101 - 0x48) = _t92;
    					} else {
    						 *(_t101 - 0x48) = 0;
    					}
    					 *((short*)(_t101 - 0x3c)) =  *((intOrPtr*)(_t101 - 0x78));
    					 *(_t101 - 0x3a) =  *(_t101 - 0x71) & 0x000000ff;
    					 *(_t101 - 0x38) =  *(_t101 - 0x74) & 0x000000ff;
    					 *(_t101 - 0x34) =  *(_t101 - 0x73) & 0x000000ff;
    					 *(_t101 - 0x30) =  *(_t101 - 0x72) & 0x000000ff;
    					_t71 =  *(_t101 - 0x88);
    					_t93 = _t71;
    					if(_t71 < 0) {
    						_t93 =  ~_t71;
    					}
    					0x42097f( *((intOrPtr*)(_t96 + 0x1c)));
    					 *((char*)(_t101 - 4)) = 2;
    					_t72 = GetDeviceCaps( *(_t101 - 0x24), 0x5a);
    					asm("cdq");
    					_t99 = _t96 + 0x44;
    					 *((intOrPtr*)(_t101 - 0x40)) = 0;
    					 *(_t101 - 0x44) = _t93 * 0xafc80 / _t72;
    					0x423a7e(_t99);
    					_t77 =  *0x4272c8(_t101 - 0x4c, 0x42a0e0, _t99);
    					if(_t77 < 0) {
    						 *_t99 = 0;
    					}
    					 *((char*)(_t101 - 4)) = 0;
    					0x4209f1();
    					 *((intOrPtr*)(_t101 - 0x18)) = 0x428720;
    					 *((intOrPtr*)(_t101 - 4)) = 3;
    				}
    				0x420b9d();
    				 *[fs:0x0] =  *((intOrPtr*)(_t101 - 0xc));
    				return _t77;
    			}

















    APIs
    • __EH_prolog.LIBCMT ref: 00403499
    • GetStockObject.GDI32(00000011), ref: 004034CC
    • GetStockObject.GDI32(0000000D), ref: 004034D7
    • GetObjectA.GDI32(0040360D,0000003C,?), ref: 00403505
    • lstrlen.KERNEL32(?), ref: 00403522
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00403547
    • GetDeviceCaps.GDI32(?,0000005A), ref: 0040359D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Object$Stock$ByteCapsCharDeviceH_prologMultiWidelstrlen
    • String ID:
    • API String ID: 1379764919-3916222277
    • Opcode ID: 77a9004114e905107c0fdd3796d7e0e801f7b18a2ac6b5dc20bda96a14f4c21f
    • Instruction ID: 2b12c8d8304a2b5d3a13a6b2bc6d62663b39bfea6a106b501ae5dd187b70c45d
    • Opcode Fuzzy Hash: 77a9004114e905107c0fdd3796d7e0e801f7b18a2ac6b5dc20bda96a14f4c21f
    • Instruction Fuzzy Hash: 81415C71E01219DFCB20DFA5D885AAEBBB8EF04344F64416AE905B3251E7389A45CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E004057B8(intOrPtr __fp0, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, signed char _a16) {
    				long _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct tagPOINT _v24;
    				intOrPtr* _t61;
    				intOrPtr* _t62;
    				intOrPtr* _t66;
    				signed char _t69;
    				intOrPtr _t71;
    				struct HDC__* _t78;
    				intOrPtr _t83;
    
    				_t83 = __fp0;
    				_v8 = 0;
    				_t78 = GetDC( *(_a4 - 0xa0));
    				SetMapMode(_t78, 3);
    				_t69 = _a16;
    				_v24.x = 0;
    				_v24.y = 0;
    				if((_t69 & 0x00000004) == 0) {
    					if((_t69 & 0x00000008) == 0) {
    						goto L12;
    					} else {
    						_v16 = E0040B5AC();
    						_v12 = E0040B5AC();
    						DPtoLP(_t78,  &_v24, 2);
    						if((_t69 & 0x00000002) == 0) {
    							if((_t69 & 0x00000001) == 0) {
    								goto L12;
    							} else {
    								_t61 = _a8;
    								 *_t61 = _v16;
    								_t71 = _v12;
    								goto L11;
    							}
    						} else {
    							_t61 = _a8;
    							 *_t61 = _v16 - _v24.x;
    							_t71 = _v24.y - _v12;
    							L11:
    							 *((intOrPtr*)(_t61 + 4)) = _t71;
    						}
    					}
    				} else {
    					_t62 = _a8;
    					_v12 =  *((intOrPtr*)(_t62 + 4));
    					_v16 =  *_t62;
    					LPtoDP(_t78,  &_v24, 2);
    					if((_t69 & 0x00000002) == 0) {
    						if((_t69 & 0x00000001) == 0) {
    							L12:
    							_v8 = 0x80070057;
    						} else {
    							asm("fild dword [ebp-0xc]");
    							_t66 = _a12;
    							 *_t66 = __fp0;
    							asm("fild dword [ebp-0x8]");
    							goto L5;
    						}
    					} else {
    						_a8 = _v16 - _v24.x;
    						_t66 = _a12;
    						asm("fild dword [ebp+0xc]");
    						_a12 = _v24.y - _v12;
    						 *_t66 = __fp0;
    						asm("fild dword [ebp+0x10]");
    						L5:
    						 *((intOrPtr*)(_t66 + 4)) = _t83;
    					}
    				}
    				ReleaseDC( *(_a4 - 0xa0), _t78);
    				return _v8;
    			}















    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: __ftol$ModeRelease
    • String ID: W
    • API String ID: 1379597261-655174618
    • Opcode ID: 8433ae1cde2ad56d35503f4601ebbe2bb93ea0d690a325312f25397c1b92b4e7
    • Instruction ID: c723033b164f705ce87b9d7e7232bd0cb13c2d938cd1d64a1a555df37debd940
    • Opcode Fuzzy Hash: 8433ae1cde2ad56d35503f4601ebbe2bb93ea0d690a325312f25397c1b92b4e7
    • Instruction Fuzzy Hash: FE414D75A01209EFDB04DF98D949AAEBFB4FF44300F1580AAEC55AB391C7349A20CF59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStockObject.GDI32(00000011), ref: 0041F63A
    • GetStockObject.GDI32(0000000D), ref: 0041F642
    • GetObjectA.GDI32(00000000,0000003C,?), ref: 0041F64F
    • GetDC.USER32(00000000), ref: 0041F65E
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041F675
    • MulDiv.KERNEL32(?,00000048,00000000), ref: 0041F681
    • ReleaseDC.USER32(00000000,00000000), ref: 0041F68C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Object$Stock$CapsDeviceRelease
    • String ID: System
    • API String ID: 46613423-3470857405
    • Opcode ID: b6644353c23ee33136b700ffdd7f7069ad94fdd3be890a5caf6df78b64713545
    • Instruction ID: d564391fd262d4690114e1052b57fb95a45c0cf7ff9848c0d23e152ccd77982a
    • Opcode Fuzzy Hash: b6644353c23ee33136b700ffdd7f7069ad94fdd3be890a5caf6df78b64713545
    • Instruction Fuzzy Hash: 30117031B41218EFEB10ABA1DC05FAE3AB8EB04744F40803AF605E7191D7749D47CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E004100B7(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				intOrPtr* _t4;
    				intOrPtr* _t7;
    				_Unknown_base(*)()* _t11;
    				void* _t14;
    				struct HINSTANCE__* _t15;
    				void* _t17;
    
    				_t14 = 0;
    				_t17 =  *0x437950 - _t14; // 0x0
    				if(_t17 != 0) {
    					L4:
    					_t4 =  *0x437954; // 0x0
    					if(_t4 != 0) {
    						_t14 =  *_t4();
    						if(_t14 != 0) {
    							_t7 =  *0x437958; // 0x0
    							if(_t7 != 0) {
    								_t14 =  *_t7(_t14);
    							}
    						}
    					}
    					return  *0x437950(_t14, _a4, _a8, _a12);
    				}
    				_t15 = LoadLibraryA("user32.dll");
    				if(_t15 == 0) {
    					L10:
    					return 0;
    				}
    				_t11 = GetProcAddress(_t15, "MessageBoxA");
    				 *0x437950 = _t11;
    				if(_t11 == 0) {
    					goto L10;
    				} else {
    					 *0x437954 = GetProcAddress(_t15, "GetActiveWindow");
    					 *0x437958 = GetProcAddress(_t15, "GetLastActivePopup");
    					goto L4;
    				}
    			}










    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0040D475,?,Microsoft Visual C++ Runtime Library,00012010,?,00429D0C,?,00429D5C,?,?,?,Runtime Error!Program: ), ref: 004100C9
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004100E1
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004100F2
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004100FF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-4044615076
    • Opcode ID: c37c4053903b640a92bd8f45905d3883ce4fa115880f7df683f173d08e869bb7
    • Instruction ID: 72aae5932af08b6290a14d377ce3b87b26f00e0b8c98a3925db6c40c77e24d08
    • Opcode Fuzzy Hash: c37c4053903b640a92bd8f45905d3883ce4fa115880f7df683f173d08e869bb7
    • Instruction Fuzzy Hash: 6701B5B1709226AB97609FB5AD80B577FE8AB88760715153AB141C2221D7BD8881DB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E004125DD(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
    				signed int _v8;
    				intOrPtr _v20;
    				short* _v28;
    				int _v32;
    				int _v36;
    				short* _v40;
    				short* _v44;
    				char _v58;
    				struct _cpinfo _v64;
    				void* _v80;
    				int _t65;
    				int _t66;
    				int _t69;
    				intOrPtr* _t82;
    				intOrPtr* _t84;
    				int _t86;
    				int _t87;
    				int _t88;
    				void* _t96;
    				char _t99;
    				char _t101;
    				intOrPtr _t104;
    				intOrPtr _t105;
    				int _t107;
    				short* _t109;
    				int _t111;
    				int _t114;
    				intOrPtr _t115;
    				short* _t116;
    				int _t118;
    
    				_push(0xffffffff);
    				_push(0x429fe8);
    				_push(E0040D240);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t115;
    				_t116 = _t115 - 0x30;
    				_v28 = _t116;
    				_t118 =  *0x4379e8; // 0x0
    				_t107 = 1;
    				if(_t118 != 0) {
    					L5:
    					_t111 = _a16;
    					if(_t111 > 0) {
    						_t88 = E0040ED6E(_a12, _t111);
    						_pop(_t96);
    						_t111 = _t88;
    						_a16 = _t111;
    					}
    					if(_a24 > 0) {
    						_t87 = E0040ED6E(_a20, _a24);
    						_pop(_t96);
    						_a24 = _t87;
    					}
    					_t65 =  *0x4379e8; // 0x0
    					if(_t65 != 2) {
    						if(_t65 != _t107) {
    							goto L48;
    						} else {
    							if(_a28 == 0) {
    								_t86 =  *0x43787c; // 0x0
    								_a28 = _t86;
    							}
    							if(_t111 == 0 || _a24 == 0) {
    								if(_t111 != _a24) {
    									if(_a24 <= _t107) {
    										if(_t111 > _t107) {
    											L30:
    											_push(3);
    											goto L18;
    										} else {
    											if(GetCPInfo(_a28,  &_v64) == 0) {
    												goto L48;
    											} else {
    												if(_t111 <= 0) {
    													if(_a24 <= 0) {
    														goto L39;
    													} else {
    														if(_v64 >= 2) {
    															_t82 =  &_v58;
    															if(_v58 != 0) {
    																while(1) {
    																	_t104 =  *((intOrPtr*)(_t82 + 1));
    																	if(_t104 == 0) {
    																		goto L20;
    																	}
    																	_t99 =  *_a20;
    																	if(_t99 <  *_t82 || _t99 > _t104) {
    																		_t82 = _t82 + 2;
    																		if( *_t82 != 0) {
    																			continue;
    																		} else {
    																			goto L20;
    																		}
    																	} else {
    																		goto L17;
    																	}
    																	goto L49;
    																}
    															}
    														}
    														goto L20;
    													}
    												} else {
    													if(_v64 >= 2) {
    														_t84 =  &_v58;
    														if(_v58 != 0) {
    															while(1) {
    																_t105 =  *((intOrPtr*)(_t84 + 1));
    																if(_t105 == 0) {
    																	goto L30;
    																}
    																_t101 =  *_a12;
    																if(_t101 <  *_t84 || _t101 > _t105) {
    																	_t84 = _t84 + 2;
    																	if( *_t84 != 0) {
    																		continue;
    																	} else {
    																		goto L30;
    																	}
    																} else {
    																	goto L17;
    																}
    																goto L50;
    															}
    														}
    													}
    													goto L30;
    													L50:
    												}
    											}
    										}
    									} else {
    										L20:
    										_t66 = _t107;
    									}
    								} else {
    									L17:
    									_push(2);
    									L18:
    									_pop(_t66);
    								}
    							} else {
    								L39:
    								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
    								_v32 = _t69;
    								if(_t69 == 0) {
    									goto L48;
    								} else {
    									_v8 = 0;
    									E0040AF60(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
    									_v28 = _t116;
    									_v40 = _t116;
    									_v8 = _v8 | 0xffffffff;
    									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
    										goto L48;
    									} else {
    										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
    										_v36 = _t114;
    										if(_t114 == 0) {
    											goto L48;
    										} else {
    											_v8 = _t107;
    											E0040AF60(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
    											_v28 = _t116;
    											_t109 = _t116;
    											_v44 = _t109;
    											_v8 = _v8 | 0xffffffff;
    											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
    												goto L48;
    											} else {
    												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
    					}
    				} else {
    					if(CompareStringW(0, 0, 0x429db4, _t107, 0x429db4, _t107) == 0) {
    						if(CompareStringA(0, 0, 0x429db0, _t107, 0x429db0, _t107) == 0) {
    							L48:
    							_t66 = 0;
    						} else {
    							 *0x4379e8 = 2;
    							goto L5;
    						}
    					} else {
    						 *0x4379e8 = _t107;
    						goto L5;
    					}
    				}
    				L49:
    				 *[fs:0x0] = _v20;
    				return _t66;
    				goto L50;
    			}

    APIs
    • CompareStringW.KERNEL32(00000000,00000000,00429DB4,00000001,00429DB4,00000001,00000000,0246117C,00000001,?,0040F746,0040BD53,00000000,?,?,0040BBC6), ref: 0041261B
    • CompareStringA.KERNEL32(00000000,00000000,00429DB0,00000001,00429DB0,00000001,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 00412638
    • CompareStringA.KERNEL32(00000000,00000000,00000000,00000000,0040BBC6,?,00000000,0246117C,00000001,?,0040F746,0040BD53,00000000,?,?,0040BBC6), ref: 00412696
    • GetCPInfo.KERNEL32(?,00000000,00000000,0246117C,00000001,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 004126E7
    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 00412766
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 004127C7
    • MultiByteToWideChar.KERNEL32(?,00000009,0040BBC6,?,00000000,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 004127DA
    • MultiByteToWideChar.KERNEL32(?,00000001,0040BBC6,?,?,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 00412826
    • CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 0041283E
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ByteCharCompareMultiStringWide$Info
    • String ID:
    • API String ID: 1651298574-0
    • Opcode ID: 8f30af08ad9b2ef80446eb9b3d58270534faad420554e36fee394e0f55281015
    • Instruction ID: 97f14a4a309690ccf19299f5dda3d2e63da5e64cacfefe68047b3cdfad3c9b02
    • Opcode Fuzzy Hash: 8f30af08ad9b2ef80446eb9b3d58270534faad420554e36fee394e0f55281015
    • Instruction Fuzzy Hash: 79719F71900249EFCF219F54DE81AEB7BB5FB05354F14412BF950E22A0D37988A1DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0040EB4A(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
    				signed int _v8;
    				intOrPtr _v20;
    				short* _v28;
    				int _v32;
    				short* _v36;
    				short* _v40;
    				int _v44;
    				void* _v60;
    				int _t61;
    				int _t62;
    				int _t82;
    				int _t83;
    				int _t88;
    				short* _t89;
    				int _t90;
    				void* _t91;
    				int _t99;
    				intOrPtr _t101;
    				short* _t102;
    				int _t104;
    
    				_push(0xffffffff);
    				_push(0x429db8);
    				_push(E0040D240);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t101;
    				_t102 = _t101 - 0x1c;
    				_v28 = _t102;
    				_t104 =  *0x43785c; // 0x1
    				if(_t104 != 0) {
    					L5:
    					if(_a16 > 0) {
    						_t83 = E0040ED6E(_a12, _a16);
    						_pop(_t91);
    						_a16 = _t83;
    					}
    					_t61 =  *0x43785c; // 0x1
    					if(_t61 != 2) {
    						if(_t61 != 1) {
    							goto L21;
    						} else {
    							if(_a28 == 0) {
    								_t82 =  *0x43787c; // 0x0
    								_a28 = _t82;
    							}
    							asm("sbb eax, eax");
    							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
    							_v32 = _t88;
    							if(_t88 == 0) {
    								goto L21;
    							} else {
    								_v8 = 0;
    								E0040AF60(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
    								_v28 = _t102;
    								_v40 = _t102;
    								_v8 = _v8 | 0xffffffff;
    								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
    									goto L21;
    								} else {
    									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
    									_v44 = _t99;
    									if(_t99 == 0) {
    										goto L21;
    									} else {
    										if((_a9 & 0x00000004) == 0) {
    											_v8 = 1;
    											E0040AF60(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
    											_v28 = _t102;
    											_t89 = _t102;
    											_v36 = _t89;
    											_v8 = _v8 | 0xffffffff;
    											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
    												goto L21;
    											} else {
    												_push(0);
    												_push(0);
    												if(_a24 != 0) {
    													_push(_a24);
    													_push(_a20);
    												} else {
    													_push(0);
    													_push(0);
    												}
    												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
    												if(_t99 == 0) {
    													goto L21;
    												} else {
    													goto L30;
    												}
    											}
    										} else {
    											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
    												L30:
    												_t62 = _t99;
    											} else {
    												goto L21;
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
    					}
    				} else {
    					_push(0);
    					_push(0);
    					_t90 = 1;
    					if(LCMapStringW(0, 0x100, 0x429db4, _t90, ??, ??) == 0) {
    						if(LCMapStringA(0, 0x100, 0x429db0, _t90, 0, 0) == 0) {
    							L21:
    							_t62 = 0;
    						} else {
    							 *0x43785c = 2;
    							goto L5;
    						}
    					} else {
    						 *0x43785c = _t90;
    						goto L5;
    					}
    				}
    				 *[fs:0x0] = _v20;
    				return _t62;
    			}

    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,00429DB4,00000001,00000000,00000000,747870F0,00438E88,?,?,?,0040EE85,?,?,?,00000000), ref: 0040EB8C
    • LCMapStringA.KERNEL32(00000000,00000100,00429DB0,00000001,00000000,00000000,?,?,0040EE85,?,?,?,00000000,00000001), ref: 0040EBA8
    • LCMapStringA.KERNEL32(?,?,?,0040EE85,?,?,747870F0,00438E88,?,?,?,0040EE85,?,?,?,00000000), ref: 0040EBF1
    • MultiByteToWideChar.KERNEL32(?,00438E89,?,0040EE85,00000000,00000000,747870F0,00438E88,?,?,?,0040EE85,?,?,?,00000000), ref: 0040EC29
    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0040EE85,?,00000000,?,?,0040EE85,?), ref: 0040EC81
    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040EE85,?), ref: 0040EC97
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0040EE85,?), ref: 0040ECCA
    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0040EE85,?), ref: 0040ED32
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID:
    • API String ID: 352835431-0
    • Opcode ID: 40610d2fddbe8cb13941bb40e468381f5f1b9a3b3a25f774f99f29b2c05cc1c5
    • Instruction ID: 22c344f9287e1ee663ddbdb24c95b9117f3c3a0df0180da94ea319527ef63122
    • Opcode Fuzzy Hash: 40610d2fddbe8cb13941bb40e468381f5f1b9a3b3a25f774f99f29b2c05cc1c5
    • Instruction Fuzzy Hash: 82516B72508209EBDF228F56CC45EAF7FB5FB48750F10453AF911A12A0D33A8D61EB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E00416D80() {
    				signed int _t37;
    				struct HWND__* _t40;
    				signed int _t42;
    				signed char _t49;
    				intOrPtr* _t53;
    				long _t54;
    				signed int _t58;
    				signed int _t59;
    				signed int _t60;
    				long _t61;
    				int _t62;
    				void* _t64;
    				void* _t67;
    				void* _t69;
    				void* _t71;
    				void* _t72;
    
    				_t61 = GetCurrentThreadId();
    				 *0x4271f4(0x439220);
    				if( *0x439294 == _t61) {
    					L10:
    					_t59 =  *0x439298; // 0x0
    					 *0x4271fc(0x439220);
    					_t62 =  *(_t67 + 0x18);
    					_t54 =  *(_t67 + 0x20);
    					__eflags = _t62 - 3;
    					if(_t62 == 3) {
    						_t64 =  *_t54;
    						__eflags =  *((intOrPtr*)(_t64 + 0x28)) - 0x8002;
    						if( *((intOrPtr*)(_t64 + 0x28)) != 0x8002) {
    							__eflags =  *(_t59 * 4 + 0x4392b0 + _t59 * 4 * 4) & 0x00000001;
    							if(__eflags != 0) {
    								_t37 = E00416D40(__eflags,  *(_t64 + 0xc));
    								_t67 = _t67 + 4;
    								__eflags = _t37;
    								if(__eflags != 0) {
    									L24:
    									_push( *(_t64 + 0xc));
    									_push(1);
    									_push(0xffff);
    									_push( *(_t67 + 0x1c));
    									E00417110(__eflags);
    									_t67 = _t67 + 0x10;
    								} else {
    									_t40 =  *(_t64 + 0xc);
    									__eflags = _t40;
    									if(_t40 != 0) {
    										__eflags =  *0x439262 - 0x18;
    										if(__eflags != 0) {
    											_t42 = E00416D40(__eflags, GetParent(_t40));
    											_t67 = _t67 + 4;
    											__eflags = _t42;
    											if(__eflags != 0) {
    												goto L24;
    											}
    										}
    									}
    								}
    							}
    						} else {
    							__eflags =  *0x439262 - 0x20;
    							if( *0x439262 != 0x20) {
    								E00415720( *(_t67 + 0x1c), E00416A10);
    								_t67 = _t67 + 8;
    							} else {
    								__eflags =  *0x439260 - 0x35f;
    								if( *0x439260 < 0x35f) {
    									L15:
    									 *(_t67 + 0x10) = 1;
    								} else {
    									_t49 = GetWindowLongA( *(_t67 + 0x1c), 0xfffffff0);
    									 *(_t67 + 0x10) = 0;
    									__eflags = _t49 & 0x00000004;
    									if((_t49 & 0x00000004) == 0) {
    										goto L15;
    									}
    								}
    								_t65 =  *(_t67 + 0x1c);
    								SendMessageA( *(_t67 + 0x1c), 0x11f0, 0, _t67 + 0x10);
    								__eflags =  *(_t67 + 0x10);
    								if( *(_t67 + 0x10) != 0) {
    									E00415580(_t65, E00416A10);
    									_t67 = _t67 + 8;
    								}
    							}
    						}
    					}
    					_t60 = _t59 << 2;
    					__eflags = _t60;
    					_t28 = _t60 * 4; // 0x0
    					return CallNextHookEx( *(_t60 + _t28 + 0x4392a8), _t62,  *(_t67 + 0x20), _t54);
    				} else {
    					_t58 = 0;
    					_t69 = _t58 -  *0x43929c; // 0x0
    					if(_t69 < 0) {
    						_t53 = 0x4392a4;
    						while( *_t53 != _t61) {
    							_t53 = _t53 + 0x14;
    							_t58 = _t58 + 1;
    							_t71 = _t58 -  *0x43929c; // 0x0
    							if(_t71 < 0) {
    								continue;
    							} else {
    							}
    							L7:
    							_t72 = _t58 -  *0x43929c; // 0x0
    							goto L8;
    						}
    						 *0x439298 = _t58;
    						 *0x439294 = _t61;
    						goto L7;
    					}
    					L8:
    					if(_t72 != 0) {
    						goto L10;
    					} else {
    						 *0x4271fc(0x439220);
    						return CallNextHookEx(0,  *(_t67 + 0x18),  *(_t67 + 0x1c),  *(_t67 + 0x20));
    					}
    				}
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00416D87
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 00416D94
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 00416DDC
    • CallNextHookEx.USER32(00000000,?,?,?), ref: 00416DF3
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 00416E0E
    • GetWindowLongA.USER32(?,000000F0), ref: 00416E52
    • SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 00416E79
    • GetParent.USER32(?), ref: 00416EE1
    • CallNextHookEx.USER32(00000000,?,?,?), ref: 00416F1E
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
    • String ID:
    • API String ID: 1151315845-0
    • Opcode ID: 2ee36856f24e95d03ab29b6b8170600fe4efec6208625fece676e92d4acc965c
    • Instruction ID: 9f95fa80d3cefc04344fccc1436fa424003e36e3abc605fc6e62ae2fe0af0e47
    • Opcode Fuzzy Hash: 2ee36856f24e95d03ab29b6b8170600fe4efec6208625fece676e92d4acc965c
    • Instruction Fuzzy Hash: EC41DE71604301ABD710EF14FC45BAB77A8EB44314F01496AFD0592262D7B9EC99CB6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E004167A0() {
    				intOrPtr* _t2;
    				int _t5;
    				int _t7;
    				int _t9;
    				int _t11;
    				int _t13;
    				int _t15;
    				int _t17;
    
    				 *0x4271f4(0x439220);
    				_t2 = 0x439ca0;
    				do {
    					if( *_t2 != 0) {
    						 *_t2 = 0;
    					}
    					_t2 = _t2 + 0x18;
    				} while (_t2 < 0x439d30);
    				E004157E0();
    				if( *0x439248 != 0) {
    					_t17 =  *0x439248; // 0x0
    					GlobalDeleteAtom(_t17);
    				}
    				if( *0x43924e != 0) {
    					_t15 =  *0x43924e; // 0x0
    					GlobalDeleteAtom(_t15);
    				}
    				if( *0x43924c != 0) {
    					_t13 =  *0x43924c; // 0x0
    					GlobalDeleteAtom(_t13);
    				}
    				if( *0x43924a != 0) {
    					_t11 =  *0x43924a; // 0x0
    					GlobalDeleteAtom(_t11);
    				}
    				if( *0x439252 != 0) {
    					_t9 =  *0x439252; // 0x0
    					GlobalDeleteAtom(_t9);
    				}
    				if( *0x439250 != 0) {
    					_t7 =  *0x439250; // 0x0
    					GlobalDeleteAtom(_t7);
    				}
    				if( *0x439254 != 0) {
    					_t5 =  *0x439254; // 0x0
    					GlobalDeleteAtom(_t5);
    				}
    				 *0x439240 = 0;
    				return  *0x4271fc(0x439220);
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 004167A6
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 004167E2
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 004167FD
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 00416810
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 00416823
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 00416836
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 00416849
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0041685C
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 0041686D
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
    • String ID:
    • API String ID: 3843206905-0
    • Opcode ID: 2c9f0eaba78a475f7c8bf02f0ccc123cbbbbaa5b5b68dc9d70984f8dbdeab6e4
    • Instruction ID: 5113774805347f93935e1f8ad295c7d98fa7be91338ae2e7ca7dcce3714071ee
    • Opcode Fuzzy Hash: 2c9f0eaba78a475f7c8bf02f0ccc123cbbbbaa5b5b68dc9d70984f8dbdeab6e4
    • Instruction Fuzzy Hash: A6113A69C00A11A1D7657BA4EC086E77768E709304F1668A6E410436F0D7FC8CC6CBAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040D351(void* __edi, long _a4) {
    				char _v164;
    				char _v424;
    				int _t17;
    				long _t19;
    				signed int _t42;
    				long _t47;
    				void* _t48;
    				signed int _t54;
    				void** _t56;
    				void* _t57;
    
    				_t48 = __edi;
    				_t47 = _a4;
    				_t42 = 0;
    				_t17 = 0x432438;
    				while(_t47 !=  *_t17) {
    					_t17 = _t17 + 8;
    					_t42 = _t42 + 1;
    					if(_t17 < 0x4324c8) {
    						continue;
    					}
    					break;
    				}
    				_t54 = _t42 << 3;
    				_t2 = _t54 + 0x432438; // 0xc000000
    				if(_t47 ==  *_t2) {
    					_t17 =  *0x437654; // 0x0
    					if(_t17 == 1 || _t17 == 0 &&  *0x432014 == 1) {
    						_t16 = _t54 + 0x43243c; // 0x429d0c
    						_t56 = _t16;
    						_t19 = E00409BA0( *_t56);
    						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
    					} else {
    						if(_t47 != 0xfc) {
    							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
    								E0040D5E0( &_v424, "<program name unknown>");
    							}
    							_push(_t48);
    							_t49 =  &_v424;
    							if(E00409BA0( &_v424) + 1 > 0x3c) {
    								_t49 = E00409BA0( &_v424) +  &_v424 - 0x3b;
    								E00410140(E00409BA0( &_v424) +  &_v424 - 0x3b, "...", 3);
    								_t57 = _t57 + 0x10;
    							}
    							E0040D5E0( &_v164, "Runtime Error!Program: ");
    							E0040D5F0( &_v164, _t49);
    							E0040D5F0( &_v164, 0x429d5c);
    							_t12 = _t54 + 0x43243c; // 0x429d0c
    							E0040D5F0( &_v164,  *_t12);
    							_t17 = E004100B7( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
    						}
    					}
    				}
    				return _t17;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0040D3BE
    • GetStdHandle.KERNEL32(000000F4,00429D0C,00000000,00000000,00000000,?), ref: 0040D494
    • WriteFile.KERNEL32(00000000), ref: 0040D49B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3784150691-4022980321
    • Opcode ID: 2aee1ffbe8e2d75c9751be7f4c27bb3e318297fd2912d6c044aa0709b33a2892
    • Instruction ID: affd76396205755ae83de12d030cb82148c6949080e3978d83af86090b549964
    • Opcode Fuzzy Hash: 2aee1ffbe8e2d75c9751be7f4c27bb3e318297fd2912d6c044aa0709b33a2892
    • Instruction Fuzzy Hash: BC31D672F002186FDF20EAA4DD45F9A736CEB45314F90047BF544F61C1E6BCA9498A5D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • TlsGetValue.KERNEL32(00437200,00437038,00000000,?,00437200,?,00422FCF,00437038,00000000,?,00000000,0042275D,00422136,00422779,0041A668,0042029B), ref: 00422D72
    • RtlEnterCriticalSection.NTDLL(0043721C), ref: 00422DC1
    • RtlLeaveCriticalSection.NTDLL(0043721C), ref: 00422DD4
    • LocalAlloc.KERNEL32(00000000,00000004,?,00437200,?,00422FCF,00437038,00000000,?,00000000,0042275D,00422136,00422779,0041A668,0042029B), ref: 00422DEA
    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00437200,?,00422FCF,00437038,00000000,?,00000000,0042275D,00422136,00422779,0041A668,0042029B), ref: 00422DFC
    • TlsSetValue.KERNEL32(00437200,00000000), ref: 00422E38
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AllocCriticalLocalSectionValue$EnterLeave
    • String ID: Q.B
    • API String ID: 4117633390-32158725
    • Opcode ID: cadfd0185e6a564f02897adc8806bde7523b15ed0b7ece4c360f3f88302091bc
    • Instruction ID: 2c0ceeb134ceeeaac7f3905e506a79326a4031036aac794e41acfdee970733b1
    • Opcode Fuzzy Hash: cadfd0185e6a564f02897adc8806bde7523b15ed0b7ece4c360f3f88302091bc
    • Instruction Fuzzy Hash: FF31CC31200215BFD724DF15E889F6AB7E8FF44324F80852AF416C7650DBB4E916CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E00402794(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
    				void _v20;
    				int _t18;
    				intOrPtr* _t22;
    				intOrPtr _t30;
    
    				if(E004025FB() == 0) {
    					if(_a4 != 0x12340042) {
    						L9:
    						return 0;
    					}
    					_t22 = _a8;
    					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
    						goto L9;
    					} else {
    						 *((intOrPtr*)(_t22 + 4)) = 0;
    						 *((intOrPtr*)(_t22 + 8)) = 0;
    						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
    						_t18 = GetSystemMetrics(1);
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						_t30 = 1;
    						 *(_t22 + 0x10) = _t18;
    						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
    						if( *_t22 >= 0x48) {
    							 *0x427240(_t22 + 0x28, "DISPLAY");
    						}
    						return _t30;
    					}
    				}
    				return GetMonitorInfoA(_a4, _a8);
    			}








    APIs
    • GetMonitorInfoA.USER32(?,?), ref: 004027AB
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004027D2
    • GetSystemMetrics.USER32(00000000), ref: 004027EA
    • GetSystemMetrics.USER32(00000001), ref: 004027F1
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 00402815
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: System$InfoMetrics$MonitorParameterslstrcpy
    • String ID: B$DISPLAY
    • API String ID: 1771318095-3316187204
    • Opcode ID: 54d76abbe19337592fa7d923d8fbe4fb5e543a61cc398018511748b36a434c69
    • Instruction ID: 13880c642de598199096e66a559ce5a9d5751a8c1b217b7e19e4636ea0576e96
    • Opcode Fuzzy Hash: 54d76abbe19337592fa7d923d8fbe4fb5e543a61cc398018511748b36a434c69
    • Instruction Fuzzy Hash: 301194766003249BCB11AF54DD8859B7BA8FF09750B10C076ED05BA1C5D6B59541CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E00404428(intOrPtr __ecx) {
    				intOrPtr _t115;
    				intOrPtr _t119;
    				intOrPtr* _t120;
    				intOrPtr* _t122;
    				intOrPtr* _t124;
    				intOrPtr* _t126;
    				intOrPtr* _t128;
    				intOrPtr* _t130;
    				long _t133;
    				void* _t134;
    				intOrPtr _t136;
    				intOrPtr _t138;
    				long _t139;
    				intOrPtr* _t141;
    				intOrPtr* _t143;
    				intOrPtr _t148;
    				intOrPtr _t150;
    				intOrPtr* _t151;
    				void* _t153;
    				intOrPtr* _t155;
    				intOrPtr* _t158;
    				intOrPtr _t159;
    				intOrPtr* _t160;
    				intOrPtr* _t162;
    				void* _t167;
    				intOrPtr* _t169;
    				intOrPtr* _t171;
    				intOrPtr* _t173;
    				intOrPtr _t174;
    				intOrPtr _t187;
    				intOrPtr* _t207;
    				intOrPtr* _t220;
    				long _t225;
    				void* _t227;
    
    				E00409B78(0x425c44, _t227);
    				_t220 = __ecx + 0x4c;
    				 *((intOrPtr*)(_t227 - 0x24)) = __ecx;
    				_t115 = E004041FA(__ecx,  *((intOrPtr*)(_t227 + 8)), 0, 3, 0x42a0a0, _t220,  *((intOrPtr*)(_t227 + 0x14)));
    				 *((intOrPtr*)(_t227 + 0x14)) = _t115;
    				if(_t115 < 0) {
    					L48:
    					 *[fs:0x0] =  *((intOrPtr*)(_t227 - 0xc));
    					return _t115;
    				}
    				 *((intOrPtr*)(_t227 - 0x10)) = 0;
    				 *((intOrPtr*)(_t227 - 0x14)) = 0;
    				 *((intOrPtr*)(_t227 + 8)) = 0;
    				E0040489D(__ecx, __ecx + 0x3c);
    				_t119 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xbc))();
    				 *((intOrPtr*)(_t227 - 0x20)) = _t119;
    				if(_t119 != 0) {
    					L4:
    					_t225 =  *(_t227 + 0xc);
    					if(_t225 == 0) {
    						if( *(_t227 + 0x10) != 0) {
    							L15:
    							_t120 =  *_t220;
    							_push(_t227 - 0x14);
    							_push(0x42a030);
    							_push(_t120);
    							if( *((intOrPtr*)( *_t120))() < 0) {
    								L39:
    								if( *((intOrPtr*)(_t227 + 0x14)) >= 0) {
    									L42:
    									_t122 =  *((intOrPtr*)(_t227 + 8));
    									if(_t122 != 0) {
    										 *((intOrPtr*)( *_t122 + 8))(_t122);
    									}
    									if( *((intOrPtr*)(_t227 - 0x20)) != 0 &&  *((intOrPtr*)(_t227 + 0x14)) >= 0) {
    										 *((intOrPtr*)(_t227 + 0x14)) = 1;
    									}
    									_t115 =  *((intOrPtr*)(_t227 + 0x14));
    									goto L48;
    								}
    								L40:
    								_t124 =  *_t220;
    								if(_t124 != 0) {
    									 *((intOrPtr*)( *_t124 + 0x18))(_t124, 1);
    									_t126 =  *_t220;
    									 *((intOrPtr*)( *_t126 + 8))(_t126);
    									 *_t220 = 0;
    								}
    								goto L42;
    							}
    							if(_t225 != 0) {
    								if( *(_t227 + 0x10) == 0) {
    									 *((intOrPtr*)(_t227 + 0x14)) = 0x8000ffff;
    									L33:
    									_t128 =  *((intOrPtr*)(_t227 - 0x14));
    									L34:
    									 *((intOrPtr*)( *_t128 + 8))(_t128);
    									L35:
    									if( *((intOrPtr*)(_t227 + 0x14)) < 0) {
    										goto L40;
    									}
    									if( *((intOrPtr*)(_t227 - 0x20)) == 0) {
    										_t187 =  *((intOrPtr*)(_t227 - 0x24));
    										if(( *(_t187 + 0x72) & 0x00000002) == 0) {
    											_t130 =  *_t220;
    											 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t130 + 0xc))(_t130, _t187 + 0xb8);
    										}
    									}
    									goto L39;
    								}
    								_t133 =  *((intOrPtr*)( *_t225 + 0x30))();
    								 *(_t227 + 0xc) = _t133;
    								_t134 = GlobalAlloc(0, _t133);
    								 *(_t227 + 0x10) = _t134;
    								if(_t134 == 0) {
    									L26:
    									 *((intOrPtr*)(_t227 + 0x14)) = 0x8007000e;
    									 *(_t227 + 0x10) = 0;
    									L27:
    									 *(_t227 - 0x1c) = 0;
    									if( *(_t227 + 0x10) == 0) {
    										goto L33;
    									}
    									_t136 =  *0x4274f8( *(_t227 + 0x10), 1, _t227 - 0x1c);
    									 *((intOrPtr*)(_t227 + 0x14)) = _t136;
    									if(_t136 < 0) {
    										goto L33;
    									}
    									 *((intOrPtr*)(_t227 - 0x18)) = 0;
    									_t138 =  *0x427500( *(_t227 - 0x1c), 0, 0x12, 0, 0, _t227 - 0x18);
    									 *((intOrPtr*)(_t227 + 0x14)) = _t138;
    									if(_t138 >= 0) {
    										_t141 =  *((intOrPtr*)(_t227 - 0x14));
    										 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t141 + 0x18))(_t141,  *((intOrPtr*)(_t227 - 0x18)));
    										_t143 =  *((intOrPtr*)(_t227 - 0x18));
    										 *((intOrPtr*)( *_t143 + 8))(_t143);
    									}
    									_t139 =  *(_t227 - 0x1c);
    									L21:
    									 *((intOrPtr*)( *_t139 + 8))(_t139);
    									goto L33;
    								}
    								GlobalFix(_t134);
    								if(_t134 == 0) {
    									goto L26;
    								}
    								 *((intOrPtr*)( *_t225 + 0x34))(_t134,  *(_t227 + 0xc));
    								GlobalUnWire( *(_t227 + 0x10));
    								goto L27;
    							}
    							 *(_t227 + 0xc) = 0;
    							_t148 =  *0x4274f8(0, 1, _t227 + 0xc);
    							 *((intOrPtr*)(_t227 + 0x14)) = _t148;
    							if(_t148 < 0) {
    								goto L33;
    							}
    							 *(_t227 + 0x10) = 0;
    							_t150 =  *0x4274fc( *(_t227 + 0xc), 0x1012, 0, _t227 + 0x10);
    							 *((intOrPtr*)(_t227 + 0x14)) = _t150;
    							if(_t150 >= 0) {
    								_t151 =  *((intOrPtr*)(_t227 - 0x14));
    								 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t151 + 0x14))(_t151,  *(_t227 + 0x10));
    								_t153 =  *(_t227 + 0x10);
    								 *((intOrPtr*)( *_t153 + 8))(_t153);
    							}
    							_t139 =  *(_t227 + 0xc);
    							goto L21;
    						}
    						L10:
    						_t155 =  *_t220;
    						_push(_t227 - 0x10);
    						_push(0x42a100);
    						_push(_t155);
    						if( *((intOrPtr*)( *_t155))() < 0) {
    							goto L15;
    						} else {
    							if(_t225 != 0) {
    								0x420daf(_t225, 1, 0x1000, 0);
    								 *(_t227 - 4) = 0;
    								0x419e43(_t227 - 0x70);
    								_t158 =  *((intOrPtr*)(_t227 - 0x10));
    								_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t227 - 0x2c);
    								 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
    								 *((intOrPtr*)(_t227 + 0x14)) = _t159;
    								0x420e8b();
    							} else {
    								_t160 =  *((intOrPtr*)(_t227 - 0x10));
    								 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t160 + 0x20))(_t160);
    							}
    							_t128 =  *((intOrPtr*)(_t227 - 0x10));
    							goto L34;
    						}
    					}
    					if( *(_t227 + 0x10) != 0) {
    						goto L15;
    					}
    					_t162 =  *_t220;
    					_push(_t227 + 8);
    					_push(0x42a110);
    					_push(_t162);
    					if( *((intOrPtr*)( *_t162))() < 0) {
    						goto L10;
    					}
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(3);
    					if( *((intOrPtr*)( *_t225 + 0x50))() == 0) {
    						goto L10;
    					} else {
    						 *(_t227 + 0x10) = 0;
    						_t167 =  *((intOrPtr*)( *_t225 + 0x50))(0, 0xffffffff, _t227 + 0x10, _t227 + 0xc);
    						_t207 =  *((intOrPtr*)(_t227 + 8));
    						 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *_t207 + 0x14))(_t207,  *(_t227 + 0x10), _t167);
    						_t169 =  *((intOrPtr*)(_t227 + 8));
    						 *((intOrPtr*)( *_t169 + 8))(_t169);
    						 *((intOrPtr*)(_t227 + 8)) = 0;
    						goto L35;
    					}
    				}
    				_t171 =  *_t220;
    				 *((intOrPtr*)( *_t171 + 0x58))(_t171, 1, __ecx + 0x70);
    				if(( *(__ecx + 0x72) & 0x00000002) == 0) {
    					goto L4;
    				}
    				_t173 =  *_t220;
    				_t174 =  *((intOrPtr*)( *_t173 + 0xc))(_t173, __ecx + 0xb8);
    				 *((intOrPtr*)(_t227 + 0x14)) = _t174;
    				if(_t174 < 0) {
    					goto L40;
    				}
    				goto L4;
    			}






































    APIs
    • __EH_prolog.LIBCMT ref: 0040442D
      • Part of subcall function 00420DAF: __EH_prolog.LIBCMT ref: 00420DB4
      • Part of subcall function 00420E8B: __EH_prolog.LIBCMT ref: 00420E90
    • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 004045B3
    • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 004045D4
    • GlobalAlloc.KERNEL32(00000000,00000000), ref: 0040461C
    • GlobalFix.KERNEL32(00000000), ref: 0040462A
    • GlobalUnWire.KERNEL32(?), ref: 00404642
    • CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 00404665
    • StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,00000000), ref: 00404681
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Global$BytesLock$CreateH_prolog$AllocDocfileOpenStorageWire
    • String ID:
    • API String ID: 1825251643-0
    • Opcode ID: 7adf303213dc35b5bb612f95202ad056f174600a5cece54670663358f48e3b53
    • Instruction ID: 22e38916b9e8b923d5932d5348e8aac46c07d76a9da0ee0002f92ca8fa6bad17
    • Opcode Fuzzy Hash: 7adf303213dc35b5bb612f95202ad056f174600a5cece54670663358f48e3b53
    • Instruction Fuzzy Hash: 94B10EB0A0020AEFCB10DF55C8849AE7BB9FF89304B50446EFA15EB290D779DD51CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040CD77() {
    				int _v4;
    				int _v8;
    				intOrPtr _t7;
    				CHAR* _t9;
    				WCHAR* _t17;
    				int _t20;
    				char* _t24;
    				int _t32;
    				CHAR* _t36;
    				WCHAR* _t38;
    				void* _t39;
    				int _t42;
    
    				_t7 =  *0x4377e8; // 0x1
    				_t32 = 0;
    				_t38 = 0;
    				_t36 = 0;
    				if(_t7 != 0) {
    					if(_t7 != 1) {
    						if(_t7 != 2) {
    							L27:
    							return 0;
    						}
    						L18:
    						if(_t36 != _t32) {
    							L20:
    							_t9 = _t36;
    							if( *_t36 == _t32) {
    								L23:
    								_t41 = _t9 - _t36 + 1;
    								_t39 = E0040A76C(_t9 - _t36 + 1);
    								if(_t39 != _t32) {
    									E00409C80(_t39, _t36, _t41);
    								} else {
    									_t39 = 0;
    								}
    								FreeEnvironmentStringsA(_t36);
    								return _t39;
    							} else {
    								goto L21;
    							}
    							do {
    								do {
    									L21:
    									_t9 =  &(_t9[1]);
    								} while ( *_t9 != _t32);
    								_t9 =  &(_t9[1]);
    							} while ( *_t9 != _t32);
    							goto L23;
    						}
    						_t36 = GetEnvironmentStrings();
    						if(_t36 == _t32) {
    							goto L27;
    						}
    						goto L20;
    					}
    					L6:
    					if(_t38 != _t32) {
    						L8:
    						_t17 = _t38;
    						if( *_t38 == _t32) {
    							L11:
    							_t20 = (_t17 - _t38 >> 1) + 1;
    							_v4 = _t20;
    							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
    							if(_t42 != _t32) {
    								_t24 = E0040A76C(_t42);
    								_v8 = _t24;
    								if(_t24 != _t32) {
    									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
    										E0040A5D6(_v8);
    										_v8 = _t32;
    									}
    									_t32 = _v8;
    								}
    							}
    							FreeEnvironmentStringsW(_t38);
    							return _t32;
    						} else {
    							goto L9;
    						}
    						do {
    							do {
    								L9:
    								_t17 =  &(_t17[1]);
    							} while ( *_t17 != _t32);
    							_t17 =  &(_t17[1]);
    						} while ( *_t17 != _t32);
    						goto L11;
    					}
    					_t38 = GetEnvironmentStringsW();
    					if(_t38 == _t32) {
    						goto L27;
    					}
    					goto L8;
    				}
    				_t38 = GetEnvironmentStringsW();
    				if(_t38 == 0) {
    					_t36 = GetEnvironmentStrings();
    					if(_t36 == 0) {
    						goto L27;
    					}
    					 *0x4377e8 = 2;
    					goto L18;
    				}
    				 *0x4377e8 = 1;
    				goto L6;
    			}
















    APIs
    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040A38B), ref: 0040CD92
    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040A38B), ref: 0040CDA6
    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040A38B), ref: 0040CDD2
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040A38B), ref: 0040CE0A
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040A38B), ref: 0040CE2C
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040A38B), ref: 0040CE45
    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040A38B), ref: 0040CE58
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040CE96
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
    • String ID:
    • API String ID: 1823725401-0
    • Opcode ID: 9c74925991643c7959a6ec2414c194e2168288c50b585615348fedfd09313e66
    • Instruction ID: bc61900c984dceae8c80ef1d5d45fa8923fa7434e346973c5f47bd831570fe07
    • Opcode Fuzzy Hash: 9c74925991643c7959a6ec2414c194e2168288c50b585615348fedfd09313e66
    • Instruction Fuzzy Hash: F73102B2508211EFD7307B799CC483BBA9CEA45748715063BF542E3280EB389C4592EE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetPropA.USER32(?,00000000), ref: 004188D3
    • CallWindowProcA.USER32(00000000), ref: 004188F5
      • Part of subcall function 00415760: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00415786
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 0041579E
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 004157AA
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    • Opcode ID: 114112c297ca804eb71664edf9b7d44ce688ca1153c6d05b33300e8405ec4a00
    • Instruction ID: 62695fc48d43aced9fa389bd55a4f4b2e8eb8c1450cf356eb46c9a81e0459984
    • Opcode Fuzzy Hash: 114112c297ca804eb71664edf9b7d44ce688ca1153c6d05b33300e8405ec4a00
    • Instruction Fuzzy Hash: 9D3103B6704210ABD210A799AC45EEFBB9CDBD5361F44042AFD0583202E739994AC7BB
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 32%
    			E00407594(void* __ecx) {
    				intOrPtr* _t77;
    				intOrPtr _t83;
    				signed int _t85;
    				intOrPtr* _t86;
    				intOrPtr* _t90;
    				intOrPtr* _t92;
    				void* _t102;
    				intOrPtr* _t107;
    				signed int _t110;
    				void* _t126;
    				intOrPtr _t129;
    				void* _t131;
    				void* _t133;
    				void* _t134;
    
    				E00409B78(0x425e6c, _t131);
    				_t134 = _t133 - 0x6c;
    				_t126 = __ecx;
    				_t110 = 0;
    				 *((intOrPtr*)(__ecx + 0x44)) = 1;
    				 *(_t131 - 0x10) = 0;
    				 *(_t131 - 0x18) = 0;
    				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
    					L21:
    					 *(_t126 + 0x44) =  *(_t126 + 0x44) & 0x00000000;
    					 *[fs:0x0] =  *((intOrPtr*)(_t131 - 0xc));
    					return 0;
    				}
    				_t107 =  *0x4272a4;
    				do {
    					_t77 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x14)) + 0x24 + (_t110 + _t110 * 4) * 8)) + 4));
    					if(_t77 == 0) {
    						goto L19;
    					}
    					 *(_t131 - 0x14) =  *(_t131 - 0x10) << 4;
    					while(1) {
    						_t129 =  *((intOrPtr*)(_t77 + 8));
    						 *((intOrPtr*)(_t131 - 0x20)) =  *_t77;
    						 *((intOrPtr*)(_t131 - 0x24)) = 0xfffffffd;
    						E00409C20(_t131 - 0x78, 0, 0x20);
    						_t134 = _t134 + 0xc;
    						E00409506(_t131 - 0x38);
    						 *(_t131 - 4) =  *(_t131 - 4) & 0x00000000;
    						_t138 =  *((intOrPtr*)(_t126 + 0x48));
    						if( *((intOrPtr*)(_t126 + 0x48)) == 0) {
    							_t83 =  *((intOrPtr*)(_t126 + 0x40)) +  *(_t131 - 0x14);
    							__eflags = _t83;
    						} else {
    							_t102 = E00406DBD(_t126, _t138);
    							 *(_t131 - 4) = 1;
    							E004094EC(_t131 - 0x38, _t102);
    							 *(_t131 - 4) =  *(_t131 - 4) & 0x00000000;
    							 *_t107(_t131 - 0x58, _t131 - 0x58,  *(_t131 - 0x18) + 1);
    							_t83 = _t131 - 0x38;
    						}
    						 *((intOrPtr*)(_t131 - 0x48)) = _t83;
    						 *((intOrPtr*)(_t131 - 0x44)) = _t131 - 0x24;
    						_t85 = 1;
    						 *(_t131 - 0x40) = _t85;
    						 *(_t131 - 0x3c) = _t85;
    						 *(_t129 + 0xa0) = _t85;
    						_t86 =  *((intOrPtr*)(_t129 + 0x4c));
    						if(_t86 != 0) {
    							_push(_t131 - 0x1c);
    							_push(0x42a000);
    							_push(_t86);
    							if( *((intOrPtr*)( *_t86))() >= 0) {
    								_t90 =  *((intOrPtr*)(_t131 - 0x1c));
    								 *((intOrPtr*)( *_t90 + 0x18))(_t90,  *((intOrPtr*)(_t129 + 0x94)), 0x42a700, 0, 4, _t131 - 0x48, 0, _t131 - 0x78, _t131 - 0x28);
    								_t92 =  *((intOrPtr*)(_t131 - 0x1c));
    								 *((intOrPtr*)( *_t92 + 8))(_t92);
    								 *(_t129 + 0xa0) =  *(_t129 + 0xa0) & 0x00000000;
    								if( *((intOrPtr*)(_t131 - 0x74)) != 0) {
    									 *0x4272ac( *((intOrPtr*)(_t131 - 0x74)));
    								}
    								if( *((intOrPtr*)(_t131 - 0x70)) != 0) {
    									 *0x4272ac( *((intOrPtr*)(_t131 - 0x70)));
    								}
    								if( *((intOrPtr*)(_t131 - 0x6c)) != 0) {
    									 *0x4272ac( *((intOrPtr*)(_t131 - 0x6c)));
    								}
    								 *_t107(_t131 - 0x38);
    								 *(_t131 - 0x10) =  *(_t131 - 0x10) + 1;
    								 *(_t131 - 0x14) =  *(_t131 - 0x14) + 0x10;
    							}
    						}
    						 *(_t131 - 4) =  *(_t131 - 4) | 0xffffffff;
    						 *_t107(_t131 - 0x38);
    						if( *((intOrPtr*)(_t131 - 0x20)) == 0) {
    							break;
    						}
    						_t77 =  *((intOrPtr*)(_t131 - 0x20));
    					}
    					_t110 =  *(_t131 - 0x18);
    					L19:
    					_t110 = _t110 + 1;
    					 *(_t131 - 0x18) = _t110;
    				} while (_t110 <  *((intOrPtr*)(_t126 + 0x10)));
    				goto L21;
    			}


















    APIs
    • __EH_prolog.LIBCMT ref: 00407599
    • VariantClear.OLEAUT32(?), ref: 0040763E
    • SysFreeString.OLEAUT32(00000000), ref: 004076BF
    • SysFreeString.OLEAUT32(00000000), ref: 004076CE
    • SysFreeString.OLEAUT32(00000000), ref: 004076DD
    • VariantClear.OLEAUT32(?), ref: 004076E7
    • VariantClear.OLEAUT32(?), ref: 004076F8
      • Part of subcall function 00406DBD: __EH_prolog.LIBCMT ref: 00406DC2
      • Part of subcall function 00406DBD: VariantClear.OLEAUT32(00000007), ref: 00407316
      • Part of subcall function 00406DBD: VariantClear.OLEAUT32(?), ref: 00407523
      • Part of subcall function 004094EC: VariantCopy.OLEAUT32(?,?), ref: 004094F4
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Variant$Clear$FreeString$H_prolog$Copy
    • String ID:
    • API String ID: 3345578691-0
    • Opcode ID: 8dc2a68c9cb13230740cc73d986eaeb61089d8efe2b6924da35b67e8ce9046fb
    • Instruction ID: 2d2c044cb48841d5dbf8559586ba3bc0bb83109f633d9adb1d52191ff211b25d
    • Opcode Fuzzy Hash: 8dc2a68c9cb13230740cc73d986eaeb61089d8efe2b6924da35b67e8ce9046fb
    • Instruction Fuzzy Hash: 84512B71E04209EFDB14CFA8C884BDEBBB8BF04314F10456AE116B7291D775A945CB55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00413D47
      • Part of subcall function 00414C2A: RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalEnterH_prologSection
    • String ID: VC$(|C$P}C$`|C${C
    • API String ID: 206681789-1977884022
    • Opcode ID: f1e8551cb2973a05b41a085253e558df3fcd8964f36897b3c9cf29464d1b45ae
    • Instruction ID: 987e916e367c387bc84db09ed3a11dfff15491cc2def88c434e76225d853edcc
    • Opcode Fuzzy Hash: f1e8551cb2973a05b41a085253e558df3fcd8964f36897b3c9cf29464d1b45ae
    • Instruction Fuzzy Hash: 4D418FB0B043159BDB208F59D981BEEB6F5AB48704F04506BB505EB391C7F9DE80CB98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00413D47
      • Part of subcall function 00414C2A: RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalEnterH_prologSection
    • String ID: (VC$(|C$P}C$`|C${C
    • API String ID: 206681789-1343624192
    • Opcode ID: ce421c15fa82fcf92f7c9da086b9378b4340efcce5c8b094ba1727f9bc2f25b9
    • Instruction ID: 0654f4a32cad301fdcfaf93b647c951f5a3b8b5221101e583c94711e99873c60
    • Opcode Fuzzy Hash: ce421c15fa82fcf92f7c9da086b9378b4340efcce5c8b094ba1727f9bc2f25b9
    • Instruction Fuzzy Hash: EF417EB0B143159BDB208F5ADD81BEEB6F5AB48705F04506BB505EB391C7F8DE808B98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00413D47
      • Part of subcall function 00414C2A: RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalEnterH_prologSection
    • String ID: |C$(|C$P}C$`|C${C
    • API String ID: 206681789-940436803
    • Opcode ID: 2d53515d2e368b68f6f3b71518e06230afd38333a9aa211034671cb728312cae
    • Instruction ID: 98b82a42acfcc6be3ca403108d7dd361a624b631edf43255caac6aa059639c78
    • Opcode Fuzzy Hash: 2d53515d2e368b68f6f3b71518e06230afd38333a9aa211034671cb728312cae
    • Instruction Fuzzy Hash: 26417EB0B143159BDB208F5AD981BEEB6F5AB48705F04506BB505EB391C7F8DE808B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415840(struct HDC__* _a4, signed short _a8, signed int _a12) {
    				long* _v0;
    				struct tagRECT _v24;
    				signed short _t56;
    				long _t57;
    				long* _t73;
    				long* _t75;
    				struct HDC__* _t78;
    				long _t79;
    				signed short _t81;
    
    				_t78 = _a4;
    				_t79 = SetBkColor(_t78,  *(0x439264 + (_a12 & 0x0000ffff) * 4));
    				_t73 = _v0;
    				_t75 =  &_v24;
    				 *_t75 =  *_t73;
    				_t75[1] = _t73[1];
    				_t75[2] = _t73[2];
    				_t81 = _a12;
    				_t75[3] = _t73[3];
    				_v24.bottom = _v24.top + 1;
    				if((_t81 & 0x00000002) != 0) {
    					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
    				}
    				_v24.bottom = _t73[3];
    				_v24.right = _v24.left + 1;
    				if((_t81 & 0x00000001) != 0) {
    					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
    				}
    				_t56 = _a8;
    				if(_a4 != _t56) {
    					SetBkColor(_t78,  *(0x439264 + (_t56 & 0x0000ffff) * 4));
    				}
    				_t57 = _t73[2];
    				_v24.right = _t57;
    				_v24.left = _t57 - 1;
    				if((_t81 & 0x00000004) != 0) {
    					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
    				}
    				if((_t81 & 0x00000008) != 0) {
    					_v24.left =  *_t73;
    					_v24.top = _v24.bottom - 1;
    					if((_t81 & 0x00001000) != 0) {
    						_v24.right = _v24.right - 2;
    					}
    					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
    				}
    				return SetBkColor(_t78, _t79);
    			}













    APIs
    • SetBkColor.GDI32(?), ref: 0041585D
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004158AA
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004158D9
    • SetBkColor.GDI32(?,?), ref: 004158F7
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00415922
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041595C
    • SetBkColor.GDI32(?,00000000), ref: 00415964
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Text$Color
    • String ID:
    • API String ID: 3751486306-0
    • Opcode ID: 10cb8b168f2d5c28efdd867514a9065877ef0ef53f8e8f587d53c58b20053be3
    • Instruction ID: 0121b2bc77c172a0303c65e058deb0e63492e045befe5e4d2147ce14d1f76169
    • Opcode Fuzzy Hash: 10cb8b168f2d5c28efdd867514a9065877ef0ef53f8e8f587d53c58b20053be3
    • Instruction Fuzzy Hash: 37418F74244301AFE320DF14CC86F6AB7E4EB84B00F54485DFA54AA2C1D774E84ACB6A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 35%
    			E00408A2F(void* __ebx) {
    				struct HWND__* _t18;
    				int _t19;
    				struct HWND__* _t24;
    				struct HWND__* _t25;
    				struct HWND__* _t29;
    				void* _t30;
    				signed char _t32;
    				intOrPtr _t35;
    				struct HWND__* _t36;
    				intOrPtr _t38;
    				void* _t39;
    
    				_t30 = __ebx;
    				_t35 =  *((intOrPtr*)(_t39 + 0x10));
    				if(_t35 == 0) {
    					_t38 =  *((intOrPtr*)(_t39 + 0x10));
    					L13:
    					_t18 = GetTopWindow( *(_t38 + 0x1c));
    					0x41c48d(_t18);
    					_t36 = _t18;
    					if(_t36 != 0) {
    						L6:
    						_push(_t30);
    						_t19 = GetWindowLongA( *(_t36 + 0x1c), 0xffffffec);
    						if((_t19 & 0x00010000) == 0) {
    							L17:
    							return _t36;
    						}
    						_t32 =  *(_t39 + 0x1c);
    						if((_t32 & 0x00000001) == 0) {
    							L9:
    							if((_t32 & 0x00000002) == 0) {
    								L15:
    								_push(_t32);
    								_push(0);
    								_push(_t36);
    								L16:
    								_t36 = E00408A2F(_t32);
    								goto L17;
    							}
    							0x41ec07();
    							if(_t19 != 0) {
    								goto L15;
    							}
    							L11:
    							_push(_t32);
    							_push(_t36);
    							_push(_t38);
    							goto L16;
    						}
    						_t19 = IsWindowVisible( *(_t36 + 0x1c));
    						if(_t19 == 0) {
    							goto L11;
    						}
    						goto L9;
    					}
    					return _t38;
    				}
    				_t24 = GetWindow( *(_t35 + 0x1c), 2);
    				0x41c48d(_t24);
    				_t38 =  *((intOrPtr*)(_t39 + 0x10));
    				if(_t24 != 0) {
    					L5:
    					_t25 = GetWindow( *(_t35 + 0x1c), 2);
    					0x41c48d(_t25);
    					_t36 = _t25;
    					goto L6;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					0x41c48d(GetParent( *(_t35 + 0x1c)));
    					_t35 = E004089D6(_t38, _t26);
    					if(_t35 == 0 || _t35 == _t38) {
    						goto L13;
    					}
    					_t29 = GetWindow( *(_t35 + 0x1c), 2);
    					0x41c48d(_t29);
    					if(_t29 == 0) {
    						continue;
    					}
    					goto L5;
    				}
    				goto L13;
    			}















    APIs
    • GetWindow.USER32(?,00000002), ref: 00408A4A
    • GetParent.USER32(?), ref: 00408A5D
      • Part of subcall function 004089D6: GetWindowLongA.USER32(?,000000F0), ref: 004089EE
      • Part of subcall function 004089D6: GetParent.USER32(?), ref: 00408A07
      • Part of subcall function 004089D6: GetWindowLongA.USER32(?,000000EC), ref: 00408A1A
    • GetWindow.USER32(?,00000002), ref: 00408A80
    • GetWindow.USER32(?,00000002), ref: 00408A92
    • GetWindowLongA.USER32(?,000000EC), ref: 00408AA2
    • IsWindowVisible.USER32(?), ref: 00408ABB
    • GetTopWindow.USER32(?), ref: 00408AE1
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Long$Parent$Visible
    • String ID:
    • API String ID: 3473418232-0
    • Opcode ID: 77463de3a2b9bb46f0a5fa0140bb1457724d53cc2306ff239bfa9df7ad643d59
    • Instruction ID: dcb46471048726f602ef02479a7d464f7b43385fe7bdc189afbe0739603d9970
    • Opcode Fuzzy Hash: 77463de3a2b9bb46f0a5fa0140bb1457724d53cc2306ff239bfa9df7ad643d59
    • Instruction Fuzzy Hash: B221DE317443156BC631AAA59D09F6B76ACAF40350F04053FB981A7692CA38EC028BA8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCapture.USER32 ref: 004215CA
    • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004215E7
    • GetFocus.USER32 ref: 004215F9
    • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00421609
    • GetLastActivePopup.USER32(?), ref: 0042162C
    • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0042163C
    • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0042165B
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: MessageSend$ActiveCaptureFocusLastPopup
    • String ID:
    • API String ID: 3219385341-0
    • Opcode ID: 8f6468e831a2b71e761c06aeb28f849768de2e6781b477bd8cc32d64dd41139e
    • Instruction ID: a446505b51a97332c8f9efc9a23fc2485d3cbecd44017c5556991019ea24ff90
    • Opcode Fuzzy Hash: 8f6468e831a2b71e761c06aeb28f849768de2e6781b477bd8cc32d64dd41139e
    • Instruction Fuzzy Hash: 7311C6B27002697BD6206E62EC80C3F3A5DDBA67E4755042BF90283261DF6A9C435539
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00417200(struct HWND__* _a4, signed int _a8) {
    				struct tagRECT _v16;
    				signed int _t30;
    				intOrPtr _t39;
    				signed char _t43;
    				struct HWND__* _t49;
    				struct HWND__* _t50;
    				signed int _t51;
    
    				_t49 = _a4;
    				GetWindowRect(_t49,  &_v16);
    				_t30 = GetWindowLongA(_t49, 0xfffffff0);
    				_t51 = _t30;
    				if((_t30 & 0x10000000) == 0) {
    					L12:
    					return _t30;
    				}
    				_t30 = _a8;
    				if(_t30 == 0) {
    					L9:
    					InflateRect( &_v16, 1, 1);
    					_t50 = GetParent(_t49);
    					ScreenToClient(_t50,  &_v16);
    					ScreenToClient(_t50,  &(_v16.right));
    					if((_t51 & 0x00200000) != 0) {
    						_v16.right.x = _v16.right.x + 1;
    					}
    					return InvalidateRect(_t50,  &_v16, 0);
    				}
    				_t43 =  *(_t30 + 0x18);
    				if((_t43 & 0x000000c0) != 0 || (_t43 & 0x00000002) == 0 || (_t43 & 0x00000001) == 0) {
    					if((_t43 & 0x00000003) == 2 && _v16.right.x -  *((intOrPtr*)(_t30 + 0x10)) == _v16.left) {
    						_t39 =  *((intOrPtr*)(_t30 + 0x14));
    						if(_v16.bottom - _v16.top >= _t39) {
    							_v16.top = _v16.top + _t39 + 1;
    						}
    					}
    					goto L9;
    				} else {
    					goto L12;
    				}
    			}











    APIs
    • GetWindowRect.USER32(?), ref: 00417210
    • GetWindowLongA.USER32(?,000000F0), ref: 00417219
    • InflateRect.USER32(?,00000001,00000001), ref: 00417278
    • GetParent.USER32(?), ref: 0041727F
    • ScreenToClient.USER32(00000000,?), ref: 00417293
    • ScreenToClient.USER32(00000000,?), ref: 0041729B
    • InvalidateRect.USER32(00000000,?,00000000), ref: 004172B1
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
    • String ID:
    • API String ID: 1809568455-0
    • Opcode ID: 8c462bde06ea21d7b363257aa46abb0bc4c62d0503491906461a71e3d397fd03
    • Instruction ID: 878365840cbeb261cbfb3aa558999d6128e1497382d33788e5d24b3e0bcb1998
    • Opcode Fuzzy Hash: 8c462bde06ea21d7b363257aa46abb0bc4c62d0503491906461a71e3d397fd03
    • Instruction Fuzzy Hash: B6216D31208205AFD724DB54D8D4FBB73F9EB94720F80059EF95693291D738E886C726
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 004230E4
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00423107
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00423126
    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00423136
    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00423140
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CloseCreate$Open
    • String ID: software
    • API String ID: 1740278721-2010147023
    • Opcode ID: ec4849638b1525c293d2e0b4e57c822d160125207bcc122547dde25c8ea884fa
    • Instruction ID: 5a236a271ee9847b5db711561f0ef4c87b4bcb5c6a7819df7edb27c311b00060
    • Opcode Fuzzy Hash: ec4849638b1525c293d2e0b4e57c822d160125207bcc122547dde25c8ea884fa
    • Instruction Fuzzy Hash: 1E11F572A01168FBCB21CF9ADC84DEFFFBCEF95701F5040AAA504A2121D6749B15DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004172C0(struct HWND__* _a4) {
    				struct tagRECT _v16;
    				signed int _t11;
    				struct HWND__* _t24;
    				struct HWND__* _t25;
    
    				_t24 = _a4;
    				_t11 = GetWindowLongA(_t24, 0xfffffff0);
    				GetWindowRect(_t24,  &_v16);
    				InflateRect( &_v16, 1, 1);
    				_t25 = GetParent(_t24);
    				ScreenToClient(_t25,  &_v16);
    				ScreenToClient(_t25,  &(_v16.right));
    				if((_t11 & 0x00200000) != 0) {
    					_v16.right.x = _v16.right.x + 1;
    				}
    				return ValidateRect(_t25,  &_v16);
    			}








    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 004172CD
    • GetWindowRect.USER32(?,?), ref: 004172DB
    • InflateRect.USER32(?,00000001,00000001), ref: 004172EA
    • GetParent.USER32(?), ref: 004172F1
    • ScreenToClient.USER32(00000000,?), ref: 00417305
    • ScreenToClient.USER32(00000000,?), ref: 0041730D
    • ValidateRect.USER32(00000000,?), ref: 00417321
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Rect$ClientScreenWindow$InflateLongParentValidate
    • String ID:
    • API String ID: 2275295265-0
    • Opcode ID: 8086fe9dd5a7d9d5503a716449f058101cafdfbef788481df7dd7d6aa1b5ad53
    • Instruction ID: d90f7f219b9cbdb7304fd52a6e3662cf8df24ae4bc947d0c2605ec7c33e68e55
    • Opcode Fuzzy Hash: 8086fe9dd5a7d9d5503a716449f058101cafdfbef788481df7dd7d6aa1b5ad53
    • Instruction Fuzzy Hash: 61F08132108205BFD321AB54DCC8EBF77BCEB89720F404569FE1592150D734A806DB76
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSysColor.USER32(0000000F), ref: 0041EFC8
    • GetSysColor.USER32(00000010), ref: 0041EFCF
    • GetSysColor.USER32(00000014), ref: 0041EFD6
    • GetSysColor.USER32(00000012), ref: 0041EFDD
    • GetSysColor.USER32(00000006), ref: 0041EFE4
    • GetSysColorBrush.USER32(0000000F), ref: 0041EFF1
    • GetSysColorBrush.USER32(00000006), ref: 0041EFF8
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Color$Brush
    • String ID:
    • API String ID: 2798902688-0
    • Opcode ID: c7f0029e87ddf1139d96c1f004eebb690d2c973e919fcdaa2fb10b7a8b818123
    • Instruction ID: e5658d71ba6e68948595777e91a88b27c6323313223a78a058e1d4820c8a644b
    • Opcode Fuzzy Hash: c7f0029e87ddf1139d96c1f004eebb690d2c973e919fcdaa2fb10b7a8b818123
    • Instruction Fuzzy Hash: D8F01C71A407489BD730BF769D09B47BEE4FFC4B10F42192ED2858BA90E6B5A401DF54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Version$ClipboardFormatRegister
    • String ID: MSWHEEL_ROLLMSG
    • API String ID: 2888461884-2485103130
    • Opcode ID: 49ae03445a9ac40c609b022f888c5a78b5a7e06a852899440815f0b853eefefb
    • Instruction ID: 93bce4a4c7880cd1a8ecf7a8172aebf2dd9c32349866ab6e38b748b3d159b8fb
    • Opcode Fuzzy Hash: 49ae03445a9ac40c609b022f888c5a78b5a7e06a852899440815f0b853eefefb
    • Instruction Fuzzy Hash: 50E0D83E70413A59C7206764BC007A62DB45B68352FE10037ED0092630BB6C58838A7E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0040F024(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
    				int _v8;
    				intOrPtr _v20;
    				short* _v28;
    				short _v32;
    				int _v36;
    				short* _v40;
    				void* _v56;
    				int _t31;
    				int _t32;
    				int _t37;
    				int _t43;
    				int _t44;
    				int _t45;
    				void* _t53;
    				short* _t60;
    				int _t61;
    				intOrPtr _t62;
    				short* _t63;
    
    				_push(0xffffffff);
    				_push(0x429dd0);
    				_push(E0040D240);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t62;
    				_t63 = _t62 - 0x18;
    				_v28 = _t63;
    				_t31 =  *0x437884; // 0x1
    				if(_t31 != 0) {
    					L6:
    					if(_t31 != 2) {
    						if(_t31 != 1) {
    							goto L18;
    						} else {
    							if(_a20 == 0) {
    								_t44 =  *0x43787c; // 0x0
    								_a20 = _t44;
    							}
    							asm("sbb eax, eax");
    							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
    							_v36 = _t37;
    							if(_t37 == 0) {
    								goto L18;
    							} else {
    								_v8 = 0;
    								E0040AF60(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
    								_v28 = _t63;
    								_t60 = _t63;
    								_v40 = _t60;
    								E00409C20(_t60, 0, _t37 + _t37);
    								_v8 = _v8 | 0xffffffff;
    								if(_t60 == 0) {
    									goto L18;
    								} else {
    									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
    									if(_t43 == 0) {
    										goto L18;
    									} else {
    										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
    									}
    								}
    							}
    						}
    					} else {
    						_t45 = _a24;
    						if(_t45 == 0) {
    							_t45 =  *0x43786c; // 0x0
    						}
    						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
    					}
    				} else {
    					_push( &_v32);
    					_t61 = 1;
    					if(GetStringTypeW(_t61, 0x429db4, _t61, ??) == 0) {
    						if(GetStringTypeA(0, _t61, 0x429db0, _t61,  &_v32) == 0) {
    							L18:
    							_t32 = 0;
    						} else {
    							_t31 = 2;
    							goto L5;
    						}
    					} else {
    						_t31 = _t61;
    						L5:
    						 *0x437884 = _t31;
    						goto L6;
    					}
    				}
    				 *[fs:0x0] = _v20;
    				return _t32;
    			}






















    APIs
    • GetStringTypeW.KERNEL32(00000001,00429DB4,00000001,?,747870F0,00438E88,?,?,0040EE85,?,?,?,00000000,00000001), ref: 0040F063
    • GetStringTypeA.KERNEL32(00000000,00000001,00429DB0,00000001,?,?,0040EE85,?,?,?,00000000,00000001), ref: 0040F07D
    • GetStringTypeA.KERNEL32(?,?,?,?,0040EE85,747870F0,00438E88,?,?,0040EE85,?,?,?,00000000,00000001), ref: 0040F0B1
    • MultiByteToWideChar.KERNEL32(?,00438E89,?,?,00000000,00000000,747870F0,00438E88,?,?,0040EE85,?,?,?,00000000,00000001), ref: 0040F0E9
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0040EE85,?), ref: 0040F13F
    • GetStringTypeW.KERNEL32(?,?,00000000,0040EE85,?,?,?,?,?,?,0040EE85,?), ref: 0040F151
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    • Opcode ID: e027d877569e5b4995012dfce1d89e4b8f97e75de6c829e599afc6e38b8d0903
    • Instruction ID: ee7606d455015b502b4a12470a4c6f3b64eee30a2d690d1daf4f53d79c1b17dc
    • Opcode Fuzzy Hash: e027d877569e5b4995012dfce1d89e4b8f97e75de6c829e599afc6e38b8d0903
    • Instruction Fuzzy Hash: F6419E72A04219EFCF309F94DC85EAF7BA8EB08750F104436FA11E6290C3399D55DBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00418638
    • GetWindowTextLengthA.USER32(?), ref: 00418642
    • GetWindowTextA.USER32(?,00000000,00000000), ref: 0041866A
    • SetTextColor.GDI32(?,00000000), ref: 004186AB
    • DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 004186C3
    • SetTextColor.GDI32(?,?), ref: 004186D5
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Text$ColorWindow$DrawLength
    • String ID:
    • API String ID: 1177705772-0
    • Opcode ID: f61aa4dffdb18046b452c94626c5c2dc6b42ce8710c46d48a28af5027f2d761b
    • Instruction ID: 3933a94de64dcd1fd6086237cbceca51d1aa39c4d7f85a5a764248863055d609
    • Opcode Fuzzy Hash: f61aa4dffdb18046b452c94626c5c2dc6b42ce8710c46d48a28af5027f2d761b
    • Instruction Fuzzy Hash: 4B217C76700209AFD720DF68DD88AFB77B9EB88320F148219FD5997390CA34AD41CB64
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 0041D0D0
    • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0041D11D
    • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0041D13F
    • GetCapture.USER32 ref: 0041D151
    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0041D160
    • WinHelpA.USER32(?,?,?,?), ref: 0041D174
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: MessageSend$CaptureH_prologHelp
    • String ID:
    • API String ID: 432264411-0
    • Opcode ID: 2b86eba168eb1c9d3659784aa94a729a24782b9f94e5b7180799c0c0e2b63285
    • Instruction ID: 6f3a9055864217afa5bf793e6a316ec40b2eabd2d76a1a2d8d6bf8f790d2764c
    • Opcode Fuzzy Hash: 2b86eba168eb1c9d3659784aa94a729a24782b9f94e5b7180799c0c0e2b63285
    • Instruction Fuzzy Hash: 5F218171740205BFEB21AF61DC8AFAA77A9EF44754F10413AB501A71E2CBB49C40DA14
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetParent.USER32(?), ref: 00421462
    • GetLastActivePopup.USER32(?), ref: 00421471
    • IsWindowEnabled.USER32(?), ref: 00421486
    • EnableWindow.USER32(?,00000000), ref: 00421499
    • GetWindowLongA.USER32(?,000000F0), ref: 004214AB
    • GetParent.USER32(?), ref: 004214B9
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
    • String ID:
    • API String ID: 670545878-0
    • Opcode ID: e3d0acfb6d49c856fdb55c08b54a58acfa9b6697584734bc2ae9ff53d47d05dd
    • Instruction ID: 6c8b8cb064875c99703d182604416c456136690ae2c2b93b8094753ef9516b57
    • Opcode Fuzzy Hash: e3d0acfb6d49c856fdb55c08b54a58acfa9b6697584734bc2ae9ff53d47d05dd
    • Instruction Fuzzy Hash: C7119E32B053315786317A696C40F2BB6989F75BA1FD94227ED0D93324DB68CC0242ED
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ClientToScreen.USER32(?,?), ref: 00420C50
    • GetWindow.USER32(?,00000005), ref: 00420C61
    • GetDlgCtrlID.USER32(00000000), ref: 00420C6A
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00420C79
    • GetWindowRect.USER32(00000000,?), ref: 00420C8B
    • PtInRect.USER32(?,?,?), ref: 00420C9B
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Rect$ClientCtrlLongScreen
    • String ID:
    • API String ID: 1315500227-0
    • Opcode ID: a26b61f3978cac998de9064cbaa822ad3764adc4bf2b274e904c50462e420015
    • Instruction ID: 3f28bb9bd10e891b6631c67d71c9935d9187de0b20147d5f79a2b23e50e02706
    • Opcode Fuzzy Hash: a26b61f3978cac998de9064cbaa822ad3764adc4bf2b274e904c50462e420015
    • Instruction Fuzzy Hash: 35018F71304129ABDB21AF66EC08EAF7BACFF44710F804132FD11922A5E7349912DB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040D092(void* __ecx, void* __eflags) {
    				char _v8;
    				struct _OSVERSIONINFOA _v156;
    				char _v416;
    				char _v4656;
    				void* _t24;
    				CHAR* _t32;
    				void* _t33;
    				intOrPtr* _t34;
    				void* _t35;
    				char _t36;
    				char _t38;
    				void* _t40;
    				char* _t44;
    				char* _t45;
    				char* _t50;
    
    				E0040AF60(0x122c, __ecx);
    				_v156.dwOSVersionInfoSize = 0x94;
    				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
    					_t40 = 1;
    					return _t40;
    				}
    				if(GetEnvironmentVariableA(?str?,  &_v4656, 0x1090) == 0) {
    					L28:
    					_t24 = E0040D065( &_v8);
    					asm("sbb eax, eax");
    					return _t24 + 3;
    				}
    				_t44 =  &_v4656;
    				if(_v4656 != 0) {
    					do {
    						_t38 =  *_t44;
    						if(_t38 >= 0x61 && _t38 <= 0x7a) {
    							 *_t44 = _t38 - 0x20;
    						}
    						_t44 = _t44 + 1;
    					} while ( *_t44 != 0);
    				}
    				if(E0040FDC0(?str?,  &_v4656, 0x16) != 0) {
    					GetModuleFileNameA(0,  &_v416, 0x104);
    					_t45 =  &_v416;
    					if(_v416 != 0) {
    						do {
    							_t36 =  *_t45;
    							if(_t36 >= 0x61 && _t36 <= 0x7a) {
    								 *_t45 = _t36 - 0x20;
    							}
    							_t45 = _t45 + 1;
    						} while ( *_t45 != 0);
    					}
    					_t32 = E0040FF10( &_v4656,  &_v416);
    				} else {
    					_t32 =  &_v4656;
    				}
    				if(_t32 == 0) {
    					goto L28;
    				}
    				_t33 = E0040EA50(_t32, 0x2c);
    				if(_t33 == 0) {
    					goto L28;
    				}
    				_t34 = _t33 + 1;
    				_t50 = _t34;
    				if( *_t34 != 0) {
    					do {
    						if( *_t50 != 0x3b) {
    							_t50 = _t50 + 1;
    						} else {
    							 *_t50 = 0;
    						}
    					} while ( *_t50 != 0);
    				}
    				_t35 = E0040AA43(_t34, 0, 0xa);
    				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
    					goto L28;
    				}
    				return _t35;
    			}

    APIs
    • GetVersionExA.KERNEL32 ref: 0040D0B1
    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0040D0E6
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D146
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: EnvironmentFileModuleNameVariableVersion
    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
    • API String ID: 1385375860-4131005785
    • Opcode ID: 40fa2809c185375c2546b640b59bae09e8fec81ac076597e574814ffbe37de77
    • Instruction ID: 8c48d6549a6c085a97523abe6bd539ad19be6c02514a4b25ff98b6cf6cb68a41
    • Opcode Fuzzy Hash: 40fa2809c185375c2546b640b59bae09e8fec81ac076597e574814ffbe37de77
    • Instruction Fuzzy Hash: 3F312A71D0525469EB3196F05C866DB37689B06308F1404FBD546FE2C2EA3C8E8ECB19
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0041CC6E
    • GetWindowLongA.USER32(?,000000FC), ref: 0041CC7F
    • GetWindowLongA.USER32(?,000000FC), ref: 0041CC8F
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0041CCAB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: LongWindow$MessageSend
    • String ID: (
    • API String ID: 2178440468-3887548279
    • Opcode ID: 6a1f7de5bc6f187c3b806d41b761cc763c320ec350766a2c128c548d338a73f2
    • Instruction ID: c4ac3f9db1985cf5a9d5e46e43a29ed0e83d9cd66e9646bf6c7909ef62d61470
    • Opcode Fuzzy Hash: 6a1f7de5bc6f187c3b806d41b761cc763c320ec350766a2c128c548d338a73f2
    • Instruction Fuzzy Hash: 3131D0306447109FDB20AF65DC85A9EBBF4BF44314F14422EE546A77A1DB78EC80CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E00417110(void* __eflags) {
    				void* _t19;
    				long _t24;
    				void* _t27;
    				void* _t31;
    				signed int* _t35;
    				intOrPtr _t36;
    				signed short _t41;
    				struct HWND__* _t43;
    				signed int _t44;
    				void* _t45;
    				void* _t46;
    
    				_t43 =  *(_t45 + 0x1c);
    				_t19 = E00415510(_t43);
    				_t46 = _t45 + 4;
    				if(_t19 == 0) {
    					_t44 = 0;
    					_t35 = 0x42a994;
    					GetClassNameA(_t43, _t46 + 0x10, 0x10);
    					_t41 =  *((intOrPtr*)(_t46 + 0x28));
    					do {
    						if(( *_t35 & _t41) == 0) {
    							goto L5;
    						} else {
    							_t7 = _t35 - 0x1c; // 0x42a978
    							_push(_t46 + 0x10);
    							if( *0x427284() == 0) {
    								_t24 = GetWindowLongA(_t43, 0xfffffff0);
    								_t36 =  *((intOrPtr*)(_t46 + 0x2c));
    								_t27 =  *((intOrPtr*)((_t44 << 5) + 0x42a990))(_t43, _t24, _t41, _t36,  *((intOrPtr*)(_t46 + 0x30)));
    								if(_t27 != 1) {
    									L12:
    									asm("sbb eax, eax");
    									return _t27 + 1;
    								} else {
    									if(_t36 != 1 ||  *0x439262 != 0x10) {
    										_t27 = E00415580(_t43,  *((intOrPtr*)(0x439ca0 + (_t44 + _t44 * 2) * 8)));
    										goto L12;
    									} else {
    										_t31 = E00415720(_t43,  *((intOrPtr*)(0x439ca0 + (_t44 + _t44 * 2) * 8)));
    										asm("sbb eax, eax");
    										return _t31 + 1;
    									}
    								}
    							} else {
    								goto L5;
    							}
    						}
    						goto L13;
    						L5:
    						_t35 =  &(_t35[8]);
    						_t44 = _t44 + 1;
    					} while (_t35 < 0x42aa54);
    					return 0;
    				} else {
    					return 0;
    				}
    				L13:
    			}

    APIs
    • GetClassNameA.USER32(?,?,00000010), ref: 00417141
    • lstrcmp.KERNEL32(Button,?), ref: 0041715A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ClassNamelstrcmp
    • String ID: Button$Unknown exception
    • API String ID: 3770760073-1744519170
    • Opcode ID: 3a378a0b858ab8c92cec3eb9458625d8dda9b60a4693cde666e82af8142ed0fe
    • Instruction ID: 77194b7f14482824f2164bd987f2d7e6cd6fc9e89a4c27169b0526717ae16d14
    • Opcode Fuzzy Hash: 3a378a0b858ab8c92cec3eb9458625d8dda9b60a4693cde666e82af8142ed0fe
    • Instruction Fuzzy Hash: 44212C767042147FD710EB58EC84CFB336DEB85325F84097BFC15C2320E62B955986AA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004235E7
      • Part of subcall function 004236D3: lstrlen.KERNEL32(00000104,00000000,?,00423617), ref: 0042370A
    • lstrcpy.KERNEL32(?,.HLP), ref: 00423688
    • lstrcat.KERNEL32(?,.INI), ref: 004236B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: FileModuleNamelstrcatlstrcpylstrlen
    • String ID: .HLP$.INI
    • API String ID: 2421895198-3011182340
    • Opcode ID: 6d1c7d594c8f843c2e1c3e0fb0bd488519680b7f375aca8b70ef434c6012f1aa
    • Instruction ID: c998b6c95380fb829d9309430f9646efe8bb59952caad2d43feeb58e740f7c14
    • Opcode Fuzzy Hash: 6d1c7d594c8f843c2e1c3e0fb0bd488519680b7f375aca8b70ef434c6012f1aa
    • Instruction Fuzzy Hash: E3319475904718AFDB30DF71E884BCAB7FCEB04305F5049ABE189D3251DB78AA818B54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • lstrcpyn.KERNEL32(0041FE08,?,00000104,?,?,?,?,?,?,?,0041FDF6,?), ref: 0041FE36
    • GetFileTime.KERNEL32(00000000,0041FDF6,?,?,?,?,?,?,?,?,?,0041FDF6,?), ref: 0041FE57
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0041FDF6,?), ref: 0041FE66
    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,0041FDF6,?), ref: 0041FE87
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: File$AttributesSizeTimelstrcpyn
    • String ID: t
    • API String ID: 1499663573-2238339752
    • Opcode ID: 3739aa3469a7306d450bd2ad3b12157d62f7c96ae24f661b2d6f5aaff109e42c
    • Instruction ID: 0b94d4305e393bc50297bd8a1f722c6ae836aa6048ebc9e63360a4eaa95d8be7
    • Opcode Fuzzy Hash: 3739aa3469a7306d450bd2ad3b12157d62f7c96ae24f661b2d6f5aaff109e42c
    • Instruction Fuzzy Hash: 2D315E72500605AFD720DF64CC85AEBB7A8BF14310F504A3EE256C7691DB74A98ACB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetMenuCheckMarkDimensions.USER32 ref: 004221D6
    • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00422285
    • LoadBitmapA.USER32(00000000,00007FE3), ref: 0042229D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
    • String ID: $dzB
    • API String ID: 2596413745-711930444
    • Opcode ID: 35a62182a3ddc29fa96898832622f9672458323b1e94aca126063a4c8e204a18
    • Instruction ID: 6e5f14134cb4c832d4e34a4bb61a5982d64cf34e508004b97c7b0afa8543f761
    • Opcode Fuzzy Hash: 35a62182a3ddc29fa96898832622f9672458323b1e94aca126063a4c8e204a18
    • Instruction Fuzzy Hash: A7212571F04225FFEB20CB78DD85BAE7BB8EF40710F4441A6E905EB282D6749A45CB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00423C6B
    • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,00000000,00000000,00000000,00000000,?,0042E4B0,00000000,?,0042527C,00000000), ref: 00423CDB
    • lstrcpyn.KERNEL32(|RB,00000000,?,?,0042E4B0,00000000,?,0042527C,00000000,?,?,?,?,00000000), ref: 00423CF7
    • LocalFree.KERNEL32(?,?,0042E4B0,00000000,?,0042527C,00000000,?,?,?,?,00000000), ref: 00423D00
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: FormatFreeH_prologLocalMessagelstrcpyn
    • String ID: |RB
    • API String ID: 1069405352-3002423116
    • Opcode ID: 5b1abd24b09e584fe7c3064ab9d7c7f60d1fb807c32b649b618893e7385ce167
    • Instruction ID: 092a1a9164ada0c8ee74cfb608b434e54693656992f511271687a5c1f1674967
    • Opcode Fuzzy Hash: 5b1abd24b09e584fe7c3064ab9d7c7f60d1fb807c32b649b618893e7385ce167
    • Instruction Fuzzy Hash: C411E672600218EFDB119F91EC85EEB7BB8FF04755F10852AF9049A290D3789E50CB98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0041E0F2: __EH_prolog.LIBCMT ref: 0041E0F7
    • wsprintfA.USER32 ref: 00401695
      • Part of subcall function 00418CB2: GetFileAttributesA.KERNEL32(?,004016A8,?,00000000), ref: 00418CB6
      • Part of subcall function 00418CB2: GetLastError.KERNEL32 ref: 00418CC1
    • MessageBoxA.USER32(00000000,004312B0,P.Y.G,00000000), ref: 004016DE
      • Part of subcall function 00401451: __EH_prolog.LIBCMT ref: 00401456
    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004016BF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog$AttributesChangeErrorFileLastMessageNotifywsprintf
    • String ID: %s\ida.exe$P.Y.G
    • API String ID: 223957963-757092171
    • Opcode ID: db146c9a65c3a15ebea06757401418463de71b9546307398085ff665a75e25bf
    • Instruction ID: 8962cb91546730f80324e6499c0f4c542f6d9829b1e264443176097299c6b903
    • Opcode Fuzzy Hash: db146c9a65c3a15ebea06757401418463de71b9546307398085ff665a75e25bf
    • Instruction Fuzzy Hash: 5A01F976A042183BD72172B98C86EEB7A5C9708B58F1005ABF305B10D1D9B89D4146BC
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 0041B195
    • GetDlgItem.USER32(?,00000002), ref: 0041B1B4
    • IsWindowEnabled.USER32(00000000), ref: 0041B1BF
    • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0041B1D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$EnabledItemLongMessageSend
    • String ID: Edit
    • API String ID: 3499652902-554135844
    • Opcode ID: 9df82df395981d24f5f9742fa8d1aa676500055651a5adcef875d14ee72bacd0
    • Instruction ID: dfc5ff48ba802326c42e33e879478dc56a3610e2da7bf29371cd18f6a0b2f3c4
    • Opcode Fuzzy Hash: 9df82df395981d24f5f9742fa8d1aa676500055651a5adcef875d14ee72bacd0
    • Instruction Fuzzy Hash: E8018430344205BBEB361A229C2BBDBBA65EF447D5F51452BF901D22E4CF68E8D2C59C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E00414C2A(void* __ecx) {
    				long _t1;
    				long _t4;
    				long _t10;
    				void* _t11;
    
    				_t1 =  *0x437df8; // 0x2
    				_t11 = __ecx;
    				_t10 = 2;
    				if(_t1 != _t10) {
    					__eflags = _t1;
    					if(_t1 != 0) {
    						while(1) {
    							L7:
    							__eflags =  *0x437df8 - 1;
    							if( *0x437df8 != 1) {
    								break;
    							}
    							Sleep(1);
    						}
    						__eflags =  *0x437df8 - _t10; // 0x2
    						if(__eflags != 0) {
    							L12:
    							return _t11;
    						}
    						L10:
    						_push(0x437de0);
    						L11:
    						 *0x4271f4();
    						goto L12;
    					}
    					_t4 = InterlockedExchange(0x437df8, 1);
    					__eflags = _t4;
    					if(__eflags != 0) {
    						__eflags = _t4 - _t10;
    						if(_t4 == _t10) {
    							 *0x437df8 = _t10;
    						}
    						goto L7;
    					}
    					 *0x427210(0x437de0);
    					E0040975E(__eflags, E00414CA8);
    					 *0x437df8 = _t10;
    					goto L10;
    				}
    				_push(0x437de0);
    				goto L11;
    			}

    APIs
    • InterlockedExchange.KERNEL32(00437DF8,00000001), ref: 00414C52
    • RtlInitializeCriticalSection.NTDLL(00437DE0), ref: 00414C5D
    • RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$EnterExchangeInitializeInterlocked
    • String ID: }C
    • API String ID: 3643093385-2440397581
    • Opcode ID: 0594ad4f06ba62a8bc70d3b2cd4a4a4ecdc2ed25592a3df156adf3db05451c7a
    • Instruction ID: fccdb47257235cd1417484cf7a2554efff0c808eea1ab200fff3aa0ac606b65f
    • Opcode Fuzzy Hash: 0594ad4f06ba62a8bc70d3b2cd4a4a4ecdc2ed25592a3df156adf3db05451c7a
    • Instruction Fuzzy Hash: 58F0F4B038D201ABD6314B91BD85BB63259EFC43A1F331037F196C1250F26848D193DE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0040B635(void* _a4, long _a8) {
    				signed int _v8;
    				intOrPtr _v20;
    				long _v36;
    				void* _v40;
    				intOrPtr _v44;
    				char _v48;
    				long _v52;
    				long _v56;
    				char _v60;
    				intOrPtr _t56;
    				void* _t57;
    				long _t58;
    				long _t59;
    				long _t63;
    				long _t66;
    				long _t68;
    				long _t71;
    				long _t72;
    				long _t74;
    				long _t78;
    				intOrPtr _t80;
    				void* _t83;
    				long _t85;
    				long _t88;
    				void* _t89;
    				long _t91;
    				intOrPtr _t93;
    				void* _t97;
    				void* _t104;
    				long _t113;
    				long _t116;
    				intOrPtr _t122;
    				void* _t123;
    
    				_push(0xffffffff);
    				_push(0x4298b8);
    				_push(E0040D240);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t122;
    				_t123 = _t122 - 0x28;
    				_t97 = _a4;
    				_t113 = 0;
    				if(_t97 != 0) {
    					_t116 = _a8;
    					__eflags = _t116;
    					if(_t116 != 0) {
    						_t56 =  *0x438eac;
    						__eflags = _t56 - 3;
    						if(_t56 != 3) {
    							__eflags = _t56 - 2;
    							if(_t56 != 2) {
    								while(1) {
    									_t57 = 0;
    									__eflags = _t116 - 0xffffffe0;
    									if(_t116 <= 0xffffffe0) {
    										__eflags = _t116 - _t113;
    										if(_t116 == _t113) {
    											_t116 = 1;
    										}
    										_t116 = _t116 + 0x0000000f & 0xfffffff0;
    										__eflags = _t116;
    										_t57 = RtlReAllocateHeap( *0x438ea8, _t113, _t97, _t116);
    									}
    									__eflags = _t57 - _t113;
    									if(_t57 != _t113) {
    										goto L64;
    									}
    									__eflags =  *0x437854 - _t113; // 0x0
    									if(__eflags == 0) {
    										goto L64;
    									}
    									_t58 = E0040EA21(_t116);
    									__eflags = _t58;
    									if(_t58 != 0) {
    										continue;
    									}
    									goto L63;
    								}
    								goto L64;
    							}
    							__eflags = _t116 - 0xffffffe0;
    							if(_t116 <= 0xffffffe0) {
    								__eflags = _t116;
    								if(_t116 <= 0) {
    									_t116 = 0x10;
    								} else {
    									_t116 = _t116 + 0x0000000f & 0xfffffff0;
    								}
    								_a8 = _t116;
    							}
    							while(1) {
    								_v40 = _t113;
    								__eflags = _t116 - 0xffffffe0;
    								if(_t116 <= 0xffffffe0) {
    									E0040D4CD(9);
    									_pop(_t104);
    									_v8 = 1;
    									_t63 = E0040E473(_t97,  &_v60,  &_v48);
    									_t123 = _t123 + 0xc;
    									_t113 = _t63;
    									_v52 = _t113;
    									__eflags = _t113;
    									if(_t113 == 0) {
    										_v40 = RtlReAllocateHeap( *0x438ea8, 0, _t97, _t116);
    									} else {
    										__eflags = _t116 -  *0x4345b4; // 0x1e0
    										if(__eflags < 0) {
    											_t100 = _t116 >> 4;
    											_t71 = E0040E83B(_t104, _v60, _v48, _t113, _t116 >> 4);
    											_t123 = _t123 + 0x10;
    											__eflags = _t71;
    											if(_t71 == 0) {
    												_t72 = E0040E50F(_t104, _t100);
    												_v40 = _t72;
    												__eflags = _t72;
    												if(_t72 != 0) {
    													_t74 = ( *_t113 & 0x000000ff) << 4;
    													_v56 = _t74;
    													__eflags = _t74 - _t116;
    													if(_t74 >= _t116) {
    														_t74 = _t116;
    													}
    													E00409C80(_v40, _a4, _t74);
    													E0040E4CA(_v60, _v48, _t113);
    													_t123 = _t123 + 0x18;
    												}
    											} else {
    												_v40 = _a4;
    											}
    											_t97 = _a4;
    										}
    										__eflags = _v40;
    										if(_v40 == 0) {
    											_t66 = RtlAllocateHeap( *0x438ea8, 0, _t116);
    											_v40 = _t66;
    											__eflags = _t66;
    											if(_t66 != 0) {
    												_t68 = ( *_t113 & 0x000000ff) << 4;
    												_v56 = _t68;
    												__eflags = _t68 - _t116;
    												if(_t68 >= _t116) {
    													_t68 = _t116;
    												}
    												E00409C80(_v40, _t97, _t68);
    												E0040E4CA(_v60, _v48, _t113);
    												_t123 = _t123 + 0x18;
    											}
    										}
    									}
    									_t51 =  &_v8;
    									 *_t51 = _v8 | 0xffffffff;
    									__eflags =  *_t51;
    									E0040B90E();
    								}
    								_t57 = _v40;
    								__eflags = _t57 - _t113;
    								if(_t57 != _t113) {
    									goto L64;
    								}
    								__eflags =  *0x437854 - _t113; // 0x0
    								if(__eflags == 0) {
    									goto L64;
    								}
    								_t59 = E0040EA21(_t116);
    								__eflags = _t59;
    								if(_t59 != 0) {
    									continue;
    								}
    								goto L63;
    							}
    							goto L64;
    						} else {
    							goto L5;
    						}
    						do {
    							L5:
    							_v40 = _t113;
    							__eflags = _t116 - 0xffffffe0;
    							if(_t116 > 0xffffffe0) {
    								L25:
    								_t57 = _v40;
    								__eflags = _t57 - _t113;
    								if(_t57 != _t113) {
    									goto L64;
    								}
    								__eflags =  *0x437854 - _t113; // 0x0
    								if(__eflags == 0) {
    									goto L64;
    								}
    								goto L27;
    							}
    							E0040D4CD(9);
    							_v8 = _t113;
    							_t80 = E0040D718(_t97);
    							_v44 = _t80;
    							__eflags = _t80 - _t113;
    							if(_t80 == _t113) {
    								L21:
    								_v8 = _v8 | 0xffffffff;
    								E0040B7C0();
    								__eflags = _v44 - _t113;
    								if(_v44 == _t113) {
    									__eflags = _t116 - _t113;
    									if(_t116 == _t113) {
    										_t116 = 1;
    									}
    									_t116 = _t116 + 0x0000000f & 0xfffffff0;
    									__eflags = _t116;
    									_a8 = _t116;
    									_v40 = RtlReAllocateHeap( *0x438ea8, _t113, _t97, _t116);
    								}
    								goto L25;
    							}
    							__eflags = _t116 -  *0x438ea4;
    							if(_t116 <=  *0x438ea4) {
    								_push(_t116);
    								_push(_t97);
    								_push(_t80);
    								_t88 = E0040DF21();
    								_t123 = _t123 + 0xc;
    								__eflags = _t88;
    								if(_t88 == 0) {
    									_push(_t116);
    									_t89 = E0040DA6C();
    									_v40 = _t89;
    									__eflags = _t89 - _t113;
    									if(_t89 != _t113) {
    										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
    										_v36 = _t91;
    										__eflags = _t91 - _t116;
    										if(_t91 >= _t116) {
    											_t91 = _t116;
    										}
    										E00409C80(_v40, _t97, _t91);
    										_t93 = E0040D718(_t97);
    										_v44 = _t93;
    										_push(_t97);
    										_push(_t93);
    										E0040D743();
    										_t123 = _t123 + 0x18;
    									}
    								} else {
    									_v40 = _t97;
    								}
    							}
    							__eflags = _v40 - _t113;
    							if(_v40 == _t113) {
    								__eflags = _t116 - _t113;
    								if(_t116 == _t113) {
    									_t116 = 1;
    									_a8 = _t116;
    								}
    								_t116 = _t116 + 0x0000000f & 0xfffffff0;
    								_a8 = _t116;
    								_t83 = RtlAllocateHeap( *0x438ea8, _t113, _t116);
    								_v40 = _t83;
    								__eflags = _t83 - _t113;
    								if(_t83 != _t113) {
    									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
    									_v36 = _t85;
    									__eflags = _t85 - _t116;
    									if(_t85 >= _t116) {
    										_t85 = _t116;
    									}
    									E00409C80(_v40, _t97, _t85);
    									_push(_t97);
    									_push(_v44);
    									E0040D743();
    									_t123 = _t123 + 0x14;
    								}
    							}
    							goto L21;
    							L27:
    							_t78 = E0040EA21(_t116);
    							__eflags = _t78;
    						} while (_t78 != 0);
    						goto L63;
    					} else {
    						E0040A5D6(_t97);
    						L63:
    						_t57 = 0;
    						__eflags = 0;
    						goto L64;
    					}
    				} else {
    					_t57 = E0040A76C(_a8);
    					L64:
    					 *[fs:0x0] = _v20;
    					return _t57;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0214cfaeb0b1b1bb6a297c0385385adfd36da81b9b333fb666ba71f4908cae7f
    • Instruction ID: a4a45cb08c70de79c59741501c480938c708ce91236aea01ddcab43b872794f9
    • Opcode Fuzzy Hash: 0214cfaeb0b1b1bb6a297c0385385adfd36da81b9b333fb666ba71f4908cae7f
    • Instruction Fuzzy Hash: 0E91F772D01214ABCB21AB698C41ADFBBB8EB44764F24463BF854B72D1D7394D408BEC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 23%
    			E00402300() {
    				intOrPtr* _t130;
    				intOrPtr _t136;
    				int _t137;
    				short* _t138;
    				int* _t139;
    				int _t141;
    				int _t162;
    				int _t163;
    				intOrPtr _t167;
    				int _t168;
    				int _t172;
    				int _t174;
    				int _t175;
    				void* _t176;
    				int* _t179;
    				void* _t195;
    				intOrPtr _t199;
    				short _t200;
    				int _t207;
    				struct tagRECT _t210;
    				int* _t211;
    				signed int _t215;
    				int* _t219;
    				int* _t220;
    				void* _t221;
    
    				E00409B78(0x4257f5, _t221);
    				_t207 =  *(_t221 + 0x14);
    				_t172 = 0;
    				_t130 = _t207 + 0x12;
    				 *((intOrPtr*)(_t221 - 0x18)) = _t130;
    				if( *(_t221 + 0x10) != 0) {
    					 *(_t221 - 0x64) =  *((intOrPtr*)(_t207 + 8));
    					 *((intOrPtr*)(_t221 - 0x60)) =  *((intOrPtr*)(_t207 + 4));
    					 *((short*)(_t221 - 0x5c)) =  *((intOrPtr*)(_t207 + 0xc));
    					 *((short*)(_t221 - 0x5a)) =  *((intOrPtr*)(_t207 + 0xe));
    					 *((short*)(_t221 - 0x56)) =  *_t130;
    					_t199 = _t207 + 0x18;
    					 *((short*)(_t221 - 0x58)) =  *(_t207 + 0x10);
    					 *((short*)(_t221 - 0x54)) =  *((intOrPtr*)(_t207 + 0x14));
    					_t207 = _t221 - 0x64;
    					 *((intOrPtr*)(_t221 - 0x18)) = _t199;
    				}
    				_t200 =  *((short*)(_t207 + 0xa));
    				_t210 =  *((short*)(_t207 + 8));
    				 *((intOrPtr*)(_t221 - 0x34)) =  *((short*)(_t207 + 0xe)) + _t200;
    				 *(_t221 - 0x40) = _t210;
    				 *((intOrPtr*)(_t221 - 0x3c)) = _t200;
    				 *((intOrPtr*)(_t221 - 0x38)) =  *((short*)(_t207 + 0xc)) + _t210;
    				MapDialogRect( *( *((intOrPtr*)(_t221 + 8)) + 0x1c), _t221 - 0x40);
    				_t211 =  *(_t221 + 0x1c);
    				 *(_t221 + 0x10) = _t172;
    				if( *((intOrPtr*)(_t221 + 0x20)) >= 4) {
    					_t175 =  *_t211;
    					 *((intOrPtr*)(_t221 + 0x20)) =  *((intOrPtr*)(_t221 + 0x20)) - 4;
    					_t211 =  &(_t211[1]);
    					if(_t175 > 0) {
    						_t168 =  *0x4272a8(_t211, _t175);
    						_t176 = _t175 + _t175;
    						 *(_t221 + 0x10) = _t168;
    						_t211 = _t211 + _t176;
    						 *((intOrPtr*)(_t221 + 0x20)) =  *((intOrPtr*)(_t221 + 0x20)) - _t176;
    					}
    					_t172 = 0;
    				}
    				_t136 =  *0x431458; // 0x43146c
    				 *(_t221 - 0x14) = _t172;
    				 *((intOrPtr*)(_t221 - 0x10)) = _t136;
    				 *(_t221 - 4) = _t172;
    				 *(_t221 - 0x1c) = _t172;
    				 *(_t221 - 0x20) = _t172;
    				 *(_t221 - 0x24) = _t172;
    				if( *((short*)(_t221 + 0x18)) == 0x37a ||  *((short*)(_t221 + 0x18)) == 0x37b) {
    					_t137 =  *_t211;
    					_t211 =  &(_t211[3]);
    					 *(_t221 - 0x2c) = _t137;
    					_t48 = _t137 - 0xc; // 0x431460
    					_t179 = _t48;
    					 *(_t221 + 0x1c) = _t179;
    					if(_t179 > _t172) {
    						do {
    							_t162 =  *_t211;
    							_t174 = _t211[1];
    							 *(_t221 + 0x1c) =  *(_t221 + 0x1c) - 6;
    							 *(_t221 - 0x28) = _t162;
    							_t211 =  &(_t211[1]);
    							if(_t162 != 0x80010001) {
    								0x41b0e0(0x1c);
    								 *(_t221 - 0x30) = _t162;
    								 *(_t221 - 4) = 1;
    								if(_t162 == 0) {
    									_t163 = 0;
    								} else {
    									_t163 = E0040823D(_t162,  *(_t221 - 0x14),  *(_t221 - 0x28), _t174);
    								}
    								 *(_t221 - 4) =  *(_t221 - 4) & 0x00000000;
    								 *(_t221 - 0x14) = _t163;
    							} else {
    								_t219 =  &(_t211[1]);
    								 *(_t221 - 0x20) =  *_t211;
    								_t220 =  &(_t219[3]);
    								 *(_t221 - 0x24) =  *_t219;
    								0x41bd6d(_t220);
    								_t195 = 0xffffffef;
    								 *(_t221 - 0x1c) = _t174;
    								_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t221 - 0x10)) - 8));
    								 *(_t221 + 0x1c) =  *(_t221 + 0x1c) + _t195 - _t167;
    								_t211 = _t220 + _t167 + 1;
    							}
    						} while ( *(_t221 + 0x1c) > 0);
    						_t137 =  *(_t221 - 0x2c);
    						_t172 = 0;
    					}
    					 *((intOrPtr*)(_t221 + 0x20)) =  *((intOrPtr*)(_t221 + 0x20)) - _t137;
    					 *((intOrPtr*)(_t221 + 0x18)) =  *((intOrPtr*)(_t221 + 0x18)) + 0xfffc;
    				}
    				_t138 =  *((intOrPtr*)(_t221 - 0x18));
    				_push(_t221 - 0x50);
    				_push(_t138);
    				if( *_t138 != 0x7b) {
    					_t139 =  *0x42750c();
    				} else {
    					_t139 =  *0x427508();
    				}
    				 *(_t221 + 0x1c) = _t139;
    				0x421727(_t211,  *((intOrPtr*)(_t221 + 0x20)), _t172);
    				 *(_t221 - 4) = 2;
    				asm("sbb esi, esi");
    				 *(_t221 + 0x14) = _t172;
    				_t215 =  ~( *((intOrPtr*)(_t221 + 0x18)) - 0x378) & _t221 - 0x0000008c;
    				if( *(_t221 + 0x1c) >= _t172 && E00402F18( *((intOrPtr*)(_t221 + 8))) != 0 && E00403126( *((intOrPtr*)( *((intOrPtr*)(_t221 + 8)) + 0x34)), _t172, _t221 - 0x50, _t172,  *_t207, _t221 - 0x40,  *(_t207 + 0x10) & 0x0000ffff, _t215, 0 |  *((short*)(_t221 + 0x18)) == 0x00000377,  *(_t221 + 0x10), _t221 + 0x14) != 0) {
    					E00404B50( *(_t221 + 0x14), 1);
    					SetWindowPos( *( *(_t221 + 0x14) + 0x20),  *(_t221 + 0xc), _t172, _t172, _t172, _t172, 0x13);
    					 *( *(_t221 + 0x14) + 0x8c) =  *(_t221 - 0x14);
    					0x41bd1d(_t221 - 0x10);
    					 *((short*)( *(_t221 + 0x14) + 0x90)) =  *(_t221 - 0x1c);
    					 *( *(_t221 + 0x14) + 0x94) =  *(_t221 - 0x20);
    					 *( *(_t221 + 0x14) + 0x98) =  *(_t221 - 0x24);
    				}
    				if( *(_t221 + 0x10) != _t172) {
    					 *0x4272ac( *(_t221 + 0x10));
    				}
    				_t141 =  *(_t221 + 0x14);
    				if(_t141 != _t172) {
    					_t172 =  *(_t141 + 0x20);
    				}
    				 *(_t221 - 4) =  *(_t221 - 4) & 0x00000000;
    				0x421763();
    				 *(_t221 - 4) =  *(_t221 - 4) | 0xffffffff;
    				0x41bc28();
    				 *[fs:0x0] =  *((intOrPtr*)(_t221 - 0xc));
    				return _t172;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00402305
    • MapDialogRect.USER32(?,?), ref: 0040238B
    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004023AC
    • SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,?,0000FC84,00000000), ref: 0040253B
    • SysFreeString.OLEAUT32(?), ref: 0040258E
    Similarity
    • API ID: String$AllocDialogFreeH_prologRectWindow
    • String ID:
    • API String ID: 2318429568-0
    • Opcode ID: 73107e38fcb8fd2bf1b7b72da537ca338ab676e4c8c6debe39b37d632fc5160d
    • Instruction ID: a54f0551ac6f29be9b3f9c6e59dd52f80b5c76c62cec33316bbfbd5fa31075ed
    • Opcode Fuzzy Hash: 73107e38fcb8fd2bf1b7b72da537ca338ab676e4c8c6debe39b37d632fc5160d
    • Instruction Fuzzy Hash: 31A12A7190021ADFCB14DFA5D984AEEBBB4FF08304F14413EE815A7390E7789A55CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00424861
    • lstrlen.KERNEL32(?,?,00000000), ref: 0042488C
      • Part of subcall function 004245DD: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 004246A8
      • Part of subcall function 004245DD: SysFreeString.OLEAUT32(00000000), ref: 004246D5
    • VariantClear.OLEAUT32(0000000C), ref: 004249C9
    Similarity
    • API ID: Variant$ChangeClearFreeH_prologStringTypelstrlen
    • String ID:
    • API String ID: 2273458292-0
    • Opcode ID: 17890d6af9ad7171e218131e490ab6bccee9de03ec0ccbc81af6d760628dcb9e
    • Instruction ID: 50df2d7cbbca7ac2aac3b0eef6bc84963352aa9b33a0c8be08dd75e1070d4f92
    • Opcode Fuzzy Hash: 17890d6af9ad7171e218131e490ab6bccee9de03ec0ccbc81af6d760628dcb9e
    • Instruction Fuzzy Hash: 1D71D471A0022ADFCB10DFA5E884AAFBBB4EF84350F54806AF8059B251D738D941DB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0040CEA9() {
    				void** _v8;
    				struct _STARTUPINFOA _v76;
    				signed int* _t48;
    				signed int _t50;
    				long _t55;
    				signed int _t57;
    				signed int _t58;
    				int* _t59;
    				signed char _t63;
    				void** _t67;
    				signed int* _t69;
    				signed int _t72;
    				int* _t73;
    				signed int* _t75;
    				void* _t76;
    				signed int* _t84;
    				void* _t87;
    				int _t88;
    				signed int* _t89;
    				void** _t90;
    				signed int _t91;
    				signed int** _t92;
    
    				_t89 = E0040A76C(0x480);
    				if(_t89 == 0) {
    					E0040A3FD(0x1b);
    				}
    				 *0x438ec0 = _t89;
    				 *0x438fc0 = 0x20;
    				_t1 =  &(_t89[0x120]); // 0x480
    				_t48 = _t1;
    				while(_t89 < _t48) {
    					_t89[1] = _t89[1] & 0x00000000;
    					 *_t89 =  *_t89 | 0xffffffff;
    					_t89[2] = _t89[2] & 0x00000000;
    					_t89[1] = 0xa;
    					_t89 =  &(_t89[9]);
    					_t48 =  &(( *0x438ec0)[0x120]);
    				}
    				GetStartupInfoA( &_v76);
    				if(_v76.cbReserved2 == 0) {
    					L25:
    					_t72 = 0;
    					do {
    						_t75 =  *0x438ec0;
    						_t50 = _t72 + _t72 * 8;
    						_t90 =  &(_t75[_t50]);
    						if(_t75[_t50] != 0xffffffff) {
    							_t90[1] = _t90[1] | 0x00000080;
    							goto L37;
    						}
    						_t90[1] = 0x81;
    						if(_t72 != 0) {
    							asm("sbb eax, eax");
    							_t55 =  ~(_t72 - 1) + 0xfffffff5;
    						} else {
    							_t55 = 0xfffffff6;
    						}
    						_t87 = GetStdHandle(_t55);
    						if(_t87 == 0xffffffff) {
    							L33:
    							_t90[1] = _t90[1] | 0x00000040;
    						} else {
    							_t57 = GetFileType(_t87);
    							if(_t57 == 0) {
    								goto L33;
    							}
    							_t58 = _t57 & 0x000000ff;
    							 *_t90 = _t87;
    							if(_t58 != 2) {
    								if(_t58 == 3) {
    									_t90[1] = _t90[1] | 0x00000008;
    								}
    								goto L37;
    							}
    							goto L33;
    						}
    						L37:
    						_t72 = _t72 + 1;
    					} while (_t72 < 3);
    					return SetHandleCount( *0x438fc0);
    				}
    				_t59 = _v76.lpReserved2;
    				if(_t59 == 0) {
    					goto L25;
    				}
    				_t88 =  *_t59;
    				_t73 =  &(_t59[1]);
    				_v8 = _t73 + _t88;
    				if(_t88 >= 0x800) {
    					_t88 = 0x800;
    				}
    				if( *0x438fc0 >= _t88) {
    					L18:
    					_t91 = 0;
    					if(_t88 <= 0) {
    						goto L25;
    					} else {
    						goto L19;
    					}
    					do {
    						L19:
    						_t76 =  *_v8;
    						if(_t76 != 0xffffffff) {
    							_t63 =  *_t73;
    							if((_t63 & 0x00000001) != 0 && ((_t63 & 0x00000008) != 0 || GetFileType(_t76) != 0)) {
    								_t67 =  &(0x438ec0[_t91 >> 5][(_t91 & 0x0000001f) + (_t91 & 0x0000001f) * 8]);
    								 *_t67 =  *_v8;
    								_t67[1] =  *_t73;
    							}
    						}
    						_v8 =  &(_v8[1]);
    						_t91 = _t91 + 1;
    						_t73 =  &(_t73[0]);
    					} while (_t91 < _t88);
    					goto L25;
    				} else {
    					_t92 = 0x438ec4;
    					while(1) {
    						_t69 = E0040A76C(0x480);
    						if(_t69 == 0) {
    							break;
    						}
    						 *0x438fc0 =  *0x438fc0 + 0x20;
    						 *_t92 = _t69;
    						_t13 =  &(_t69[0x120]); // 0x480
    						_t84 = _t13;
    						while(_t69 < _t84) {
    							_t69[1] = _t69[1] & 0x00000000;
    							 *_t69 =  *_t69 | 0xffffffff;
    							_t69[2] = _t69[2] & 0x00000000;
    							_t69[1] = 0xa;
    							_t69 =  &(_t69[9]);
    							_t84 =  &(( *_t92)[0x120]);
    						}
    						_t92 =  &(_t92[1]);
    						if( *0x438fc0 < _t88) {
    							continue;
    						}
    						goto L18;
    					}
    					_t88 =  *0x438fc0;
    					goto L18;
    				}
    			}

    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 0040CF07
    • GetFileType.KERNEL32(?,?,00000000), ref: 0040CFB2
    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0040D015
    • GetFileType.KERNEL32(00000000,?,00000000), ref: 0040D023
    • SetHandleCount.KERNEL32 ref: 0040D05A
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID:
    • API String ID: 1710529072-0
    • Opcode ID: a0d59acae03d32c7dd5fefd1454de300ee26b0e9f425a8684b735c552a26c3d1
    • Instruction ID: f241e3ae5b314aa26e923e9ce79423c37ce5c578bd983baa0d98ed8d915dea24
    • Opcode Fuzzy Hash: a0d59acae03d32c7dd5fefd1454de300ee26b0e9f425a8684b735c552a26c3d1
    • Instruction Fuzzy Hash: F551F971904302CFC720CB68C884B6A7BA2FB51329F24477EE556E72E1DB78C906C75A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 35%
    			E0040328C(void* __ecx, void* __edx) {
    				signed int _t64;
    				void* _t76;
    
    				E00409B78(0x425b40, _t76);
    				_t64 =  *((intOrPtr*)(_t76 + 0xc)) + 0x2cc;
    				if(_t64 > 0xf) {
    					L23:
    				} else {
    					switch( *((intOrPtr*)(_t64 * 4 +  &M00403454))) {
    						case 0:
    							__esi =  *(__ebp + 0x10);
    							__edi = 0;
    							 *__esi = 2;
    							__eflags =  *0x4375c4 - __edi; // 0x1
    							if(__eflags != 0) {
    								L7:
    								 *(__esi + 8) = 1;
    							} else {
    								0x4234b2();
    								__eflags =  *(__eax + 0x20);
    								if( *(__eax + 0x20) != 0) {
    									goto L7;
    								} else {
    									 *(__esi + 8) = __di;
    								}
    							}
    							goto L22;
    						case 1:
    							_t66 =  *((intOrPtr*)(_t76 + 0x10));
    							 *(_t66 + 8) =  *(_t66 + 8) | 0x0000ffff;
    							 *_t66 = 0xb;
    							goto L22;
    						case 2:
    							__esi =  *(__ebp + 0x10);
    							__ecx =  *(__ebp + 8);
    							 *__esi = 0xb;
    							E0040475E( *(__ebp + 8)) =  ~__eax;
    							asm("sbb eax, eax");
    							 *(__esi + 8) = __ax;
    							goto L22;
    						case 3:
    							__eax =  *(__ebp + 0x10);
    							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
    							 *__eax = 0xb;
    							goto L22;
    						case 4:
    							goto L23;
    						case 5:
    							__eax =  *0x431458;
    							 *(__ebp + 0xc) = __eax;
    							_push(0xf1c0);
    							__ecx = __ebp + 0xc;
    							 *(__ebp - 4) = 1;
    							0x41ed1e();
    							__esi =  *(__ebp + 0x10);
    							__ecx = __ebp + 0xc;
    							 *__esi = 8;
    							0x424551();
    							_t57 = __ebp - 4;
    							 *_t57 =  *(__ebp - 4) | 0xffffffff;
    							__eflags =  *_t57;
    							 *(__esi + 8) = __eax;
    							__ecx = __ebp + 0xc;
    							goto L21;
    						case 6:
    							__esi =  *(__ebp + 0x10);
    							 *__esi = 3;
    							 *(__esi + 8) = GetThreadLocale();
    							goto L22;
    						case 7:
    							__eflags =  *(__esi + 0x3c) - 0xffffffff;
    							if( *(__esi + 0x3c) == 0xffffffff) {
    								_push( *(__esi + 0x1c));
    								__ecx = __ebp - 0x20;
    								0x42097f();
    								__eax =  *(__esi + 0x1c);
    								 *( *(__esi + 0x1c) + 0x1c) = SendMessageA( *( *(__esi + 0x1c) + 0x1c), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x1c) + 0x1c));
    								 *(__esi + 0x3c) = GetBkColor( *(__ebp - 0x18));
    								__eax = GetTextColor( *(__ebp - 0x18));
    								__ecx = __ebp - 0x20;
    								 *(__esi + 0x40) = __eax;
    								0x4209f1();
    							}
    							__eax =  *(__ebp + 0x10);
    							__eflags = __edi - 0xfffffd43;
    							 *__eax = 3;
    							if(__edi != 0xfffffd43) {
    								__esi =  *(__esi + 0x40);
    							} else {
    								__esi =  *(__esi + 0x3c);
    							}
    							 *(__eax + 8) = __esi;
    							goto L22;
    						case 8:
    							__edi = 0;
    							__eflags =  *(__esi + 0x44);
    							if( *(__esi + 0x44) != 0) {
    								L16:
    								__edi =  *(__ebp + 0x10);
    								 *__edi = 9;
    								__eax =  *(__esi + 0x44);
    								_push(__eax);
    								__ecx =  *__eax;
    								__eax =  *(__esi + 0x44);
    								 *(__edi + 8) =  *(__esi + 0x44);
    								goto L22;
    							} else {
    								__ecx =  *(__esi + 0x1c);
    								__eax = E00403C1B( *(__esi + 0x1c));
    								__ecx = __esi;
    								__eax = E00403494(__esi, __eax);
    								__eflags =  *(__esi + 0x44);
    								if( *(__esi + 0x44) == 0) {
    									goto L23;
    								} else {
    									goto L16;
    								}
    							}
    							goto L24;
    						case 9:
    							__eax =  *0x431458;
    							 *(__ebp + 8) = __eax;
    							__esi =  *(__ebp + 0x10);
    							 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
    							__ecx = __ebp + 8;
    							 *__esi = 8;
    							0x424551();
    							 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
    							 *(__esi + 8) = __eax;
    							__ecx = __ebp + 8;
    							L21:
    							0x41bc28();
    							L22:
    							_push(1);
    							_pop(0);
    							goto L24;
    					}
    				}
    				L24:
    				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
    				return 0;
    			}

    Similarity
    • API ID: Color$H_prologLocaleMessageSendTextThread
    • String ID:
    • API String ID: 741590120-0
    • Opcode ID: b22a98f788cdb3dd9cbf4bb62c82e8364f401a87eea4fc59e8aeff79984c55ad
    • Instruction ID: 5f290abe0212ad2045f840c782f41af89a1069c44c8ade3987edaf54377c7826
    • Opcode Fuzzy Hash: b22a98f788cdb3dd9cbf4bb62c82e8364f401a87eea4fc59e8aeff79984c55ad
    • Instruction Fuzzy Hash: 9751E431900706DFCB21DF25D84059ABBF4FF04311B60856FF866AB7A0D778AA81CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040E217() {
    				void* _t25;
    				intOrPtr* _t28;
    				void* _t42;
    				void* _t43;
    				void* _t45;
    				void* _t55;
    
    				if( *0x4325a0 != 0xffffffff) {
    					_t43 = RtlAllocateHeap( *0x438ea8, 0, 0x2020);
    					if(_t43 == 0) {
    						goto L20;
    					}
    					goto L3;
    				} else {
    					_t43 = 0x432590;
    					L3:
    					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
    					if(_t42 == 0) {
    						L18:
    						if(_t43 != 0x432590) {
    							HeapFree( *0x438ea8, 0, _t43);
    						}
    						L20:
    						return 0;
    					}
    					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
    						VirtualFree(_t42, 0, 0x8000);
    						goto L18;
    					}
    					if(_t43 != 0x432590) {
    						 *_t43 = 0x432590;
    						_t25 =  *0x432594; // 0x432590
    						 *(_t43 + 4) = _t25;
    						 *0x432594 = _t43;
    						 *( *(_t43 + 4)) = _t43;
    					} else {
    						if( *0x432590 == 0) {
    							 *0x432590 = 0x432590;
    						}
    						if( *0x432594 == 0) {
    							 *0x432594 = 0x432590;
    						}
    					}
    					_t3 = _t42 + 0x400000; // 0x400000
    					_t4 = _t43 + 0x98; // 0x98
    					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
    					_t6 = _t43 + 0x18; // 0x18
    					_t28 = _t6;
    					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
    					 *(_t43 + 0x10) = _t42;
    					 *((intOrPtr*)(_t43 + 8)) = _t28;
    					_t45 = 0;
    					do {
    						_t55 = _t45 - 0x10;
    						_t45 = _t45 + 1;
    						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
    						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
    						_t28 = _t28 + 8;
    					} while (_t45 < 0x400);
    					E00409C20(_t42, 0, 0x10000);
    					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
    						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
    						_t16 = _t42 + 8; // -4088
    						 *_t42 = _t16;
    						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
    						_t42 = _t42 + 0x1000;
    					}
    					return _t43;
    				}
    			}










    APIs
    • RtlAllocateHeap.NTDLL(00000000,00002020,00432590), ref: 0040E238
    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0040E6E3,00000000,00000010,00000000,00000009,00000009,?,0040A856,00000010,00000000), ref: 0040E25C
    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0040E6E3,00000000,00000010,00000000,00000009,00000009,?,0040A856,00000010,00000000), ref: 0040E276
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040E6E3,00000000,00000010,00000000,00000009,00000009,?,0040A856,00000010,00000000,?), ref: 0040E337
    • HeapFree.KERNEL32(00000000,00000000,?,?,0040E6E3,00000000,00000010,00000000,00000009,00000009,?,0040A856,00000010,00000000,?,00000000), ref: 0040E34E
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Virtual$AllocFreeHeap$Allocate
    • String ID:
    • API String ID: 3000792370-0
    • Opcode ID: 251cd0a29b172d102364b32ed70e2291b058a7e11410e3c678ccfe7df064c237
    • Instruction ID: 96f6a5e6ce1229e661b1cb6462af4d0817629345f321959dbb7334505033d33a
    • Opcode Fuzzy Hash: 251cd0a29b172d102364b32ed70e2291b058a7e11410e3c678ccfe7df064c237
    • Instruction Fuzzy Hash: C531F072600711AFE3308F25DC42B22BBA4EB48755F10493EE569A73D1E7B8A851CB4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E00415C20(signed int _a8) {
    				intOrPtr _v4;
    				signed int _t30;
    				struct HINSTANCE__* _t31;
    				struct HHOOK__* _t32;
    				signed int _t33;
    				signed int _t35;
    				signed int _t43;
    				signed int _t45;
    				signed int _t47;
    				intOrPtr* _t48;
    				signed int _t49;
    				long _t51;
    				signed int _t53;
    
    				if( *0x439260 >= 0x30a) {
    					__eflags =  *0x439240;
    					if( *0x439240 != 0) {
    						_t53 = _a8 | 0x00000001;
    						__eflags = _t53 & 0x00000002;
    						if((_t53 & 0x00000002) != 0) {
    							_t53 = _t53 & 0xfffffffc;
    							__eflags = _t53;
    						}
    						 *0x4271f4(0x439220);
    						__eflags =  *0x43929c - 0x80;
    						if( *0x43929c == 0x80) {
    							L15:
    							 *0x4271fc(0x439220);
    							__eflags = 0;
    							return 0;
    						} else {
    							_t51 = GetCurrentThreadId();
    							_t30 = 0;
    							__eflags =  *0x43929c - _t30; // 0x0
    							if(__eflags <= 0) {
    								L11:
    								_t31 =  *0x43925c; // 0x0
    								_t32 = SetWindowsHookExA(5, E00416D80, _t31, _t51);
    								__eflags = _t32;
    								if(_t32 == 0) {
    									goto L15;
    								} else {
    									_t49 =  *0x43929c; // 0x0
    									 *((intOrPtr*)((_t49 << 2) + 0x4392a0 + (_t49 << 2) * 4)) = _v4;
    									_t43 =  *0x43929c; // 0x0
    									 *((_t43 << 2) + 0x4392a4 + (_t43 << 2) * 4) = _t51;
    									_t45 =  *0x43929c; // 0x0
    									 *((_t45 << 2) + 0x4392a8 + (_t45 << 2) * 4) = _t32;
    									_t33 =  *0x43929c; // 0x0
    									 *((intOrPtr*)((_t33 << 2) + 0x4392ac + (_t33 << 2) * 4)) = 1;
    									_t35 =  *0x43929c; // 0x0
    									 *((_t35 << 2) + 0x4392b0 + (_t35 << 2) * 4) = _t53;
    									_t47 =  *0x43929c; // 0x0
    									 *0x439294 = _t51;
    									 *0x439298 = _t47;
    									 *0x43929c =  *0x43929c + 1;
    									__eflags =  *0x43929c;
    									goto L13;
    								}
    							} else {
    								_t48 = 0x4392a4;
    								while(1) {
    									__eflags =  *_t48 - _t51;
    									if( *_t48 == _t51) {
    										break;
    									}
    									_t48 = _t48 + 0x14;
    									_t30 = _t30 + 1;
    									__eflags = _t30 -  *0x43929c; // 0x0
    									if(__eflags < 0) {
    										continue;
    									} else {
    										goto L11;
    									}
    									goto L16;
    								}
    								 *((intOrPtr*)((_t30 << 2) + 0x4392ac + _t39 * 4)) =  *((intOrPtr*)((_t30 << 2) + 0x4392ac + _t39 * 4)) + 1;
    								L13:
    								 *0x4271fc(0x439220);
    								return 1;
    							}
    						}
    					} else {
    						__eflags = 0;
    						return 0;
    					}
    				} else {
    					return 0;
    				}
    				L16:
    			}

















    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 244b988c920f851148e18e1882cbe363bd39329c86b6c3fdf7bcaa163aff35ff
    • Instruction ID: f03e06bc0836cf745b7e6834d19c34af4daf12035072becbe844339ace87013e
    • Opcode Fuzzy Hash: 244b988c920f851148e18e1882cbe363bd39329c86b6c3fdf7bcaa163aff35ff
    • Instruction Fuzzy Hash: 7B31BB32615A10EFD724DF18F809AA377A4FB91315B11ADBEE44987261C7F44C96CB1C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetMapMode.GDI32(?,?,?,?,?,?,00403EC3,?,00000000,?,?,?,?,?,?,?), ref: 00421C37
    • GetDeviceCaps.GDI32(?,00000058), ref: 00421C71
    • GetDeviceCaps.GDI32(?,0000005A), ref: 00421C7A
      • Part of subcall function 00420862: GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00420873
      • Part of subcall function 00420862: GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00420880
      • Part of subcall function 00420862: MulDiv.KERNEL32(?,00000000,00000000), ref: 004208A5
      • Part of subcall function 00420862: MulDiv.KERNEL32(00000002,00000000,00000000), ref: 004208C0
    • MulDiv.KERNEL32(?,000009EC,00000060), ref: 00421C9E
    • MulDiv.KERNEL32(00000002,000009EC,?), ref: 00421CA9
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CapsDevice$ModeViewportWindow
    • String ID:
    • API String ID: 2598972148-0
    • Opcode ID: 8f83a95cdb670d1102950b539257e8a816570998ff00102f56a29ec6b6050ecf
    • Instruction ID: 5ff1d7ecbca5809fcff23c2bcd73d217aa1eb2c736d6b0f6eacb559674ca06fe
    • Opcode Fuzzy Hash: 8f83a95cdb670d1102950b539257e8a816570998ff00102f56a29ec6b6050ecf
    • Instruction Fuzzy Hash: 4911ECB6300624EFD721AF56DC44C2EBBE9EF88700B51442AE98187230D775AC028F94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetMapMode.GDI32(?,00000000,?,?,?,?,00403EF7,?,?,?,?,?,?,00000000,00000000), ref: 00421CC5
    • GetDeviceCaps.GDI32(?,00000058), ref: 00421CFF
    • GetDeviceCaps.GDI32(?,0000005A), ref: 00421D08
      • Part of subcall function 004207F9: GetWindowExtEx.GDI32(?,00403EF7,00000000,?,?,?,00403EF7,?,?,?,?,?,?,00000000,00000000), ref: 0042080A
      • Part of subcall function 004207F9: GetViewportExtEx.GDI32(?,?,?,00403EF7,?,?,?,?,?,?,00000000,00000000), ref: 00420817
      • Part of subcall function 004207F9: MulDiv.KERNEL32(00403EF7,00000000,00000000), ref: 0042083C
      • Part of subcall function 004207F9: MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 00420857
    • MulDiv.KERNEL32(00403EF7,00000060,000009EC), ref: 00421D2C
    • MulDiv.KERNEL32(46892C46,?,000009EC), ref: 00421D37
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CapsDevice$ModeViewportWindow
    • String ID:
    • API String ID: 2598972148-0
    • Opcode ID: e2447409f0cbc5efb15b967d56961c47f7009d8eadb1b155ec7f7a0ce1a80f31
    • Instruction ID: 5fd1f2f1e194ac0b11a5f41f2ffad3ee7fdc77011e998a5f72582658924e2ae9
    • Opcode Fuzzy Hash: e2447409f0cbc5efb15b967d56961c47f7009d8eadb1b155ec7f7a0ce1a80f31
    • Instruction Fuzzy Hash: 8D11AC76300614EFDB219F5ADC44C1EBBA9EF98710B51482AE98297330D775AC028F68
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 0041CFE9
    • GetClassInfoA.USER32(?,?,?), ref: 0041D004
    • RegisterClassA.USER32(00000004), ref: 0041D00F
    • lstrcat.KERNEL32(00000034,?), ref: 0041D046
    • lstrcat.KERNEL32(00000034,?), ref: 0041D054
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Classlstrcat$H_prologInfoRegister
    • String ID:
    • API String ID: 106226465-0
    • Opcode ID: f788dd751b69ae0d0571df7077bca9172e18be052f11a47acd13c770a436592a
    • Instruction ID: 84baf38d6dc543f8cec105ec77a38831738f7db8b9bee8e1d398d2827bc4796a
    • Opcode Fuzzy Hash: f788dd751b69ae0d0571df7077bca9172e18be052f11a47acd13c770a436592a
    • Instruction Fuzzy Hash: 2611E571A04214BFCB20AF64AD41ADE7FB8AF04328F00456BF802B7151C7B8D642C669
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • lstrlen.KERNEL32(?), ref: 004093EE
    • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 004093F6
    • lstrlen.KERNEL32(?), ref: 004093FE
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 00409424
    • SysAllocString.OLEAUT32 ref: 0040942B
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AllocByteStringlstrlen$CharMultiWide
    • String ID:
    • API String ID: 1909028937-0
    • Opcode ID: 621371a120cef446170f8ea006a74e40375f6ed95ad6d7e1f0bdc2d4ee943415
    • Instruction ID: 0948bcf59551e95c9a11adac5d9a7d1dfb8d2dd3c01fcfb4431f6d49ddaf5b87
    • Opcode Fuzzy Hash: 621371a120cef446170f8ea006a74e40375f6ed95ad6d7e1f0bdc2d4ee943415
    • Instruction Fuzzy Hash: A1012672609215FBD7206F65EC44AABB7ACEF05365B508172F804D2291D7388C458BF9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040C783() {
    				void _t10;
    				long _t15;
    				void* _t16;
    
    				_t15 = GetLastError();
    				_t16 = TlsGetValue( *0x432380);
    				if(_t16 == 0) {
    					_t16 = E0040E8E4(1, 0x74);
    					if(_t16 == 0 || TlsSetValue( *0x432380, _t16) == 0) {
    						E0040A3FD(0x10);
    					} else {
    						E0040C770(_t16);
    						_t10 = GetCurrentThreadId();
    						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
    						 *_t16 = _t10;
    					}
    				}
    				SetLastError(_t15);
    				return _t16;
    			}







    APIs
    • GetLastError.KERNEL32(00000103,7FFFFFFF,0040BBAE,0040AC11,00000000,?,?,00000000,00000001), ref: 0040C785
    • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0040C793
    • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0040C7DF
      • Part of subcall function 0040E8E4: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0040E9DA
    • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0040C7B7
    • GetCurrentThreadId.KERNEL32 ref: 0040C7C8
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ErrorLastValue$AllocateCurrentHeapThread
    • String ID:
    • API String ID: 2047054392-0
    • Opcode ID: 9679074d963277c10f7a1e92b27076ad0b8be8dae8589826a4e705073d08c1e2
    • Instruction ID: 18388f969feaf5d31cb9cda1e278a454c0e62dbc621f611f745f327e2f38b143
    • Opcode Fuzzy Hash: 9679074d963277c10f7a1e92b27076ad0b8be8dae8589826a4e705073d08c1e2
    • Instruction Fuzzy Hash: 79F09632644313DBC7312B35BC4955A3A61BF017B5F10063BF941EB6E0DF7888529A9D
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • TlsFree.KERNEL32(00000000,?,?,004230AE,00000000,00000001), ref: 00422BAD
    • GlobalHandle.KERNEL32(0071FC60), ref: 00422BD5
    • GlobalUnWire.KERNEL32(00000000), ref: 00422BDE
    • GlobalFree.KERNEL32(00000000), ref: 00422BE5
    • RtlDeleteCriticalSection.NTDLL(004371E4), ref: 00422BEF
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Global$Free$CriticalDeleteHandleSectionWire
    • String ID:
    • API String ID: 1964465133-0
    • Opcode ID: 2664afa86cba773f9bc77ed8a46696a9580fcc2e4465bb69784368102e673446
    • Instruction ID: 24d82048406bc87089594907e21af889b512f1f8174dae1f8e42239488f6a7ad
    • Opcode Fuzzy Hash: 2664afa86cba773f9bc77ed8a46696a9580fcc2e4465bb69784368102e673446
    • Instruction Fuzzy Hash: 53F05435304110ABD6315F29BD48E2B77ADAF95711795059AF811D3360DBA8EC028678
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00412E52
      • Part of subcall function 00414C2A: RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalEnterH_prologSection
    • String ID: !VC$0zC$X{C
    • API String ID: 206681789-1909725824
    • Opcode ID: 37f26e36b3eca1f0964a22b6d18930e60717025c853fb274437077cdf63e9b31
    • Instruction ID: d6cd74567b5fd6783ed18c576210a5c20cd704b8e0de657285160e9ef6f6d09c
    • Opcode Fuzzy Hash: 37f26e36b3eca1f0964a22b6d18930e60717025c853fb274437077cdf63e9b31
    • Instruction Fuzzy Hash: 60417EB0B142159BEB109F59CD51BEEB7F5AB48704F04806BB405EB391C7F9DA809B98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00412E52
      • Part of subcall function 00414C2A: RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalEnterH_prologSection
    • String ID: )VC$0zC$X{C
    • API String ID: 206681789-3407346629
    • Opcode ID: fba676002e2c9b7a42971e90ebfb142561659fbca32e45013d816456befe87f3
    • Instruction ID: 075a26c23e7b8e2272696f0976ba6a4693f31d85ee8d5430bd78dea3b1432b7e
    • Opcode Fuzzy Hash: fba676002e2c9b7a42971e90ebfb142561659fbca32e45013d816456befe87f3
    • Instruction Fuzzy Hash: BD418DB0B142159BEB109F19CD91BEEB6F5AB48704F04416BB405EB381C7F9DE809B98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GlobalFix.KERNEL32 ref: 0041F520
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041F573
    • GlobalUnWire.KERNEL32(?), ref: 0041F60A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Global$ByteCharMultiWideWire
    • String ID: @
    • API String ID: 599868136-2766056989
    • Opcode ID: 54c4a4d188fe7d3d53e77eba91df5c57ac916fb69ce026bb878837edfcc3ea0e
    • Instruction ID: 479d9676086319831dc331637a3f742d612e6bb123bf8ab183a6c734a95d85f3
    • Opcode Fuzzy Hash: 54c4a4d188fe7d3d53e77eba91df5c57ac916fb69ce026bb878837edfcc3ea0e
    • Instruction Fuzzy Hash: 4F41D871900216EBCF10DF54C8419EEBBB9FF40354B14817AE8159B255D7349A87CB98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AtomDeleteGlobal$H_prolog
    • String ID: M B
    • API String ID: 3979803748-2320876447
    • Opcode ID: 4093a5ba77d824293b690010682fd4d26c05b30b664283e4ec8e52f3d20588e7
    • Instruction ID: de5d6bddc3c563fb2499896dc33ef80e0c900ab3932898fcbe2db36d6be7024a
    • Opcode Fuzzy Hash: 4093a5ba77d824293b690010682fd4d26c05b30b664283e4ec8e52f3d20588e7
    • Instruction Fuzzy Hash: B53198307007509FC724AF65E985E6AB7E2BF14304F91447EF16A9B6B2CB749C41CB18
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00421D6C
      • Part of subcall function 004220C1: __EH_prolog.LIBCMT ref: 004220C6
    • GetCurrentThread.KERNEL32 ref: 00421DBA
    • GetCurrentThreadId.KERNEL32 ref: 00421DC3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CurrentH_prologThread
    • String ID: M B
    • API String ID: 2095891121-2320876447
    • Opcode ID: 556437425fedcc9374d286d32a803583dc45c36a45a01e5cf619f273341cde7a
    • Instruction ID: cb2168c1fa5fd3580510ace2cdc648034e7c84986387aa528f5052498a9177db
    • Opcode Fuzzy Hash: 556437425fedcc9374d286d32a803583dc45c36a45a01e5cf619f273341cde7a
    • Instruction Fuzzy Hash: 4521BDB0A05B10DED3209F2AD54579AFBF8FFA4300F50892FE5AA87221CBB46441CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E00414CDB(void* __ecx) {
    				signed int _t22;
    				signed char _t36;
    				void* _t43;
    				void* _t45;
    
    				E00409B78(0x4264c4, _t45);
    				_t22 =  *(_t45 + 8) & 0x00000007;
    				 *(__ecx + 4) = _t22;
    				_t36 =  *(__ecx + 8) & _t22;
    				if(_t36 != 0) {
    					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
    						E0040AA09(0, 0);
    					}
    					if((_t36 & 0x00000004) == 0) {
    						_t43 = 0x42a918;
    						if((_t36 & 0x00000002) == 0) {
    							_t43 = 0x42a908;
    						}
    					} else {
    						_t43 = 0x42a92c;
    					}
    					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
    					E00401AA0(_t45 - 0x1c, 0);
    					_push(E00409BA0(_t43));
    					E00401AD8(_t45 - 0x1c, _t43);
    					_push(_t45 - 0x1c);
    					 *((intOrPtr*)(_t45 - 4)) = 0;
    					E00414D77(_t45 - 0x38);
    					 *((intOrPtr*)(_t45 - 0x38)) = 0x42a8fc;
    					_t22 = E0040AA09(_t45 - 0x38, 0x42eb00);
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
    				return _t22;
    			}








    APIs
    • __EH_prolog.LIBCMT ref: 00414CE0
      • Part of subcall function 0040AA09: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0040A3D5,00000000), ref: 0040AA37
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp Download File
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ExceptionH_prologRaise
    • String ID: ios::badbit set$ios::eofbit set$ios::failbit set
    • API String ID: 3968804221-425934345
    • Opcode ID: 747fb2f344e23f61c76e46aad8ecd66641b509d1294e2fa30aad43265e138f66
    • Instruction ID: 9a9e008263532060e8e88f421907050750ca41310fbd74bf78243b2f24aaaedf
    • Opcode Fuzzy Hash: 747fb2f344e23f61c76e46aad8ecd66641b509d1294e2fa30aad43265e138f66
    • Instruction Fuzzy Hash: 1A11C6B2E011586FCB00EBA1E491EEE77789F00318F54802BF84567282D73C5985CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00414D77(intOrPtr __ecx) {
    				void* _t16;
    				void* _t23;
    				void* _t26;
    				void* _t29;
    
    				E00409B78(0x4264d8, _t29);
    				 *((intOrPtr*)(_t29 - 0x14)) = __ecx;
    				 *((intOrPtr*)(_t29 - 0x10)) = 0x435624;
    				0x41931d(_t29 - 0x10, _t23, _t26, _t16, __ecx, __ecx);
    				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
    				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 8))));
    				E00401AA0(__ecx + 0xc, 0);
    				E0040196C(__ecx + 0xc,  *((intOrPtr*)(_t29 + 8)), 0,  *0x42a7fc);
    				 *((intOrPtr*)(__ecx)) = 0x42a940;
    				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
    				return __ecx;
    			}








    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: $VC$BNA$ios::failbit set
    • API String ID: 3519838083-1439594045
    • Opcode ID: 8f99ee56b72a86a1a1df9311d4bd7e1d35cf2f7c8e4f51c0da4925d3424f8b22
    • Instruction ID: 4a239c8b556dced99dba716248727a6f3ffd2296d299392ec59214233ece3eac
    • Opcode Fuzzy Hash: 8f99ee56b72a86a1a1df9311d4bd7e1d35cf2f7c8e4f51c0da4925d3424f8b22
    • Instruction Fuzzy Hash: 5FF06DB2B00215AFC7009B55D856BAEF7B8EB84714F40442FB551A7291C7B86904CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00420BDD
    • GetClassNameA.USER32(00000000,?,0000000A), ref: 00420BF8
    • lstrcmpi.KERNEL32(?,combobox), ref: 00420C07
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ClassLongNameWindowlstrcmpi
    • String ID: combobox
    • API String ID: 2054663530-2240613097
    • Opcode ID: 1cfa7defed25330820ab914544ba2d74895aaaf2a7ea92f51cbd885846273a67
    • Instruction ID: f789e31afab7ec3cd41f96cc661b3f33e734748eb253288709d80eed1e767ec2
    • Opcode Fuzzy Hash: 1cfa7defed25330820ab914544ba2d74895aaaf2a7ea92f51cbd885846273a67
    • Instruction Fuzzy Hash: 45E06531758119BBCF216F60DC4AE5E7FB8A700305F908621B512D51A1D634E656CA59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlDeleteCriticalSection.NTDLL(004373B0), ref: 0042326B
    • RtlDeleteCriticalSection.NTDLL(004373C8), ref: 0042327D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalDeleteSection
    • String ID: `uC$hsC
    • API String ID: 166494926-3493180830
    • Opcode ID: c7103efd454e491c1db8eda583cdf89b1ba421a98bd2fb88cabea59003a15479
    • Instruction ID: 03937508fd3843840c24aca510653c7ab995140dd3b6e15cbf81d0dec7341898
    • Opcode Fuzzy Hash: c7103efd454e491c1db8eda583cdf89b1ba421a98bd2fb88cabea59003a15479
    • Instruction Fuzzy Hash: 6AE06DB2608328EAE7344B08FCC47867264E744366F9471B7D88451261837C0E81D6BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040F2A5() {
    				signed int _v12;
    				signed long long _v20;
    				signed long long _v28;
    				void* _t10;
    				struct HINSTANCE__* _t19;
    
    				_t19 = GetModuleHandleA("KERNEL32");
    				if(_t19 == 0) {
    					L6:
    					_v12 =  *0x429de8;
    					_v20 =  *0x429de0;
    					asm("fsubr qword [ebp-0x10]");
    					_v28 = _v20 / _v12 * _v12;
    					asm("fcomp qword [0x4298d0]");
    					asm("fnstsw ax");
    					asm("sahf");
    					if(_t19 <= 0) {
    						return 0;
    					} else {
    						_t10 = 1;
    						return _t10;
    					}
    				} else {
    					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
    					if(__eax == 0) {
    						goto L6;
    					} else {
    						_push(0);
    						return __eax;
    					}
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32,0040B563), ref: 0040F2AA
    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040F2BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsProcessorFeaturePresent$KERNEL32
    • API String ID: 1646373207-3105848591
    • Opcode ID: 5df788912347d99d1b3832f4a11d1e36c1b424ffefb3c0a61784b1b0319585ab
    • Instruction ID: c2477f5fe21185a8925c23b62c8c13561fb1053bcb06acab07cf3f573ea2a64f
    • Opcode Fuzzy Hash: 5df788912347d99d1b3832f4a11d1e36c1b424ffefb3c0a61784b1b0319585ab
    • Instruction Fuzzy Hash: 03C0123C398201A2D9301B706C1AB1626088B04B01F9400FBF005F04D4DF69C44590BD
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 00419A42
    • GetLastError.KERNEL32(?,?), ref: 00419A4C
    • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?), ref: 00419B12
    • GetLastError.KERNEL32(?,?), ref: 00419B1C
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID:
    • API String ID: 1948546556-0
    • Opcode ID: 63d41105276455104ae94c2240e6bfd5847248b56ab5d750c648be6d55e76126
    • Instruction ID: e1a9ea900de86bb03a19ce665102ee038c14227c428f55827bae56469d5d6cf0
    • Opcode Fuzzy Hash: 63d41105276455104ae94c2240e6bfd5847248b56ab5d750c648be6d55e76126
    • Instruction Fuzzy Hash: 9051E630A083859FDF218F58D890BEA7BB0BF16344F54419BE8558B392C378ADC6CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 16%
    			E00405F39(void* __ecx, void* __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				void* _v20;
    				intOrPtr _v24;
    				struct tagRECT _v40;
    				struct tagRECT _v56;
    				void* __ebp;
    				signed int _t57;
    				intOrPtr _t59;
    				intOrPtr* _t61;
    				intOrPtr* _t64;
    				intOrPtr _t65;
    				intOrPtr* _t66;
    				intOrPtr* _t68;
    				intOrPtr* _t70;
    				intOrPtr* _t72;
    				intOrPtr* _t83;
    				struct HWND__* _t90;
    				void* _t102;
    				void* _t121;
    				intOrPtr _t124;
    				intOrPtr* _t125;
    				intOrPtr* _t126;
    				intOrPtr* _t127;
    				intOrPtr* _t128;
    				void* _t129;
    				void* _t130;
    
    				_t121 = __edx;
    				_t129 = __ecx;
    				0x41d95f();
    				_t124 =  *((intOrPtr*)(__ecx + 4));
    				_v12 = _t124;
    				_t57 = IsWindowVisible( *(_t124 + 0x1c));
    				asm("sbb eax, eax");
    				_t59 =  ~_t57 + 1;
    				_t102 = 0;
    				_v24 = _t59;
    				if(_t59 != 0) {
    					_t90 = GetDesktopWindow();
    					0x41c48d(_t90);
    					GetWindowRect( *(_t90 + 0x1c),  &_v56);
    					GetWindowRect( *(_t124 + 0x1c),  &_v40);
    					asm("cdq");
    					asm("cdq");
    					0x41eb50(_v56.right - _v56.left - _t121 >> 1, _v56.bottom - _v56.top - _t121 >> 1, _t102, _t102, _t102);
    					0x41ebe0(1);
    				}
    				_t125 = _t129 + 0x48;
    				_push(_t125);
    				_push(0x428ad0);
    				_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t129 + 4)) + 0x4c));
    				_push(_t61);
    				if( *((intOrPtr*)( *_t61))() >= 0) {
    					_t83 =  *_t125;
    					_t128 = _t129 + 0x4c;
    					_v8 =  *((intOrPtr*)( *_t83 + 0xc))(_t83, _t102, 0x42a210, _t128);
    					if( *_t128 == _t102) {
    						_v8 = 0x80004003;
    					}
    					if(_v8 >= _t102) {
    						L14:
    						_t130 = E00406144(_t129);
    						if(_v24 != _t102) {
    							0x41eb50(_v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t102);
    							0x41ebe0(_t102);
    						}
    						return _t130;
    					} else {
    						if(_v24 != _t102) {
    							0x41eb50(_v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, _t102);
    							0x41ebe0(_t102);
    						}
    						return _v8;
    					}
    				}
    				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t129 + 4)) + 0x4c));
    				_t65 =  *((intOrPtr*)( *_t64))(_t64, 0x428ae0,  &_v16);
    				if(_t65 >= _t102) {
    					_t66 = _v16;
    					 *((intOrPtr*)( *_t66 + 0x14))(_t66,  &_v20);
    					_t68 = _v16;
    					 *((intOrPtr*)( *_t68 + 8))(_t68);
    					_t70 = _v20;
    					if(_t70 == _t102) {
    						return 0x80004005;
    					}
    					_t126 = _t129 + 8;
    					_v8 =  *((intOrPtr*)( *_t70))(_t70, 0x42a6e0, _t126);
    					_t72 = _v20;
    					 *((intOrPtr*)( *_t72 + 8))(_t72);
    					_t65 = _v8;
    					if(_t65 >= _t102) {
    						_t127 =  *_t126;
    						 *((intOrPtr*)( *_t127))(_t127, 0x42a6d0, _t129 + 0xc);
    						goto L14;
    					}
    				}
    				return _t65;
    			}

    APIs
    • IsWindowVisible.USER32(?), ref: 00405F57
    • GetDesktopWindow.USER32 ref: 00405F6A
    • GetWindowRect.USER32(?,?), ref: 00405F7D
    • GetWindowRect.USER32(?,?), ref: 00405F8A
      • Part of subcall function 0041EB50: MoveWindow.USER32(?,?,?,00000000,?,?,?,004060CB,?,?,?,?,00000000), ref: 0041EB6C
      • Part of subcall function 0041EBE0: ShowWindow.USER32(?,?,004060D4,00000000,?,?,?,?,00000000), ref: 0041EBEE
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Rect$DesktopMoveShowVisible
    • String ID:
    • API String ID: 3835705305-0
    • Opcode ID: 7d5f1ea3d02f28ef58fd5769c7c140b46a8c2453ce02bc22c33bb6b504030e32
    • Instruction ID: 2a59b528c31d27b231e0c62c13ec470b7bb325abbe4e2a6a4de7b6bac1819c5d
    • Opcode Fuzzy Hash: 7d5f1ea3d02f28ef58fd5769c7c140b46a8c2453ce02bc22c33bb6b504030e32
    • Instruction Fuzzy Hash: 43512C75A0010AEFCB00DFA9C995DAEBBB9FF48304B14446EF506EB290CB75AD41CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00410C16(long _a4, void* _a8, long _a12) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				void _v1048;
    				void** _t66;
    				signed int _t67;
    				intOrPtr _t69;
    				signed int _t70;
    				intOrPtr _t71;
    				signed int _t73;
    				signed int _t80;
    				int _t85;
    				long _t87;
    				intOrPtr* _t91;
    				intOrPtr _t97;
    				struct _OVERLAPPED* _t101;
    				long _t103;
    				signed int _t105;
    				struct _OVERLAPPED* _t106;
    
    				_t101 = 0;
    				_v12 = 0;
    				_v20 = 0;
    				if(_a12 != 0) {
    					_t91 = 0x438ec0 + (_a4 >> 5) * 4;
    					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
    					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
    					if(__eflags != 0) {
    						E00410B3E(__eflags, _a4, 0, 2);
    					}
    					_t66 =  *_t91 + _t105;
    					__eflags = _t66[1] & 0x00000080;
    					if((_t66[1] & 0x00000080) == 0) {
    						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
    						__eflags = _t67;
    						if(_t67 == 0) {
    							_a4 = GetLastError();
    						} else {
    							_a4 = _t101;
    							_v12 = _v16;
    						}
    						L15:
    						_t69 = _v12;
    						__eflags = _t69 - _t101;
    						if(_t69 != _t101) {
    							_t70 = _t69 - _v20;
    							__eflags = _t70;
    							return _t70;
    						}
    						__eflags = _a4 - _t101;
    						if(_a4 == _t101) {
    							L25:
    							_t71 =  *_t91;
    							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
    							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
    								L27:
    								 *((intOrPtr*)(E0040BBA9())) = 0x1c;
    								_t73 = E0040BBB2();
    								 *_t73 = _t101;
    								L24:
    								return _t73 | 0xffffffff;
    							}
    							__eflags =  *_a8 - 0x1a;
    							if( *_a8 == 0x1a) {
    								goto L1;
    							}
    							goto L27;
    						}
    						_t106 = 5;
    						__eflags = _a4 - _t106;
    						if(_a4 != _t106) {
    							_t73 = E0040BB36(_a4);
    						} else {
    							 *((intOrPtr*)(E0040BBA9())) = 9;
    							_t73 = E0040BBB2();
    							 *_t73 = _t106;
    						}
    						goto L24;
    					}
    					__eflags = _a12 - _t101;
    					_v8 = _a8;
    					_a4 = _t101;
    					if(_a12 <= _t101) {
    						goto L25;
    					} else {
    						goto L6;
    					}
    					do {
    						L6:
    						_t80 =  &_v1048;
    						do {
    							__eflags = _v8 - _a8 - _a12;
    							if(_v8 - _a8 >= _a12) {
    								break;
    							}
    							_v8 = _v8 + 1;
    							_t97 =  *_v8;
    							__eflags = _t97 - 0xa;
    							if(_t97 == 0xa) {
    								_v20 = _v20 + 1;
    								 *_t80 = 0xd;
    								_t80 = _t80 + 1;
    								__eflags = _t80;
    							}
    							 *_t80 = _t97;
    							_t80 = _t80 + 1;
    							__eflags = _t80 -  &_v1048 - 0x400;
    						} while (_t80 -  &_v1048 < 0x400);
    						_t103 = _t80 -  &_v1048;
    						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
    						__eflags = _t85;
    						if(_t85 == 0) {
    							_a4 = GetLastError();
    							break;
    						}
    						_t87 = _v16;
    						_v12 = _v12 + _t87;
    						__eflags = _t87 - _t103;
    						if(_t87 < _t103) {
    							break;
    						}
    						__eflags = _v8 - _a8 - _a12;
    					} while (_v8 - _a8 < _a12);
    					_t101 = 0;
    					__eflags = 0;
    					goto L15;
    				}
    				L1:
    				return 0;
    			}

    APIs
    • WriteFile.KERNEL32(?,?,?,?,00000000,00000001,?,?), ref: 00410CDD
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 8233de90432b391364fece043de971e5d7a7a924a418657e4706444c41cacdee
    • Instruction ID: 234f890987bb15642026c964d2887e2ade862e202282d8291e1c2430f2444d67
    • Opcode Fuzzy Hash: 8233de90432b391364fece043de971e5d7a7a924a418657e4706444c41cacdee
    • Instruction Fuzzy Hash: D4518371900208EFCB15CFA8D984ADE7BB4FF45340F2085AAE8159B251D7B4EAC1CF99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetPropA.USER32(?,00000000), ref: 00418226
    • CallWindowProcA.USER32(00000000), ref: 00418251
      • Part of subcall function 00415760: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00415786
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 0041579E
      • Part of subcall function 00415760: RemovePropA.USER32(?,00000000), ref: 004157AA
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    • Opcode ID: 2839c485847539e925c134b3a614f98685b10280340fa967838a94a2557cec18
    • Instruction ID: d3a96bc47f464f7725269756194fabf8748dbc430cc42502c6f47e313bdca380
    • Opcode Fuzzy Hash: 2839c485847539e925c134b3a614f98685b10280340fa967838a94a2557cec18
    • Instruction Fuzzy Hash: B8312676B04A145BD6219706FC45AEF7398EB87324F8405ABF90843240DB3DADCA866F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 29%
    			E0040598C(void* _a4, intOrPtr _a8) {
    				char _v8;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _v36;
    				char _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				char _v60;
    				intOrPtr* _t44;
    				intOrPtr* _t50;
    				intOrPtr _t51;
    				intOrPtr* _t52;
    				intOrPtr _t59;
    				intOrPtr _t60;
    				intOrPtr* _t61;
    				void* _t71;
    
    				_t71 = _a4 - 0xc8;
    				if( *((intOrPtr*)(_t71 + 0xa0)) != 0) {
    					L13:
    					return 0;
    				}
    				_t60 = _a8;
    				if( *((intOrPtr*)(_t71 + 0x88)) != 0) {
    					L3:
    					if( *((intOrPtr*)(_t71 + 0x94)) == _t60) {
    						 *0x4272a4(_t71 + 0xa8);
    						_t44 =  *((intOrPtr*)(_t71 + 0x4c));
    						_a4 = 0;
    						_push( &_a4);
    						_push(0x42a000);
    						_push(_t44);
    						if( *((intOrPtr*)( *_t44))() >= 0) {
    							E00409C20( &_v56, 0, 0x20);
    							E00409C20( &_v24, 0, 0x10);
    							_t50 = _a4;
    							_t51 =  *((intOrPtr*)( *_t50 + 0x18))(_t50, _t60, 0x42a700, 0, 2,  &_v24, _t71 + 0xa8,  &_v56,  &_v8);
    							_t61 =  *0x4272ac;
    							_a8 = _t51;
    							if(_v52 != 0) {
    								 *_t61(_v52);
    							}
    							if(_v48 != 0) {
    								 *_t61(_v48);
    							}
    							if(_v44 != 0) {
    								 *_t61(_v44);
    							}
    							_t52 = _a4;
    							 *((intOrPtr*)( *_t52 + 8))(_t52);
    							if(_a8 >= 0) {
    								 *((intOrPtr*)(_t71 + 0xa4)) = 1;
    							}
    						}
    					}
    					goto L13;
    				}
    				_v60 = 2;
    				_v56 = _t60;
    				_v52 = 0;
    				_v48 = 0;
    				_v44 = 0;
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				E00404C11(_t71,  &_v60);
    				_t59 = _v36;
    				if(_t59 != 0) {
    					return _t59;
    				}
    				goto L3;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: FreeString$ClearVariant
    • String ID:
    • API String ID: 3349467263-0
    • Opcode ID: 3233826891605795714c7ec17396f4e87e87f0fe1dccbf22789ca17f206eddde
    • Instruction ID: 3737fc164567ea1641a903dc7c477de2e1d6a5b5be72fe3d4222f00fbd2820dd
    • Opcode Fuzzy Hash: 3233826891605795714c7ec17396f4e87e87f0fe1dccbf22789ca17f206eddde
    • Instruction Fuzzy Hash: E9311BB1A01629BFCB14DFA5D884EDFBBB8FF08710F50812AF505A6240D774A944CFA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0042142F: GetParent.USER32(?), ref: 00421462
      • Part of subcall function 0042142F: GetLastActivePopup.USER32(?), ref: 00421471
      • Part of subcall function 0042142F: IsWindowEnabled.USER32(?), ref: 00421486
      • Part of subcall function 0042142F: EnableWindow.USER32(?,00000000), ref: 00421499
    • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 004212ED
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0042135B
    • MessageBoxA.USER32(00000000,?,?,00000000), ref: 00421369
    • EnableWindow.USER32(00000000,00000001), ref: 00421385
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
    • String ID:
    • API String ID: 1958756768-0
    • Opcode ID: b6f6c6b20fd165612ccbf1b09f1e3cc190bf90e3b940043149b2468a78de8bb1
    • Instruction ID: a7a08bcbf7aac38ccefc32d9d54a90bda2d2d2ea202886207ac6057dbd6a0504
    • Opcode Fuzzy Hash: b6f6c6b20fd165612ccbf1b09f1e3cc190bf90e3b940043149b2468a78de8bb1
    • Instruction Fuzzy Hash: 4A21D772B00124EFEB20DF94DC85AEEB7BAEB54340FA4007AFA00E3660C7749D4087A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			_entry_(void* __ebx, void* __edi, void* __esi) {
    				CHAR* _v8;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				struct _STARTUPINFOA _v96;
    				struct HINSTANCE__* _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				unsigned int _t15;
    				signed int _t27;
    				struct HINSTANCE__* _t28;
    				signed int _t34;
    				intOrPtr _t51;
    
    				_t46 = __edi;
    				_push(0xffffffff);
    				_push(0x429820);
    				_push(E0040D240);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t51;
    				_push(__edi);
    				_v28 = _t51 - 0x58;
    				_t15 = GetVersion();
    				 *0x437668 = 0;
    				_t34 = _t15 & 0x000000ff;
    				 *0x437664 = _t34;
    				 *0x437660 = _t34 << 8;
    				 *0x43765c = _t15 >> 0x10;
    				if(E0040D1DA(_t34 << 8, 1) == 0) {
    					E0040A422(0x1c);
    				}
    				if(E0040C71C() == 0) {
    					E0040A422(0x10);
    				}
    				_v8 = 0;
    				E0040CEA9();
    				 *0x4391f8 = GetCommandLineA();
    				 *0x43764c = E0040CD77();
    				E0040CB2A();
    				E0040CA71();
    				E0040A4B6();
    				_v96.dwFlags = 0;
    				GetStartupInfoA( &_v96);
    				_v104 = E0040CA19();
    				_t55 = _v96.dwFlags & 0x00000001;
    				if((_v96.dwFlags & 0x00000001) == 0) {
    					_t27 = 0xa;
    				} else {
    					_t27 = _v96.wShowWindow & 0x0000ffff;
    				}
    				_t28 = GetModuleHandleA(0);
    				0x418c47(_t28, 0, _v104, _t27);
    				_v100 = _t28;
    				E0040A4E3(_t28);
    				_v108 =  *((intOrPtr*)( *_v24));
    				return E0040C8A1(_t46, _t55,  *((intOrPtr*)( *_v24)), _v24);
    			}

    APIs
    • GetVersion.KERNEL32 ref: 0040A31B
      • Part of subcall function 0040D1DA: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040A353,00000001), ref: 0040D1EB
      • Part of subcall function 0040D1DA: HeapDestroy.KERNEL32 ref: 0040D22A
    • GetCommandLineA.KERNEL32 ref: 0040A37B
    • GetStartupInfoA.KERNEL32(?), ref: 0040A3A6
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040A3C9
      • Part of subcall function 0040A422: ExitProcess.KERNEL32 ref: 0040A43F
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
    • String ID:
    • API String ID: 2057626494-0
    • Opcode ID: 850b28128f9bb2cd86e679da39c714fbbd556ecf0758b3c44320a21eb9e14c41
    • Instruction ID: 7d92941f399f6704b1b3c065f0f2493b68e3a84dd8df104a7a40252e0ee3723c
    • Opcode Fuzzy Hash: 850b28128f9bb2cd86e679da39c714fbbd556ecf0758b3c44320a21eb9e14c41
    • Instruction Fuzzy Hash: 1021A2B1944705DAD718AFB6DC5AB6D7BA4EF04314F10413FF901AA2D1DB7C4850CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00412798(void* __ecx) {
    				int _t30;
    				void* _t40;
    				int _t42;
    				short* _t44;
    				int _t45;
    				int _t48;
    				void* _t49;
    				short* _t51;
    
    				_t40 = __ecx;
    				_t51 =  *(_t49 - 0x18);
    				 *(_t49 - 0x24) = 0;
    				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
    				_t45 =  *(_t49 + 0x14);
    				_t42 = 1;
    				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
    					L8:
    					_t30 = 0;
    				} else {
    					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
    					 *(_t49 - 0x20) = _t48;
    					if(_t48 == 0) {
    						goto L8;
    					} else {
    						 *(_t49 - 4) = _t42;
    						E0040AF60(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
    						 *(_t49 - 0x18) = _t51;
    						_t44 = _t51;
    						 *(_t49 - 0x28) = _t44;
    						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
    						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
    							goto L8;
    						} else {
    							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
    						}
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
    				return _t30;
    			}












    APIs
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 004127C7
    • MultiByteToWideChar.KERNEL32(?,00000009,0040BBC6,?,00000000,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 004127DA
    • MultiByteToWideChar.KERNEL32(?,00000001,0040BBC6,?,?,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 00412826
    • CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,0040F746,0040BD53,00000000,?,?,0040BBC6,00000000), ref: 0041283E
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ByteCharMultiWide$CompareString
    • String ID:
    • API String ID: 376665442-0
    • Opcode ID: 982aea6b901e5d1bdc14dd24f871586cc8217c75a645b50daf484f103103919c
    • Instruction ID: ccff48dd1fa7ce84c369fb46c87bd7af1eb2031cdd83c134cfd16c09d5991923
    • Opcode Fuzzy Hash: 982aea6b901e5d1bdc14dd24f871586cc8217c75a645b50daf484f103103919c
    • Instruction Fuzzy Hash: 3C213A32901259EFCF219F94CD41ADE7FB1FF48354F104226FA10B2160C3769962DBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00416000(void* __eflags, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v4;
    				void* _t10;
    				long _t13;
    				long _t21;
    				struct HWND__* _t25;
    
    				_t25 = _a4;
    				_t10 = E00415510(_t25);
    				_t31 = _t10;
    				if(_t10 != 0) {
    					_t13 = GetPropA(_t25, 0);
    					__eflags = _t13;
    					if(_t13 == 0) {
    						_t21 =  &_v4;
    						_v4 = 0x29a;
    						_t13 = SendMessageA(_t25, 0x1944, 0, _t21);
    						__eflags = _v4 - 0x29a;
    						if(_v4 == 0x29a) {
    							_t13 = SendMessageA(_t25, 0x1943, 0, _t21);
    							__eflags = _v4 - 0x29a;
    							if(_v4 == 0x29a) {
    								__eflags = 0;
    								RemovePropA(_t25, 0);
    								_push(_a12);
    								_push(0);
    								_push(_a8);
    								_push(_t25);
    								return E00417110(__eflags);
    							}
    						}
    					}
    					return _t13;
    				} else {
    					_push(_a12);
    					_push(0);
    					_push(_a8);
    					_push(_t25);
    					return E00417110(_t31);
    				}
    			}









    APIs
    • GetPropA.USER32(?,00000000), ref: 0041603D
    • SendMessageA.USER32(?,00001944,00000000,?), ref: 00416062
    • SendMessageA.USER32(?,00001943,00000000,?), ref: 00416077
    • RemovePropA.USER32(?,00000000), ref: 0041608D
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: MessagePropSend$Remove
    • String ID:
    • API String ID: 2793251306-0
    • Opcode ID: 760c7b8e16671800463973b9da571f5bce5670b5cd4a0d8873e441d95907b5a3
    • Instruction ID: 5c59246454645b0823355e3f0d91e2913db08960c7d66f3187dfb781d166a032
    • Opcode Fuzzy Hash: 760c7b8e16671800463973b9da571f5bce5670b5cd4a0d8873e441d95907b5a3
    • Instruction Fuzzy Hash: F01191797042007EE210AB10AC06FEB7798EB88764F404829FD1482241E378A94A8BAF
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GlobalFix.KERNEL32(?), ref: 0041A5D6
    • lstrcmp.KERNEL32(?,?), ref: 0041A5E2
    • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041A61F
    • GlobalFix.KERNEL32(00000000), ref: 0041A62C
      • Part of subcall function 00420D27: GlobalFlags.KERNEL32(?), ref: 00420D31
      • Part of subcall function 00420D27: GlobalUnWire.KERNEL32(?), ref: 00420D48
      • Part of subcall function 00420D27: GlobalFree.KERNEL32(?), ref: 00420D53
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Global$AllocFlagsFreeWirelstrcmp
    • String ID:
    • API String ID: 396917142-0
    • Opcode ID: 4586a962747e0abb1e1b0137d068ef961d7139c1f1e142d1abca93a9540b80e3
    • Instruction ID: e080531e114e52b4571c47b89730b12d9f67959ecfc16b512b091e4c058842da
    • Opcode Fuzzy Hash: 4586a962747e0abb1e1b0137d068ef961d7139c1f1e142d1abca93a9540b80e3
    • Instruction Fuzzy Hash: CE11E371200104BEEB215BB6CE4AEFF7ABDEF85744F44005AF608C2112D6799DA0D778
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEnterCriticalSection.NTDLL(?), ref: 00422ECA
    • RtlLeaveCriticalSection.NTDLL(?), ref: 00422EDA
    • LocalFree.KERNEL32(?), ref: 00422EE3
    • TlsSetValue.KERNEL32(?,00000000), ref: 00422EF9
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$EnterFreeLeaveLocalValue
    • String ID:
    • API String ID: 2949335588-0
    • Opcode ID: 25b6cc8b84e51dbe12ff4f8145eeceaf2227726f481d549b300d0ea1cef0391a
    • Instruction ID: 8bf293906332789fd812871ca859e227e5ff3c7f0a9519088559453395784807
    • Opcode Fuzzy Hash: 25b6cc8b84e51dbe12ff4f8145eeceaf2227726f481d549b300d0ea1cef0391a
    • Instruction Fuzzy Hash: F421AC31704221FFCB24CF48E945B6A77A4FF81705F41846AE5428B2A1C7F9EC41EB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004160B1(void* __eax, void* __ebx, void* __edx, struct HWND__* _a12, intOrPtr _a16) {
    				struct HWND__* _t17;
    				struct HWND__* _t21;
    				intOrPtr _t25;
    				void* _t31;
    
    				_t1 = __ebx + 0x56;
    				 *_t1 =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
    				if( *_t1 != 0) {
    					_t21 = GetWindow(_a12, 5);
    					__eflags = _t21;
    					if(__eflags != 0) {
    						_t25 = _a16;
    						do {
    							E00416000(__eflags, _t21, _t25, 0);
    							_t31 = _t31 + 0xc;
    							_t17 = GetWindow(_t21, 5);
    							__eflags = _t17;
    							while(__eflags != 0) {
    								E00416000(__eflags, _t17, _t25, _t21);
    								_t31 = _t31 + 0xc;
    								_t17 = GetWindow(_t17, 2);
    								__eflags = _t17;
    							}
    							_t21 = GetWindow(_t21, 2);
    							__eflags = _t21;
    						} while (__eflags != 0);
    					}
    					return 1;
    				} else {
    					return 0;
    				}
    			}








    APIs
    • GetWindow.USER32(?,00000005), ref: 004160D3
    • GetWindow.USER32(00000000,00000005), ref: 004160EF
    • GetWindow.USER32(00000000,00000002), ref: 00416105
    • GetWindow.USER32(00000000,00000002), ref: 00416110
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window
    • String ID:
    • API String ID: 2353593579-0
    • Opcode ID: 901de9eb88ecc23372df517cc33936e9a477a8d3599c0fbf1eef62955c2f37b2
    • Instruction ID: a7cee2a08a9af185d341112d04e0a1447a33d7dcc542c6e89f93694597682b5f
    • Opcode Fuzzy Hash: 901de9eb88ecc23372df517cc33936e9a477a8d3599c0fbf1eef62955c2f37b2
    • Instruction Fuzzy Hash: A9F0F47334070222C321E16A2C86FAB7B988BD5B51F52403AF60096283EE59D8458269
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004161A1(void* __eax, void* __edx, void* __esi, signed char _a8, struct HDC__* _a13, struct HWND__* _a17) {
    				signed char _t7;
    				signed char _t8;
    				long _t10;
    				intOrPtr _t13;
    				long _t18;
    				struct HDC__* _t22;
    				struct HWND__* _t25;
    
    				_t1 = __esi + 0x74;
    				 *_t1 =  *((intOrPtr*)(__esi + 0x74)) + __edx;
    				if( *_t1 < 0) {
    					L10:
    					return 0;
    				} else {
    					_t7 = _a8;
    					_t8 = _t7 & 0x00000008;
    					if(_t8 < 0x134 || _t8 == 0x137) {
    						goto L10;
    					} else {
    						if(_t8 != 0x134) {
    							L9:
    							_t22 = _a13;
    							_t10 =  *0x439270; // 0x0
    							SetTextColor(_t22, _t10);
    							_t18 =  *0x439268; // 0x0
    							SetBkColor(_t22, _t18);
    							_t13 =  *0x439288; // 0x0
    							return _t13;
    						} else {
    							if( *0x439260 >= 0x35f) {
    								L8:
    								return 0;
    							} else {
    								_t25 = _a17;
    								if(GetWindow(_t25, 5) == 0 || (GetWindowLongA(_t25, 0xfffffff0) & 0x00000003) == 3) {
    									goto L8;
    								} else {
    									goto L9;
    								}
    							}
    						}
    					}
    				}
    			}











    APIs
    • GetWindow.USER32(?,00000005), ref: 004161D5
    • GetWindowLongA.USER32(?,000000F0), ref: 004161E2
    • SetTextColor.GDI32(?,00000000), ref: 004161FF
    • SetBkColor.GDI32(?,00000000), ref: 0041620D
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ColorWindow$LongText
    • String ID:
    • API String ID: 3945788684-0
    • Opcode ID: 1fb94d819b8c3952816df937465cd79d17ab0af45b832cf853baad0368d57adc
    • Instruction ID: 3b4b9aeb45132527258c2c9c88f04f04a0d340910fdd1b20e255ac12e6ea315c
    • Opcode Fuzzy Hash: 1fb94d819b8c3952816df937465cd79d17ab0af45b832cf853baad0368d57adc
    • Instruction Fuzzy Hash: 4101F13634D510ABDB20D724AC489DB7794EB91320F010DABF941C21A1C768DD86C6AE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00415670(int _a4, int _a8, long _a12) {
    				void* _v4;
    				struct HHOOK__* _t17;
    				long _t22;
    				signed char _t25;
    				intOrPtr _t27;
    				struct HHOOK__* _t30;
    				long _t31;
    				long _t32;
    
    				_t32 = _a12;
    				_t30 =  *0x437e68; // 0x0
    				_t31 = CallNextHookEx(_t30, _a4, _a8, _t32);
    				_t27 =  *0x437e64; // 0x0
    				if( *(_t32 + 0xc) == _t27) {
    					_t17 =  *0x437e68; // 0x0
    					UnhookWindowsHookEx(_t17);
    					if( *0x439260 < 0x35f) {
    						L3:
    						_v4 = 1;
    					} else {
    						_t25 = GetWindowLongA( *(_t32 + 0xc), 0xfffffff0);
    						_v4 = 0;
    						if((_t25 & 0x00000004) == 0) {
    							goto L3;
    						}
    					}
    					SendMessageA( *(_t32 + 0xc), 0x11f0, 0,  &_v4);
    					if(_v4 != 0) {
    						_t22 =  *0x437e6c; // 0x0
    						E00415580( *(_t32 + 0xc), _t22);
    					}
    					 *0x437e68 = 0;
    					 *0x437e6c = 0;
    					 *0x437e64 = 0;
    				}
    				return _t31;
    			}












    APIs
    • CallNextHookEx.USER32(00000000,?,?,?), ref: 0041568B
    • UnhookWindowsHookEx.USER32(00000000), ref: 004156A4
    • GetWindowLongA.USER32(?,000000F0), ref: 004156BB
    • SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 004156E5
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
    • String ID:
    • API String ID: 4187046592-0
    • Opcode ID: 4ecfff7e56ba0a4d642dc80568e4fe1e313b06c1fa6804bc8ce80c228c25bcb5
    • Instruction ID: 41c4be4e95155e02cf4e195df35266e5927764d5d00062f74f5bbda7557d121e
    • Opcode Fuzzy Hash: 4ecfff7e56ba0a4d642dc80568e4fe1e313b06c1fa6804bc8ce80c228c25bcb5
    • Instruction Fuzzy Hash: 4C112EB5614300EFE224DB54EC85E9777E9A784314F50846DF985C3360D7B4AC84CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DD75() {
    				signed int _t15;
    				void* _t17;
    				void* _t19;
    				void* _t25;
    				signed int _t26;
    				intOrPtr* _t29;
    
    				_t15 =  *0x438e9c;
    				_t26 =  *0x438e8c;
    				if(_t15 != _t26) {
    					L3:
    					_t29 =  *0x438ea0 + (_t15 + _t15 * 4) * 4;
    					_t17 = RtlAllocateHeap( *0x438ea8, 8, 0x41c4);
    					 *(_t29 + 0x10) = _t17;
    					if(_t17 == 0) {
    						L6:
    						return 0;
    					}
    					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
    					 *(_t29 + 0xc) = _t19;
    					if(_t19 != 0) {
    						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
    						 *_t29 = 0;
    						 *((intOrPtr*)(_t29 + 4)) = 0;
    						 *0x438e9c =  *0x438e9c + 1;
    						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
    						return _t29;
    					}
    					HeapFree( *0x438ea8, 0,  *(_t29 + 0x10));
    					goto L6;
    				}
    				_t25 = RtlReAllocateHeap( *0x438ea8, 0,  *0x438ea0, _t26 + 0x50 + _t26 * 4 << 2);
    				if(_t25 == 0) {
    					goto L6;
    				}
    				 *0x438e8c =  *0x438e8c + 0x10;
    				 *0x438ea0 = _t25;
    				_t15 =  *0x438e9c;
    				goto L3;
    			}










    APIs
    • RtlReAllocateHeap.NTDLL(00000000,?,00000000,00000000), ref: 0040DD9D
    • RtlAllocateHeap.NTDLL(00000008,000041C4,00000000), ref: 0040DDD1
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0040DDEB
    • HeapFree.KERNEL32(00000000,?), ref: 0040DE02
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Heap$Allocate$AllocFreeVirtual
    • String ID:
    • API String ID: 94566200-0
    • Opcode ID: aa070eedeb5d09166b5aca976424c078047f98e71b35a8f4d439cd5a1e342210
    • Instruction ID: a593c1c3db30ebe78dbcee3b376bf8ffd9aa4caebcc0b5535706739ba25acb9d
    • Opcode Fuzzy Hash: aa070eedeb5d09166b5aca976424c078047f98e71b35a8f4d439cd5a1e342210
    • Instruction Fuzzy Hash: 20115871200710AFC7209F68EC46922BBB6FB95B247545A3EF251D71B0CBB5984ACF48
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0041F780
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041F786
    • DuplicateHandle.KERNEL32(00000000), ref: 0041F789
    • GetLastError.KERNEL32(00000000), ref: 0041F7A3
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CurrentProcess$DuplicateErrorHandleLast
    • String ID:
    • API String ID: 3907606552-0
    • Opcode ID: 3ee9b5898c2ef0f5df76112fb7332b7d42f2f9a94479a94beaae15ab8b38f541
    • Instruction ID: 2230599df16ca824ce167ec0b41325d7635243b6b5c60e78c9918f2d0e9e3cb5
    • Opcode Fuzzy Hash: 3ee9b5898c2ef0f5df76112fb7332b7d42f2f9a94479a94beaae15ab8b38f541
    • Instruction Fuzzy Hash: D201AC757042047BEB10ABA5DD4AF9A7B9DDF84760F144036F514C73D1EA74DC428B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E00415B50() {
    				signed int _t20;
    				intOrPtr _t22;
    				void* _t26;
    				long _t28;
    				void* _t31;
    				void* _t34;
    				signed int _t36;
    				void* _t37;
    				void* _t38;
    				void* _t42;
    				void* _t43;
    				void* _t44;
    
    				_t36 = 0;
    				_t28 = GetCurrentThreadId();
    				 *0x4271f4(0x439220);
    				_t38 =  *0x43929c - _t36; // 0x0
    				if(_t38 > 0) {
    					do {
    						_t20 = _t36 * 4;
    						_t34 = _t20 + _t20 * 4;
    						if( *((intOrPtr*)(_t20 + 0x4392a4 + _t20 * 4)) == _t28) {
    							_t22 =  *((intOrPtr*)(_t34 + 0x4392ac)) - 1;
    							 *((intOrPtr*)(_t34 + 0x4392ac)) = _t22;
    							if(_t22 == 0 ||  *(_t34 + 0x4392a0) ==  *((intOrPtr*)(_t37 + 0x14))) {
    								UnhookWindowsHookEx( *(_t34 + 0x4392a8));
    								 *0x43929c =  *0x43929c - 1;
    								_t42 = _t36 -  *0x43929c; // 0x0
    								if(_t42 < 0) {
    									_t31 = _t34 + 0x4392a0;
    									do {
    										_t36 = _t36 + 1;
    										_t26 = memcpy(_t31, _t31 + 0x14, 5 << 2);
    										_t37 = _t37 + 0xc;
    										_t31 = _t26;
    										_t43 = _t36 -  *0x43929c; // 0x0
    									} while (_t43 < 0);
    								}
    							}
    						}
    						_t36 = _t36 + 1;
    						_t44 = _t36 -  *0x43929c; // 0x0
    					} while (_t44 < 0);
    				}
    				 *0x439244 =  *0x439244 - 1;
    				 *0x4271fc(0x439220);
    				if( *0x439244 == 0) {
    					E004167A0();
    				}
    				return 1;
    			}
















    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00415B56
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 00415B63
    • UnhookWindowsHookEx.USER32(?), ref: 00415BA6
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 00415BEB
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
    • String ID:
    • API String ID: 1197249173-0
    • Opcode ID: 0b36dc0582e201805e3fd07b1b8ae4b73aff2c8446176cb3fdde44981dbe37f5
    • Instruction ID: 88b62d21994fe6c7175de7ecd9b622f7d1415ebe514b2e687dbc7a8ea07160fb
    • Opcode Fuzzy Hash: 0b36dc0582e201805e3fd07b1b8ae4b73aff2c8446176cb3fdde44981dbe37f5
    • Instruction Fuzzy Hash: DA118F31145E09EFCB20DF65E8446E773A9FB51315F5018BAE51983110DBBAACA1CB5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040187B(intOrPtr __ecx, void* _a4, char* _a8) {
    				void* _v8;
    				intOrPtr _v12;
    				char _v312;
    				long _t30;
    
    				_v12 = __ecx;
    				_t30 = RegOpenKeyA(_a4, _a8,  &_v8);
    				if(_t30 != 0) {
    					L7:
    					RegCloseKey(_v8);
    					return _t30;
    				}
    				while(RegEnumKeyA(_v8, 0,  &_v312, 0x12b) == 0) {
    					_t30 = E0040187B(_v12, _v8,  &_v312);
    					if(_t30 != 0) {
    						break;
    					}
    				}
    				if(_t30 == 0x103 || _t30 == 0x3f2) {
    					_t30 = RegDeleteKeyA(_a4, _a8);
    				}
    				goto L7;
    			}








    APIs
    • RegOpenKeyA.ADVAPI32(?,?,00000000), ref: 00401892
    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,0000012B), ref: 004018D2
    • RegDeleteKeyA.ADVAPI32(?,?), ref: 004018F2
    • RegCloseKey.ADVAPI32(00000000), ref: 004018FD
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CloseDeleteEnumOpen
    • String ID:
    • API String ID: 4142876296-0
    • Opcode ID: 6e18793f21146cf9964f692d07c7c4d3f13f18a8cff02a5d6e4f0ab59a0c5b33
    • Instruction ID: c481470cd44d8f578979e48655e6b5bdbeaf33df73bda130a1f501847abf5c56
    • Opcode Fuzzy Hash: 6e18793f21146cf9964f692d07c7c4d3f13f18a8cff02a5d6e4f0ab59a0c5b33
    • Instruction Fuzzy Hash: 32012D37D00129ABDF22AB54CC41AAEBBB9EF04364F114072ED05B72B0D7349F599B94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetDlgItem.USER32(?,?), ref: 0041D9D3
    • GetTopWindow.USER32(00000000), ref: 0041D9E6
    • GetTopWindow.USER32(?), ref: 0041DA16
    • GetWindow.USER32(00000000,00000002), ref: 0041DA31
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$Item
    • String ID:
    • API String ID: 369458955-0
    • Opcode ID: d1cf88e2ae9062b86faf186f3de0e0d4637ceb1a266ee6a8466c2cea66202b5d
    • Instruction ID: eb48a10addd87decad2dcca691dd12d15ccc3ad1db0a947e3f837dcfe0b5c702
    • Opcode Fuzzy Hash: d1cf88e2ae9062b86faf186f3de0e0d4637ceb1a266ee6a8466c2cea66202b5d
    • Instruction Fuzzy Hash: B90162B2909215BBCB22AF71DC01EDF3A5AAF157D0F008127FD0095211D73DC99296DD
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetTopWindow.USER32(?), ref: 0041DA4F
    • SendMessageA.USER32(00000000,?,?,?), ref: 0041DA85
    • GetTopWindow.USER32(00000000), ref: 0041DA92
    • GetWindow.USER32(00000000,00000002), ref: 0041DAB0
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Window$MessageSend
    • String ID:
    • API String ID: 1496643700-0
    • Opcode ID: 59e666a9d191c5a3425c144a23d009c91ee2c24e4dce453ae377ebe9d7cef01f
    • Instruction ID: bdde90f7f2851d96d9d84427f8c906db2882ef9a25b465825c57a45057ef67b1
    • Opcode Fuzzy Hash: 59e666a9d191c5a3425c144a23d009c91ee2c24e4dce453ae377ebe9d7cef01f
    • Instruction Fuzzy Hash: 3E010C7250421ABBCF12EF95DC05EDF3B29AF45390F044526FE1451161C73AC9A2EBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Item$EnableFocusMenuNextParent
    • String ID:
    • API String ID: 988757621-0
    • Opcode ID: f376cecab5000765b89b0a96a99a861a62b32ee700f43b6c6e4ac95face89fa0
    • Instruction ID: 20dd42eca74e9960adf35e76bed5b0edf9b206fe81fdffb8b5a031db347aba5d
    • Opcode Fuzzy Hash: f376cecab5000765b89b0a96a99a861a62b32ee700f43b6c6e4ac95face89fa0
    • Instruction Fuzzy Hash: CF11C8702056019FCB38DF61DC59BA7B7B5EF40315F108A2EF542832A0D778E892CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E00415D90() {
    				signed int _t17;
    				intOrPtr _t19;
    				void* _t23;
    				long _t24;
    				void* _t27;
    				void* _t30;
    				signed int _t32;
    				void* _t33;
    				void* _t34;
    				void* _t37;
    				void* _t38;
    				void* _t39;
    
    				_t32 = 0;
    				_t24 = GetCurrentThreadId();
    				 *0x4271f4(0x439220);
    				_t34 =  *0x43929c - _t32; // 0x0
    				if(_t34 > 0) {
    					do {
    						_t17 = _t32 * 4;
    						_t30 = _t17 + _t17 * 4;
    						if( *((intOrPtr*)(_t17 + 0x4392a4 + _t17 * 4)) == _t24) {
    							_t19 =  *((intOrPtr*)(_t30 + 0x4392ac)) - 1;
    							 *((intOrPtr*)(_t30 + 0x4392ac)) = _t19;
    							if(_t19 == 0) {
    								UnhookWindowsHookEx( *(_t30 + 0x4392a8));
    								 *0x43929c =  *0x43929c - 1;
    								_t37 = _t32 -  *0x43929c; // 0x0
    								if(_t37 < 0) {
    									_t27 = _t30 + 0x4392a0;
    									do {
    										_t32 = _t32 + 1;
    										_t23 = memcpy(_t27, _t27 + 0x14, 5 << 2);
    										_t33 = _t33 + 0xc;
    										_t27 = _t23;
    										_t38 = _t32 -  *0x43929c; // 0x0
    									} while (_t38 < 0);
    								}
    							}
    						}
    						_t32 = _t32 + 1;
    						_t39 = _t32 -  *0x43929c; // 0x0
    					} while (_t39 < 0);
    				}
    				 *0x4271fc(0x439220);
    				return 1;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00415D96
    • RtlEnterCriticalSection.NTDLL(00439220), ref: 00415DA3
    • UnhookWindowsHookEx.USER32(?), ref: 00415DDA
    • RtlLeaveCriticalSection.NTDLL(00439220), ref: 00415E19
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
    • String ID:
    • API String ID: 1197249173-0
    • Opcode ID: b55ffbd5cea1c9f0c3b512dbde751cbd72aab4dc8003bdc043dd5b085720f01a
    • Instruction ID: 1c953d116d29fbd505871537e88e780236475eca560d3d9a79e4d56898510177
    • Opcode Fuzzy Hash: b55ffbd5cea1c9f0c3b512dbde751cbd72aab4dc8003bdc043dd5b085720f01a
    • Instruction Fuzzy Hash: 5B019231641E09EFCB20DF65F8845E733A9F741311B4058AAE51E87610DBB66D61CB58
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 004216C2
    • RegCloseKey.ADVAPI32(00000000,?,?), ref: 004216CB
    • wsprintfA.USER32 ref: 004216E7
    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00421700
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ClosePrivateProfileStringValueWritewsprintf
    • String ID:
    • API String ID: 1902064621-0
    • Opcode ID: f394c917e19961eb93cb068db4159fd25a4afe4f0c240602a1bfbe389897f7f5
    • Instruction ID: 5538260fa1785551750a6e30b390c6ac273e1704ac1a972e00b97f3be693603b
    • Opcode Fuzzy Hash: f394c917e19961eb93cb068db4159fd25a4afe4f0c240602a1bfbe389897f7f5
    • Instruction Fuzzy Hash: 6101A232600225BBCB215FA4EC05FEE7BB8FF44754F448426FA11E61A0D774D5218B98
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetObjectA.GDI32(00000000,0000000C,?), ref: 0041E0B3
    • SetBkColor.GDI32(00000000,00000000), ref: 0041E0BF
    • GetSysColor.USER32(00000008), ref: 0041E0CF
    • SetTextColor.GDI32(00000000,?), ref: 0041E0D9
      • Part of subcall function 00420BCC: GetWindowLongA.USER32(00000000,000000F0), ref: 00420BDD
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Color$LongObjectTextWindow
    • String ID:
    • API String ID: 2871169696-0
    • Opcode ID: 350acf485004be4fdb51c2cd3ff8b9c14460e3cf8f6dec3b77afafe216735f2d
    • Instruction ID: de67b5e9cc76c6956dcc238cb31b8160a3a2f62f0ec6125f1fada761a8a67790
    • Opcode Fuzzy Hash: 350acf485004be4fdb51c2cd3ff8b9c14460e3cf8f6dec3b77afafe216735f2d
    • Instruction Fuzzy Hash: 30012838204118ABDF215F69EC49BEB3EA4AB08315F508133FF12C42E1C7B9C8D5DA5A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowExtEx.GDI32(?,00403EF7,00000000,?,?,?,00403EF7,?,?,?,?,?,?,00000000,00000000), ref: 0042080A
    • GetViewportExtEx.GDI32(?,?,?,00403EF7,?,?,?,?,?,?,00000000,00000000), ref: 00420817
    • MulDiv.KERNEL32(00403EF7,00000000,00000000), ref: 0042083C
    • MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 00420857
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ViewportWindow
    • String ID:
    • API String ID: 1589084482-0
    • Opcode ID: 3e1d3d1c82e93bb713b52458036612ae51490ebfb862ef864be096df7a696f16
    • Instruction ID: 689e5bae2517d979c1754ee587176f2439045077d4507ba0209e102f0db3e7b1
    • Opcode Fuzzy Hash: 3e1d3d1c82e93bb713b52458036612ae51490ebfb862ef864be096df7a696f16
    • Instruction Fuzzy Hash: 03F03CB2404608BFEB216FA1DD0ACBEBBBDFF41310711847AF851A2171EB716D619B54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00420873
    • GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00420880
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 004208A5
    • MulDiv.KERNEL32(00000002,00000000,00000000), ref: 004208C0
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ViewportWindow
    • String ID:
    • API String ID: 1589084482-0
    • Opcode ID: 5bd0b579423a9bc04fc3ac621271bb57369d0d3c1e5280d189c13137efcfe8d2
    • Instruction ID: d00400923dae1c4152389e3d2d0bc166fc35cf24df1faab00bbb4aaa3c3abbeb
    • Opcode Fuzzy Hash: 5bd0b579423a9bc04fc3ac621271bb57369d0d3c1e5280d189c13137efcfe8d2
    • Instruction Fuzzy Hash: 9AF03CB2404608BFEB216FA1DD0ACBEBBBDFF41310711847AF851A2171EB716D619B54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SysStringLen.OLEAUT32(?), ref: 00423966
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,004246E5,00000000), ref: 0042397E
    • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00423986
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,004246E5,00000000), ref: 0042399B
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Byte$CharMultiStringWide$Alloc
    • String ID:
    • API String ID: 3384502665-0
    • Opcode ID: c0fa65d1b1a81102ee6df492bb3b8a943ba330df91d525e4042e3d77aefbf6a3
    • Instruction ID: a502866eb90b7ed41d54332aaa09464af0d87b95e574ba30538264f9ab39bae8
    • Opcode Fuzzy Hash: c0fa65d1b1a81102ee6df492bb3b8a943ba330df91d525e4042e3d77aefbf6a3
    • Instruction Fuzzy Hash: 6DF0F8B210B228BF92205B679C4CCEBBF9CEE8B2A5B01452AF54882110C6755801CAF5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEnterCriticalSection.NTDLL(004373B0), ref: 004232CE
    • RtlInitializeCriticalSection.NTDLL(00000000), ref: 004232E0
    • RtlLeaveCriticalSection.NTDLL(004373B0), ref: 004232E9
    • RtlEnterCriticalSection.NTDLL(00000000), ref: 004232FB
      • Part of subcall function 00423200: GetVersion.KERNEL32(?,004232A3,?,00423015,00000010,?,00000000,?,?,?,00422773,004227C0,00422136,00422779,0041A668,0042029B), ref: 00423213
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalSection$Enter$InitializeLeaveVersion
    • String ID:
    • API String ID: 1193629340-0
    • Opcode ID: 928b87f2085459e4c00a2127b9aaa10fdeb15b3cb20e48e4471b6b42049404c0
    • Instruction ID: 254d67cf5dfac8617f40d87193e93952d9c787111c9e260c37f97755f4cf210f
    • Opcode Fuzzy Hash: 928b87f2085459e4c00a2127b9aaa10fdeb15b3cb20e48e4471b6b42049404c0
    • Instruction Fuzzy Hash: 87F06D7120931AEFD720DF54FCC0996B378FB24306B802436EA8582221D739A516DA6C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlInitializeCriticalSection.NTDLL ref: 0040D4B1
    • RtlInitializeCriticalSection.NTDLL ref: 0040D4B9
    • RtlInitializeCriticalSection.NTDLL ref: 0040D4C1
    • RtlInitializeCriticalSection.NTDLL ref: 0040D4C9
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID:
    • API String ID: 32694325-0
    • Opcode ID: db0defa7ab95927d9eeecdfc825a9f1bc37ca07ad2044462b68cf9650ef2a28f
    • Instruction ID: eccb2eca5741bd91348ce28854078c96fa3c3d79bcf1516af11e323c16728afa
    • Opcode Fuzzy Hash: db0defa7ab95927d9eeecdfc825a9f1bc37ca07ad2044462b68cf9650ef2a28f
    • Instruction Fuzzy Hash: 5DC00231904039FACB626B65FE0484A3F26FB552A1325E572E108520308AA21C25EFE8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00406144(intOrPtr* __ecx) {
    				intOrPtr* _t135;
    				intOrPtr _t136;
    				intOrPtr* _t141;
    				intOrPtr* _t144;
    				intOrPtr _t145;
    				signed int _t147;
    				intOrPtr* _t148;
    				intOrPtr _t149;
    				intOrPtr _t150;
    				intOrPtr* _t158;
    				intOrPtr* _t160;
    				intOrPtr* _t162;
    				intOrPtr* _t164;
    				intOrPtr* _t165;
    				signed int _t166;
    				intOrPtr _t167;
    				intOrPtr* _t168;
    				intOrPtr* _t170;
    				signed int _t174;
    				intOrPtr* _t180;
    				intOrPtr* _t182;
    				intOrPtr* _t183;
    				intOrPtr* _t185;
    				intOrPtr _t189;
    				intOrPtr* _t191;
    				void* _t192;
    				intOrPtr _t202;
    				intOrPtr* _t205;
    				intOrPtr* _t246;
    				void* _t248;
    
    				E00409B78(0x425d47, _t248);
    				_t246 = __ecx;
    				 *((intOrPtr*)(_t248 - 0x28)) =  *((intOrPtr*)(__ecx + 0x14));
    				 *((intOrPtr*)(_t248 - 0x2c)) =  *((intOrPtr*)(__ecx + 0x10));
    				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
    					_t135 =  *((intOrPtr*)(__ecx + 8));
    					if(_t135 != 0) {
    						_t136 =  *((intOrPtr*)( *_t135 + 0xc))(_t135, 0x42a6f0, _t248 - 0x1c, _t248 - 0x24);
    						if(_t136 >= 0) {
    							E00406973(_t248 - 0xa4, 0x42a74c);
    							 *(_t248 - 0x84) =  *(_t248 - 0x84) | 0xffffffff;
    							 *((intOrPtr*)(_t248 - 0x8c)) = 0;
    							 *((intOrPtr*)(_t248 - 0x88)) = 0;
    							 *((intOrPtr*)(_t248 - 0x80)) = 0x18;
    							 *((intOrPtr*)(_t248 - 0x7c)) = 0;
    							 *((intOrPtr*)(_t248 - 0x78)) = 0x1fb;
    							E00406973(_t248 - 0x74, 0x42a734);
    							_t141 =  *((intOrPtr*)(_t248 - 0x1c));
    							 *(_t248 - 0x54) =  *(_t248 - 0x54) | 0xffffffff;
    							 *((intOrPtr*)(_t248 - 0x5c)) = 0x1c;
    							 *((intOrPtr*)(_t248 - 0x58)) = 0;
    							 *((intOrPtr*)(_t248 - 0x50)) = 0x20;
    							 *((intOrPtr*)(_t248 - 0x4c)) = 0;
    							 *((intOrPtr*)(_t248 - 0x48)) = 0x1e;
    							_t189 =  *((intOrPtr*)( *_t141 + 0x10))(_t141, 2, _t248 - 0xa4, 0x28, 0);
    							if(_t189 >= 0) {
    								 *(_t248 - 0x44) =  *(_t248 - 0x24);
    								_t144 =  *((intOrPtr*)(_t248 - 0x1c));
    								 *(_t248 - 0x40) = 1;
    								 *((intOrPtr*)(_t248 - 0x3c)) = 0;
    								 *((intOrPtr*)(_t248 - 0x38)) = 0;
    								 *((intOrPtr*)(_t248 - 0x34)) = 0;
    								_t145 =  *((intOrPtr*)( *_t144 + 0x18))(_t144, 0, 0, _t248 - 0x44);
    								 *((intOrPtr*)(_t248 - 0x20)) = _t145;
    								if(_t145 >= 0) {
    									 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t248 - 0x3c));
    									_t147 =  *(_t248 - 0x30);
    									 *(_t248 - 0x24) = _t147;
    									 *(_t246 + 0x10) = _t147;
    									_t148 =  *((intOrPtr*)(_t248 - 0x1c));
    									 *((intOrPtr*)(_t246 + 0x34)) =  *((intOrPtr*)(_t248 - 0x38));
    									_t149 =  *((intOrPtr*)( *_t148 + 8))(_t148);
    									goto L21;
    								} else {
    									_t160 =  *((intOrPtr*)(_t248 - 0x1c));
    									 *((intOrPtr*)( *_t160 + 8))(_t160);
    								}
    								goto L37;
    							} else {
    								_t162 =  *((intOrPtr*)(_t248 - 0x1c));
    								 *((intOrPtr*)( *_t162 + 8))(_t162);
    								_t136 = _t189;
    							}
    						}
    					} else {
    						_t136 = 0;
    					}
    				} else {
    					_t164 =  *((intOrPtr*)(__ecx + 0x4c));
    					_t136 =  *((intOrPtr*)( *_t164 + 0x14))(_t164, 0x42a1a0, _t248 - 0x14);
    					 *((intOrPtr*)(_t248 - 0x20)) = _t136;
    					if(_t136 >= 0) {
    						_t165 =  *((intOrPtr*)(_t248 - 0x14));
    						_t166 =  *((intOrPtr*)( *_t165))(_t165, 0x42a180, _t248 - 0x18);
    						if(_t166 >= 0) {
    							_t180 =  *((intOrPtr*)(_t248 - 0x18));
    							 *((intOrPtr*)(_t248 - 0x10)) = 0;
    							_push(_t248 - 0x10);
    							_push(0x42a2c0);
    							_push(_t180);
    							if( *((intOrPtr*)( *_t180 + 0x10))() >= 0) {
    								_t183 =  *((intOrPtr*)(_t248 - 0x10));
    								 *((intOrPtr*)( *_t183 + 0x14))(_t183,  *((intOrPtr*)(__ecx + 4)) + 0xd8, __ecx + 0x58);
    								_t185 =  *((intOrPtr*)(_t248 - 0x10));
    								 *((intOrPtr*)( *_t185 + 8))(_t185);
    							}
    							_t182 =  *((intOrPtr*)(_t248 - 0x18));
    							_t166 =  *((intOrPtr*)( *_t182 + 8))(_t182);
    						}
    						0x41b0e0(0x10);
    						 *(_t248 - 0x24) = _t166;
    						 *(_t248 - 4) = 0;
    						if(_t166 == 0) {
    							_t167 = 0;
    						} else {
    							_push( *((intOrPtr*)(_t248 - 0x14)));
    							_t167 = E00406464(_t166);
    						}
    						 *(_t248 - 4) =  *(_t248 - 4) | 0xffffffff;
    						 *((intOrPtr*)(_t246 + 0x50)) = _t167;
    						_t168 =  *((intOrPtr*)(_t248 - 0x14));
    						 *((intOrPtr*)( *_t168 + 8))(_t168);
    						_t170 = E00406588( *((intOrPtr*)(_t246 + 0x50)));
    						0x41b0e0(0x1c);
    						if(_t170 == 0) {
    							_t170 = 0;
    						} else {
    							 *_t170 = 0;
    							 *((intOrPtr*)(_t170 + 4)) = 0;
    							 *((intOrPtr*)(_t170 + 8)) = 0;
    							 *((intOrPtr*)(_t170 + 0xc)) = 0;
    							 *((intOrPtr*)(_t170 + 0x10)) = 0;
    							 *((intOrPtr*)(_t170 + 0x14)) = 0;
    						}
    						 *((intOrPtr*)(_t246 + 0x54)) = _t170;
    						E0040659D(_t170);
    						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x50)) + 8)) =  *((intOrPtr*)(_t246 + 0x54));
    						_t174 =  *( *((intOrPtr*)(_t246 + 0x54)) + 0xc);
    						 *(_t246 + 0x10) = _t174;
    						 *((intOrPtr*)(_t246 + 0x14)) =  *0x4274f0(_t174 + _t174 * 4 << 3,  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x50)))));
    						E00409C20(_t177, 0,  *(_t246 + 0x10) +  *(_t246 + 0x10) * 4 << 3);
    						E004064B5( *((intOrPtr*)(_t246 + 0x50)));
    						_t149 = E00405EDF( *((intOrPtr*)(_t246 + 0x50)));
    						L21:
    						 *((intOrPtr*)(_t248 - 0x14)) = 0;
    						if( *(_t246 + 0x10) > 0) {
    							_t192 = 0;
    							do {
    								0x41b0e0(0x1c);
    								 *((intOrPtr*)(_t248 - 0x18)) = _t149;
    								 *(_t248 - 4) = 1;
    								if(_t149 == 0) {
    									_t149 = 0;
    								} else {
    									0x419ff5(0xa);
    								}
    								 *(_t248 - 4) =  *(_t248 - 4) | 0xffffffff;
    								 *((intOrPtr*)(_t248 - 0x14)) =  *((intOrPtr*)(_t248 - 0x14)) + 1;
    								 *((intOrPtr*)(_t192 +  *((intOrPtr*)(_t246 + 0x14)) + 0x24)) = _t149;
    								_t149 =  *((intOrPtr*)(_t248 - 0x14));
    								_t192 = _t192 + 0x28;
    							} while (_t149 <  *(_t246 + 0x10));
    						}
    						_t202 =  *((intOrPtr*)(_t248 - 0x28));
    						if(_t202 != 0) {
    							_t150 =  *((intOrPtr*)(_t248 - 0x2c));
    							if(_t150 > 0) {
    								 *((intOrPtr*)(_t248 - 0x18)) = _t150;
    								 *((intOrPtr*)(_t248 - 0x10)) = _t202 + 0x24;
    								do {
    									_t191 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t248 - 0x10)))) + 4));
    									while(_t191 != 0) {
    										_t158 = _t191;
    										_t191 =  *_t191;
    										 *((intOrPtr*)( *_t246 + 8))( *((intOrPtr*)(_t158 + 8)), 1);
    									}
    									0x41a034();
    									_t205 =  *((intOrPtr*)( *((intOrPtr*)(_t248 - 0x10))));
    									if(_t205 != 0) {
    										 *((intOrPtr*)( *_t205 + 4))(1);
    									}
    									 *((intOrPtr*)(_t248 - 0x10)) =  *((intOrPtr*)(_t248 - 0x10)) + 0x28;
    									_t126 = _t248 - 0x18;
    									 *_t126 =  *((intOrPtr*)(_t248 - 0x18)) - 1;
    								} while ( *_t126 != 0);
    							}
    							 *0x4274f4( *((intOrPtr*)(_t248 - 0x28)));
    						}
    						L37:
    						_t136 =  *((intOrPtr*)(_t248 - 0x20));
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t248 - 0xc));
    				return _t136;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: $(
    • API String ID: 3519838083-55695022
    • Opcode ID: 98454d7cfdf99129b0f9f86e840870de4b8b1ccaebcbc5ad8465cd7482b1f53c
    • Instruction ID: fc177bfd46dd3087edfb7a1de6dbc598e8d5ff695808f16b58c8f7aa192bb58f
    • Opcode Fuzzy Hash: 98454d7cfdf99129b0f9f86e840870de4b8b1ccaebcbc5ad8465cd7482b1f53c
    • Instruction Fuzzy Hash: ABB13B70A002059FCB14DFA9C885AAEFBF5FF88304B20456EE416EB291DB74A945CF65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00404287(void* __ecx) {
    				intOrPtr* _t70;
    				intOrPtr* _t95;
    				intOrPtr* _t97;
    				intOrPtr* _t99;
    				signed int _t101;
    				signed int* _t112;
    				intOrPtr* _t137;
    				void* _t140;
    				void* _t142;
    
    				E00409B78(0x425c30, _t142);
    				_t140 = __ecx;
    				 *((intOrPtr*)(_t142 - 0x10)) = 0;
    				_t70 =  *((intOrPtr*)(__ecx + 0x4c));
    				_push(_t142 - 0x10);
    				_push(0x42a0d0);
    				_push(_t70);
    				 *((intOrPtr*)(_t142 - 0x14)) = 0;
    				if( *((intOrPtr*)( *_t70))() >= 0) {
    					 *((intOrPtr*)(_t142 - 0x78)) = __ecx + 0xb8;
    					 *((intOrPtr*)(_t142 - 0x70)) = __ecx + 0xc8;
    					 *((intOrPtr*)(_t142 - 0x6c)) = __ecx + 0xcc;
    					 *((intOrPtr*)(_t142 - 0x7c)) = 0x40;
    					 *((intOrPtr*)(_t142 - 0x74)) = 0;
    					 *((intOrPtr*)(_t142 - 0x58)) = 0;
    					 *((intOrPtr*)(_t142 - 0x4c)) = 0;
    					 *((intOrPtr*)(_t142 - 0x48)) = 0;
    					E00409506(_t142 - 0x24);
    					 *((intOrPtr*)(_t142 - 4)) = 0;
    					_t137 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) + 0x1c));
    					 *(_t142 - 0x68) = 0;
    					_t112 = 0x428af4;
    					do {
    						_t22 = _t112 - 4; // 0xfffffd3b
    						 *((intOrPtr*)( *_t137 + 0x94))(_t140,  *_t22, _t142 - 0x24);
    						if( *((short*)(_t142 - 0x1c)) != 0) {
    							 *(_t142 - 0x68) =  *(_t142 - 0x68) |  *_t112;
    						}
    						_t112 =  &(_t112[2]);
    					} while (_t112 < 0x428b34);
    					 *((intOrPtr*)( *_t137 + 0x94))(_t140, 0xfffffd40, _t142 - 0x24);
    					 *((intOrPtr*)(_t142 - 0x64)) =  *((intOrPtr*)(_t142 - 0x1c));
    					 *((intOrPtr*)( *_t137 + 0x94))(_t140, 0xfffffd43, _t142 - 0x24);
    					 *((intOrPtr*)(_t142 - 0x60)) =  *((intOrPtr*)(_t142 - 0x1c));
    					 *((intOrPtr*)( *_t137 + 0x94))(_t140, 0xfffffd34, _t142 - 0x24);
    					 *((intOrPtr*)(_t142 - 0x54)) =  *((short*)(_t142 - 0x1c));
    					 *((intOrPtr*)( *_t137 + 0x94))(_t140, 0xfffffd3f, _t142 - 0x24);
    					 *((intOrPtr*)(_t142 - 0x50)) =  *((intOrPtr*)(_t142 - 0x1c));
    					 *((intOrPtr*)( *_t137 + 0x94))(_t140, 0xfffffd41, _t142 - 0x24);
    					_t95 =  *((intOrPtr*)(_t142 - 0x1c));
    					_push(_t142 - 0x5c);
    					_push(0x42a0f0);
    					_push(_t95);
    					if( *((intOrPtr*)( *_t95))() < 0) {
    						 *(_t142 - 0x5c) =  *(_t142 - 0x5c) & 0x00000000;
    					}
    					_t97 =  *((intOrPtr*)(_t142 - 0x10));
    					_push(_t142 - 0x3c);
    					 *((intOrPtr*)(_t142 - 0x3c)) = 0x18;
    					_push(_t142 - 0x7c);
    					_push(_t97);
    					if( *((intOrPtr*)( *_t97 + 0xc))() >= 0) {
    						 *((intOrPtr*)(_t142 - 0x14)) = 1;
    						 *((intOrPtr*)(_t140 + 0x70)) =  *((intOrPtr*)(_t142 - 0x38));
    						 *((intOrPtr*)(_t140 + 0x60)) =  *((intOrPtr*)(_t142 - 0x30));
    						 *((intOrPtr*)(_t140 + 0x64)) =  *((intOrPtr*)(_t142 - 0x2c));
    					}
    					_t99 =  *((intOrPtr*)(_t142 - 0x10));
    					 *((intOrPtr*)( *_t99 + 8))(_t99);
    					_t101 =  *(_t142 - 0x5c);
    					if(_t101 != 0) {
    						 *((intOrPtr*)( *_t101 + 8))(_t101);
    					}
    					 *0x4272a4(_t142 - 0x24);
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t142 - 0xc));
    				return  *((intOrPtr*)(_t142 - 0x14));
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ClearH_prologVariant
    • String ID: @
    • API String ID: 1166855276-2766056989
    • Opcode ID: 26cd35ede55d31ac448524fdf170c53acc01d1d5e7a717ace276660c3518bf70
    • Instruction ID: 07509d9b7c3c58e4142d3738990acffaf94d7820c0de841b8743027b8307b31b
    • Opcode Fuzzy Hash: 26cd35ede55d31ac448524fdf170c53acc01d1d5e7a717ace276660c3518bf70
    • Instruction Fuzzy Hash: 4151B2B1A002199FDB04CFA9C988AEEB7F9FF48304F20456EE516E7251E775A905CF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040B1F9(void* __ebx, void* __edi) {
    				char _v17;
    				signed char _v18;
    				struct _cpinfo _v24;
    				char _v280;
    				char _v536;
    				char _v792;
    				char _v1304;
    				void* _t43;
    				char _t44;
    				signed char _t45;
    				void* _t55;
    				signed int _t56;
    				signed char _t64;
    				intOrPtr* _t66;
    				signed int _t68;
    				signed int _t70;
    				signed int _t71;
    				signed char _t76;
    				signed char _t77;
    				signed char* _t78;
    				void* _t81;
    				void* _t87;
    				void* _t88;
    
    				if(GetCPInfo( *0x438fc4,  &_v24) == 1) {
    					_t44 = 0;
    					do {
    						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
    						_t44 = _t44 + 1;
    					} while (_t44 < 0x100);
    					_t45 = _v18;
    					_v280 = 0x20;
    					if(_t45 == 0) {
    						L9:
    						E0040F024(1,  &_v280, 0x100,  &_v1304,  *0x438fc4,  *0x4391e4, 0);
    						E0040EB4A( *0x4391e4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x438fc4, 0);
    						E0040EB4A( *0x4391e4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x438fc4, 0);
    						_t55 = 0;
    						_t66 =  &_v1304;
    						do {
    							_t76 =  *_t66;
    							if((_t76 & 0x00000001) == 0) {
    								if((_t76 & 0x00000002) == 0) {
    									 *(_t55 + 0x438fe0) =  *(_t55 + 0x438fe0) & 0x00000000;
    									goto L16;
    								}
    								 *(_t55 + 0x4390e1) =  *(_t55 + 0x4390e1) | 0x00000020;
    								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
    								L12:
    								 *(_t55 + 0x438fe0) = _t77;
    								goto L16;
    							}
    							 *(_t55 + 0x4390e1) =  *(_t55 + 0x4390e1) | 0x00000010;
    							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
    							goto L12;
    							L16:
    							_t55 = _t55 + 1;
    							_t66 = _t66 + 2;
    						} while (_t55 < 0x100);
    						return _t55;
    					}
    					_t78 =  &_v17;
    					do {
    						_t68 =  *_t78 & 0x000000ff;
    						_t56 = _t45 & 0x000000ff;
    						if(_t56 <= _t68) {
    							_t81 = _t87 + _t56 - 0x114;
    							_t70 = _t68 - _t56 + 1;
    							_t71 = _t70 >> 2;
    							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
    							_t88 = _t88 + 0x18;
    						}
    						_t78 =  &(_t78[2]);
    						_t45 =  *((intOrPtr*)(_t78 - 1));
    					} while (_t45 != 0);
    					goto L9;
    				}
    				_t43 = 0;
    				do {
    					if(_t43 < 0x41 || _t43 > 0x5a) {
    						if(_t43 < 0x61 || _t43 > 0x7a) {
    							 *(_t43 + 0x438fe0) =  *(_t43 + 0x438fe0) & 0x00000000;
    						} else {
    							 *(_t43 + 0x4390e1) =  *(_t43 + 0x4390e1) | 0x00000020;
    							_t64 = _t43 - 0x20;
    							goto L22;
    						}
    					} else {
    						 *(_t43 + 0x4390e1) =  *(_t43 + 0x4390e1) | 0x00000010;
    						_t64 = _t43 + 0x20;
    						L22:
    						 *(_t43 + 0x438fe0) = _t64;
    					}
    					_t43 = _t43 + 1;
    				} while (_t43 < 0x100);
    				return _t43;
    			}

    APIs
    • GetCPInfo.KERNEL32(?,00000000), ref: 0040B20D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: 87182afa33054dc13317948e67825632d1bacd259a62af09019477874c4db712
    • Instruction ID: 9d16e2c89513b7a25f320d825c0cf3464c0258e25ad98d9aa282809859afc9f3
    • Opcode Fuzzy Hash: 87182afa33054dc13317948e67825632d1bacd259a62af09019477874c4db712
    • Instruction Fuzzy Hash: 154178304042585EEB11CB24DD5DBFBBFA9EB15700F2410FAE94AE61D2C7794A448BEE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E00408E6E(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
    				signed int _v8;
    				void* __ebx;
    				struct HWND__* _t22;
    				signed int _t23;
    				intOrPtr _t33;
    				intOrPtr _t44;
    				void* _t48;
    				void* _t49;
    
    				_v8 = _v8 & 0x00000000;
    				_t44 = _a12;
    				if(_t44 != 0) {
    					_t22 =  *(_t44 + 0x1c);
    				} else {
    					_t22 = 0;
    				}
    				_t33 = _a4;
    				_t23 = IsChild( *(_t33 + 0x1c), _t22);
    				if(_t23 != 0) {
    					if(_t44 == 0) {
    						L7:
    						_t23 = _a8;
    						if(_t23 != _t44) {
    							if(_t23 == 0 || E00408DBE(_t23) == 0) {
    								if(_t44 != 0 && _v8 != 0) {
    									goto L18;
    								}
    							} else {
    								L18:
    								_push(_t44);
    								goto L19;
    							}
    							goto L20;
    						} else {
    							if((_v8 & 0x00000020) != 0) {
    								if(_t23 == 0) {
    									L21:
    									_push(1);
    									_push(_t44);
    									goto L25;
    								} else {
    									_t49 = E00408D1A(E00408E41(_t33), _t33, _t28);
    									if(_t49 == 0 || _t49 == _t44 || (E00408DBE(_t49) & 0x00000010) == 0) {
    										goto L21;
    									} else {
    										_push(_t49);
    										L19:
    										_push(_t33);
    										E00408DDF(_t33);
    										L20:
    										if((_v8 & 0x00000030) == 0) {
    											_t48 = E00408D1A(E00408E41(_t33), _t33, _t24);
    											_t23 = E00408DBE(_t48);
    											if((_t23 & 0x00000020) != 0) {
    												0x41ec07();
    												if(_t23 != 0) {
    													_push(1);
    													_push(_t48);
    													L25:
    													_t23 = E00408D71();
    												}
    											}
    										} else {
    											goto L21;
    										}
    									}
    								}
    							}
    						}
    					} else {
    						_t23 = GetWindowLongA( *(_t44 + 0x1c), 0xffffffec);
    						if((_t23 & 0x00010000) == 0) {
    							_v8 = E00408DBE(_t44);
    							goto L7;
    						}
    					}
    				}
    				return _t23;
    			}

    APIs
    • IsChild.USER32(?,?), ref: 00408E8E
    • GetWindowLongA.USER32(?,000000EC), ref: 00408EA5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ChildLongWindow
    • String ID: 0
    • API String ID: 1178903432-4108050209
    • Opcode ID: 7f2b60103e7849be8cb3991a27d51a20ccf317eb52ad100b5a29bf534857e1d9
    • Instruction ID: 07fd4a3a661c621b2d218c9681fff9b013105d066133c0c79bc56250be720b18
    • Opcode Fuzzy Hash: 7f2b60103e7849be8cb3991a27d51a20ccf317eb52ad100b5a29bf534857e1d9
    • Instruction Fuzzy Hash: 8A218071105616A6DF216A358F41BAF665E9F90758F24013FFC85F22C2EE3CDD81816C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00403C37(intOrPtr __ecx) {
    				intOrPtr _t38;
    				void* _t41;
    				short* _t42;
    				void* _t47;
    				void* _t50;
    				intOrPtr _t51;
    				void* _t53;
    
    				E00409B78(0x425bc8, _t53);
    				_t51 = __ecx;
    				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
    				0x41ac18(_t47, _t50, _t41, __ecx);
    				 *(__ecx + 0x28) =  *(__ecx + 0x28) | 0xffffffff;
    				 *((intOrPtr*)(_t53 - 4)) = 0;
    				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(_t53 + 8));
    				 *((intOrPtr*)(__ecx + 0x24)) = 0;
    				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
    				 *((intOrPtr*)(__ecx + 0x50)) = 0;
    				 *((intOrPtr*)(__ecx + 0x54)) = 0;
    				0x424e57();
    				 *((intOrPtr*)(__ecx + 0x60)) = 0;
    				 *((intOrPtr*)(__ecx + 0x64)) = 0;
    				 *((intOrPtr*)(__ecx + 0x70)) = 0;
    				 *((intOrPtr*)(__ecx + 0x84)) = 0;
    				 *((intOrPtr*)(__ecx + 0x88)) = 0;
    				 *((intOrPtr*)(__ecx + 0x8c)) = 0;
    				 *((intOrPtr*)(__ecx + 0x90)) = 0;
    				 *((intOrPtr*)(__ecx + 0x94)) = 0;
    				 *((intOrPtr*)(__ecx + 0x98)) = 0;
    				_t38 =  *0x431458; // 0x43146c
    				 *((intOrPtr*)(__ecx + 0x9c)) = _t38;
    				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
    				 *((intOrPtr*)(__ecx + 0xa4)) = 0;
    				 *((intOrPtr*)(__ecx + 0xb8)) = 0x428d60;
    				 *((intOrPtr*)(__ecx + 0xbc)) = 0x428d20;
    				 *((intOrPtr*)(__ecx + 0xc0)) = 0x428cf4;
    				 *((intOrPtr*)(__ecx + 0xc4)) = 0x428cd4;
    				 *((intOrPtr*)(__ecx + 0xc8)) = 0x428cbc;
    				 *((intOrPtr*)(__ecx + 0xcc)) = 0x428c9c;
    				 *((intOrPtr*)(__ecx + 0xd0)) = 0x428c88;
    				_t42 = __ecx + 0xa8;
    				 *((intOrPtr*)(__ecx + 0xd4)) = 0x428c5c;
    				 *((intOrPtr*)(__ecx + 0xd8)) = 0x428c40;
    				 *((intOrPtr*)(__ecx)) = 0x428b7c;
    				E00409C20(_t42, 0, 0x10);
    				 *_t42 = 0;
    				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
    				return _t51;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: 7Y@$X@
    • API String ID: 3519838083-413898316
    • Opcode ID: 8b4c544be272bfa1a91bbb115fac50c12979cbaddb3fbfe60ca3b8af571408d8
    • Instruction ID: 26ccc09b1af1b473cbddfabb9931e66152acc95fdfc335431b88085e82bc7623
    • Opcode Fuzzy Hash: 8b4c544be272bfa1a91bbb115fac50c12979cbaddb3fbfe60ca3b8af571408d8
    • Instruction Fuzzy Hash: B32196B0A02B148ED3609F2AD445786FBE8FFA0314F40891FD1AA97661CBB46548CF69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00415286(intOrPtr* __ecx) {
    				void* _t21;
    				intOrPtr _t22;
    				intOrPtr* _t23;
    				signed int _t35;
    				intOrPtr* _t38;
    				void* _t40;
    
    				E00409B78(0x426597, _t40);
    				_push(__ecx);
    				_push(__ecx);
    				_t38 = __ecx;
    				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
    				 *__ecx = 0x42a964;
    				 *(_t40 - 4) = 1;
    				E00414C2A(_t40 - 0x10);
    				_t35 =  *(__ecx + 0xc);
    				 *(_t40 - 4) = 2;
    				L1:
    				if(_t35 > 0) {
    					_t22 =  *((intOrPtr*)(_t38 + 8));
    					_t35 = _t35 - 1;
    					_t31 =  *((intOrPtr*)(_t22 + _t35 * 4));
    					if( *((intOrPtr*)(_t22 + _t35 * 4)) != 0) {
    						_t23 = E00413276(_t31);
    						if(_t23 != 0) {
    							 *((intOrPtr*)( *_t23))(1);
    						}
    					}
    					goto L1;
    				}
    				E0040A5D6( *((intOrPtr*)(_t38 + 8)));
    				 *(_t40 - 4) = 1;
    				E00414CC6();
    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
    				_t21 = E00401AA0(_t38 + 0x18, 1);
    				 *_t38 = 0x42a96c;
    				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
    				return _t21;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041528B
      • Part of subcall function 00414C2A: RtlEnterCriticalSection.NTDLL(00437DE0), ref: 00414C9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CriticalEnterH_prologSection
    • String ID: MRA$jRA
    • API String ID: 206681789-2133011341
    • Opcode ID: aec8d322fd28b360c7c371dd22b812eddc921dfb9f4adfa708522bc2f488bc19
    • Instruction ID: 81356b2a89c09142fc01e703f14fca479d998fc4138412b755ef924f3897c938
    • Opcode Fuzzy Hash: aec8d322fd28b360c7c371dd22b812eddc921dfb9f4adfa708522bc2f488bc19
    • Instruction Fuzzy Hash: 7101AD71601610DFDB24EF95D415BEEB7B0EF90304F1084AFE442A7691EBB8AD80CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E004151D4(intOrPtr* __ecx) {
    				intOrPtr* _t33;
    				void* _t35;
    
    				E00409B78(0x426570, _t35);
    				_push(__ecx);
    				_t33 = __ecx;
    				 *((intOrPtr*)(_t35 - 0x10)) = __ecx;
    				 *((intOrPtr*)(__ecx + 4)) = 1;
    				 *__ecx = 0x42a96c;
    				 *((char*)(__ecx + 0x14)) =  *((intOrPtr*)(_t35 + 8));
    				_t30 = __ecx + 0x18;
    				 *((intOrPtr*)(__ecx + 8)) = 0;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0;
    				 *((char*)(__ecx + 0x18)) =  *((intOrPtr*)(_t35 + 0xb));
    				 *((intOrPtr*)(_t35 - 4)) = 0;
    				E00401AA0(_t30, 0);
    				_push(E00409BA0(0x42a958));
    				E00401AD8(_t30, 0x42a958);
    				 *_t33 = 0x42a964;
    				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
    				return _t33;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: MRA$jRA
    • API String ID: 3519838083-2133011341
    • Opcode ID: 2cc94ac76a678352622bbcbed52a2b472ec5a400581a93f5a57baf9b0de8eea8
    • Instruction ID: 8a6119c2d65c425b9ccf4f996419d2a6cf20f123b7aaadf6c99aaf58dd17bd4e
    • Opcode Fuzzy Hash: 2cc94ac76a678352622bbcbed52a2b472ec5a400581a93f5a57baf9b0de8eea8
    • Instruction Fuzzy Hash: 2401D6F1B003509FC7109F2AA44056AFBF8EF55714B40C92FE486E7341D3B8A944CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0041493B(intOrPtr __ecx) {
    				void* _t16;
    				void* _t23;
    				void* _t26;
    				void* _t29;
    
    				E00409B78(0x42644c, _t29);
    				 *((intOrPtr*)(_t29 - 0x14)) = __ecx;
    				 *((intOrPtr*)(_t29 - 0x10)) = 0x435624;
    				0x41931d(_t29 - 0x10, _t23, _t26, _t16, __ecx, __ecx);
    				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
    				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 8))));
    				E00401AA0(__ecx + 0xc, 0);
    				E0040196C(__ecx + 0xc,  *((intOrPtr*)(_t29 + 8)), 0,  *0x42a7fc);
    				 *((intOrPtr*)(__ecx)) = 0x42a8bc;
    				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
    				return __ecx;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: $VC$string too long
    • API String ID: 3519838083-233398078
    • Opcode ID: c7984e31be58da73a8ec74655aea8bf26172d924ebca1f2df91e26885e7331ac
    • Instruction ID: 6cc2577340760be7cd4f5e46316d1c1d1a168e401778c73fbf602e62d27c5d87
    • Opcode Fuzzy Hash: c7984e31be58da73a8ec74655aea8bf26172d924ebca1f2df91e26885e7331ac
    • Instruction Fuzzy Hash: 30F06DB2B00215AFD700AB55D856BAEF7B8EB88704F40442FF551A7291C7B86A04CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog
    • String ID: `)B
    • API String ID: 3519838083-1795337573
    • Opcode ID: 18cceb500af145bbced09807f8d61083a1af1c032e121219e7ea9e2b615caaf4
    • Instruction ID: a161c56736f6291ce0e340acd3bd30845745c1a89a7ff39885f362a4fbf75fa1
    • Opcode Fuzzy Hash: 18cceb500af145bbced09807f8d61083a1af1c032e121219e7ea9e2b615caaf4
    • Instruction Fuzzy Hash: 5EF08271B00224DFD724EFA9E405B5EB6E8AB04704F40452FB905D7202D7BC99008B9C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00420984
    • GetWindowDC.USER32(00000000,?,?,0040331B,?), ref: 004209AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prologWindow
    • String ID: f)B
    • API String ID: 4014909691-1871696343
    • Opcode ID: cc702ecf54dd200b939d93a1395a5e2c990b56301383ee27eadc6f7fea4fd593
    • Instruction ID: d0cbb354efec6a66a2d8872f243b3d2fde66e2d730c2119dbdb8eed410e6734e
    • Opcode Fuzzy Hash: cc702ecf54dd200b939d93a1395a5e2c990b56301383ee27eadc6f7fea4fd593
    • Instruction Fuzzy Hash: 4EF08CB1B116249FD714EFA9A805B5EB6E8AF08708F40412FB902D3242D7BC9A008B99
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00420A38
    • BeginPaint.USER32(?,?,?,?,004013DE), ref: 00420A61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: BeginH_prologPaint
    • String ID: l)B
    • API String ID: 1900852855-1645761537
    • Opcode ID: 3cf850ca847b89a557f63845e487c311e24c2bdf3d1d8f1e7b23f31ac06c043a
    • Instruction ID: ffb0fa6ac709b1d9a6950b89afee73630bbcbf58c83c3d6886e395b06dc66269
    • Opcode Fuzzy Hash: 3cf850ca847b89a557f63845e487c311e24c2bdf3d1d8f1e7b23f31ac06c043a
    • Instruction Fuzzy Hash: F8F082B17106249FC714EF99E805B6EB7F8EB08704F40451FB401D7601D7BC99008BA8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00425424
    • CloseHandle.KERNEL32(?,?,?,00421FD9), ref: 00425442
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: CloseH_prologHandle
    • String ID: 0!B
    • API String ID: 3649405652-3479636445
    • Opcode ID: a02c7d7bbbcca210b70f9d9a37f81ed1a5408df36ff190f6d2a751739bc0acc6
    • Instruction ID: beb6c84914a1d635409de5b60367179af2cb0b10d1f6504532bec63526089d3c
    • Opcode Fuzzy Hash: a02c7d7bbbcca210b70f9d9a37f81ed1a5408df36ff190f6d2a751739bc0acc6
    • Instruction Fuzzy Hash: 80F0A771A50620DBCB24AF18D50979DB6B4BF00325F40826FB05197291C7B88940CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 26%
    			E00416F60(struct HWND__* _a20) {
    				struct HWND__* _t3;
    				void* _t5;
    				void* _t9;
    				CHAR* _t10;
    
    				_t10 = _t9 - 0x10;
    				if( *0x439260 < 0x35f) {
    					L3:
    					return 1;
    				} else {
    					_t3 = _a20;
    					if(_t3 == 0) {
    						goto L3;
    					} else {
    						GetClassNameA(_t3, _t10, 0x10);
    						_t5 =  *0x427284(_t10, "ComboBox");
    						asm("sbb eax, eax");
    						return _t5 + 1;
    					}
    				}
    			}

    APIs
    • GetClassNameA.USER32(?,?,00000010), ref: 00416F7E
    • lstrcmp.KERNEL32(?,ComboBox), ref: 00416F8E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: ClassNamelstrcmp
    • String ID: ComboBox
    • API String ID: 3770760073-1152790111
    • Opcode ID: 3ab8910d5b38197441bcf7f9d10ee57b54972c65346f7b78df091cb0ca828339
    • Instruction ID: 457947db27369a039854ebcb96bb2a9d8a6a519082a19ff478d9c2522191c260
    • Opcode Fuzzy Hash: 3ab8910d5b38197441bcf7f9d10ee57b54972c65346f7b78df091cb0ca828339
    • Instruction Fuzzy Hash: A0E0DF707042006BE720AF249C09B6A32A8FB00705FC40D98F008C1291F7BAE5A6871A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00420AAA
    • EndPaint.USER32(?,?,?,?,0040143F), ref: 00420AC7
      • Part of subcall function 00420438: __EH_prolog.LIBCMT ref: 0042043D
      • Part of subcall function 00420438: DeleteDC.GDI32(00000000), ref: 0042045C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog$DeletePaint
    • String ID: l)B
    • API String ID: 2732140596-1645761537
    • Opcode ID: 11881a74996de01fa1cbe79af9071ee0df5f54bf57990ed06ba41b95f4f6f2a1
    • Instruction ID: 42d8a5f9bab88cd0d5c7d03ae5a28815df5cd0523fa9661b9fb7d26a9be5cbf2
    • Opcode Fuzzy Hash: 11881a74996de01fa1cbe79af9071ee0df5f54bf57990ed06ba41b95f4f6f2a1
    • Instruction Fuzzy Hash: 91E09B71A10624DBC724AF58E80569DB7F9FF04724F90475FE012A2592CBB85A01C755
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 00420942
    • ReleaseDC.USER32(?,00000000), ref: 00420961
      • Part of subcall function 00420438: __EH_prolog.LIBCMT ref: 0042043D
      • Part of subcall function 00420438: DeleteDC.GDI32(00000000), ref: 0042045C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog$DeleteRelease
    • String ID: `)B
    • API String ID: 4287524380-1795337573
    • Opcode ID: 418c4e795461e2413958425c61afd19a12a8e768e4829b6dbd73194331c620c8
    • Instruction ID: fd20cc2b44fc71d4613864062719215898bfffd1ef8c68e73e7a4825e28bb463
    • Opcode Fuzzy Hash: 418c4e795461e2413958425c61afd19a12a8e768e4829b6dbd73194331c620c8
    • Instruction Fuzzy Hash: 8FE0D870A10620DBC714BF58E4057ACB7F4FF00324F50871FB052A21D2C7B809008758
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 004209F6
    • ReleaseDC.USER32(?,00000000), ref: 00420A15
      • Part of subcall function 00420438: __EH_prolog.LIBCMT ref: 0042043D
      • Part of subcall function 00420438: DeleteDC.GDI32(00000000), ref: 0042045C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: H_prolog$DeleteRelease
    • String ID: f)B
    • API String ID: 4287524380-1871696343
    • Opcode ID: 877c267c19243d8eecd84c53f4efd006377618b1e6b618e415c105cb42a5117a
    • Instruction ID: ac30eaccee45dec591598100d84c7e82239e066d27e6f4bd73d217692b4538d1
    • Opcode Fuzzy Hash: 877c267c19243d8eecd84c53f4efd006377618b1e6b618e415c105cb42a5117a
    • Instruction Fuzzy Hash: 16E09270A10620DBC714BF54E4056ACB6B4FB00324F90861FA052A2192C7B80D018758
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00422F5F: TlsGetValue.KERNEL32(00437200,?,00000000,0042275D,00422136,00422779,0041A668,0042029B,?,00000000,?,00418C5C,00000000,00000000,00000000,00000000), ref: 00422F9E
    • GetMessageTime.USER32 ref: 0041C3D1
    • GetMessagePos.USER32 ref: 0041C3DA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: Message$TimeValue
    • String ID: 8pC
    • API String ID: 3832333830-366150886
    • Opcode ID: daebfb4331810316b1dc9a22399a22c217d88ee4faf2c175bd2fb8694f8ff29d
    • Instruction ID: 79dd22488c9c9f3be7bd898562af451538314895a3b54d2e988579d7af954e91
    • Opcode Fuzzy Hash: daebfb4331810316b1dc9a22399a22c217d88ee4faf2c175bd2fb8694f8ff29d
    • Instruction Fuzzy Hash: CED012705047709BC334AF25A6484BB7BF1EB48751381096FA9C6C7600DA789446DB48
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1767637830.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1767620488.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.1767781492.0000000000434000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767805480.0000000000439000.00000040.00020000.sdmp
    • Associated: 00000000.00000002.1767825337.0000000000443000.00000040.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_IDAProHelper.jbxd
    Similarity
    • API ID: DeleteH_prolog
    • String ID: Z)B
    • API String ID: 3406903920-1123994915
    • Opcode ID: cffe932360ca30c7e04df639531b42198e86741809ba9b5826db7cadf1da0339
    • Instruction ID: 266661683db9b284ae07f41f027710bd9cd5d042515be5c39907e50f144b2006
    • Opcode Fuzzy Hash: cffe932360ca30c7e04df639531b42198e86741809ba9b5826db7cadf1da0339
    • Instruction Fuzzy Hash: 89E012B0E05510EBC715AFA4E5087ADBAB4FB04319F50C56FE40662343C77C4545C919
    Uniqueness

    Uniqueness Score: -1.00%